Topic: Adguardhome, NextDNS, ControlD etc.... (Read 645 times)
Calimarina
Newbie
Posts: 8
Karma: 0
Adguardhome, NextDNS, ControlD etc....
« on: August 23, 2024, 11:47:08 pm »
I currently use OPNsense Unbound DNS, with the DNS over TLS function enabled and the blocklist enabled, and was wondering if anyone knew anything about Adguardhome, NextDNS, and/or ControlD. I've tried looking at some "what is this" videos, but can't find the answer I'm looking for and I didn't want to contact the companies. So my question is what information would I be sending them if I used them instead of Unbound? Is it a program that installs in OPNsense of which I have complete control over the information, or would I be sending all my DNS queries and whatever else to these companies? Any information would be greatly appreciated. Thank you.
Koloa
Newbie
Posts: 41
Karma: 4
Re: Adguardhome, NextDNS, ControlD etc....
« Reply #1 on: August 24, 2024, 03:05:41 am »
There are a few ways to answer this, but, in short, if you are using a third-party DNS service, such as NextDNS, Control-D, CloudFlare, Google, etc., then, yes, all of your DNS queries are being sent to them and they can see anything/everything that your devices may attempt to query/lookup.
However, the word that does the heavy lifting above is "can" - that's purely at the technology level of a query leaving your network and going to their systems. Whether or not they log that data, mine it, monetise it, sell it, harvest it, etc etc, is a more complicated question to answer.
You'll want to check the privacy policies of any company that you may forward queries to. Some claim to be quite pro-privacy and that they do not log data related to queries, or, give you transparent access/control to what they log (NextDNS does this for example), as well as where they log it, and for how long.
DoT, DoH, or DoQ are all great ways to protect your DNS queries in transit from unscrupulous ISPs that may tamper with, censor, or otherwise interfere with your DNS activities, but, once the query lands at the DNS provider you may send upstream queries to, that's where things become more complicated.
There are a variety of ways of configuring AdGuardHome that may work to your liking; it allows you to specify what DNSBLs you make use of, and those lists are (I believe, but someone else will correct me if I'm wrong, because that's what the Internet does) kept locally for the purposes of blocking.
That means that if you are using AGH, and your local devices look up "evil.com" and evil.com is on a DNSBL you activated in AdGuardHome, then that query is not sent anywhere other than your local network.
Now, keep in mind that AdGuardHome also permits you to refer queries to upstream DNS resolvers (caching/forwarding resolvers) which AdGuard controls. These may offer additional DNS query protections to minimise certain types of domains (ads, trackers, malware, whatever), but, you do not have to use those; you can use the "Filters" menu of AGH to control what blocklists you want to use, and those are periodically retrieved and downloaded to your local network.
So really the answer to your question falls to how you configure your network to get answers to queries that your local network doesn't know the answer to. At some point you need to ask someone for the data, as gone are the days when we could FTP to DECVAX and download the HOSTS.TXT file (yes, I've been doing this this long. Longer.).
Personally, I'd recommend a layered approach. I use AdGuardHome with a series of custom upstreams for various domains which may either talk to something local I control, or, talk to NextDNS, but, I also have local Filters in AGH, but trust the privacy policy of NextDNS for the things I send them. Read their privacy policy yourself at https://nextdns.io/privacy and see what you think.
But there are lots of other providers of DNS services, and you'll want to carefully review the services and policies of anyone you use.
I'd *like* to use Unbound, but, I've got a very complicated setup that was easier to accomplish in AdGuardHome, particularly because I'm using DoH, DoT, and wherever possible DoQ; and the latter (DNS over QUIC) is still somewhat experimental in Unbound, and I don't believe it's made it to the version in OPNsense yet.
Just my tuppence...
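The routing described in Reply #1 (a blocklist hit is answered locally, a per-domain upstream keeps some names in-house, everything else goes to the default upstream), as an added example that is not part of the original thread and not AdGuard Home's own code. It is a simplified Python model of AdGuard-style `||domain^` rules and `[/domain/]upstream` lines; the query names, `resolver-a.example` and `192.168.1.1` are constructed assumptions.

```python
# Added example, not AdGuard Home's code; all rules and hosts are constructed.
BLOCKLIST = """\
! constructed sample blocklist
||evil.com^
||tracker.example^
"""
UPSTREAMS = """\
# constructed sample upstream list
[/lan/home.example/]192.168.1.1
tls://resolver-a.example
"""
ENCRYPTED = ("tls://", "https://", "quic://")

def parse_blocklist(text):
    """Collect domains from adblock-style '||domain^' rules."""
    lines = (l.strip() for l in text.splitlines())
    return {l[2:-1].lower() for l in lines if l.startswith("||") and l.endswith("^")}

def parse_upstreams(text):
    """Return ({domain: upstream}, default_upstream)."""
    per_domain, default = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[/"):
            domains, upstream = line[2:].split("/]", 1)
            for d in domains.split("/"):
                per_domain[d.lower()] = upstream
        elif line and not line.startswith("#") and default is None:
            default = line
    return per_domain, default

def suffixes(name):
    """'a.b.c' -> ['a.b.c', 'b.c', 'c'], most specific first."""
    labels = name.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

def route(name, blocked, per_domain, default):
    """Return (who receives the query name, whether the hop is encrypted)."""
    if any(s in blocked for s in suffixes(name)):
        return ("local-block", None)  # answered locally, nothing leaves
    dest = next((per_domain[s] for s in suffixes(name) if s in per_domain), default)
    return (dest, dest.startswith(ENCRYPTED))

def disclosure_report(names):
    """Group query names by the party that ends up seeing them."""
    blocked, (per_domain, default) = parse_blocklist(BLOCKLIST), parse_upstreams(UPSTREAMS)
    report = {}
    for n in names:
        report.setdefault(route(n, blocked, per_domain, default)[0], []).append(n)
    return report
```

Encryption on the `tls://` hop only changes the second value `route` returns; the upstream named in the first value still receives the query name.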
Calimarina
Newbie
Posts: 8
Karma: 0
Re: Adguardhome, NextDNS, ControlD etc....
« Reply #2 on: August 24, 2024, 04:02:00 am »
Thank you so much for the reply. It's exactly what I was looking for. I think I'll stick with Unbound as I don't trust companies and my networking knowledge isn't good enough to tell whether I'm screwing myself or not. My network consists of four homes and several family members that work from home. I'd like to make things easier for myself, but not at that expense. Anyway, your response was fantastic and I appreciate it.
lebsack2
Newbie
Posts: 1
Karma: 0
Re: Adguardhome, NextDNS, ControlD etc....
« Reply #3 on: November 23, 2024, 08:08:46 am »
How do encryption protocols like DNS over HTTPS (DoH) and DNS over TLS (DoT) enhance the security of DNS queries, and what limitations do they have regarding the privacy of data once it reaches the DNS provider?