Privacy-oriented DNS providers review

In my recent post (1.1.1.1 and the inherent issue of DNS security) I outlined some of the difficulties in choosing the right DNS provider. That being said, here’s a short list of free DNS services to consider, if privacy is your priority.

1. Cloudflare’s 1.1.1.1

  • Pros: Clear privacy policy; Yearly audit by KPMG; Cloudflare’s business model does not revolve around personal data mining or advertising
  • Cons: Too early to tell – none so far

Remarks: I personally tested the service both on my machines and my router. Nothing to complain about so far: no downtime and I did not notice any performance degradation.

2. Uncensored DNS

  • Pros: Online since 2009; Operated by an individual, rather than a company (owner clearly specified); Absolutely no logs kept; Resolves any domain without discrimination
  • Cons: It’s a hobby-like project, so downtime can occur; Being a personal project, it’s unknown whether the provider has strong security measures; Servers only in Denmark (can be slow in other geographical locations)

Remarks: I tested the service on my machines in early April 2018. I did encounter some downtime; however, aside from one situation, the service worked quite well. What got me concerned is the lack of proof of security measures – which is a common theme across most DNS providers. However, with this provider you’re banking on security measures implemented by one person, rather than a corporation. IPv4 addresses are 91.239.100.100 and 89.233.43.71. IPv6: 2001:67c:28a4:: and 2a01:3a0:53:53::.

3. Verisign

  • Pros: Clear privacy policy; Claims not to sell data to third parties; No redirect queries
  • Cons: Only US-based servers (can be slow to respond in different geographical locations); Not the best reputation for clearly notifying users of data leaks

Remarks: As with any non-dispersed DNS provider, reaching servers in the US can cause some slow-down from non-US locations. Other than that, Verisign does not appear to have the best reputation when it comes to data breach disclosures: https://en.wikipedia.org/wiki/Verisign. IP addresses: 64.6.64.6 and 64.6.65.6.

4. DNS Watch

  • Pros: Community managed; Absolutely no logs kept
  • Cons: Servers only in Germany (can be slow to respond in other geographical locations)

Remarks: As with any community-driven project, it’s unclear how well they’re doing security-wise. Also, as of today, the service appears to have only one platinum-level outside sponsor, which has me concerned about the project being under-funded (no funds = less work on security maintenance). However, they do accept bitcoin donations. IPv4 addresses are 84.200.69.80 and 84.200.70.40. IPv6: 2001:1608:10:25::1c04:b12f and 2001:1608:10:25::9249:d69b.

5. Quad-9

  • Pros: Resolver checks requests against IBM’s threat database; security filtering built in; claims not to “store, correlate, or otherwise leverage” private information; 70 points of presence in 40 countries.
  • Cons: Funded by City of London Police, District Attorney of New York County (?); none other than that

Remarks: I’m not sure if routing traffic through any organization officially affiliated with a government entity is a good idea. However, it’s definitely an option. IP address: 9.9.9.9.

6. OpenNIC

  • Pros: Community-driven and open-source project; lots of servers to choose from; different levels of security to choose from; resolves additional, non-ICANN TLDs
  • Cons: You really don’t know who your DNS provider is; possible stability/uptime issues; can exhibit bandwidth issues depending on the server operator

Remarks: Seemingly a really good idea. However, you’re putting your trust in someone’s server, with no guarantee of SLA or accuracy of DNS answers. On the other hand, most open-source projects (if not all) come with no guarantee, so that’s nothing unusual. On a personal note, I tried to get DNS servers from the Czech Republic and Germany to work (I’m in Poland). No luck.
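Two of the properties weighed above, response time from your location and whether a resolver answers honestly with NXDOMAIN instead of redirecting non-existent names, can be checked directly. The script below is an added example, not code from the original post or from any of the providers: it sends a raw UDP query for a name under the reserved `.invalid` TLD to the IPv4 addresses listed above and reports latency, the response code and any A records returned (a NOERROR answer with an address for such a name means the resolver is redirecting queries). Resolver labels and the probe name are my own choices.

```python
import socket
import struct
import time
# IPv4 resolver addresses as listed in the post above (one per provider).
RESOLVERS = {"Cloudflare": "1.1.1.1", "UncensoredDNS": "91.239.100.100",
             "Verisign": "64.6.64.6", "DNS.Watch": "84.200.69.80", "Quad9": "9.9.9.9"}
def build_query(name, txid=0x1234):
    """Minimal DNS A/IN query with the RD (recursion desired) bit set."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)

def _skip_name(data, pos):  # offset just past a name; a 2-byte pointer ends it
    while data[pos] != 0:
        if data[pos] & 0xC0 == 0xC0:
            return pos + 2
        pos += data[pos] + 1
    return pos + 1

def parse_response(data):  # -> (rcode, [A record addresses])
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", data[:12])
    pos = 12
    for _ in range(qd):  # skip the echoed question section
        pos = _skip_name(data, pos) + 4
    ips = []
    for _ in range(an):
        pos = _skip_name(data, pos)
        rtype, _, _, rdlen = struct.unpack(">HHIH", data[pos:pos + 10])
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(data[pos + 10:pos + 14]))
        pos += 10 + rdlen
    return flags & 0x000F, ips

def hijacks_nxdomain(rcode, ips):  # NOERROR + an address for an impossible name = redirect
    return rcode == 0 and len(ips) > 0

def probe(server, name, timeout=2.0):  # (latency_ms, rcode, ips), or None on timeout
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.monotonic()
        try:
            sock.sendto(build_query(name), (server, 53))
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return None
    return ((time.monotonic() - start) * 1000, *parse_response(data))

if __name__ == "__main__":  # .invalid is reserved (RFC 6761): NXDOMAIN is the honest answer
    for label, ip in RESOLVERS.items():
        res = probe(ip, "probe-does-not-exist.invalid")
        print(label, ip, res, res and hijacks_nxdomain(res[1], res[2]))
```

A timeout (None) on repeated runs is the downtime the remarks above describe; rcode 3 with no addresses is the expected honest answer, and rcode 0 with an address flags a redirecting resolver.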

Others:

OpenDNS: Service provided by 25 data centers around the globe. While that sounds nice, OpenDNS used to be an ad-generating DNS service, and it has since been acquired by Cisco.

Google’s DNS: Claims to keep logs for only 24 hours and not to correlate your DNS queries with any other Google services. However, I’m not aware of any audit that actually proves these points.

…and numerous others which I did not have the opportunity to review.
