• bustling-noose 4 months ago

    The quality of dns always makes or breaks your internet experience. Personally at home unbound on opnsense with some blocking list has always worked really well for me. Openwrt with pihole also works fine. But the moment I have to use some recursive dns like this, I tend to not enjoy the experience.

    • udev4096 4 months ago

      It really depends. Cloudflare, quad9 or whatever upstream DNS probably has huge cache which makes resolving the queries quite fast. Although, local caching, like with unbound, is still going to be a lot better than any upstream resolver

      • SparkyMcUnicorn 4 months ago

        opnsense + ctrld[0] + unbound works great and automatically upgrades upstream requests to DoH (etc.)

        Was using NextDNS for a while, but stability and performance was a common issue. I like the idea of something like pihole, but ControlD is good, works anywhere, and is easy to manage.

        [0] https://github.com/Control-D-Inc/ctrld/wiki/pfSense-and-OPNs...

        • eudhxhdhsb32 4 months ago

          Are you just referring to ads not being blocked?

          A regular dns like quad9 + ublock origin on Firefox has been a consistently great experience for me.

          • bayindirh 4 months ago

            Probably the responsiveness of things. Firefox is very sensitive to DNS roundtrip time during daily use. A faster response time provides much better experience with it.

            I guess that ~25% of the "Firefox is slow" myth is coming from slow DNS response, if not higher.

            • eudhxhdhsb32 4 months ago

              That makes sense. Do you know the reason for Firefox being more sensitive? Is their DNS prefetching not as effective?

              • bayindirh 4 months ago

                I honestly have no idea. I observe it all the time, and note repeatedly everywhere when the discussion comes up, but never had the time to dig into the code and see how that all works.

          • buyucu 4 months ago

            does PiHole cache dns queries and deliver them faster?

            • woleium 4 months ago

              yes it caches, but it may not deliver them faster, depending on how good your previous dns service was and how good your hardware is.

              • buyucu 4 months ago

                just checked my pihole logs and almost all entries are answered by local cache. this is great.

          • cess11 4 months ago

            How censored are Quad9? I find it annoying when DNS providers try to cut me off from foreign news services so if I were to switch I'd like to know that they won't.

            • janandonly 4 months ago

              There are some references to known threats. But no specific list on their website that I can find.

            • 1in1010 4 months ago

              I've been trying nextdns.io out on my home router. So far it's been pretty good. Just about two weeks in now.

              • drcongo 4 months ago

                I've been using NextDNS without issue for several years now, I love it.

              • dengolius 4 months ago

                I have been using 9.9.9.9.9 for more than 5 years and this DNS has never failed me unlike Cloudflare.

                • gibibit 4 months ago

                  Oh yeah, the forgotten IPv5!!

                  • polski-g 4 months ago

                    Almost a decade of Cloudflare DNS not working with archive.is

                    They have the technical explanation but nobody cares. Your product doesn't work. It would be like a browser getting released that doesn't render anything except properly formatted XHTML -- your product must function at least as well as others on the market, even if it means making workarounds.

                  • tomzin0 4 months ago
                    • vollbrecht 4 months ago

                      So they provide full information on what happened, with all legal papers attached at the end, and a link to a site that gives you a list of all "blocked sites" that were affected by that order.

                      While the outcome is quite unfortunate, the way they provide all info here seems like a plus in my book.

                      If a state/entity comes after your org tomorrow, and you got to either fight legally or leave the market (like cisco in the story), what would you do?

                      • ratorx 4 months ago

                        The French legislation is targeting all major resolvers, Quad9 is not really any better or worse than others just for this.

                        A niche resolver may get away under the radar, but only because they were not targeted.

                        • fuzzy2 4 months ago

                          So then what do you use or recommend instead?

                          • udev4096 4 months ago
                            • accrual 4 months ago

                              I use a combination of 1.1.1.1, 9.9.9.11, and OpenDNS over DNSSEC via Pihole. Not sure if it's a "good" strategy, though.

                              • ratorx 4 months ago

                                I think the France legislation is aimed at most major resolvers. You might get away with more niche ones for now, but the only stable way is to self-host a recursive resolver (like unbound) that walks the DNS tree itself.
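To make concrete what "a recursive resolver that walks the DNS tree itself" means, and why a local cache ends up answering most queries (as noted upthread about the Pi-hole logs), here is an added example that is not code from any commenter, from unbound or from Pi-hole: a toy recursive resolver in Python over a constructed, in-memory mock of a root server, TLD servers and one authoritative server, with a TTL-aware cache. Every server name, zone, address and TTL below is made up for the example, and `FakeClock` exists only so TTL expiry can be shown without sleeping.

```python
import time


# Constructed mock of the DNS tree: a root server, two TLD servers and one
# authoritative server. Each server knows which child zones it delegates
# (referrals) and which names it can answer for, as (address, ttl_seconds).
# All names, addresses and TTLs are invented for this example.
MOCK_SERVERS = {
    "root": {
        "referrals": {"com.": "tld-com", "org.": "tld-org"},
        "answers": {},
    },
    "tld-com": {
        "referrals": {"example.com.": "auth-example"},
        "answers": {},
    },
    "tld-org": {"referrals": {}, "answers": {}},
    "auth-example": {
        "referrals": {},
        "answers": {
            "www.example.com.": ("192.0.2.10", 300),
            "mail.example.com.": ("192.0.2.25", 60),
        },
    },
}


class FakeClock:
    """Constructed clock so TTL expiry can be demonstrated without sleeping."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


class RecursiveResolver:
    """Walks the tree from the root on a cache miss; serves from cache until the TTL expires."""

    MAX_REFERRALS = 16  # guard against delegation loops in bad data

    def __init__(self, servers, clock=time.monotonic):
        self.servers = servers
        self.clock = clock
        self.cache = {}            # name -> (address, absolute expiry time)
        self.upstream_queries = 0  # number of server round trips made so far

    @staticmethod
    def _fqdn(name):
        return name if name.endswith(".") else name + "."

    def _referral(self, server, name):
        """Pick the most specific delegation that covers `name`, or None."""
        best = None
        for zone, target in server["referrals"].items():
            if name == zone or name.endswith("." + zone):
                if best is None or len(zone) > len(best[0]):
                    best = (zone, target)
        return best[1] if best else None

    def resolve(self, name):
        """Return (address_or_None, how); how is 'cache', 'recursion' or 'nxdomain'."""
        name = self._fqdn(name)
        hit = self.cache.get(name)
        if hit is not None and hit[1] > self.clock():
            return hit[0], "cache"
        self.cache.pop(name, None)  # expired entry: drop it and walk again
        server_id = "root"
        for _ in range(self.MAX_REFERRALS):
            self.upstream_queries += 1
            server = self.servers[server_id]
            if name in server["answers"]:
                address, ttl = server["answers"][name]
                self.cache[name] = (address, self.clock() + ttl)
                return address, "recursion"
            server_id = self._referral(server, name)
            if server_id is None:
                return None, "nxdomain"
        raise RuntimeError("too many referrals while resolving %s" % name)


if __name__ == "__main__":
    clock = FakeClock()
    resolver = RecursiveResolver(MOCK_SERVERS, clock=clock)
    for query in ("www.example.com", "www.example.com", "mail.example.com"):
        print(query, resolver.resolve(query), "round trips so far:", resolver.upstream_queries)
    clock.now = 301  # past the 300 s TTL of www, so the next lookup walks the tree again
    print("after TTL expiry:", resolver.resolve("www.example.com"))
```

The first lookup of `www.example.com` costs three round trips (root, `.com`, authoritative); the second is a cache hit at zero cost, which is the effect behind "almost all entries are answered by local cache". A real resolver such as unbound also caches the NS referrals and negative answers, so even a miss for a sibling name in an already-seen zone skips most of the walk; that is left out here to keep the walk visible.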

                              • prmoustache 4 months ago

                                Host your own dns resolver. It isn't hard.

                                • udev4096 4 months ago

                                  Hosting is never hard. It's about maintainability. How do you handle HA? How will you expose the service? What about backups? How efficiently are you running it? That's just the tip of the iceberg. For an average joe, this is not something they wanna deal with

                                  • prmoustache 4 months ago

                                    > (1) How do you handle HA? (2) How will you expose the service? (3) What about backups? (4) How efficiently are you running it?

                                    We are talking a DNS resolver at home or on a VPS.

                                    1. you don't need HA, if it dies you revert back to your ISP DNS while you fix it. And you always have a secondary resolver set up anyway.

                                    2. you just set up its ip address as first dns server on your home router and as DoH on your devices' browsers.

                                    3. you don't need to back up a local resolver, the only data it has is cache.

                                    4. a local DNS resolver serving the needs of a household needs very little resources.

                                    • udev4096 4 months ago

                                      You are doing a bare minimum job which is of course not what I intended. Your workloads don't seem to be that sensitive. If you can afford a few minutes of downtime, sure. I cannot afford downtime because lots of critical services will fail which will require manual intervention

                                    • DanAtC 4 months ago

                                      Bro it's a DNS server. People happily run Pi-holes without all that.

                                      • udev4096 4 months ago

                                        Good luck when something goes wrong, which it will. At the very least, you need HA for pi-hole which is easy to do with something like nebula-sync
