Options for Pi-Hole: blacklists, DNS over HTTPS, logging to RAM

Can you write down the best blocklist, the one you use, please?
Should I use DNS-over-HTTPS?
Do you use Setup Log2Ram?

Regards

There is no "best" block list, because each user has different browsing habits and needs. A good collection of potential block lists to add is here:

There is no yes/no answer for this. If you want to hide your DNS queries from your ISP, then typically encrypted DNS (and DoH is one form) is used.

Some users have set up logging to RAM. Again, it's a choice you will need to make for your own configuration.


Thanks for the reply :)
How many blocklists do you use?

I use the seven that come with Pi-Hole.


Only these? And this is enough for you?
What DNS do you use?

Those are plenty. I don’t try to block the whole internet.

I use unbound as a local resolver.


Many thanks.
I'm going to try doing the same local resolver :slight_smile: Any advice on how to do this in an easy way?

Follow the guide.


I have been using the OpenDNS service as my upstream resolver; they have some nice filtering for both IPv4 and v6, including rapid-response malware blocking that I find handy.

Also kinda funny to see my OpenDNS block page pop up on a screen every once in a while when a user is naughty; I use the ancient Ceiling Cat meme just to make it worse for them.


But maybe using unbound as a local resolver is better than a DNS solution.

It is easy enough to try them both and see which meets your needs best.


Many thanks :slight_smile: Now I use Pi-hole as a recursive DNS server solution. I am really surprised that this works very fast :)
Regards

I was never a DNS guru and since I retired my skills have gotten stale but I'll offer this to think about.

"Better" is a slippery word; you have to have a much more concrete definition to work with to make a decision. If you want an upstream server that is fast to respond and reliable, there are many options that vary in what they provide and what they cost you, often no cash charges, but you pay by providing tracking information.

A good place to start is to see what is fast for you: Google Code Archive - Long-term storage for Google Code Project Hosting.

Privacy: OpenDNS is now a Cisco company and they do some tracking; I haven't really researched that much. Google's DNS does a lot more tracking, too much for me. Other servers may do some or not; you'd have to research and see. Your own server is best for this, but you need to make sure you are using it securely.

I haven't run a local resolving DNS for many years. It always worked and gave me the best privacy, but at a cost in convenience: I didn't always get directed to the closest/fastest destination IP for sites that offered multiple locations. It looks like more has been done on that at the host server end (Geo-DNS), but how well it works for you would have to be tested.

One big thing you miss with a local resolving DNS is the filtering provided by some upstream providers. Some filtering is good, other filtering is bad, but how you feel about the type and amount of filtering varies by your needs.

OpenDNS really works well for my needs. I don't usually want any legitimate site blocked, but if the grandkids are coming over I want a lot of sites blocked. OpenDNS gives me this with a few clicks.

Try it, a free plan: Home Free by OpenDNS
Basic IPv6 filtered server addresses are here: https://support.opendns.com/hc/en-us/articles/227986667-Does-OpenDNS-Support-IPv6-
More filtering for IPv6 by forcing IPv4 is at the above link too.

Like so many other things there is no "one size fits all" answer to DNS.


I like my unbound 2ms response time :wink:


What is your response time for non-cached queries? Here is one cached and one non-cached one from my pi-hole:

stan@dell-3620:~> dig google.com

;; Query time: 2 msec
;; SERVER: 172.16.1.94#53(172.16.1.94)
;; WHEN: Fri Nov 23 19:44:46 MST 2018
;; MSG SIZE  rcvd: 55

stan@dell-3620:~> dig msnbc.com

;; Query time: 85 msec
;; SERVER: 172.16.1.94#53(172.16.1.94)
;; WHEN: Fri Nov 23 19:47:27 MST 2018
;; MSG SIZE  rcvd: 54

Sometimes more important than the query time is the TTL for the requested domain (how long the result stays in cache). The install settings for unbound are a minimum TTL of 3,600 seconds, max 86,400.

With a cold dig for google.com to unbound, query time was 30 msec, and TTL was 3600 seconds. Subsequent queries to this domain for the next 3600 seconds are < 1 msec.

Same cold dig for google.com to Cloudflare, query time 21 msec, TTL 243 sec.

Unbound has a very effective cache. Even if the requested domain is not in cache, the higher level information is cached for longer and may not be queried as often. For example in this case, if google.com has expired in cache, unbound still remembers who is serving the .com names and goes directly to that server without asking the TLD who is serving .com.

In addition, the installation guide for unbound turns on prefetching. From the unbound.conf manual:

"If yes, message cache elements are prefetched before they expire to keep the cache up to date. Default is no. Turning it on gives about 10 percent more traffic and load on the machine, but popular items do not expire from the cache."

In exchange for a slightly longer time to resolve an initial query for a domain in unbound, subsequent queries to that domain are much faster for a longer period of time. The net result is generally faster overall DNS resolution.

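The two posts above compare cached and uncached response times and explain why raising unbound's cache-min-ttl and enabling prefetch pays off. The simulator below is an added example (not code from this thread, from Pi-hole or from unbound) that replays a client query stream against a cache with those settings and counts upstream fetches and client-visible latency. Constructed assumptions: one query per minute for 24 hours, 30 ms for a cold recursive lookup and 1 ms for a cached answer (the rough figures quoted above), the upstream TTL of 243 seconds reported for google.com, and unbound's prefetch rule of refreshing an entry once less than 10% of its TTL remains (as documented for the `prefetch` option in unbound.conf(5)).

```python
"""Simulate unbound's cache-min-ttl / cache-max-ttl clamping and prefetch.

Added example for this thread; not Pi-hole or unbound code. All latencies,
the query interval and the 10% prefetch threshold are constructed/assumed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable


@dataclass(frozen=True)
class ResolverConfig:
    cache_min_ttl: int = 0       # unbound default: 0 (honour the upstream TTL)
    cache_max_ttl: int = 86400   # unbound default: one day
    prefetch: bool = False       # unbound default: no


# Values the Pi-hole unbound guide (quoted above) puts in unbound.conf.
PIHOLE_GUIDE = ResolverConfig(cache_min_ttl=3600, cache_max_ttl=86400, prefetch=True)

# Assumed: prefetch fires when the remaining lifetime drops below this
# fraction of the original TTL (unbound.conf(5) describes a 10% window).
PREFETCH_FRACTION = 0.1


def effective_ttl(upstream_ttl: int, cfg: ResolverConfig) -> int:
    """TTL the cache actually uses after min/max clamping."""
    return max(cfg.cache_min_ttl, min(upstream_ttl, cfg.cache_max_ttl))


def simulate(upstream_ttl: int, cfg: ResolverConfig, query_times: Iterable[int],
             cold_ms: int = 30, warm_ms: int = 1) -> Dict[str, float]:
    """Replay client queries (timestamps in seconds, ascending) for one name.

    Returns how many times the upstream/authoritative servers were contacted,
    how many clients waited for a cold lookup, and the mean latency seen.
    """
    ttl = effective_ttl(upstream_ttl, cfg)
    expires_at = None          # absolute time the cached record expires
    fetches = cold_answers = queries = 0
    total_ms = 0
    for t in query_times:
        queries += 1
        if expires_at is None or t >= expires_at:
            # Cache miss: the client waits for the full recursive lookup.
            fetches += 1
            cold_answers += 1
            total_ms += cold_ms
            expires_at = t + ttl
            continue
        # Cache hit: answered from memory.
        total_ms += warm_ms
        if cfg.prefetch and (expires_at - t) < PREFETCH_FRACTION * ttl:
            # Entry is about to expire: refresh it in the background so the
            # next client never sees a miss (costs one extra upstream fetch).
            fetches += 1
            expires_at = t + ttl
    return {
        "upstream_fetches": fetches,
        "cold_answers": cold_answers,
        "mean_ms": total_ms / queries if queries else 0.0,
    }


if __name__ == "__main__":
    one_day_per_minute = range(0, 86400, 60)   # constructed query stream
    scenarios = {
        "forward to upstream, TTL 243 honoured": ResolverConfig(),
        "unbound, cache-min-ttl 3600, no prefetch": ResolverConfig(cache_min_ttl=3600),
        "unbound, Pi-hole guide settings (prefetch)": PIHOLE_GUIDE,
    }
    for label, cfg in scenarios.items():
        r = simulate(243, cfg, one_day_per_minute)
        print(f"{label:45s} fetches={r['upstream_fetches']:4d} "
              f"cold answers={r['cold_answers']:4d} mean={r['mean_ms']:.2f} ms")
```

With these inputs the forwarding setup goes upstream 288 times a day and every fifth client waits for a cold lookup; clamping the TTL to an hour cuts that to 24 fetches; adding prefetch raises fetches slightly (27, roughly the "10 percent more traffic" the manual warns about) but only the very first client of the day sees a cold answer. Prefetch only helps names that are queried again inside the last 10% of their TTL: with queries every ten minutes against a 3600 s TTL the refresh window is never hit and the name simply expires, so the benefit is confined to genuinely popular domains.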

I have a fair understanding of unbound; it is used in my current router and I used it for many years running on a server. When I was on a satellite Internet connection, DNS stuff was really important with 2000 ms ping times.

If I didn't like the convenience of OpenDNS I'd likely toggle the forwarding/direct option in pfSense and go to the root servers myself.

What I was trying to point out to Tntdruid is the difference in cached versus un-cached response times.


@Stan-qaz

root@blackhole:~# dig ubnt.com

; <<>> DiG 9.10.3-P4-Raspbian <<>> ubnt.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10701
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ubnt.com. IN A

;; ANSWER SECTION:
ubnt.com. 3463 IN A 54.69.158.142
ubnt.com. 3463 IN A 54.191.25.85
ubnt.com. 3463 IN A 54.191.191.154

;; Query time: 23 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Nov 24 07:36:44 CET 2018
;; MSG SIZE rcvd: 85

root@blackhole:~# dig ubnt.com

; <<>> DiG 9.10.3-P4-Raspbian <<>> ubnt.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39564
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ubnt.com. IN A

;; ANSWER SECTION:
ubnt.com. 3459 IN A 54.191.191.154
ubnt.com. 3459 IN A 54.69.158.142
ubnt.com. 3459 IN A 54.191.25.85

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Nov 24 07:36:48 CET 2018
;; MSG SIZE rcvd: 85

I've got a very BIG user base on my DNS: 6k+ clients.
