Spotlight - Alternatives to Google DNS

The name server addresses 8.8.8.8 and 8.8.4.4 are widely known and used. But is it a good idea to send basically every web request to Google first? What are proper alternatives for public DNS servers, preferably with some security and privacy in mind?

©2022, Daniel Schier, CC BY-SA 4.0

Let's take a look!

Alternative To

"Alternative To" is a format of blog articles, where I want to provide alternatives for widely used software, services, and products. Yes, I will have security, privacy and Open Source in mind, for sure. The first article of this kind is already pretty old, but still valid. Since it was a bit short, I wanted to add more "fuel" for you.

Spotlight - Alternatives for YouTube, Twitter, Instagram and more
There was a time when the internet was young, full of enthusiastic people that wanted to connect others. We became the product. Our data is used to sell ad-placements. Are there alternatives?

In case you wonder what can be used to replace Google Docs, Dropbox and more, this series might be for you.

DNS

DNS (Domain Name System) is a technology that resolves hostnames into IP addresses. This sounds pretty low-tech, doesn't it? Well, basically every browser request that you perform uses DNS. I don't want to go into too much detail, but it works pretty much like this.

  1. You open a browser and point it to https://example.com
  2. Your browser goes to the next available recursive DNS resolver, which is most likely run by your ISP or is another public machine
  3. The resolver queries a DNS root nameserver
  4. The root nameserver answers with the address of the Top Level Domain (TLD) nameserver (.com in our case)
  5. The resolver then makes a request to the TLD nameserver
  6. The TLD nameserver answers with the domain's nameserver
  7. The domain nameserver replies to the resolver with a valid IP address
  8. The browser makes a request to this IP address

[Figure: the steps above, shown as arrows from the client to the resolver, root DNS, TLD DNS, domain DNS and web server. ©2022, Daniel Schier, CC BY-SA 4.0]

As you can see, there are many requests happening. Very often, this allows your ISP or the used resolver to track what you are doing.

Google DNS

Before providing alternatives to a service, you might be interested in what Google provides, and why it may be a good or bad idea to use it. So, here is the quick rundown.

Google's Public DNS service has been available for quite some time already. It is widely adopted, highly available, properly scaled and provides several security features like DNS over TLS or DNS over HTTPS. Compared to your ISP's DNS, you might also get more answers from Google DNS, since it does not apply "DNS blocking" like ISPs typically do.

On the other hand, all your requests are sent to Google. This means Google has lots of information about how the web is used. Also, Google is known to change or even delete services at any point in time.

  • ✅ DNS over HTTPS (DoH)
  • ✅ DNS over TLS (DoT)
  • ✅ DNS over QUIC (DoQ)
  • 🚫 DNSCrypt
  • 🚫 No logging
  • 🚫 Ad Block

Alternatives

Instead of making yourself dependent on a single provider, it might be a good idea to choose the provider that is right for you. Some of them even add features on top of regular DNS resolution.

AdGuard DNS

AdGuard is known for its ad-blocking browser extension. In addition, AdGuard offers a public DNS service, which provides extra ad-blocking features. If a known ad DNS name is queried, it resolves this name to the address 0.0.0.0. Almost all clients interpret this result as "does not exist" and therefore skip further actions with this address.
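
On the wire, a 0.0.0.0 answer is a successful response carrying an address record, which is different from a real "does not exist" (NXDOMAIN) reply; that difference matters when you troubleshoot or log blocked lookups. The following Python is an added example, not AdGuard's code: it parses DNS responses and tells the two cases apart. The name ads.example and the sample responses are constructed.

```python
import ipaddress
import struct

def skip_name(msg: bytes, pos: int) -> int:
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[pos]
        if (length & 0xC0) == 0xC0:  # compression pointer, 2 bytes, ends the name
            return pos + 2
        if length == 0:
            return pos + 1
        pos += 1 + length

def answer_addresses(msg: bytes) -> list:
    """Extract A/AAAA addresses from the answer section of a response."""
    _id, _flags, qdcount, ancount = struct.unpack("!HHHH", msg[:8])
    pos, addresses = 12, []
    for _ in range(qdcount):
        pos = skip_name(msg, pos) + 4  # skip QTYPE and QCLASS
    for _ in range(ancount):
        pos = skip_name(msg, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        rdata = msg[pos + 10:pos + 10 + rdlen]
        pos += 10 + rdlen
        if (rtype, rdlen) in ((1, 4), (28, 16)):  # A or AAAA
            addresses.append(ipaddress.ip_address(rdata))
    return addresses

def classify(msg: bytes) -> str:
    """Tell a sinkholed answer apart from NXDOMAIN and from a normal answer."""
    if (msg[3] & 0x0F) == 3:  # RCODE 3 = NXDOMAIN
        return "nxdomain"
    addrs = answer_addresses(msg)
    if addrs and all(a.is_unspecified for a in addrs):  # 0.0.0.0 or ::
        return "blocked"
    return "resolved" if addrs else "no-address"

def sample_response(rcode: int, addr: bytes = b"") -> bytes:
    """Constructed response for the made-up name ads.example (sample input)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, 1 if addr else 0, 0, 0)
    question = b"\x03ads\x07example\x00" + struct.pack("!HH", 1, 1)
    answer = b""
    if addr:  # one A record whose owner name points back to offset 12
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, len(addr)) + addr
    return header + question + answer

for rcode, addr in ((0, bytes(4)), (0, bytes([192, 0, 2, 10])), (3, b"")):
    print(classify(sample_response(rcode, addr)))
```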

With an (optional) account, you can configure even more features, including parental control, grabbing statistics and whatnot.

  • ✅ DNS over HTTPS (DoH)
  • ✅ DNS over TLS (DoT)
  • ✅ DNS over QUIC (DoQ)
  • DNSCrypt
  • 🚫 No logging
  • ✅ Ad Block

Quad9

Quad9 positioned itself as the privacy-oriented alternative to Google's public DNS. In general, there will be no logs on the servers and many encryption protocols are supported. Quad9 provides a very detailed page on how they want to ensure data privacy and why they consider this important.


dnsforge.de

dnsforge.de is an interesting approach from Germany, which offers a public DNS service with optional parental control. The project supports basically all encryption standards and adds "no tracking", "no logging" and "no advertising" on top.

  • ✅ DNS over HTTPS (DoH)
  • ✅ DNS over TLS (DoT)
  • ✅ DNS over QUIC (DoQ)
  • DNSCrypt
  • ✅ No logging
  • ✅ Ad Block

It is a very small project, though.

❤️ The next two providers were requested/recommended by the community. Thank you for the inspiration.

Cloudflare

Cloudflare hosts another very public DNS resolver. It is exceptionally fast compared to other providers, including Google's public DNS. Anyway, in daily use you will not "feel" a huge difference, since loading a web page takes way longer than resolving DNS records.

  • ✅ DNS over HTTPS (DoH)
  • ✅ DNS over TLS (DoT)
  • 🚫 DNS over QUIC (DoQ)
  • 🚫 DNSCrypt
  • ✅ No logging
  • 🚫 Ad Block

OpenDNS

OpenDNS (by Cisco) was recommended, too. Unfortunately, it is a bit tricky to find which features are supported. So, please see the results below as "based on my Knowledgebase foo with Cisco". In addition to the public DNS service, you can subscribe to additional features, including parental control or ad blocking and filtering.

  • ✅ DNS over HTTPS (DoH)
  • 🚫 DNS over TLS (DoT)
  • 🚫 DNS over QUIC (DoQ)
  • DNSCrypt
  • 🚫 No logging
  • 🚫 Ad Block

The community made me aware that there are some cool collections and links available, which I want to share with you.

  • GitHub - DNSCrypt/dnscrypt-resolvers: Lists of public DNSCrypt / DoH DNS servers and DNS relays
  • Best free and public DNS server of 2024: Speed up and secure your browsing with the best DNS servers

Conclusion

So, you might wonder which DNS resolver I am using? I opted for Quad9 some time ago, but I am also playing with dnsforge.de recently. Quad9 was reliable for private, company, and enterprise approaches for me.

But, enough of my opinion. What about you? Which DNS resolver is not on my list? Which one do you use? Any updates that are worth sharing with the community?