As best I understand it, running a private caching DNS server is the only guaranteed increase in privacy for DNS. That server still has to reach out to the net the first time a request is made, but will resolve all subsequent requests locally. DNSSEC to a privacy respecting DNS provider like quad9 at 149.112.112.112 from your local DNS server. Mayhaps the best you could do for a roaming device like a phone is to run a decent VPN with an option to prevent DNS leaks.
this post was submitted on 23 Apr 2025
6 points (100.0% liked)
Privacy
37156 readers
376 users here now
A place to discuss privacy and freedom in the digital world.
Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.
In this community everyone is welcome to post links and discuss topics related to privacy.
Some Rules
- Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
- Don't promote proprietary software
- Try to keep things on topic
- If you have a question, please try searching for previous discussions, maybe it has already been answered
- Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
- Be nice :)
Related communities
much thanks to @gary_host_laptop for the logo design :)
founded 5 years ago
MODERATORS
The Android private DNS setting is just for a DNS-over-TLS resolver. The only thing about it that's private is your queries are encrypted en route to the server (traditonal DNS is cleartext). There's no filtering or blocking.
Some Android versions also have a hard coded DNS server set to Google, which based on my tinkering uses DNS-over-HTTPS. Not only is it annoying but I find it awfully insecure - even if you think you have stuff locked down it might just not be. I fixed that issue by blocking all DNS-over-HTTPS servers in my router, and also have all outgoing requests to port 53 redirected to my local resolvers (Pihole + Unbound).
Is there any privacy advantage or security concern over them ?
This is more of a philosophical question than anything. If you trust that they're not using your data for anything nefarious, I really advocate for RethinkDNS. It's a really great service and truly fills a need between the clear-net and running your own DNS.
If you don't trust RethinkDNS, etc, etc, to not do anything nefarious, then it's time to setup your own.
I always use rethinkdns and block bypassed dns, so i think now every dns is routed through rethinkdns and its impossible to cause a leak. Is that a myth as no dns app can provide that much privacy or security ?
I wouldn't say it's a myth or anything, but to say you're 100% secure from leak? Probably don't trust that feeling. Keep it at 99% secure with 1% suspicion.
How effective is an application firewall than a network level firewall like nextdns ?
Like most security software, it depends on how you use them. If you use firewalls effectively, even software based firewalls can work exceptionally well.
may i use a application firewall or network level firewall ?
You can do both. Software based requires you to setup something on each device you want to firewall. Network is a blanket and will affect all of your devices with only one setup. But either works just fine--just depends on how much effort you want to put into it, I guess.
When am using rethinkdns does it matter am using rethinkdns hosted on cludflare / fly.io or just using other dns services (like adguard, nextdns, mullvad, etc.) ? Then it will miss the entire point of using rethink ?
It really doesn't matter. It tells you the difference between the CDNs right on the usage page.