Choosing a Public DNS Resolver

Public Resolver Choices

  • Many favor Quad9 (9.9.9.9) or Cloudflare (1.1.1.1); some combine Quad9 primary with Cloudflare or Google (8.8.8.8) as fallback.
  • Quad9: praised for privacy and DNSSEC support on all endpoints, but criticized for malware-blocking false positives (e.g., trackers, file-sharing, even large sites).
  • Cloudflare: seen as fast and robust; criticisms include occasional failures (NXDOMAIN on valid domains), lack of EDNS client subnet (ECS), and concerns about US surveillance laws.
  • Google DNS: used despite privacy reservations because it’s “fast, no blocking, never goes down” in some regions.
  • Other options mentioned positively: NextDNS (high configurability, integrates with VPNs), DNScrypt resolvers, regional services like Canadian Shield.

Self-Hosted Resolvers

  • Strong contingent runs local recursive resolvers (Unbound, PowerDNS/dnsdist, AdGuard Home, dnsmasq) for privacy, control, and reliability.
  • Techniques include:
    • DNS over HTTPS/TLS/QUIC frontends.
    • Heavy caching, prefetch, and “serve-expired” to survive upstream outages.
    • Pre-caching top domains via cron; some even intentionally generate “noise” traffic.
    • Large local blocklists for ads, trackers, malware, phishing variants, and homoglyph/unicode domains.
  • Downsides noted: more uncached queries (slower first lookups), root/authoritative traffic load, complexity, and lack of encryption to root servers unless tunneling via DoH/DoT/DoQ or VPN/Tor.

Ad/Malware Blocking Tradeoffs

  • DNS-level ad/malware blocking is valued for speed, reduced clutter, and privacy, especially on mobile apps.
  • Repeated concern about false positives breaking sites, games, or file-sharing; some revert to non-filtered DNS or insist on resolvers where they can manage allowlists.

Performance, ECS, and CDNs

  • ECS support is highlighted as a missing but important dimension: without it, users may be routed to distant CDN nodes (slower YouTube/Google downloads, etc.).
  • Some argue ISP DNS often gives best CDN locality; others prefer third-party DNS plus local caching and ad-blocking.
  • Anycast, BGP routing quirks, and ISP peering disputes complicate simple “nearest is fastest” assumptions.

Privacy, Censorship, and Captive Portals

  • Encrypted DNS (DoH/DoT/dnscrypt) is widely recommended to hide queries from ISPs, though SNI/ECH status is debated.
  • Regulatory context (e.g., GDPR vs. FISA 702) influences trust decisions.
  • Public Wi‑Fi captive portals remain painful when using fixed custom DNS; some rely on OS captive-portal mechanisms or direct IP access as workarounds.