Privacy is built brick by brick, and your DNS layer is one of the most overlooked. Every app you open, every site you touch, every service that leaks telemetry starts with one DNS request. To take back your DNS data, AdGuard and NextDNS are my two go-to tools.
https://untraceabledigitaldissident.com/adguard-vs-nextdns/
Replies (9)
any thoughts on quad9?
They solve different problems and are not interchangeable resolvers.
Quad9 is a public resolver with malware filtering. It does NOT protect from surveillance, telemetry, or advertising networks.
NextDNS is a cloud DNS firewall with full threat intelligence. Protects from advertising, tracking SDKs, fingerprinting, telemetry, CDNs, cross service profiling, and malware.
They are built for different threat models. Use whatever meets your needs.
How is Proton's NetShield?
Self-hosted solutions like AdGuard Home are ideal, since no public internet query is made if the DNS can be resolved locally. DNS-over-HTTPS providers like Mullvad or AdGuard are a good second, since not only is the query encrypted from your ISP but it is also routed through HTTPS traffic, adding more obfuscation. DNS-over-TLS is the last option to be considered: still encrypted, but easier to fingerprint.
Unencrypted DNS or ISP provided DNS should always be avoided. Security and privacy nightmare.
What about Pi-hole, compared to AdGuard?
Couldn't agree more. It is also probably the best bang for your buck in terms of changes you can make to improve privacy.
My issue is that neither of those solutions provide sufficient anonymity. At the end of the day, all that is being done is transferring ownership of your DNS query data to someone else.
Use DNS-over-TLS-over-Tor
https://github.com/piskyscan/dns_over_tls_over_tor
Absolutely, but you're talking about a completely different threat model. AdGuard Home and NextDNS solve a different problem. They aren't anonymity tools. They're privacy and control tools.
DNS over TLS over Tor is the right move when the threat model requires anonymity from the resolver itself. That’s a different job than what AdGuard Home or NextDNS are doing.
And Tor doesn’t replace DNS filtering. Almost nobody wants their entire network pinned through Tor.
Tor is powerful, but most home setups won’t tolerate the latency or fragility. It’s best as an additional lane, not a replacement. Different tools, different jobs, different threat models.
The link I provided is for adapting a PiHole which does in fact provide those features.
Yes, there is added latency because of the Tor network (a feature, not a bug), but I have been running this setup for about 5 years now behind an OPNsense router with little to no issue.
Pi-hole-over-Tor is solid for people who can tolerate the tradeoffs, but that's not what most people need and it's not what the article was about. And it still doesn't change the core point: Pi-hole + Tor is an anonymity stack, not a filtering and telemetry management stack for mixed-device home networks.
Most people are running phones, smart TVs, IoT junk, consoles, work laptops, and devices that melt down the moment DNS latency leaves the building. They need reliability and filtering, not anonymity from the resolver. That’s a different job.
This isn't a "one is better" argument. It's apples and oranges.
AdGuard and NextDNS solve a different problem entirely. They give you per-device policy control, telemetry blocking, encrypted DNS, parental rules, logs, statistics, and custom filtering. Tor doesn’t do any of that. PiHole doesn’t do most of that either.
When people do need anonymity from the resolver, I point them to a separate isolated Tor lane (like my ZeroSentinel Shadow setup) or a per-device solution like Whonix or Tails. That keeps anonymity where it belongs without breaking the entire home network.
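The thread keeps returning to the distinction between a resolver that hides who is asking (Tor) and a local filtering resolver that decides per device what gets answered (AdGuard Home, NextDNS, Pi-hole). The following is an added illustration, not code from any of those projects or from anyone in the thread: a minimal per-client DNS policy engine of the kind such a filtering resolver applies before forwarding a query upstream. The client subnets, group names and domain lists are constructed for the example; the suffix-matching and allow-list-only mode are the general mechanisms, not a transcription of any product's rule format.

```python
"""Per-device DNS filtering policy, illustrating the decision a local
filtering resolver makes before a query ever leaves the home network.
All networks, groups and domains below are constructed sample data."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Constructed blocklists (hypothetical domains, not real list contents).
ADS_TRACKING: Set[str] = {
    "ads.example-adnetwork.net",
    "telemetry.example-vendor.com",
}
# An IoT segment often only needs a handful of vendor endpoints; anything
# else is treated as unexpected and refused (allow-list-only mode).
IOT_ALLOW_ONLY: Set[str] = {
    "firmware.example-iot.com",
    "time.example-ntp.org",
}


@dataclass
class Policy:
    name: str
    blocked_suffixes: Set[str]
    # When set, every name NOT under one of these suffixes is blocked.
    allow_only: Optional[Set[str]] = None


POLICIES = {
    "default": Policy("default", ADS_TRACKING),
    "iot": Policy("iot", ADS_TRACKING, IOT_ALLOW_ONLY),
    "kids": Policy("kids", ADS_TRACKING | {"example-social.com"}),
}

# Constructed client-to-group mapping for a hypothetical segmented LAN.
CLIENT_GROUPS = [
    (ipaddress.ip_network("192.168.10.0/24"), "iot"),
    (ipaddress.ip_network("192.168.20.0/24"), "kids"),
]


def group_for(client_ip: str) -> str:
    """Map a querying client to its policy group; unknown clients get default."""
    ip = ipaddress.ip_address(client_ip)
    for net, group in CLIENT_GROUPS:
        if ip in net:
            return group
    return "default"


def matches_suffix(qname: str, suffixes: Set[str]) -> bool:
    """True if qname equals, or is a subdomain of, any entry in suffixes.
    'cdn.ads.example-adnetwork.net' matches 'ads.example-adnetwork.net'."""
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in suffixes for i in range(len(labels)))


def decide(client_ip: str, qname: str) -> Tuple[str, str, str]:
    """Return (verdict, policy name, reason) for one query from one client."""
    policy = POLICIES[group_for(client_ip)]
    name = qname.rstrip(".").lower()
    if policy.allow_only is not None and not matches_suffix(name, policy.allow_only):
        return ("BLOCK", policy.name, "not on allow list")
    if matches_suffix(name, policy.blocked_suffixes):
        return ("BLOCK", policy.name, "blocklist")
    return ("ALLOW", policy.name, "no rule")


def run_sample() -> list:
    """Evaluate a few constructed queries, as a resolver's query log would show."""
    sample_queries = [
        ("192.168.1.5", "www.example.org"),
        ("192.168.1.5", "cdn.ads.example-adnetwork.net"),
        ("192.168.10.7", "api.example-cloud.com"),
        ("192.168.10.7", "firmware.example-iot.com."),
        ("192.168.20.3", "m.example-social.com"),
    ]
    return [(ip, q) + decide(ip, q) for ip, q in sample_queries]


if __name__ == "__main__":
    for ip, qname, verdict, policy, reason in run_sample():
        print(f"{ip:14} {qname:32} {verdict:5} [{policy}] {reason}")
```

The point the example makes concrete: the verdict depends on the querying client, the query still reaches an upstream resolver whenever it is allowed, and nothing here hides the household from that upstream. That is exactly why the thread treats this kind of tool and a Tor lane as answers to different threat models.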