Which DNS Service to Utilize for Privacy (& How to Set it Up On Your Home Network)

By SB •  Updated: 11/23/22 •  7 min read

You might not think about DNS services as part of your privacy strategy, but Domain Name Servers (DNS) are a huge privacy (and censorship) issue since most people use defaults on all devices.

Cloudflare and Google DNS are no alternatives for privacy, either.

Why is DNS important, privacy-wise?

The service that handles your DNS requests knows all the pages you visit. Providers are known to sell this data for profit or surveillance. The good news is that DNS service is easy to change.

Look into getting a VPN with its own DNS. I use PIA (privateinternetaccess, affiliate link) as an affordable VPN. Look for a service where each VPN server runs its own DNS and has built-in leak protection for all platforms, and is log-free. Do your own research on the best platform for you. Particularly look for one based in a country that does not have log retention laws.

Note on How to Screw Up When Utilizing a VPN: as soon as you sign into any of your personal accounts, i.e. google or youtube account, email, bank account, etc., your identity has been linked to whatever internet service (IP address, VPN) you’re utilizing.

A VPN is only as effective as your awareness and your online practices; don’t reveal personal information when browsing “anonymously” — doing so defeats the purpose of de-linking your web service from your identity.

Option: NextDNS

DNS resolution is the core feature of the NextDNS platform. DNS refers to the domain name system, the decentralized naming system linking IP addresses to domain names. This is how a simple query typed into your web browser, e.g., startpage.com, takes you to the right website. Your default Internet Service Provider’s DNS resolver knows the correct IP address for startpage.com and directs your browser requests there.

Without DNS resolvers, you would have to type out strings of IP addresses. Thanks to the DNS system, all you need is a domain name. Simple and easy to remember.

NextDNS is one of many dedicated DNS resolution services that you can use in place of your ISP’s default provider. Utilizing a DNS provider assigned by your ISP can mean your data is being shared or sold without your permission.

NextDNS markets itself as a privacy-focused DNS resolver. The platform allows users to erase any logs of web queries as soon as they reach the server. This means no one can recover your web browsing history, thus protecting your privacy as there is no data to lose in a privacy breach.

Setting up NextDNS for Hardening Your Home Network

There is a free version of NextDNS; it has a limit of 300,000 queries per month, which active internet users could easily surpass. The premium plans offered by the NextDNS platform are Pro, Business, and Education. Select whichever plan works for your needs. Their premium plans are priced reasonably

NextDNS conducts the DNS queries required in order to navigate your internet traffic, but it also includes filtering options.

How to create filtering within NextDNS:

First, create a new free account at my.nextdns.io/signup.

Any masked email service should be accepted, and no payment source is required. You can enter an alias name if you so desire.

As mentioned, the free tier allows 300,000 monthly queries at no cost. After registration, you should be taken to your user portal which should display your unique DNS addresses, similar to ” 17a345.dns.nextdns.io”.

You can now use this address, or the other configuration options, to use their DNS service and filtering options within Firefox or Android devices. This is a great post showing how one user found NextDNS worked for his use-case.

Within Linux, configure a few more steps.

In Terminal, enter the following

.sh -c “$(curl -sLhttps://nextdns.io/install)”

Continue through the installation process.

When prompted for your Configuration ID, provide the unique identifier from NextDNS,17a345.

Answer “Y” to all questions with the exception of “Setup as router?” to which answer “N”.

Then launch the service with the following command in Terminal.

nextdns start

The service is now running on your Linux computer, and NextDNS is providing the DNS query service.

To change log settings in NextDNS

To see if your computer is sending data to places it shouldn’t, go back to the NextDNS portal and make sure logging is enabled in the settings menu. If it is enabled, click on the “Logs” tab and monitor the connections being sent from the computer.

If you are on Linux, most likely your operating system is not “calling home” about your usage. If you were on a macOS or Windows system, however, it would be full of calls back to those companies sharing data about anything you do.

Change blocklists for ads in NextDNS

You can also enable “Blocklists” under the Privacy tab. This will block known annoyances such as ads, trackers, and analytics. Select the Energized Ultimate blocklist for best blockage of unwanted resource drainers and attention wasters. You can also block any individual outgoing connection you want. If you see that an installed application is sending telemetry to their servers about your usage, add that domain to the “Deny list” in your NextDNS portal. There are many options here to explore to harden up your home network.

Your computer should now be blocking outgoing connections as you have set.

Reboot and test

Reboot your machine and watch the log within NextDNS. The NextDNS utility should launch on its own, hidden in the background. You will likely notice a few calls to your operating system servers, checking for updates. If you were on a Microsoft or MacOS operating system, you would have seen dozens of connections sending various data to Apple and iCloud servers, which would be stored forever and associated to the Apple ID and serial number of your device. Thankfully, Linux does not do this.

You also might consider whether you need DNS filtering at all, if you are on a Linux machine. If you are on an Apple or Microsoft spyware machine, now is a good time to switch anyway.

If you run Linux and are satisfied that nothing on your system is sending malicious data to third parties, you may want to remove NextDNS. Simply enter the previous installation command and choose “r” to remove it completely.

How to Use NextDNS to Monitor Your Network

I have Linux on my daily driver but I leave the NextDNS utility installed and enabled. I allow NextDNS to serve as my DNS querying and filtering service. If I ever need to disable it, typing the following command within Terminal turns it off.

nextdns stop

A great way to monitor your network is by inspecting any new programs you install on your computer — or any devices you connect to your network.

When you install a new application, re-enable the NextDNS logging capability within their portal and monitor the logs to make sure there is nothing which needs to be manually blocked. Once satisfied, disable logging within the NextDNS portal.

Odds are you will not find an open source application in Linux which needs to be blocked. If you are on Windows or use proprietary code, you might require a software application which is sending telemetry to various servers. Block what you can and see if your application continues to function properly.

There is no harm in allowing NextDNS to always run in the background.

In Summary

Since I have a home firewall running pfSense handling my DNS traffic, I have less need for NextDNS on the machine itself, but I like the filtering of various online annoyances. Every situation is unique, so here I am outlining another option. Experiment with NextDNS and see if it is appropriate for your setup.

Also, I use NextDNS for content filtering which eliminates most of the need for uBlock Origin.

In summary, NextDNS is running in the background of my Linux machine at all times. It conducts my DNS queries and filters many unwanted connections as I browse the internet. It is also there to investigate any suspicious activity from within applications.

See also:

SB

I've been practicing OSINT and utilizing Linux as my daily operating system for over twenty years. The tools are always changing and so I'm always learning, but helping you understand the value of protecting your own data remains at the forefront of everything I do.