Why is Google the first DNS choice?

I love Pi-hole, and I am very thankful for the hard work that great developers put into it. I am a happy donor and supporter.

One gripe I have... Why do we continue to place Google at the top of recommended DNS resolvers? It amazes me that for a group of folks focused on security and privacy, you are still encouraging users to feed all their web queries to the worst offender of internet privacy. They are not the only one, but they are by far the worst.

Pi-hole users want to eliminate ads and protect privacy, so we go through all the time and effort to fine tune our filters to block unwanted stuff. Yet we go ahead and surrender to Google every one of our DNS queries, thus feeding the same beast we are trying to defeat.

Make no mistake... They absolutely use that data to profile us, track our every move, interest, activity, political & religious affiliation, where we bank, invest, get healthcare, what time we go to bed, wake up, etc. etc. etc. They spend billions of dollars to increase their reach and cover every possible angle, buying out any competitors in those areas.

From the Chrome browser, the Chrome OS, web searches, Android phones with constant GPS reporting, maps and travel, flights we take, Gmail and Google Message (where every text and email are scanned), thermostats with presence sensors, websites we authenticate via reCaptcha, websites we visit that ignorantly implement their analytics and fonts, DNS searches, etc. etc. etc. All their "free" products only mean YOU are the product.

And if you think they spend all that money, time, and effort, only to show you targeted ads that may interest you, I hate to tell you that is very naive thinking. They absolutely have nefarious socio-political agendas, which have been revealed time and again. Not only do they manipulate what shows up on search results, controlling what you see and believe, but also silence those they disagree with. If your political or religious leanings don't line up with theirs, you can be sure the information they have on you will be used to profile you, track you, and silence you.

Fortunately many individuals and businesses are waking up to the bizarre reality that Google has become, and are taking steps to eradicate Google's products and services from their lives.

Want to see how Google compares statistically to the other media giants when it comes to tracking? See here: https://whotracks.me/

So, why again are we still placing Google at the top of the suggested DNS resolvers?

"Encouraging" is a strong word here, isn't it?

because

is also not the absolute truth. I wouldn't say that, for instance, Cloudflare is any better than Google.

Instead of discussing who is better and who is worse (because this will be heavily biased by opinions), we should discuss about how to improve the selection mechanism in the installer. We're all ears for suggestions here.

The mere fact that an enter-mashing way of installing Pi-hole leads to selecting Google shouldn't be falsely interpreted as an encouragement of their service. We're open for suggestions on how to improve the selection.


DL6ER,
Thank you for your comments. Perhaps you are right that "encouraging" may be not the right word in this context, but Google is still placed at the top, in a list where IMO they shouldn't even be included.

Sure Google is not the only company that uses DNS analytics for various purposes beyond the intended scope, but I maintain that they are indeed the worst. You say it is not the absolute truth, but here are the facts: WhoTracks.me | Who Tracks the Most
And there are many other sources that corroborate those findings. Just point your DNS queries to NextDNS and enable all available filters for a few days. You will quickly see Google dwarfing the other media giants by a large margin, even if you don't directly use their products.

I am still very thankful for the great service you guys provide, which is why I am a sponsor. I mean no disrespect at all in bringing this up. I mainly want to bring awareness to something many folks are oblivious to, which is why Google's tentacles reach practically every area of our lives, as people naively deploy their "free" services everywhere.

Cheers mate!

Since this is a feature request, how do you envision your requested change to work?

Do you want another server offered at the top? If so, who decides what is best?

Tell us how this install screen should work to improve the software.

Good point. Perhaps list them by average latency? That would easily put Cloudflare at the top. Or perhaps it would be best to list them alphabetically, to avoid any preferences. It is just that right now it looks like we are suggesting or implying (especially to beginners) that Google should be their obvious first choice. And since Google accounts for most of what Pi-hole ends up blocking, it strikes me as a contradiction of principle.

On a side note, I LOVE what you guys did with version 5. What great work. Thank you!

This will vary depending on your location. Lowest latency for you might be highest latency for me.

Alphabetically seems a reasonable method.

Perhaps if none of the upstream servers are preselected and they are presented in alphabetical order, and the user has to choose one or more to advance in the installer, that requires a bit more than enter-mashing.

We do have a guide for configuring your own recursive DNS server, which completely divorces you from any upstream DNS service.

https://docs.pi-hole.net/guides/unbound/

Yes, I saw that article on recursive DNS. Pretty cool stuff.

Currently I have Pi-hole do all the upfront blocking, and I keep adding to my local blacklist anything significant that gets flagged by upstream services like NextDNS. So gradually my internet speed is getting faster, as the bulk of the junk gets immediately dropped locally, and my upstream queries are nearly 100% legitimate. So yes, the next step would be perhaps making an internal DNS resolver my next hop.

Thanks for the suggestion.

Well, yes, hence ...


I read this and immediately thought: No. They can still enter-mash; when they reach the point of selection, they space-mash and then again enter-mash :wink:

Actually, Google is by far the fastest here (I just wrote a quick script for doing 100 lookups for random domains), 20 msec on average while Cloudflare is around 55 msec on average.

Summary
Google (ECS)
   8.8.8.8: avg 19 ms
   8.8.4.4: avg 20 ms
   2001:4860:4860:0:0:0:0:8888: avg 19 ms
   2001:4860:4860:0:0:0:0:8844: avg 25 ms
OpenDNS (ECS)
   208.67.222.222: avg 29 ms
   208.67.220.220: avg 28 ms
   2620:119:35::35: avg 27 ms
   2620:119:53::53: avg 29 ms
Level3
   4.2.2.1: avg 23 ms
   4.2.2.2: avg 26 ms
Comodo
   8.26.56.26: avg 30 ms
   8.20.247.20: avg 29 ms
DNS.WATCH
   84.200.69.80: avg 18 ms
   84.200.70.40: avg 19 ms
   2001:1608:10:25:0:0:1c04:b12f: avg 19 ms
   2001:1608:10:25:0:0:9249:d69b: avg 20 ms
Quad9 (filtered, DNSSEC)
   9.9.9.9: avg 43 ms
   149.112.112.112: avg 28 ms
   2620:fe::fe: avg 34 ms
   2620:fe::9: avg 34 ms
Quad9 (unfiltered, no DNSSEC)
   9.9.9.10: avg 25 ms
   149.112.112.10: avg 27 ms
   2620:fe::10: avg 32 ms
   2620:fe::fe:10: avg 31 ms
Quad9 (filtered + ECS)
   9.9.9.11: avg 25 ms
   149.112.112.11: avg 39 ms
   2620:fe::11: avg 34 ms
Cloudflare
   1.1.1.1: avg 50 ms
   1.0.0.1: avg 49 ms
   2606:4700:4700::1111: avg 31 ms
   2606:4700:4700::1001: avg 49 ms
NextDNS
   2a07:a8c1::d7:2288: avg 121 ms
   2a07:a8c0::d7:2288: avg 106 ms
   45.90.28.240: avg 93 ms
   45.90.30.240: avg 32 ms

And you don't really want to promote CF by putting it intentionally at the top, right? After all, it is another "free" service. And they did a lot of advertising around this new service when it was new. Advertisements are never cheap, so...

Very basic and hacky script used for this
#!/bin/bash

test_server() {
	local server="$1"
	local total=0 ok=0 i=0 tests=200 single
	while [ "$i" -lt "$tests" ]
	do
		# dig prints ";; Query time: NN msec"; keep only the number
		single="$(dig something.com "@${server}" | sed '/Query time/!d;s/;; Query time: //;s/ msec//')"
		# a failed lookup prints no query time; skip it instead of breaking the arithmetic
		if [ -n "${single}" ]; then
			total=$(( total + single ))
			ok=$(( ok + 1 ))
		fi
		i=$(( i + 1 ))
	done

	if [ "${ok}" -gt 0 ]; then
		echo "   ${server}: avg $(( total / ok )) ms (${ok}/${tests} answered)"
	else
		echo "   ${server}: no answer"
	fi
}

DNS_SERVERS=$(cat << EOM
Google (ECS);8.8.8.8;8.8.4.4;2001:4860:4860:0:0:0:0:8888;2001:4860:4860:0:0:0:0:8844
OpenDNS (ECS);208.67.222.222;208.67.220.220;2620:119:35::35;2620:119:53::53
Level3;4.2.2.1;4.2.2.2;;
Comodo;8.26.56.26;8.20.247.20;;
DNS.WATCH;84.200.69.80;84.200.70.40;2001:1608:10:25:0:0:1c04:b12f;2001:1608:10:25:0:0:9249:d69b
Quad9 (filtered, DNSSEC);9.9.9.9;149.112.112.112;2620:fe::fe;2620:fe::9
Quad9 (unfiltered, no DNSSEC);9.9.9.10;149.112.112.10;2620:fe::10;2620:fe::fe:10
Quad9 (filtered + ECS);9.9.9.11;149.112.112.11;2620:fe::11;
Cloudflare;1.1.1.1;1.0.0.1;2606:4700:4700::1111;2606:4700:4700::1001
EOM
)

# In an array, list the available upstream providers
DNSChooseOptions=()
DNSServerCount=0
# Save the old Internal Field Separator in a variable
OIFS="$IFS"
# and set the new one to newline
IFS=$'\n'
# Put the DNS Servers into an array
for DNSServer in ${DNS_SERVERS}
do
	DNSName="$(cut -d';' -f1 <<< "${DNSServer}")"
	echo "${DNSName}"
	first="$(cut -d';' -f2 <<< "${DNSServer}")"
	second="$(cut -d';' -f3 <<< "${DNSServer}")"
	third="$(cut -d';' -f4 <<< "${DNSServer}")"
	fourth="$(cut -d';' -f5 <<< "${DNSServer}")"
	[ -n "${first}" ] && test_server "${first}"
	[ -n "${second}" ] && test_server "${second}"
	[ -n "${third}" ] && test_server "${third}"
	[ -n "${fourth}" ] && test_server "${fourth}"
done
# Restore the IFS to what it was
IFS="${OIFS}"

This script runs roughly 2.5 minutes so measuring the average latency during install may not be the best idea. Even when you decrease the number of tests to 10 (which I would not recommend doing), it would still take roughly 15 seconds.

I was initially going to ask if you really see a difference when the delay to your upstream DNS server may be on the order of 20 ms, but I see that NextDNS is particularly slow for me, it is always > 100 ms so this is truly a notable delay.
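As an added illustration (not Pi-hole's installer code and not the script above), the following puts the two ideas from this thread side by side: the provider list in the same `Name;addr;addr;addr;addr` format as the script above, sorted alphabetically with nothing preselected, plus a latency probe with a bounded timeout so an unreachable server (like a slow NextDNS endpoint) cannot stall the run. The shortened provider list, the `example.com` probe name and the function names are assumptions.

```shell
#!/bin/bash
# Constructed subset of the thread's provider list, same field layout as the script above.
DNS_SERVERS='Google (ECS);8.8.8.8;8.8.4.4;2001:4860:4860:0:0:0:0:8888;2001:4860:4860:0:0:0:0:8844
OpenDNS (ECS);208.67.222.222;208.67.220.220;2620:119:35::35;2620:119:53::53
Level3;4.2.2.1;4.2.2.2;;
Cloudflare;1.1.1.1;1.0.0.1;2606:4700:4700::1111;2606:4700:4700::1001'

# Sort case-insensitively on the name field only, so the order no longer
# depends on who happened to be first in the original pull request.
sorted_providers() {
    printf '%s\n' "$DNS_SERVERS" | sort -t';' -k1,1f
}

# Emit whiptail-style radiolist triples (tag, description, state). Every state
# is "off", so an enter-masher has to make a choice before the installer proceeds.
menu_options() {
    sorted_providers | while IFS=';' read -r name a1 a2 _; do
        printf '%s\t%s\toff\n' "$name" "$a1${a2:+, $a2}"
    done
}

# Average query time in ms over N lookups. +time/+tries bound each attempt to
# one second, and failed lookups are skipped, so a dead server reports "n/a"
# instead of hanging the probe or breaking the arithmetic.
avg_latency() {
    local server=$1 n=${2:-5} total=0 ok=0 ms
    for _ in $(seq "$n"); do
        ms=$(dig +time=1 +tries=1 +noall +stats example.com "@$server" 2>/dev/null \
             | sed -n 's/^;; Query time: \([0-9]*\) msec.*/\1/p')
        [ -n "$ms" ] && { total=$((total + ms)); ok=$((ok + 1)); }
    done
    [ "$ok" -gt 0 ] && echo $((total / ok)) || echo n/a
}
```

Run `menu_options` to see the menu order; `avg_latency 9.9.9.9 10` needs network access and `dig`.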

What about putting them in a random order during installation?

This will still have enter-mashers install Google or Cloudflare. I think the gain from this would be purely imaginary, one could say that Pi-hole is not favoring some server. However, we aren't favoring one right now. A good idea, nonetheless. And saying that I don't think it is an improvement worth implementing is solely my personal feeling.

Good points. I do think that alphabetical would be best. That way if the user wants to select Google they still can. Currently we are presenting it as the obvious first choice, probably based only on popularity, which I consider unfortunate.

Like I said, I don't doubt Cloudflare and all the others use the aggregate statistics from our DNS searches in some form. Of course they do. I just have little doubt of how and why Google uses them.

We can continue to block various ads and trackers from reaching our network, but when we submit our DNS searches through the most proliferous issuer of such intrusions, we are still surrendering to them all our interests, concerns, places we bank, invest, worship, etc. etc., even though we don't use their search engine.

I personally would rather have a little higher latency by routing my DNS calls elsewhere, just as some people favor a little slower connection through a VPN rather than a faster exposed connection. I guess it comes down to awareness of the bad actors out there, and what we can do to stop them.

Anyway, sorry about the long rant. :slight_smile: Peace to y'all.

Would you mind changing the title of the FR to a specific request? This will help others to find it, invite them to discuss and (maybe) gather more votes :slight_smile:

Gladly. Thanks for the suggestion.

This may be dumb, but would it be possible to have the installer present the option of using the existing upstream resolver or choosing a different one, and then present a list of servers (alphabetically sorted) or the option to enter a custom address, similar to how it reads the current IP and asks if you would like to set it as the static IP or enter a different one?

I expect that most people's installs would then just be pointing to their ISP's servers. I know I had not changed mine before deploying pi-hole. Then during install I selected google's servers long enough to complete the install and then configured unbound per the guide in the documentation.

If this would be an option please consider also

I'm a big proponent of the KISS principle.

One person's feelings on Google are another person's feelings on Cloudflare. Whatever is at the top of the list is going to upset someone.

Google is currently at the top of the list because that's just where it's always been. As alternatives have been added to the list, they've just gone in underneath that. For me, this doesn't suggest we are pushing one over the other, and ultimately it is the user's choice what they go for. Some people might be happy to use Google to resolve (I am); others, as evidenced by this topic, are not.

So, we're not going to get into a position of telling you one is bad, or one is good, that is down to the user to research and decide upon for themselves.

In line with keeping it simple I propose something more along the lines of the following:

Rather than introducing increased complexity into what is ostensibly just a selection at the beginning of the install process, we improve the copy that is displayed to the user on this screen. Something along the lines of:

In order to resolve queries, you need to choose an upstream DNS resolver. There are many of these available, here are just a few of the more popular ones, feel free to choose whichever you would like to use

If you wish to use your ISP's, or know the IP address(es) of a DNS server you would like to use, then choose custom, and you will be prompted to enter the IP address(es)

(but, less verbose)

At the end of the day, we're not pushing any one particular provider. In reality, we're not even pushing anything. All we are doing is providing the tools for the user to apply their own considered choices to their networking environment. It's a big part of the reason we don't curate any of our own blocklists, either.

There has to be something there (like with the optional blocklists on the following screen) to lower the barrier to entry, making it more accessible to those starting out in the world of DNS-based ad blocking. The more privacy focussed people would know - when presented with a list of DNS servers - which one(s) (not) to choose, or they may already have an idea of an upstream server not already shown, in which case they can choose custom.

I forgot about the Custom field not accepting a port number! I'll look into this later if I get a chance

It's been Google since the start, 4 years ago. No conspiracy, no underhanded motives. Just was first in the PR that created the menu.

Why is this even worth discussing?

Even if the placement was intentional. People new or unfamiliar with the project would install it for what it says on the tin 'Ad blocking'. They care about blocking ads not security.
To be security conscious you would have to be informed / knowledgeable to an extent where you are well aware that neither of the listed providers makes surfing the internet safer in any fashion.
All you do when configuring those providers is push trust from your ISP to another company on the internet, and you don't know what they are doing with your data.
Like mentioned earlier Google is not worse than the other free providers. After all if the product is free, you are the product. Present company excluded :kissing_heart:

tl;dr
newbs need not care which provider they choose
the advanced user runs their own resolver

Obvious exceptions noted.

Ha, you got me there!
Though that was not the take away I intended. :rofl: