this post was submitted on 28 Oct 2023
119 points (96.1% liked)
Privacy
31998 readers
1172 users here now
A place to discuss privacy and freedom in the digital world.
Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.
In this community everyone is welcome to post links and discuss topics related to privacy.
Some Rules
- Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
- Don't promote proprietary software
- Try to keep things on topic
- If you have a question, please try searching for previous discussions, maybe it has already been answered
- Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
- Be nice :)
Related communities
Chat rooms
-
[Matrix/Element]Dead
much thanks to @gary_host_laptop for the logo design :)
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Pihole is most popular among self holsters. It has nice GUI, it’s capable and its solid. It’s basic in sense of DNS features. You need to use config files to customize from terminal and even then it’s limited.
Adguard in my experience has more advanced blocking features. DNS also allows you little more flexibility like wildcard records. You can have separate config for different clients (like guest/kids network blocking)
NextDNS is SaaS only. It has most advanced blocking features but free account only gets you limited queries monthly. You can choose to keep your logs on specific servers or not to keep at all… from privacy perspective it’s arguably worse because you have to trust another company but it’s a good middle ground. Self hosted still needs upstream DNS but it could be tunneled through VPN which would anonymize traffic. NextDNS is upstream dns and it can’t distinguish internal network source.
I would throw zenarmor to the mix https://www.zenarmor.com/. Paid home license costs 10$/month and allows 3 different profiles. It is more advanced as it sniffs all network packets and not only DNS. It’s not replacing dns. It has great reports/dashboards.
For best DNS capabilities I would recommend technitium https://technitium.com/dns/. It’s free. You have gui, dns blocking and full DNS capability with some advanced plugins. It’s not as fancy for dashboards like pihole or Adguard.
You would use combination of solutions and nextDNS could be your upstream if you don’t mind paying them. If privacy is your thing you want to have more generic upstream that everyone uses like quad9.
Wait, you tunnel queries to your upstream DNS through a VPN? Nice.
I'll try to take a look at Blocky when I have the time
I use Tailscale to do this and it works quite well. I also use it to keep my pihole always reachable from my devices so I can continue to use it as my DNS server even when my phone is on cell data, etc.
I run a secondary Pihole on an AWS host that is also linked by tailscale as a fallback
Thanks, this is a great idea.
Yes! I have a split DNS setup with technitium using advanced forwarding plugin. You can set different upstream based on client IP or subnet. So this way you can send to vpn DNS to prevent leaking.
Also you can have multiple piholes (poor mans setup) and have each configured filtering for dedicated VLAN. For instance be more strict for guest kids and less on adults net. Adguard can do that without having to have many instances but then Adguard can’t forward traffic based on origin IP. You can make any kind of logic and send different clients to different upstreams. As far as I know only BIND provides this functionality through views but it’s more complicated setup and no lovely GUI. You can always send all traffic through tunnel but then some results may be not ideal if you will be detected to be in different country and content will be served in other language. I think results will vary based on VPN endpoint. You don’t need to tunnel through vpn if you use DNS over https. It’s completely invisible to the ISP. VPN is more of a use case if you want to be consistent with your exit IP and DNS queries.
I was planning to use UnBound as my recursive resolver with Blocky behind it. As for filtering by IP, multiple instances with some simple Network ACLs should do the trick. Thanks for the idea.
The problem with UnBound is that it doesn't use TLS whilst connecting and communicating to root servers and the like. TBH your idea of using a VPN seems excellent with my use-case, and if I rotate my VPN server every now and then my ISP along with other trackers might just be lost trying to find and correlate my DNS queries to my identity. Thanks again, I need to think more about this.