Favorite DNS over HTTPS provider?


DNS over HTTPS (DoH) is becoming available on more platforms. Do you have a favorite DoH provider?

8 responses to “Favorite DNS over HTTPS provider?”

  1. wright_is

    I block DoH at the firewall and use DNS over TLS, the way it should be done. I use Quad9 at the moment.

    • dftf

      In reply to wright_is:

      What's the major advantage to DNS-over-TLS versus DNS-over-HTTPS?

      From reading around online I thought the whole advantage of DoH was that it is harder to block on a firewall, as it uses the standard port 443 that HTTPS traffic does, whereas DoT uses its own unique port (853) and therefore can be blocked considerably more easily?

      (I would assume Firefox and Google Chrome's built-in Secure DNS both use DoH?)

      • wright_is

        In reply to dftf:

        I have my own DNS server "in house". That means:

        1. I can access all my equipment by name
        2. I can set up my own blacklists and whitelists
        3. All devices use the same DNS provider (mine) and not what the browser/device thinks it should use
        4. The number of DNS queries that go externally is reduced, as they are cached on the local DNS server, thus making it harder for the DNS provider to know how frequently sites are visited.

        In essence, that means that if there is a problem with DNS, I know where to start looking. If each device uses DoH with its own default provider and something suddenly stops working, it isn't as easy to diagnose, because some devices might still be working and some won't, so you would normally discount DNS as being the problem.

        I block all of Facebook, for example (over 2,500 domains), and around 2.5 million tracking, malvertising and malware sites.

        It uses the same TLS encryption as DoH, but it uses the traditional DNS protocol. That is cleaner, as it isn't abusing another protocol to do something it wasn't designed to do / shouldn't be doing.

        As I also have servers, switches, access points, printers, NAS and other PCs and phones in the house, they are all automatically assigned internal names (Printer001, Switch001, Switch002, PC1, PC2 etc. - well, I give them more meaningful names, but you get my drift). That means I can contact them with their assigned names. If the device / browser is using DoH, it won't know anything about the internal devices, so they will not be found - or I will have to wait for the external DoH server to fail its lookup and the browser to fall back on using "real" DNS instead; or it will jump to a search engine, like Google or DuckDuckGo, to search for the name, both of which are exposing the make-up of my internal network to services that don't need to know that!

        The local naming and blocklists are the main reasons why company networks will often block external DNS servers. They can block sites they consider as malware slingers, for example, and there are often dozens or hundreds of printers, servers and other services on the internal network that a) wouldn't be found via DoH and b) would expose company metadata to the DNS provider and possibly the search engine, if the browser borks at the DoH not finding the name.

      • infloop

        In reply to dftf:

        I second what wright_is said.

        I also run my own DNS server to access devices by name, and utilize solutions like Pi-hole to do some blocking of ad/malware/tracking domains. A browser or device that uses hard-coded DNS servers (a common one is Google's) and/or DNS over HTTPS means that any filtering and local name resolution that I want gets bypassed.

        If privacy is one of the things you want, there are some who argue that you should run your own local recursive resolver to query the authoritative servers directly, so that you aren't sending all of your DNS traffic through one place. But it will have to be done using the plain DNS protocol. And you would want to use a resolver that supports QNAME minimization (RFC 7816) so that your full query is not sent to every authoritative server as it goes down the chain. If you are going to use an external service, make sure you are comfortable with their privacy policies and practices.

    • F4IL

      In reply to wright_is:

      Same here. Using unbound with ~20 DNS-over-TLS providers. Unbound can use round robin over multiple providers so each one has a fraction of your queries at any point in time. The more you add the better the obfuscation. Blocking outbound queries at the firewall is also a nice touch. Also, I like that DoT is a system wide solution unlike DoH which is app specific.
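To put the pieces from this thread side by side (wright_is's internal names and blocklists, infloop's QNAME minimisation point, and F4IL's forwarding to several DNS-over-TLS providers from unbound), here is an added unbound.conf example. It is not any commenter's configuration: the LAN prefix 192.168.10.0/24, the host names and their addresses, and the blocklist file path are constructed for the example; the option names and the Quad9 and Cloudflare addresses and certificate names are real.

```conf
# Added example unbound.conf (not from any commenter on the page).
# A LAN resolver that answers internal names locally, returns NXDOMAIN for
# blocklisted domains, caches to cut upstream query volume, and forwards the
# rest over DNS-over-TLS to more than one provider.
server:
    interface: 0.0.0.0
    interface: ::0
    port: 53

    # Only the LAN (constructed prefix) and localhost may query this resolver.
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    access-control: 192.168.10.0/24 allow
    access-control: 0.0.0.0/0 refuse

    # CA bundle used to authenticate the certificates of the DoT upstreams.
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt

    # RFC 7816: send each authoritative server only the labels it needs.
    # This applies to names unbound resolves itself (see the note below).
    qname-minimisation: yes

    # Caching and prefetching reduce how often the upstream sees a name,
    # which is the "harder to know how frequently sites are visited" point.
    cache-min-ttl: 300
    prefetch: yes

    # Internal names (constructed): answered here, never sent upstream.
    local-zone: "lan." static
    local-data: "printer001.lan. IN A 192.168.10.20"
    local-data: "switch001.lan.  IN A 192.168.10.2"
    local-data: "nas001.lan.     IN A 192.168.10.30"
    local-data-ptr: "192.168.10.20 printer001.lan"
    local-data-ptr: "192.168.10.2 switch001.lan"
    local-data-ptr: "192.168.10.30 nas001.lan"

    # Blocklist: always_nxdomain covers the zone and every name under it,
    # so one line handles www.facebook.com, m.facebook.com and so on.
    local-zone: "facebook.com." always_nxdomain
    local-zone: "fbcdn.net." always_nxdomain
    # Large lists are generated into a file of local-zone lines and included
    # (constructed path).
    include: /etc/unbound/blocklist.conf

# Everything not answered above is forwarded over TLS on port 853.
# The form addr@port#name makes unbound verify the server certificate
# against that name, so a spoofed upstream is rejected, not just unencrypted.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
    forward-addr: 2620:fe::fe@853#dns.quad9.net
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
```

Two things worth knowing when adapting this. First, with a catch-all forward-zone unbound hands the full query name to the chosen forwarder, so qname-minimisation only does real work for names unbound recurses itself; the variant infloop describes (query the authoritative servers directly, plain DNS, nothing sent to a single provider) is the same file with the forward-zone section removed. Second, unbound picks among the listed forward-addr entries based on measured round-trip time with some randomisation, so queries are spread across providers rather than pinned to one, which is the effect F4IL is after. Run `unbound-checkconf` after editing, and pair the resolver with a firewall rule that lets only this host send traffic to ports 53 and 853 outbound, so devices cannot quietly route around the local names and blocklist.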

  2. dftf

    Firefox now has this built-in (Options > General > Network Settings > "Enable DNS over HTTPS") with a choice of either Cloudflare or NextDNS by default (though you can choose "custom" and specify your own). Anyone using either and would recommend one over the other?

    You can also turn it on in Google Chrome: in the address bar, type CHROME://FLAGS and search for DNS then under "Secure DNS lookups" change the dropdown to Enabled. It doesn't state which provider they use for this though.

  3. infloop

    Some of the known providers are Quad9, Cloudflare, OpenDNS, and Google, for example. There are more listed here: https://en.wikipedia.org/wiki/Public_recursive_name_server

    I use Quad9 and connect to it with DNS over TLS (DoT) via Stubby. I do this network-wide with a local DNS server that also does some filtering before passing it on to Quad9.

  4. ThemainJP

    We use Quad9 on our domain controllers and have a group policy for Firefox to use Quad9 with DoH. You don't get any real insight into what (if anything) Quad9 is doing for you, but we've found it to be reliable and fast, and if it blocks some malware or phishing, it's always good to have as many layers of protection as you can.