Has there been any objective analysis done on which is the best DoH string to use for the best possible privacy and security?
I've been advised to use "https://dns.quad9.net/dns-query" as that's one of the best DoH services to use. I can't seem to find any specifics about this like what is actually blocked like ads, trackers, malware, and how it is better than other DoH providers. Why is Quad9 commonly recommended?
I've been using Mullvad VPN for the last few months and I've been pretty satisfied with it. There are also specifics on their free DoH on the web. If one doesn't subscribe to Mullvad VPN, then that seems like a good option.
My understanding of how a VPN works is that everything is encrypted. If I use ProtonVPN with the Beryl AX, I would assume it would use Proton's own DNS. The Beryl AX has its own DNS page where I can select another provider. Given a VPN's encryption, how does this all work? How is the Beryl AX able to use ProtonVPN, but ignore Proton's DNS and use another DoH like Quad9?
My understanding is to use a multilayer approach to deal with ads, tracking, and malware. I'm trying to understand how this all works and whether there are unnecessary complications. In other posts, I have mentioned I use ControlD, but I guess I could use any other DoH provider. Let's say I use Hagezi Pro at the DNS level, is it even necessary to enable Hagezi Pro in AdGuard Home? Is it the same thing and unnecessary duplication?
As far as I know, Quad9 just does not record your IP address and corresponding DNS requests to protect your privacy, while also helping with network threats/malware.
But it does not provide features such as ad and tracker filtering.
Since Quad9 does not provide ad or tracker protection, Mullvad's DNS may be a more suitable option for you.
As mentioned earlier, unencrypted DNS, UDP 53, can be easily modified.
Therefore, VPN providers such as Mullvad and ProtonVPN may redirect unencrypted DNS requests to their DNS servers to enable features such as advertising, tracker, and malware protection.
At the same time, VPN encrypts only the traffic that passes through the tunnel.
Therefore, before entering the VPN (in your LAN network, at the Beryl AX), unencrypted DNS can still be processed, such as redirecting it to use encrypted DNS like a DoH server at the Beryl AX.
Once DNS is encrypted, even VPN service providers cannot change it.
AdGuard Home also works at the DNS level.
So if ControlD is already able to use the same filter list, then there is no need to enable AdGuard Home.
I'm not sure if I understand you, @will.qiu. Let's pretend AGH is disabled. In the DNS page, I have DoH enabled and set it to use Quad9. In the VPN page, I have Proton enabled. If I understand you properly, Proton likely has its own DNS and will use it. Yet, I enabled DoH Quad9. How does that factor in with the ProtonVPN?
Let's assume that the DNS is sent by the TV, asking for the IP address of google.com, and that it is an unencrypted DNS request sent to 8.8.8.8.
If the 'Override DNS Settings of All Clients' option is not enabled on the Beryl AX, the DNS request will travel through the VPN to the Proton VPN server.
The Proton VPN server can see that the request is for the DNS of google.com. It will not forward the request to 8.8.8.8 but will instead query its own DNS server for the address corresponding to google.com and return the address to the TV via VPN tunnel.
If the 'Override DNS Settings of All Clients' option is enabled on the Beryl AX, the Beryl AX will also see that it is a query for the IP address of google.com, so it will not send it to 8.8.8.8, but will instead query the IP address by sending a corresponding request to the Quad9 DoH server and return the results to the TV.
In this process, the request sent to the Quad9 DoH server still passes through the Proton VPN server, but since it is encrypted, the Proton VPN server cannot find which domain is being queried or redirect the DNS request to its own server. Therefore, the request ultimately reaches the Quad9 DoH server in a securely encrypted manner.
To get back to the topic of Quad9, as far as I know, it is not the only DNS that doesn't log. Mullvad and NextDNS both have no log options as well. So why is Quad9 referenced a lot? What am I missing here?
It seems like Quad9 only has one recommended DoH string. Mullvad also has a base with no filtering DNS. As a comparison, if I were to compare both no-filtering DoH strings, what's the advantage of Quad9 over Mullvad?
Yes, I want to prevent not only the ISP, but potentially state actors like the government from spying on me. So both methods that we discussed earlier are secure and neither is necessarily better than the other?
Everyone has their own preferred provider.
So, just forget about Quad9 and use the DNS service provider that you like and suits you best.
mullvad-extend-doh is equivalent to extended.dns.mullvad.net
mullvad-base-doh is equivalent to base.dns.mullvad.net
If you want to use the mullvad-base-doh, please note that these options should be selected as 'All'.
Without VPN, DoH only protects DNS traffic, meaning that your ISP cannot see the domain names you visit, but they can see the IP addresses of the servers you connect to.
VPN can protect both DNS traffic and the IP addresses of the servers you connect to from being known by your ISP.