Recently, I published a Gist I made with my preferred Public DNS Servers including information and linkage about them. Today, I re-setup Adguard, one of the best solutions for blocking malicious content across multiple realms including Content Blocking, DNS Filtering, Tracking Protection, and Phishing+Malware.

What’s even better is it allows you to specify your own DNS servers to use, natively supporting DNS over TLS, HTTPS, and DNSCrypt. Today, I leveraged that functionality to test and implement the following resolver configuration for my mobile device:


You can see more about what these resolvers are and why I chose them here.

Additionally, I wanted to learn how to test DNS-over-TLS querying, which helped me verify these servers worked as expected and directly see how this works. However, dig just isn’t going to cut it!

Here I install the knot-resolver (knot-dnsutils on linux) package on Mac via Brew to gain access to the kdig tool, then use that to make a DNS-over-TLS query.

brew install knot-resolver
kdig +tls @
;; TLS session (TLS1.3)-(ECDHE-X25519)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 22716
;; Flags: qr rd ra; QUERY: 1; ANSWER: 4; AUTHORITY: 0; ADDITIONAL: 1

;; Version: 0; flags: ; UDP size: 1452 B; ext-rcode: NOERROR
;; PADDING: 351 B

;;         		IN	A

;; ANSWER SECTION:         	31	IN	A         	31	IN	A         	31	IN	A         	31	IN	A

;; Received 468 B
;; Time 2020-04-21 16:57:18 EDT
;; From [email protected](TCP) in 51.7 ms
Mario Loria is a builder of diverse infrastructure with modern workloads on both bare-metal and cloud platforms. He's traversed roles in system administration, network engineering, and DevOps. You can learn more about him here.