this post was submitted on 19 Apr 2026
39 points (95.3% liked)

Ask Lemmy


My ISP's DNS lookup takes literally one second every time, so I went with Quad9, it really sped up my browsing. Do you know any other alternatives?

all 45 comments
[–] scytale@piefed.zip 9 points 3 weeks ago

Mullvad has a free DoH service.

[–] tal@lemmy.today 9 points 3 weeks ago* (last edited 3 weeks ago) (1 children)

You could probably just piggyback off some random DNS server out there that permits public queries. I doubt that most domains are logging everything.

$ egrep "^[a-z]+$" /usr/share/dict/words|shuf|sed "s/$/.com/"|xargs -n1 host -t ns|grep "name server"|cut -d" " -f 4|awk '!seen[$0]++'|xargs -n1 host www.slashdot.org|awk '/^$/ {f=0} /has address/ {f=1} /^Name:/ {if (f) {print}}'
Name: ns2.afternic.com.
Name: ns1.bluehost.com.
Name: ns2.bluehost.com.
Name: ns-570.awsdns-07.net.
Name: ns1.sedoparking.com.
Name: ns02.cashparking.com.
Name: ns01.cashparking.com.
Name: ns1.namefind.com.
Name: ns2.namefind.com.

etc.

That'll look up the DNS server for a bunch of domains and, omitting duplicates, list all of the ones that can resolve "www.slashdot.org", which I imagine likely means that they'll also probably be willing to resolve other domains.

EDIT: Modified the above command line to randomize the order of domains it tries so that if multiple people use this, everyone doesn't just grab the same DNS server.

[–] cracked_void@kbin.earth 2 points 3 weeks ago

This looks interesting for some scenarios.

[–] GreenShimada@lemmy.world 9 points 3 weeks ago (1 children)

There's not a ton - however you found Quad9 would have told you about the others.

https://www.privacyguides.org/en/dns/

[–] cracked_void@kbin.earth 4 points 3 weeks ago (1 children)

Huh, I didn't know AdGuard also runs a DNS service. Who is AdGuard, anyway? Their stuff seems so corpo.

[–] GreenShimada@lemmy.world 3 points 3 weeks ago (2 children)

I wouldn't use theirs based on being originally Russian and then moving to Cyprus. Corpo-sketch.

[–] cracked_void@kbin.earth 3 points 3 weeks ago

That's what I found out, too. Reminds me of Telegram.

[–] unexposedhazard@discuss.tchncs.de 6 points 3 weeks ago (1 children)

The concept of a privacy-friendly DNS resolver is a paradox. You can hope that they don't log your traffic, but you will never know.

[–] cracked_void@kbin.earth 6 points 3 weeks ago (1 children)

Exactly, but isn't it better to have tried and fail than to not try at all?

[–] unexposedhazard@discuss.tchncs.de 3 points 3 weeks ago (1 children)

Sure yeah, but I think the better argument for switching is decentralization. It's dangerous for everyone to depend on one or a few monopolistic DNS providers. That's also why you shouldn't use Cloudflare.

[–] cracked_void@kbin.earth 2 points 3 weeks ago (1 children)

You're totally right. In the long run I'll probably get myself some self-hosted solution, but right now I want to focus on other things. Also, I stay away from Cloudflare as far as I can. I don't trust them.

[–] muxika@piefed.muxika.org 1 points 3 weeks ago

What would be a better alternative that you'd recommend to hide a public IP? I'm familiar with self-hosting, so I could deploy the necessities.

[–] hendrik@palaver.p3x.de 5 points 3 weeks ago

Depends on where you're at. If that's Germany or close to it, we have the Digitalcourage DNS server, OpenNIC. I haven't tested anything else but there's also dnsforge.de, Digitale Gesellschaft in Switzerland, and of course Quad9 who operate globally.

[–] warm@kbin.earth 5 points 3 weeks ago

Mullvad is probably the most trustworthy one.

[–] Danitos@reddthat.com 5 points 3 weeks ago

I use NextDNS, which lets you set filtering rules.

[–] Appoxo@lemmy.dbzer0.com 5 points 3 weeks ago (1 children)
[–] kalpol@lemmy.ca 5 points 3 weeks ago (2 children)

The only downside here is that the root servers don't use TLS so your queries are plain text.

[–] northernlights@lemmy.today 2 points 3 weeks ago

Which is funny when we're looking for "privacy-friendly"

[–] Link@rentadrunk.org 2 points 3 weeks ago (2 children)

Why does that matter when your ISP will know the IP of the server, and a reverse lookup probably makes it very easy to find what domain you visited?

[–] khannie@lemmy.world 2 points 3 weeks ago

Reverse lookups are comparatively time consuming and a single IP may resolve to many domain names.

[–] cracked_void@kbin.earth 1 points 3 weeks ago

It's not the ISP I'm most worried about, although, in regard to their TOS, that one seems to go south, too.

[–] hexagonwin@lemmy.today 4 points 3 weeks ago

I just use Quad9 too, or Firefox's built-in DoH to Cloudflare since I'm a bit lazy... (though it's very likely not a good option)

[–] mech@feddit.org 3 points 3 weeks ago
[–] kyub@discuss.tchncs.de 3 points 3 weeks ago* (last edited 3 weeks ago)
  • mullvad.net
  • dnsforge.de
[–] neidu3@sh.itjust.works 3 points 3 weeks ago (1 children)

I always used 4.2.2.2 and 4.2.2.1. Not sure how privacy-friendly they are, but probably miles more than 8.8.8.8.

[–] Balinares@pawb.social 3 points 3 weeks ago (1 children)

I'll admit I'm not sure what the threat model is with 8.8.8.8.

[–] neidu3@sh.itjust.works 6 points 3 weeks ago (1 children)

Well, it belongs to Google, so I assume they use it for logging which addresses do which lookups, and correlate this with their other fingerprinting databases. I very much doubt they run a public DNS just to be nice.

[–] Balinares@pawb.social 1 points 3 weeks ago

I mean, that'd be a major GDPR breach, be hard to extract any signal from because queries will usually be coming from a relay or from behind a NAT so you can't tell who the query even originates from, and DNS is cached heavily too so you only get a small fraction of the queries anyway. I'm not seeing a way the calculus works in favor, basically.

OTOH the question of why they'd even run a public DNS is interesting, yeah. Running a public DNS is cheap and helps the Internet work better, and they make more money when the Internet works better since that adds up to more page views. Less charitably, though, it's possibly just a thing from back when they were an engineering company first and foremost and did that kind of stuff, and now they can't turn it off without breaking a lot of things and causing a lot of costly anger.

[–] sturmblast@lemmy.world 3 points 3 weeks ago (1 children)
[–] Kushan@lemmy.world 7 points 3 weeks ago (2 children)

You still have to perform lookups by reaching out to the root resolvers.

[–] WhyJiffie@sh.itjust.works 2 points 3 weeks ago

and all the authoritatives

[–] Appoxo@lemmy.dbzer0.com 1 points 3 weeks ago (1 children)

Hm...That's just how it works though.

[–] Kushan@lemmy.world 1 points 3 weeks ago

Exactly, hence why it's very difficult to run a truly "private" DNS. Your best bet would be to run your own resolver on a VPS or something.

[–] fistac0rpse@fedia.io 2 points 3 weeks ago (1 children)
[–] cracked_void@kbin.earth 4 points 3 weeks ago

Nothing, I just want to have alternatives in case something goes belly up.

[–] ZoteTheMighty@lemmy.zip 2 points 3 weeks ago (1 children)

I've been using a PiHole for years now. It's super easy to set up. In practice, it's been the most reliable thing I keep on a pi. Technically, you don't need to host it on a raspberry pi, but you should host it on an always-on computer on your network.

Kind of a different way of looking at security; you can't guarantee someone's not keeping DNS logs, but you can guarantee that your DNS logs on a hard drive in your house aren't being shared.

[–] WhyJiffie@sh.itjust.works 3 points 3 weeks ago (1 children)

You still need to point the Pi-hole somewhere, though.

[–] ilillilillilillililli@lemmy.world 0 points 3 weeks ago (1 children)

Unbound is a better solution. It queries the root, TLD, and authoritative servers recursively. Then it caches the response (for a quicker response next time). It works flawlessly with Pi-hole.

https://nlnetlabs.nl/projects/unbound/about/
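To make concrete what Kushan and WhyJiffie mean by "you still have to reach out to the root and all the authoritatives", and what the comment above describes Unbound doing (walk root, TLD, authoritative; cache the answer), here is an added example that is not from the thread, from Unbound or from Pi-hole. It simulates an iterative resolver over a constructed in-memory "network" (the server names and the 198.51.100.x / 203.0.113.x addresses are placeholders from the documentation ranges, not real servers), records every hop it sends, and serves the second lookup from its TTL-bounded cache. It also builds a real RFC 1035 query packet and reads the queried name straight back out of the bytes, which is the "plain text" point kalpol makes about the hops a recursive resolver performs on your behalf: those exchanges are unencrypted UDP, so an on-path observer sees the name even if your stub-to-resolver leg uses DoH or DoT.

```python
"""Added example, not code from the thread or from any of the projects it names.
Simulates how an iterative resolver (as Unbound is described above) walks
root -> TLD -> authoritative, caches the answer, and what one hop looks like on the wire.
"""
import struct
import time

# Constructed zone data for three fake servers. Addresses are documentation
# placeholders (TEST-NET-2 / TEST-NET-3), not real DNS servers.
ROOT_IP = "198.51.100.1"
NETWORK = {
    "198.51.100.1": {  # fake root server: only knows who serves .org
        "org.": {"NS": ["a.tld.example."], "glue": {"a.tld.example.": "198.51.100.2"}},
    },
    "198.51.100.2": {  # fake .org TLD server: refers slashdot.org to its nameserver
        "slashdot.org.": {"NS": ["ns1.example.net."], "glue": {"ns1.example.net.": "198.51.100.3"}},
    },
    "198.51.100.3": {  # fake authoritative server for slashdot.org
        "www.slashdot.org.": {"A": "203.0.113.10", "TTL": 300},
    },
}


class IterativeResolver:
    """Resolves names by following referrals from the root, like a recursive resolver does."""

    def __init__(self, network, root_ip, now=time.time):
        self.network = network
        self.root_ip = root_ip
        self.now = now                # injectable clock so cache expiry can be tested
        self.cache = {}               # qname -> (address, expiry timestamp)
        self.trace = []               # (server_ip, qname) for every query actually sent

    def _ask(self, server_ip, qname):
        """One exchange with one server. On the real Internet this is a cleartext UDP/53 packet."""
        self.trace.append((server_ip, qname))
        zone = self.network[server_ip]
        rec = zone.get(qname)
        if rec and "A" in rec:                       # authoritative answer
            return ("A", rec["A"], rec["TTL"])
        labels = qname.rstrip(".").split(".")
        for i in range(len(labels)):                 # closest enclosing delegation this server knows
            suffix = ".".join(labels[i:]) + "."
            rec = zone.get(suffix)
            if rec and "NS" in rec:                  # referral: go ask the delegated server
                return ("NS", rec["glue"][rec["NS"][0]])
        return None

    def resolve(self, qname):
        """Return (address, served_from_cache)."""
        qname = qname if qname.endswith(".") else qname + "."
        hit = self.cache.get(qname)
        if hit and hit[1] > self.now():
            return hit[0], True
        server = self.root_ip
        for _ in range(10):                          # bound the referral chain
            reply = self._ask(server, qname)
            if reply is None:
                raise LookupError(f"no answer or referral for {qname}")
            if reply[0] == "A":
                _, addr, ttl = reply
                self.cache[qname] = (addr, self.now() + ttl)   # honour the TTL
                return addr, False
            server = reply[1]
        raise LookupError("referral loop")


def build_query(qname, qid=0x1234):
    """Bytes of an RFC 1035 A/IN query exactly as it travels over UDP port 53: header,
    length-prefixed labels, root label, QTYPE, QCLASS. Nothing here is encrypted."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)   # flags 0x0100 = RD, QDCOUNT=1
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.rstrip(".").split("."))
    return header + name + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def qname_from_query(pkt):
    """Read the question name back out of a query packet, as any on-path observer can."""
    pos, labels = 12, []
    while pkt[pos]:
        n = pkt[pos]
        labels.append(pkt[pos + 1:pos + 1 + n].decode("ascii"))
        pos += n + 1
    return ".".join(labels) + "."


if __name__ == "__main__":
    r = IterativeResolver(NETWORK, ROOT_IP)
    print(r.resolve("www.slashdot.org"))   # walks three servers
    print(r.resolve("www.slashdot.org"))   # cache hit, no new hops
    for hop in r.trace:
        print("queried", hop[0], "for", hop[1])
    pkt = build_query("www.slashdot.org")
    print(len(pkt), "bytes on the wire; name visible in clear:", qname_from_query(pkt))
```

The trace is the part worth looking at: a Pi-hole that forwards to an upstream sends one query and trusts that upstream with the name; a resolver like this one sends a query to each of the root, TLD and authoritative servers itself, which is why self-hosting moves the trust rather than removing it.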

[–] WhyJiffie@sh.itjust.works 1 points 3 weeks ago

That, or Technitium DNS, which can do the same with a web admin interface.

[–] TheLugal@lemmy.world 1 points 3 weeks ago

I use DNS.watch and oisd in conjunction with a locally hosted caching DNS proxy server.

[–] ZeroGravitas@lemmy.dbzer0.com -3 points 3 weeks ago (1 children)

Cloudflare (1.1.1.1) is pretty good.

Of course, if you are self hosting, have a look at Unbound - also works nicely in combination with PiHole.

[–] bjoern_tantau@swg-empire.de 8 points 3 weeks ago (1 children)

Cloudflare must be an NSA honeypot. It must be. Cloudflare has immense power to man-in-the-middle basically every website on the planet.

And if they aren't directly run by the NSA they probably have at least one agent working undercover. Probably from basically every other spy agency on the planet as well.

Can confirm the Cloudflare office in the NSA basement is right next to the NordVPN office and that math prof that solved the math problem of AES decryption who they have there chained to a radiator