this post was submitted on 13 Aug 2024
45 points (100.0% liked)

Privacy

31833 readers
247 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

Chat rooms

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
 

Do you use one or several providers ?

Do you use it at Browser, Device/OS, Router level ?

What's your configuration ?

top 28 comments
sorted by: hot top controversial new old
[–] Darkassassin07@lemmy.ca 9 points 2 months ago* (last edited 2 months ago) (1 children)

Two piholes at home (redundancy). Those both translate all regular DNS requests to DoH using Cloudflared which rotate through 4 non-isp upstream DoH providers.

The router is set to block all port 53 traffic from leaving the network and handout the 2 pihole IPs to dhcp clients for dns. If a LAN device wants regular dns, it MUST use the lan servers or it'll get no response. (or it can use its own DoH setup and/or vpn out of the network). This enforces the ad/telemetry/malware blocking lists pihole uses without having to configure dns on everything.

Those piholes also keep lists/records in sync using Gravity-Sync. Should I change ad lists or add/remove lan dns records, I don't have to do it on both.

[–] swampdownloader@lemmy.dbzer0.com 1 points 2 months ago (1 children)

Do you ever have any trouble blocking port 53? Do any services break?

[–] Darkassassin07@lemmy.ca 3 points 2 months ago

Haven't had any issues yet and it's been blocked for at least 4 years now. Everything just happily uses the DNS servers specified by DHCP.

[–] shortwavesurfer@lemmy.zip 6 points 2 months ago

I use Control-D, both on Android, through DNS over TLS, and at the router level, so that I'm protected from ads and malware, no matter whether I'm on cellular data or on Wi-Fi.

[–] BlackEco@lemmy.blackeco.com 5 points 2 months ago* (last edited 2 months ago) (1 children)

PiHole with unbound (it's its own recursive DNS resolver so you don't depend on Cloudflare, Quad9 and others) set on my local network DHCP, plus AdGuard's DNS Proxy to use PiHole outside my home on my phone through DNS over TLS.

[–] N0x0n@lemmy.ml 1 points 2 months ago

That's something I have to look into. I think I gave it a try but failed. Having everything on a old spare laptop doesn't help either (docker, vpn, dns resolver, pihole,firewall...).

Can't wait to put my n100 as router into my network and give it a second try :)))

[–] vk6flab@lemmy.radio 5 points 2 months ago

DHCP at the router that gives out these two filtered DNS servers from AdGuard:

  • 94.140.14.14
  • 94.140.15.15

https://adguard-dns.io/en/blog/adguard-dns-new-addresses.html

[–] Lemmchen@feddit.org 4 points 2 months ago* (last edited 2 months ago)

Mullvad's DNS servers at the router level.

[–] ssm@lemmy.sdf.org 4 points 2 months ago* (last edited 2 months ago)

/etc/unwind.conf

block list "/var/db/unwind_blocklist"
forwarder { X.X.X.X port X DoT X.X.X.X port X DoT }
preference { DoT }

unwind_blocklist is generated with this script I wrote:

#!/bin/sh
# Blocklists for unwind(8)

blocklist=/var/db/unwind_blocklist
[ ! -f $blocklist ] && \
        (umask 117; touch $blocklist && chgrp _unwind $blocklist)

{
        ftp -V -o - \
            https://blocklistproject.github.io/Lists/alt-version/everything-nl.txt \
            http://winhelp2002.mvps.org/hosts.txt \
            http://sysctl.org/cameleon/hosts \
            https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt \
            https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt \
            https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/android-tracking.txt
        echo twitter.com
        echo www.twitter.com
        echo www.x.com
        echo x.com
        echo facebook.com
        echo www.facebook.com
} | awk -safe '
        !/^M|#|(^|\.)[[:blank:]]*$|^definitely_not_porn$/ {       
                if ($1 ~ /127\.0\.0\.1|0\.0\.0\.0/) {
                        $0 = $2
                }
                if ($0 ~ /[[:upper:]]/) {
                        print tolower($0)
                } else {
                        print $0
                }
        }
' | sort -u >$blocklist
rcctl restart unwind

Regenerates occasionally with cron.

[–] Ransack3@lemmy.world 3 points 2 months ago

Pi-Hole using upstream Quad9 and Cloudflare, managed router redirect/blocking everything to Pi-Hole or no mans land, NextDNS out of the house for mobile devices or on WiFi I don't control.

[–] Andromxda@lemmy.dbzer0.com 3 points 2 months ago (1 children)

When using the network-wide VPN configuration of my firewall, I also use OPNSense to enforce that all devices connect to my self-hosted Pi-Hole, including redirecting DNS packets that are sent to DNS servers other than my Pi-Hole IP. There's a pretty cool guide for this: https://forum.opnsense.org/index.php?topic=9245.0

When running a VPN client on a device, I just use the VPN to manage DNS settings.
Both Mullvad and IVPN have very solid DNS settings within their desktop clients. Proton VPN unfortunately lacks behind in this regard. That's why I never use any Proton VPN clients on desktop, and rely on OPNSense, if I want to use Proton.

[–] OhVenus_Baby@lemmy.ml 1 points 2 months ago (1 children)

What about Mulls mobile DNS settings? Are they worth their salt or should one configure some other sort of setup?

[–] Andromxda@lemmy.dbzer0.com 1 points 2 months ago

If you use iOS, you have no other option. But on Android I would recommend just using the system Private DNS (DoT) instead.

[–] just_another_person@lemmy.world 2 points 2 months ago (1 children)

Can you elaborate more? Do you want controlled lookups, or just one of the public ad-removing providers?

[–] Freuks@lemmy.ml 1 points 2 months ago

Just how people have/use/configure their dns

[–] Reawake9179@lemmy.kde.social 2 points 2 months ago* (last edited 2 months ago)

I use several providers as upstream for Adguard Home where my blocklists, regex blocks and DNS rewrites are. Via DNS-over-TLS URL for Android phones or DHCP with the IP of the DNS-server they get directed to it.

[–] iturnedintoanewt@lemm.ee 2 points 2 months ago

TrackerControl on android, pihole at home.

[–] Deckweiss@lemmy.world 2 points 2 months ago

I use portmaster

[–] adespoton@lemmy.ca 2 points 2 months ago

I use a mix: I’ve got hardcoded hosts files, default third party DNS provider, DoH providers (different for each browser), a PiHole, and a VPN-based DNS resolver that I can run on a per-app basis.

This way, I don’t trust a single provider to handle all my DNS traffic.

[–] adonkeystomple@lemmy.ml 2 points 2 months ago

I use NextDNS. I use it network wide on my home internet and also have it installed on all my devices.

[–] communism@lemmy.ml 1 points 2 months ago

I just use Mullvad VPN's default DNS servers (with ad blocking, tracker blocking, and malware blocking)

[–] x@niwego.com 1 points 2 months ago

@Freuks I use pfsense and force all users to use the DNS that I set on the router, this allows me to use pfblockerNG to block ads, telemetry, etc. Instead, users who use the VPN (MULLVAD) will use the MULLVAD DNS to avoid DNS Leak

[–] ded@lemy.lol 1 points 2 months ago
[–] terminhell@lemmy.dbzer0.com 1 points 2 months ago

DNS is handled by my rpi that's running pi-hole and wireguard. It has static entries for quad nine and it's secondaries. Router (generic rax10 Netgear, nothing fancy, and it's not obnoxious like the nighthawks) DNS points to rpi.

So any device, set with dhcp, will use that. One day I'll have a opnsense or similar box to go even further.

[–] haui_lemmy@lemmy.giftedmc.com 1 points 2 months ago

On the global level I use domain registrars like ionos or namecheap.

Local public, I use nginx proxy manager

Local private I use pihole and nginx proxy manager.

I see a pattern emerging. :)

[–] 4vr@lemmy.ca 1 points 2 months ago

AdGuard Pro which runs a local DNS server.

[–] TheBigBrother@lemmy.world -1 points 2 months ago* (last edited 2 months ago)

Several providers depending if it's home, mobile with VPN or not.

[–] GreenEngineering3475@lemmy.world -1 points 2 months ago

Single provide:Adguard on Device and OS level