Choosing Your DNS Resolver
Should you use your ISP's DNS, switch to a public resolver, or run your own?
Last updated: July 10, 2025

Introduction
If you spend any time on tech forums or read articles about "speeding up your internet," you will inevitably encounter the same piece of advice: change your DNS resolver. The Internet's conventional wisdom (at least here in America) is that your Internet Service Provider's (ISP's) DNS servers are awful, slow, and probably spying on you. The narrative suggests that a simple switch to a public service like Google's 8.8.8.8 or Cloudflare's 1.1.1.1 will fix all your problems, allegedly making your internet faster, more private, and more secure.
This advice irks me. Not because it's entirely wrong, but because it's dangerously incomplete. The choice of a DNS resolver is a significant one that involves real trade-offs between performance, privacy, and control. Let's explore this topic deeper and look at the three main paths you can take.
(This article will focus primarily on Cloudflare and Google as they are the most popular options, but there are other options out there.)
First, What is a DNS Resolver?
In the context of your home network, a DNS resolver (or recursive resolver) is the intermediary service your devices use to translate human-friendly domain names (like diggingdns.com) into computer-friendly IP addresses.
Every time you visit a website, your computer or router sends a query to its configured DNS resolver. That resolver then goes out and finds the correct IP address from the global Domain Name System (DNS) and sends it back to your device. By default, the resolver you use is assigned by your ISP. Your choice is whether to stick with that default, pick a different public one, or become your own resolver.
Option 1: The ISP's Default Resolver
This is the "do nothing" option. Your router gets its DNS settings automatically from your ISP, and every device on your network uses it by default.
Pros:
- Ultimate Simplicity: It requires zero configuration. It just works, which is the right choice for the vast majority of non-technical users. If you're afraid of doing anything even slightly more advanced with your computer settings, you are right to leave this alone.

Cons:
- Performance: ISP resolvers can sometimes be slower than the highly optimized, globally distributed networks of major public resolvers.
- Potential for Tracking: Your ISP can see every DNS query you make. While this is also true of any third-party resolver you use, your ISP can directly tie this browsing data to your account, your name, and your physical address. Whether they use this for analytics, sell anonymized trend data, or simply comply with law enforcement requests, each of these is a valid consideration.
- Lack of Features: ISP resolvers typically offer no advanced features like malware filtering or customizable blocklists.
Option 2: The Public Resolvers (Google, Cloudflare, etc.)
This is the path most online tutorials recommend. You manually change the DNS settings on your router or computer to use a public service like Google (8.8.8.8) or Cloudflare (1.1.1.1).
Pros:
- Performance: These services are often very fast, with data centers all over the world, meaning your queries may be answered by a server geographically closer to you.
- Security Features: Some public resolvers (like Quad9 [9.9.9.9]) offer built-in filtering of known malicious or phishing domains, adding a layer of security. Services like DNS-over-HTTPS (DoH) can also encrypt your DNS traffic, preventing snooping on local networks.

Cons:
- The "Privacy" Misconception: You are not necessarily gaining absolute privacy. You are simply shifting who you trust with your data from your ISP to a massive tech corporation. These services are "free" because the data is valuable. Cloudflare, for example, uses the aggregate data it collects to publish public internet trend reports. You are trading your query and browsing data (even if it is more anonymized) for their service.
- The Risk of Centralization: DNS was designed to be a massively decentralized system, which makes it resilient. By pushing a huge percentage of the world's DNS lookups to one or two companies, we create central points of failure. There are [examples](https://www.wired.com/2016/10/internet-outage-ddos-dns-dyn/) of major outages that took down a significant portion of the internet, demonstrating the real-world risk of this centralization.
- Geopolitical Risk: As these two major providers are both US entities, they are subject to US laws and law enforcement requests. The concentration of global DNS traffic within a single legal jurisdiction could, theoretically, put the entire world's internet access and privacy at risk if policies were to change.
A Note on the Limits of DoH and Encrypted DNS
It's crucial to understand the limitations of privacy features like DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT). While these protocols are excellent at encrypting the "first mile" and "last mile" of your DNS query, thereby preventing anyone on your local network or your ISP from easily seeing the domains you are looking up, the privacy gains largely stop there. Your chosen DoH provider (be it Google, Cloudflare, or another service) still sees your IP address and a complete record of every domain you query. You are still simply shifting your trust from your ISP to the DNS provider. Furthermore, once your encrypted query reaches the resolver, it then performs standard, often unencrypted, DNS lookups out to the authoritative nameservers across the internet to find the answer. In essence, DoH privatizes your connection to the resolver, but it doesn't make your browsing habits anonymous from the resolver, nor does it encrypt the entire end-to-end DNS resolution path.
Option 3: Running Your Own Resolver (The Enthusiast's Path)
I once heard Paul Vixie, a contributor to the creation of the domain name system, state in a presentation something to the effect of how "we don't need to use Google's resolvers... we can run our own." Hearing the statement was a bit intimidating at the time, given his work. However, nearly a decade later, I understand what he means and he is 100% right.
The third alternative, and my personal preference, is to run your own recursive DNS resolver right inside your own network. This can be done with powerful open-source software like Pi-hole, Technitium, Knot Resolver, or even the venerable BIND9.
Pros:
- Maximum Control & Privacy: No third party sees your raw DNS queries. You can implement network-wide ad-blocking, custom blocklists for trackers or malware, and see exactly what devices on your network are calling out to. The query data never leaves your network.
- Potentially Faster (for you): A local resolver with a healthy cache can often serve up frequently visited domains instantly, without ever having to go out to the internet.

Cons:
- The Tinkering Rabbit Hole: Setting it up is a project. Maintaining it, updating blocklists, and troubleshooting issues can become a time-consuming hobby.
- The Single Point of Failure: If your resolver hardware fails or the software crashes and doesn't recover, your entire home network may lose internet access until it's fixed. This can lead to some... unhappy feedback from roommates or family members.
- The Privacy Caveat: This is a crucial point. While running your own resolver hides your query patterns from your ISP or Google/Cloudflare, it does not make you anonymous on the internet. Your home IP address will still perform lookups directly against the internet's authoritative nameservers, which is by design.
(This article will not serve as a tutorial for setting up these services, but I encourage you to explore the links above if you are interested.)
So, Which Should You Use?
There is no single "best" answer; the right choice depends entirely on your needs and technical comfort level.
- For the "Keep it Simple" User: Stick with your ISP's default resolver. It requires no effort, it's supported by them, and it just works. The marginal benefits of switching are not worth the potential hassle.
- For the Light Enthusiast/Tinkerer: Public resolvers like 8.8.8.8 or 1.1.1.1 are a great starting point. They let you easily experiment with changing DNS settings and see if you notice a performance difference, without the commitment of maintaining your own hardware.
- For the Parent, Security, or Privacy-Focused User: A filtering DNS resolver is likely your best choice. This can be a public resolver specifically designed for security (like Quad9's 9.9.9.9, which blocks malicious domains) or, for maximum control, a self-hosted solution like Pi-hole where you can fine-tune ad-blocking and content filtering lists yourself.
Conclusion
The go-to internet advice to "just change your DNS" often treats the subject as a simple switch with no downsides. The reality is a nuanced decision between convenience, performance, privacy, and control. There is no magic bullet. By understanding the role of the DNS resolver and the real trade-offs between your options, you can make an informed choice that best fits your needs, rather than just following the hype.