Do you use one or several providers?
Do you use it at Browser, Device/OS, Router level?
What's your configuration ?
I use Control-D, both on Android, through DNS over TLS, and at the router level, so that I'm protected from ads and malware, no matter whether I'm on cellular data or on Wi-Fi.
DHCP at the router that gives out these two filtered DNS servers from AdGuard:
- 94.140.14.14
- 94.140.15.15
https://adguard-dns.io/en/blog/adguard-dns-new-addresses.html
When using the network-wide VPN configuration of my firewall, I also use OPNSense to enforce that all devices connect to my self-hosted Pi-Hole, including redirecting DNS packets that are sent to DNS servers other than my Pi-Hole IP. There's a pretty cool guide for this: https://forum.opnsense.org/index.php?topic=9245.0
When running a VPN client on a device, I just use the VPN to manage DNS settings.
Both Mullvad and IVPN have very solid DNS settings within their desktop clients. Proton VPN unfortunately lags behind in this regard. That's why I never use any Proton VPN clients on desktop, and rely on OPNSense, if I want to use Proton.
What about Mulls mobile DNS settings? Are they worth their salt or should one configure some other sort of setup?
If you use iOS, you have no other option. But on Android I would recommend just using the system Private DNS (DoT) instead.
/etc/unwind.conf
```
block list "/var/db/unwind_blocklist"
forwarder {
	X.X.X.X port X DoT
	X.X.X.X port X DoT
}
preference { DoT }
```
unwind_blocklist is generated with this script I wrote:
```sh
#!/bin/sh
# Blocklists for unwind(8)

blocklist=/var/db/unwind_blocklist

# Create the list file on first run: mode 660, group _unwind.
[ ! -f $blocklist ] && \
	(umask 117; touch $blocklist && chgrp _unwind $blocklist)

# Fetch the upstream lists, append a few extra domains, then filter:
# skip lines the pattern excludes, keep the hostname column of hosts-style
# entries, lowercase everything and de-duplicate.
{
	ftp -V -o - \
		https://blocklistproject.github.io/Lists/alt-version/everything-nl.txt \
		http://winhelp2002.mvps.org/hosts.txt \
		http://sysctl.org/cameleon/hosts \
		https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt \
		https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt \
		https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/android-tracking.txt
	echo twitter.com
	echo www.twitter.com
	echo www.x.com
	echo x.com
	echo facebook.com
	echo www.facebook.com
} | awk -safe '
!/^M|#|(^|\.)[[:blank:]]*$|^definitely_not_porn$/ {
	if ($1 ~ /127\.0\.0\.1|0\.0\.0\.0/) { $0 = $2 }
	if ($0 ~ /[[:upper:]]/) { print tolower($0) } else { print $0 }
}
' | sort -u >$blocklist

# Reload unwind so it picks up the new list.
rcctl restart unwind
```
Regenerates occasionally with cron.
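An added example, not part of the post above: a variant of the filter step that strips CRLF line endings, keeps only syntactically valid hostnames, and swaps the new list in only when it has a minimum number of entries, so a failed download cannot leave the resolver with just the hand-added domains. The function names, the sample data, the threshold and the `fetch_lists` helper are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's script. Function names, sample data and the
# minimum-entry threshold are assumptions.

# normalize: raw list lines on stdin -> unique lowercase hostnames on stdout.
normalize() {
	tr -d '\r' | awk '
	{
		sub(/#.*/, "")          # drop whole-line and trailing comments
		if ($1 == "127.0.0.1" || $1 == "0.0.0.0") host = $2; else host = $1
		host = tolower(host)
		sub(/\.$/, "", host)    # drop a trailing root dot
		if (length(host) > 253 || host ~ /^[0-9.]+$/) next   # too long, or an IP
		if (host !~ /^[a-z0-9_]([a-z0-9_-]*[a-z0-9_])?(\.[a-z0-9_]([a-z0-9_-]*[a-z0-9_])?)+$/) next
		print host
	}' | sort -u
}

# install_list SRC DEST MIN: rename SRC over DEST only if SRC has at least MIN
# entries; otherwise discard SRC, keep DEST and return 1.
install_list() {
	src=$1 dest=$2 min=$3
	count=$(wc -l <"$src" | tr -d ' ')
	if [ "$count" -lt "$min" ]; then
		echo "only $count entries, keeping current list" >&2
		rm -f "$src"
		return 1
	fi
	chmod 660 "$src" && mv -f "$src" "$dest"
}

# Constructed sample input (CRLF line, comment, localhost, junk, duplicate).
sample() {
	printf '0.0.0.0 Ads.Example.COM\r\n# comment\n127.0.0.1 localhost\n'
	printf 'tracker.example.net # note\nbad_host!.example\nads.example.com.\n'
}
sample | normalize   # prints the two hostnames that survive

# Wiring on the system from the post (fetch_lists is a hypothetical function
# holding the ftp/echo group); the temp file sits beside the live list so mv
# is a same-filesystem rename:
#   tmp=$(mktemp /var/db/unwind_blocklist.XXXXXX) || exit 1
#   fetch_lists | normalize >"$tmp" && chgrp _unwind "$tmp" &&
#       install_list "$tmp" /var/db/unwind_blocklist 1000 && rcctl restart unwind
```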
DNS is handled by my rpi that's running pi-hole and wireguard. It has static entries for quad nine and its secondaries. Router (generic rax10 Netgear, nothing fancy, and it's not obnoxious like the nighthawks) DNS points to rpi.
So any device, set with dhcp, will use that. One day I'll have an opnsense or similar box to go even further.
I use several providers as upstream for Adguard Home where my blocklists, regex blocks and DNS rewrites are. Via DNS-over-TLS URL for Android phones or DHCP with the IP of the DNS-server they get directed to it.
I use NextDNS. I use it network wide on my home internet and also have it installed on all my devices.
I just use Mullvad VPN's default DNS servers (with ad blocking, tracker blocking, and malware blocking)