Recently, I published a Gist listing my preferred public DNS servers, with information about and links to each of them. Today, I set up AdGuard again; it is one of the best solutions for blocking malicious content across several areas: content blocking, DNS filtering, tracking protection, and phishing and malware protection.
Even better, it lets you specify your own upstream DNS servers, with native support for DNS over TLS, DNS over HTTPS, and DNSCrypt. Today, I used that feature to test and apply the following resolver configuration on my mobile device:
sdns://AQAAAAAAAAAADjIwOC42Ny4yMjAuMjIwILc1EUAgbyJdPivYItf9aR6hwzzI1maNDL4Ev6vKQ_t5GzIuZG5zY3J5cHQtY2VydC5vcGVuZG5zLmNvbQ tls://184.108.40.206 tls://dns11.quad9.net tls://dns.google
You can see more about what these resolvers are and why I chose them here.
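The `sdns://` entry in the configuration above is a DNS stamp: one base64url string that packs the resolver's protocol, address, advertised properties and, for DNSCrypt, its provider name and public key. The decoder below is an added example written for this post, not AdGuard's or dnscrypt-proxy's code; it follows the published DNS Stamps layout (protocol byte, little-endian 64-bit property flags, then length-prefixed fields) and is run on the OpenDNS stamp from the list above. Decoding a stamp and checking the address and provider name against what you expect is a quick way to catch one that was mangled in transit or copied from an untrusted source.

```python
import base64
import struct

# The first resolver from the configuration above: OpenDNS over DNSCrypt.
OPENDNS_STAMP = "sdns://AQAAAAAAAAAADjIwOC42Ny4yMjAuMjIwILc1EUAgbyJdPivYItf9aR6hwzzI1maNDL4Ev6vKQ_t5GzIuZG5zY3J5cHQtY2VydC5vcGVuZG5zLmNvbQ"

PROTOCOLS = {0x00: "plain", 0x01: "DNSCrypt", 0x02: "DoH", 0x03: "DoT", 0x04: "DoQ"}
PROP_DNSSEC, PROP_NO_LOGS, PROP_NO_FILTER = 0x1, 0x2, 0x4


def _lp(buf, off):
    """Read one length-prefixed field (1-byte length) starting at off."""
    n = buf[off]
    return buf[off + 1:off + 1 + n], off + 1 + n


def _vlp(buf, off):
    """Read a length-prefixed list; a length byte with bit 7 set means another item follows."""
    items = []
    while True:
        n = buf[off]
        more, size = n & 0x80, n & 0x7F
        if size:
            items.append(buf[off + 1:off + 1 + size])
        off += 1 + size
        if not more:
            return items, off


def decode_stamp(stamp):
    """Parse an sdns:// DNS stamp into its fields (plain, DNSCrypt, DoH, DoT, DoQ)."""
    if not stamp.startswith("sdns://"):
        raise ValueError("not a DNS stamp")
    b64 = stamp[len("sdns://"):]
    data = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))  # stamps omit '=' padding
    proto = data[0]
    (props,) = struct.unpack("<Q", data[1:9])  # little-endian 64-bit property flag set
    addr, off = _lp(data, 9)
    out = {
        "protocol": PROTOCOLS.get(proto, "unknown(%#x)" % proto),
        "dnssec": bool(props & PROP_DNSSEC),
        "no_logs": bool(props & PROP_NO_LOGS),
        "no_filter": bool(props & PROP_NO_FILTER),
        "address": addr.decode("ascii"),
    }
    if proto == 0x01:
        pk, off = _lp(data, off)
        provider, off = _lp(data, off)
        if len(pk) != 32:
            raise ValueError("DNSCrypt provider public key must be 32 bytes")
        out["provider_pk_hex"] = pk.hex()
        out["provider_name"] = provider.decode("ascii")
        # DNSCrypt v2 provider names are expected to start with "2.dnscrypt-cert."
        out["provider_name_ok"] = out["provider_name"].startswith("2.dnscrypt-cert.")
    elif proto in (0x02, 0x03, 0x04):
        hashes, off = _vlp(data, off)  # SHA-256 hashes of certificate TBS data pinned by the client
        hostname, off = _lp(data, off)
        out["hashes_hex"] = [h.hex() for h in hashes]
        out["hostname"] = hostname.decode("ascii")
        if proto == 0x02:
            path, off = _lp(data, off)  # DoH query path, e.g. /dns-query
            out["path"] = path.decode("ascii")
    return out


if __name__ == "__main__":
    for key, value in decode_stamp(OPENDNS_STAMP).items():
        print(f"{key}: {value}")
```

For the stamp above the decoder reports protocol DNSCrypt, address 208.67.220.220, provider name 2.dnscrypt-cert.opendns.com and no DNSSEC, no-logs or no-filter properties claimed; the decoder also handles DoH, DoT and DoQ stamps, which the post's entry does not exercise.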
Additionally, I wanted to learn how to test DNS-over-TLS queries, which let me verify these servers worked as expected and see directly how the protocol works. However, dig just isn't going to cut it!
Here I install the knot-resolver package (knot-dnsutils on Linux) on Mac via Homebrew to gain access to the kdig tool, then use it to make a DNS-over-TLS query.
```
brew install knot-resolver
kdig +tls @220.127.116.11 target.com
;; TLS session (TLS1.3)-(ECDHE-X25519)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 22716
;; Flags: qr rd ra; QUERY: 1; ANSWER: 4; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 1452 B; ext-rcode: NOERROR
;; PADDING: 351 B

;; QUESTION SECTION:
;; target.com.    IN  A

;; ANSWER SECTION:
target.com.  31  IN  A  18.104.22.168
target.com.  31  IN  A  22.214.171.124
target.com.  31  IN  A  126.96.36.199
target.com.  31  IN  A  188.8.131.52

;; Received 468 B
;; Time 2020-04-21 16:57:18 EDT
;; From [email protected](TCP) in 51.7 ms
```
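kdig hides what actually goes over the wire in the session above. The script below is an added example written for this post (not kdig's or Knot's code): it builds the same A query in DNS wire format, adds the two-byte length prefix that DNS-over-TLS borrows from DNS-over-TCP (RFC 7858), and parses the answer section, including names encoded with compression pointers. The `query_dot` helper performs a live lookup and therefore needs network access; it validates the resolver's certificate against the system trust store. `SAMPLE_RESPONSE` is a constructed response, not a capture: it reuses transaction id 22716 from the kdig run above and the documentation address 192.0.2.1 so the parser can be exercised offline.

```python
import secrets
import socket
import ssl
import struct

TYPE_A = 1


def build_query(name, qtype=TYPE_A, qid=None):
    """Encode a DNS query (RFC 1035 wire format) with the RD flag set."""
    qid = secrets.randbelow(1 << 16) if qid is None else qid
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN


def frame(msg):
    """DoT reuses DNS-over-TCP framing: a 2-byte big-endian length prefix (RFC 7858)."""
    return struct.pack("!H", len(msg)) + msg


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just past the name field)."""
    labels, end, hops = [], None, 0
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:  # compression pointer to an earlier name
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2  # the field ends at the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_response(msg, expected_id):
    """Return (rcode, answers) for a DNS response; answers are (name, type, ttl, rdata)."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if qid != expected_id:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rdlen == 4:
            rdata = socket.inet_ntoa(rdata)
        answers.append((name, rtype, ttl, rdata))
    return flags & 0xF, answers


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the connection")
        buf += chunk
    return buf


def query_dot(server, name, port=853, server_name=None):
    """Live DNS-over-TLS lookup (needs network); the certificate is verified by default."""
    ctx = ssl.create_default_context()
    q = build_query(name)
    with socket.create_connection((server, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name or server) as tls:
            tls.sendall(frame(q))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return parse_response(_recv_exact(tls, length), struct.unpack("!H", q[:2])[0])


# Constructed sample response (not a capture): id 22716 as in the kdig run above, the
# question echoed back, one A record for 192.0.2.1 whose name is a pointer to offset 12.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 22716, 0x8180, 1, 1, 0, 0)
                   + build_query("target.com", qid=22716)[12:]
                   + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 31, 4) + bytes([192, 0, 2, 1]))


def offline_check():
    """Parse the constructed response; returns (0, [("target.com.", 1, 31, "192.0.2.1")])."""
    return parse_response(SAMPLE_RESPONSE, 22716)


if __name__ == "__main__":
    print(offline_check())
```

The id check in `parse_response` is the same mismatch guard a stub resolver applies; over TLS the transport already prevents an on-path party from injecting a response, but the check still catches a misbehaving or reused connection. Call `query_dot("dns.google", "target.com")` to repeat the kdig lookup against one of the resolvers from the configuration above.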