Which DNS provider do you use?

[ghost]

Hi guys! 👋
I usually behave like a 'smart guy' and answer questions in other discussions, but I decided to create one myself. 😉

I'm curious which DNS providers do you use, because I've been looking into the topic lately and cannot make up my mind which option is the best.

Cloudflare (1.1.1.1) looks nice, because it's the fastest available, BUT...
they don't block ads or trackers and are a US based company (and their CEO had some connections with Departament of Homeland Security!)

If you want something more private, then there is Quad9 (with recently moved to Switzerland), but they only block malicious domains and have (in my case) 6x worse performance than Cloudflare.

Other alternatives I would consider are NextDNS and AdGuard.
They block ads and trackers, offer pretty similar performance (in my case) being about 3x slower than Cloudflare with some significant differences:

• NextDNS was established only about a year ago, so they are pretty immature service (however, they are Firefox’s Trusted Recursive Resolver)
• NextDNS is based in US, but allow you to keep your logs in Switzerland, EU or just turn off the analytics
• NextDNS is free up to 300,000 queries/month (which you can easily exceed)
• NextDNS allows you to add custom block-lists and also block specific URLs
• AdGuard was founded in 2009, began testing AdGuard DNS in 2016 and launched it in 2018
• AdGuard is based in Cyprus
• AdGuard is open-source (it doesn't change much because they can run anything they want on their servers, but that's definitely a good practice which demonstrates openness)
• AdGuard is completely free, but has no customization options whatsoever

As you probably noticed by now I'm deliberating between NextDNS and AdGuard and I'm curious if anyone here uses them and could say something about reliability/uptime/etc.

As for now I'm just using 1.1.1.1 and looking for an alternative...

UPDATE: Thank you all for your answers. I decided to give AdGuard a try. If I have a bad experience with them, I will keep you guys updated. 👍

UPDATE (04/14/2021): Today my "custom written" DNS over TLS .mobileconfig stopped working properly on my Mac and I had to switch to AdGuard's signed DNS over HTTPS profile... it's not a network issue on my end, because Android's native DoT implementation works just fine. I'm really puzzled and will dig into this issue in the near future. 😉

UPDATE (04/18/2021): Today DoT worked fine... just to stop resolving some sites again... I couldn't identify anything odd using Wireshark. Performance difference between DoT and DoH is practically negligible, but in theory DoT should be slightly faster (1) (2). Also, when using DoH, you need to be more cautious about your client's implementation as it could be 'leaking' your user-agent to the DNS server.
I would say that you probably would be better off just using DoH (at least on macOS; yet again I will emphasize that DoT on Android works correctly). And also, other DoT profiles seem to work correctly. Why when using AdGuard it happens only on some sites (only on Mac and only when using DoT) remains a mistery for me. Apart from that, I didn't encounter ANY downtimes and I can wholeheartedly recommend AdGuard DNS 👍

[cabbage]

I'm using a Pi-hole for blocklists/filtering etc. and OpenDNS as upstream because it offers DNSSEC

The Pi-hole setup is really easy. The website offers an easy to follow guide. You don't need a Raspberry Pi, you can run it on any server or even in a container (e.g. Docker)

But what I think is equally important is having that DNS server enforced via DHCP. So, that every device in your network get's the treatment. For some Google devices you need to set static routes from Google DNS addresses to your DNS address.

And with Pi-hole you can set specific block/allow-profiles to different devices. My GF's phone is the only device with (restricted) facebook access 😅

[beerisgood]

OpenDNS is very weak at malware blocking

[ghost]

The problem with Pi-hole is that in order to use it on your phone you have to connect to your home network via VPN...
that's what I wanted to avoid.
And with NextDNS you can also make profiles for each device individually.
Another problem with AdGuard or NextDNS that I found is that their signed Apple Configuration Profiles are DoH and I would have to create my own config files in order to use DoT.
Seems like I just cannot escape from setting up Pi-hole 😂

[cabbage]

OpenDNS is very weak at malware blocking

Sure, but that's what I got the pi hole for. I configured a bunch of lists exactly for this protection. I just chose OpenDNS for its DNSSEC support.

The problem with Pi-hole is that in order to use it on your phone you have to connect to your home network via VPN...

You could deploy your pi hole to a cheap hosted VPS and have access from anywhere.

[beerisgood]

. I just chose OpenDNS for its DNSSEC support.

All DNS provider do that.

[beerisgood]

Beside NextDNS, Quad9 is now fine too as they moved to Switzerland.

[ghost]

I am using the DNS server of my vpn provider in combination with adguard in a docker.
I am not interested in speed but always searching for Quality.
I noticed that nextdns has a nice blockfile for the socials;can be imported in Adguard to.