I have reason to think about DNS, because it determines where my devices go for directions.
This has many implications.
- For one, I would like a DNS services that does not record where I browse, so that I cannot be tracked and profiles by corporate interests or nascent police states. One way to fix this is with a VPN, but if I don’t want that overhead, I can also encrypt my DNS queries with the right DNS server.
- For another, I would like a DNS services that is deliberately broken and simply not work for malevolent sites such as malware distributors and advertisers, because this is becoming difficult with some browsers. Some people maintain their own blocklists, but I am happy to entrust a commercial DNS server with this power if they seem trustworthy.
- For a third, I would like a DNS server that does not spoof sites. For example, when I work in Indonesia if I try to visit videos from vimeo, I cannot without DNS hacks because otherwise I am redirected to a site which tells me that vimeo is pornographic (!). In China I understand this is how they enforce the great firewall. one way around this is DNSSEC, which is a verified DNS standard which is somewhat painful to set up.
How to switch bad vanilla DNS servers to better ones
First up, it’s a small step by you can just ditch your ISP’s DNS resolver for a better one. I am told this might be bad for your Netflix streaming, but since my ISP already can’t really handle streaming, this is not a huge problem for me. If you have special needs (intranet servers etc) you will need more sophistication. See the bottom for a list of providers.
If you are using these for VPN on Ubuntu, you need extra steps. But maybe your DNS cache is already poisoned with false records? You need to expunge them.
Your OS can benefit from a DNS flush; but also your browsers can keep stinky poisoned records around. clearing browser DNS caches is also possible.
DNS flush command keeps changing, eh?:
Blocking some DNS
You can do this yourself with dnsmaq plus much love and attention and OCD, but I’m not quite anal retentive enough to handle this myself. More comfortable might be to run a single board computer such as a rasppi as a net filter via pi-hole.
Linuxbabe on DNS-over-TLS for Ubuntu using some app called
stubby. Dan Pfiffer on DNS-over-TLS for macOS. (alt version.) These both look pretty simple. There was also dnscrypt, which was abdandoned so I guess you can ignore it.
The encrypted and verified DNS option. Obviously we should all be using this, but it still looks painful at least on macOS. The server app of choice seems to be
Alternate DNS servers
There are fancy DNS servers operated by e.g. Cloudflare and Adguard which offer value added features such as censoring advertisors sites (and optionally “family unfriendly” ones) and DNS-over-TLS.
Cloudflare is American and has enabled Nazi speech. Adguard operate in a Russian jurisdiction. What the risk and benefit profiles of these organisations I will leave you to decide for yourself.
Cisco’s opendns will do ad blocking, but not TLS-comaptible.
DNS Servers to use in Australia:
There are a LOT of DNS severs in Australia, and most do not block any websites. If all you want to do is unblock stuff then you can use any of these* AAPT DNS servers: 126.96.36.199 / 188.8.131.52 / 184.108.40.206 (* it appears only on iiNet/TPG group ISPs). In fact, you can even use this TPG server, strangely enough: 220.127.116.11, or of course any ISP not covered by the court order that has public DNS resolvers (many are network-locked) such as Broadband Solutions 18.104.22.168, or MyRepublic 22.214.171.124 / 126.96.36.199 (Au), 188.8.131.52 / 184.108.40.206 (NZ). There are also pubic resolvers operated by organisations as well, like this one from UNILINC: 220.127.116.11, or this one from Northwest Aviation Services: 18.104.22.168. […] Now that’s just a short list really, and confined to Australia[…] But before you enter them consider that most of those providers will log your data use, any run by an ISP are required to by law, and none of the others say they don’t log use. […]
You can also use DNS servers provided by VPNs. The PIA servers are 22.214.171.124 / 126.96.36.199. There are two Openic servers in Australia as well: 188.8.131.52 (NSW), 184.108.40.206 (Vic). Other options not recommended are GoogleDNS and CISCO. Google do say how long they keep logs for, so we’ll assume forever, and you’re giving all your metadata to the world’s largest advertising company! CISCO also keeps logs indefinitely, do not use.
The best option is to use one of these severs above as your back-up server, and set up dnscrypt, and use the d0wn Australia server (or really any server that doesn’t log, it’s up to you).
NB dnscrypt is dead so ignore that bit.
TODO: update this list for modern metadata retention laws etc.
CCC’s recommended DNS servers globally:
- 220.127.116.11 (FoeBud)
- 18.104.22.168 (f.6to4-servers.net, ISC, USA)
- 2001:4f8:0:2::14 (f.6to4-servers.net, IPv6, ISC)
- 22.214.171.124 (dns.as250.net; Berlin/Frankfurt)
- 126.96.36.199 (dnscache.berlin.ccc.de)
The Google Public DNS IP addresses (IPv4) are as follows:
The Google Public DNS IPv6 addresses are as follows: