Although Google's 8.8.8.8 DNS server is a popular alternative DNS server to the ones provided by your ISP, the privacy implications are too bothersome for me. While looking into privacy respecting alternative DNS servers, I found that the OpenNIC pool is fairly popular.
I'm not certain how I feel about the trustworthiness of these servers however. They have implemented their own extensions to the root zone outside of the IANA's authority. What would stop them (other than public scrutiny) from redefining portions of the root zone that IANA defines?
I understand that it's considered harmful to forward DNS queries directly to the DNS root nameservers on a large scale, but it seems like the only way to ensure both correct* and private results would be to have a caching, recursive resolver on your local network. For a single home network this wouldn't be burdensome to the root servers, but it definitely would not scale to every household.
So should I use OpenNIC or forward to the root servers? My own ISP is out of the question because they routinely DNS hijack.
* without widespread DNSSEC adoption, which would solve the correctness-aspect but not the privacy one.
Best Answer
The question of truth is not a technical one at its core, so you can never fully answer a question such as "Should I trust X", specifically if you add "... not to do action Y in some Z distant future".
Especially since in your question you seem both unsure about the provider itself, and what happens on the path between the provider and you.
If you want to be more in control of your resolution process you have mainly no other choice than running your own recursive caching nameserver, either on your host directly, or on some other one that you would trust. Especially if you want to fully ascertain to use features provided by DNSSEC: if you use a distant validating nameserver you trust it to do all the DNSSEC calculations correctly for you.
So I will not even try to assess if 1.1.1.1 (CloudFlare) or 8.8.8.8 (Google) or 9.9.9.9 (IBM+PCH+GlobalCyberAlliance) or OpenNIC or any other on https://en.wikipedia.org/wiki/Public_recursive_name_server or elsewhere is trustworthy or more trustworthy than another one. It is also a hugely personal opinion (who do you give your trust to), and it shifts over time.

Your assertion "but it definitely would not scale to every household." is not so clear cut. The movement is more and more for people to handle their DNS resolution in house (or forward to one of the previous public ones), and the root servers have plenty of capacity. Note that the problem may not lie there in fact as this zonefile moves slowly, is small, and cached everywhere. The problem could be far more at some TLD nameservers, like .COM, where the zonefile has both millions of entries and regular changes that may not be small.

You have various options on the table, that you can sometimes mix and match:
To expand your knowledge, this wiki may be a good start: https://dnsprivacy.org/wiki/
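As an added example (not part of the question or the answer above), here is a minimal Unbound configuration for the kind of local validating, caching recursive resolver the answer recommends: it iterates from the root instead of forwarding, validates DNSSEC itself, and minimises what it reveals to upstream servers. The file paths are assumptions for a typical Linux package install and differ between distributions.

```conf
# unbound.conf: local validating, caching recursive resolver (added example)
# Assumes an Unbound package install; the paths below are assumptions.
server:
    # Listen only on loopback so the resolver is not reachable from outside
    interface: 127.0.0.1
    interface: ::1
    access-control: 127.0.0.0/8 allow
    access-control: ::1/128 allow
    access-control: 0.0.0.0/0 refuse

    # Iterate from the root hints instead of forwarding to a public resolver;
    # the root zone is small and slow-changing, so it caches well locally.
    root-hints: "/var/lib/unbound/root.hints"

    # DNSSEC validation is done here, so no distant resolver's answers or
    # "ad" bit have to be trusted. The trust anchor file is kept current by
    # Unbound itself following RFC 5011 key rollovers.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    harden-dnssec-stripped: yes
    val-clean-additional: yes

    # Privacy toward authoritative servers: send each server only the labels
    # it needs (RFC 7816) and do not disclose the resolver software or version
    qname-minimisation: yes
    hide-identity: yes
    hide-version: yes

    # Cache behaviour: refresh popular records and DNSKEYs before they expire
    # and use NSEC records to answer non-existence from cache
    prefetch: yes
    prefetch-key: yes
    aggressive-nsec: yes
```

With the host's resolver pointed at 127.0.0.1, a `dig +dnssec` query for a name in a signed zone should come back with the `ad` flag set by this local instance, and a name whose signatures fail validation should be answered with SERVFAIL rather than a forged record.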