Recently, I published a Gist with my preferred public DNS servers, including information about and links to each of them. Today, I set up AdGuard again; it is one of the best tools for blocking malicious content across several fronts: content blocking, DNS filtering, tracking protection, and phishing and malware protection.
Better still, it lets you specify your own DNS servers, with native support for DNS over TLS, DNS over HTTPS, and DNSCrypt. Today, I used that feature to test and deploy the following resolver configuration on my mobile device:
sdns://AQAAAAAAAAAADjIwOC42Ny4yMjAuMjIwILc1EUAgbyJdPivYItf9aR6hwzzI1maNDL4Ev6vKQ_t5GzIuZG5zY3J5cHQtY2VydC5vcGVuZG5zLmNvbQ
tls://1.1.1.2
tls://dns11.quad9.net
tls://dns.google
You can see more about what these resolvers are and why I chose them here.
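The first entry above is a DNS stamp (the sdns:// format used by DNSCrypt clients). It is worth knowing what you are pasting into a resolver list, because the stamp bundles the server's IP, the provider's public key that the client uses to authenticate the resolver's certificate, and the provider name it queries to fetch that certificate. The decoder below is an added example written for this post, not AdGuard's or dnscrypt-proxy's code; it handles only the DNSCrypt stamp type (protocol byte 0x01) and is applied to the OpenDNS stamp from the list above.

```python
import base64
import struct

# The DNSCrypt stamp from the resolver list above (OpenDNS).
STAMP = ("sdns://AQAAAAAAAAAADjIwOC42Ny4yMjAuMjIwILc1EUAgbyJdPivYItf9aR6hwzzI1maN"
         "DL4Ev6vKQ_t5GzIuZG5zY3J5cHQtY2VydC5vcGVuZG5zLmNvbQ")


def _b64url_decode(s):
    # Stamps are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _take_lp(buf, pos):
    # Length-prefixed field: one length byte followed by that many bytes.
    n = buf[pos]
    field = buf[pos + 1:pos + 1 + n]
    if len(field) != n:
        raise ValueError("truncated stamp")
    return field, pos + 1 + n


def decode_dnscrypt_stamp(stamp):
    """Decode a DNSCrypt (protocol 0x01) sdns:// stamp into its fields."""
    if not stamp.startswith("sdns://"):
        raise ValueError("not a DNS stamp")
    raw = _b64url_decode(stamp[len("sdns://"):])
    if not raw or raw[0] != 0x01:
        raise ValueError("only DNSCrypt (0x01) stamps are handled here")
    # 64-bit little-endian property bitmask: bit0 DNSSEC, bit1 no logs, bit2 no filter.
    props = struct.unpack_from("<Q", raw, 1)[0]
    pos = 9
    addr, pos = _take_lp(raw, pos)          # "ip:port" or bare IP (port 443 implied)
    provider_pk, pos = _take_lp(raw, pos)   # 32-byte Ed25519 provider public key
    provider_name, pos = _take_lp(raw, pos) # TXT name queried for the certificate
    if pos != len(raw):
        raise ValueError("trailing bytes after stamp fields")
    if len(provider_pk) != 32:
        raise ValueError("provider public key must be 32 bytes")
    return {
        "addr": addr.decode("ascii"),
        "provider_pk_hex": provider_pk.hex(),
        "provider_name": provider_name.decode("ascii"),
        "dnssec": bool(props & 1),
        "no_logs": bool(props & 2),
        "no_filter": bool(props & 4),
    }


if __name__ == "__main__":
    for key, value in decode_dnscrypt_stamp(STAMP).items():
        print(f"{key:16} {value}")
```

The three property flags are advertised by whoever published the stamp and are not verified by the client; treat them as a claim, not a guarantee. The public key is what actually matters for security, since a stamp with a different key would let a different party impersonate the resolver even at the same IP.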
Additionally, I wanted to learn how to test DNS-over-TLS querying, which let me verify that these servers worked as expected and see directly how the protocol works. However, dig just isn’t going to cut it!
Here I install the knot-resolver package (knot-dnsutils on Linux) on a Mac via Brew to get the kdig tool, then use it to make a DNS-over-TLS query.
brew install knot-resolver
kdig +tls @1.1.1.2 target.com
;; TLS session (TLS1.3)-(ECDHE-X25519)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 22716
;; Flags: qr rd ra; QUERY: 1; ANSWER: 4; AUTHORITY: 0; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 1452 B; ext-rcode: NOERROR
;; PADDING: 351 B
;; QUESTION SECTION:
;; target.com. IN A
;; ANSWER SECTION:
target.com. 31 IN A 151.101.194.187
target.com. 31 IN A 151.101.130.187
target.com. 31 IN A 151.101.66.187
target.com. 31 IN A 151.101.2.187
;; Received 468 B
;; Time 2020-04-21 16:57:18 EDT
;; From 1.1.1.2@853(TCP) in 51.7 ms
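To see what kdig is doing under the hood, here is an added example (written for this post, not part of kdig or Knot) that performs the same DNS-over-TLS query by hand: it builds a raw DNS A query, opens a TLS session to port 853 with certificate and hostname verification, sends the query with the 2-byte length prefix that RFC 7858 borrows from DNS over TCP, and parses the A records out of the reply. The default server is dns.google from the resolver list above; the sample reply used for the offline check is constructed from the kdig output shown above (transaction id 22716 and the four target.com addresses).

```python
import secrets
import socket
import ssl
import struct


def build_query(qname, qid=None):
    """Build a minimal RFC 1035 A query with the RD (recursion desired) flag set."""
    qid = secrets.randbits(16) if qid is None else qid
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(struct.pack("B", len(lbl)) + lbl.encode("ascii")
                      for lbl in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE A, QCLASS IN


def _skip_name(msg, pos):
    # Skip a (possibly compressed) domain name and return the position after it.
    while True:
        n = msg[pos]
        if n == 0:
            return pos + 1
        if n & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return pos + 2
        pos += 1 + n


def parse_a_records(msg, expected_id):
    """Return the IPv4 addresses in the answer section, checking id and rcode."""
    qid, flags, qd, an, _ns, _ar = struct.unpack_from(">HHHHHH", msg, 0)
    if qid != expected_id:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F != 0:
        raise ValueError(f"server returned rcode {flags & 0x000F}")
    pos = 12
    for _ in range(qd):
        pos = _skip_name(msg, pos) + 4    # skip QTYPE and QCLASS
    ips = []
    for _ in range(an):
        pos = _skip_name(msg, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from(">HHIH", msg, pos)
        pos += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[pos:pos + 4]))
        pos += rdlen
    return ips


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("TLS stream closed before the full message arrived")
        buf += chunk
    return buf


def dot_query(qname, server="dns.google", port=853, timeout=5.0):
    """Resolve qname over DNS-over-TLS (RFC 7858) and return its A records."""
    ctx = ssl.create_default_context()   # verifies the chain and the server name
    query = build_query(qname)
    qid = struct.unpack_from(">H", query)[0]
    with socket.create_connection((server, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server) as tls:
            tls.sendall(struct.pack(">H", len(query)) + query)
            length = struct.unpack(">H", _recv_exact(tls, 2))[0]
            response = _recv_exact(tls, length)
    return parse_a_records(response, qid)


def constructed_response(qid=22716):
    """Constructed reply mirroring the kdig output above, for an offline check."""
    header = struct.pack(">HHHHHH", qid, 0x8180, 1, 4, 0, 0)  # qr rd ra, NOERROR
    question = b"\x06target\x03com\x00" + struct.pack(">HH", 1, 1)
    answers = b""
    for ip in ("151.101.194.187", "151.101.130.187", "151.101.66.187", "151.101.2.187"):
        answers += b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 31, 4) + socket.inet_aton(ip)
    return header + question + answers


if __name__ == "__main__":
    print(parse_a_records(constructed_response(), 22716))
    print(dot_query("target.com"))
```

The two things that make this DoT rather than plain DNS are the TLS wrap with verification on and the length prefix; everything inside the TLS session is the same wire format dig sends in the clear on port 53. If the certificate check fails, wrap_socket raises before any query leaves the machine, which is the behaviour you want from a resolver you configured to be authenticated.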