I’ve set up two public BETA recursive caching DNS servers, testing the feasibility of blocking Advertising and Malware at the DNS level. Both servers are listening on port 53 (UDP and TCP) as well as ports 443 and 853 (TCP for DNS over TLS). By utilizing these DNS servers, you implicitly certify that you are only utilizing them for personal/home use. If you utilize this service and discover issues, please contact me via
- address_data: 220.127.116.11
- address_data: 18.104.22.168
Note #1: Do not add the 'tls_pubkey_pinset' option, as I rotate the keys regularly.
Note #2: I suggest using the setting 'dnssec_return_status: GETDNS_EXTENSION_FALSE', as the ZeroDNS DNS servers modify the replies for the advertising and malware domains, which violates DNSSEC for those domains. Resolution will work with it set to true but it may be slower.
Why block advertising? In short - if your service/product is good, people will be willing to pay for it. Ad networks have been used for malicious actions in the past - see "Malvertising". In addition, advertising companies have been known to violate users' privacy - see services like Panopticlick to see what information your browser is revealing and read up on methods like "LSOs" and "Canvas Fingerprinting" for a glance into some of the things advertising agencies are using to track you. This site also provides a good in-depth analysis of the benefits of ad blocking. As far as I'm concerned, advertising poses a threat; especially for less technical people who may not know the difference between a legitimate pop-up exclaiming that their browser needs to be updated and an illegitimate one. Don't get me wrong though, I understand the rationale for advertising - You offer something (like an app, website, service) for free, and more people will use it. In order to monetize it (which is only natural when you're spending your time/money to provide it), advertising is usually the go-to option.
Why block domains associated with malware? It provides a good first level of defense, especially if you're running a network where a lot of uncontrolled devices may enter and exit the network periodically (like a home network). Most people have their devices configured to use whatever DNS server is provided to them by the gateway, which gives a network administrator the ability to control what domains can and cannot be accessed from their network.