Choosing upstream DNS for Proxmox homelab — what do people actually use?

PaddraighNet

New Member
Mar 30, 2026
Setting up a new Proxmox cluster for my homelab and thinking about the DNS side of things. Currently my VMs and containers just inherit whatever DNS my router hands out via DHCP (Cloudflare 1.1.1.1). Works fine but feels like there might be a better approach.

For those running Proxmox at home — what upstream DNS do you point your VMs at? Do you run your own recursive resolver (Unbound etc) or just point everything at a public provider? And if public, how did you pick which one? I've seen people swear by Quad9 for the malware filtering, others say just use whatever is geographically closest.

Is there a good up-to-date list of public DNS servers somewhere? Most of the comparison sites I've found are years out of date.
 
what upstream DNS do you point your VMs at?
Link-local IPv6 and IPv4 of OPNsense. No pointing from me though; that is done via RA and DHCP.
Do you run your own recursive resolver (Unbound etc)
Yes. OPNsense does that by default.
Is there a good up-to-date list of public DNS servers somewhere? Most of the comparison sites I've found are years out of date.
I don't think much has changed. Quad9, Cloudflare, each with their different DNS with different blocklists.

I for one would trust my ISP more than any of these guys. And I think I can get a better blocklist by subscribing to others. And I can whitelist stuff. And I can create split DNS for local overrides.
 
Interesting — so both of you run your own resolvers rather than forwarding to a public provider. Makes sense for privacy. @UdoB when you set up Quad9 as the upstream for your Pi-holes, did you just go with the default 9.9.9.9 or did you test whether there's a closer Quad9 node for your location? I'm wondering if the Anycast routing always picks the best one or if some locations end up hitting a node further away than expected.
 
when you set up Quad9 as the upstream for your Pi-holes, did you just go with the default 9.9.9.9 or did you test whether there's a closer Quad9 node for your location?
The default works fine for me - I do not see the need for any optimization. I am in Germany with copper DSL:

Code:
~# ping 9.9.9.9
PING 9.9.9.9 (9.9.9.9) 56(84) Bytes Daten.
64 Bytes von 9.9.9.9: icmp_seq=1 ttl=57 Zeit=16.7 ms
64 Bytes von 9.9.9.9: icmp_seq=2 ttl=57 Zeit=12.8 ms
64 Bytes von 9.9.9.9: icmp_seq=3 ttl=57 Zeit=13.0 ms
64 Bytes von 9.9.9.9: icmp_seq=4 ttl=57 Zeit=14.2 ms
64 Bytes von 9.9.9.9: icmp_seq=5 ttl=57 Zeit=12.8 ms
 
I run pfSense as my firewall router. I use 1.1.1.3 and 1.0.0.3 for my upstream DNS. I also use pfBlockerNG to do IP blocking to malicious sites. So I lock down my network with regards to DNS. Through firewall rules, port 53 can only be reached on my pfSense and port 53 is blocked on all other IPs. I also completely block DNS over TLS and DNS over HTTPS. Finally, I also use SSL/TLS for queries to forwarding servers so all my DNS requests are encrypted and can't be intercepted (in theory).

NOW, this setup will break certain things like my Ring cameras. But because most of this setup is via firewall rules, I can turn it off for my IoT VLAN or for specific devices.

I tend to use Cloudflare for a lot of stuff. They host my domains, I use the Cloudflare tunnels, and I even use their R2 storage as cheap backup storage. I have been satisfied with their services.
 
East-West firewall/router system (1x gateway OPNsense + 2x HA OPNsense) with Unbound against the root servers. For VMs and containers, I usually run Technitium DNS in a cluster which has a copy of the root zone as a secondary zone.
 
This may be mostly off-topic, but hey, you may ignore this post.

I tend to use Cloudflare for a lot of stuff.
A lot of people do. Actually too many people (better: services) do, including the bad guys.

I hate CDNs, at least the large ones from Cloudflare, Google, Microsoft/Azure and Amazon. They work great, so why is that?

Every year I try to connect my Samsung TV to the internet. Every year I fail and disconnect it completely. It is absolutely impossible to create a whitelist for that thing to be able to run software updates. It is impossible to create a whitelist for a specific service, be it Netflix, Google or Amazon Prime. Every time I try this I end up with an endless list of subnets of multiple ASes. I need to whitelist millions (yes, literally!) of IP addresses to be able to start using that TV without runtime hiccups/timeouts if I try to reduce that crazy large whitelist.

The reason is - obviously - that there is no small list of IP addresses of the servers for e.g. Amazon Prime.

Why am I upset? Because the requirement to allow so many CDN addresses does not only allow access to my - let's say - five wished services. It allows access to the vast and unlimited amount of bad (from my point of view) servers around the world.

Now my network cable of that "Smart" (what an irony!) TV is simply disconnected...

Again: please ignore the rant - or tell me a usable solution to solve that puzzle ;-)


Back to "on-topic":
I use the cloudflare tunnels
Yes, the tunnels are great. Mostly for DDoS protection and for not requiring port forwarding into my home.

If you have an external VPS or are willing to rent one for ~two dollars per month, take a look here: https://github.com/fosrl/pangolin = "Tunneled Reverse Proxy Server with Access Control - Your own self-hosted zero trust tunnel."

This is a free Cloudflare Tunnel clone. Some (many?) features are missing, of course - e.g. the DDoS protection part. But it successfully and completely removes the necessity to open any ports on your home router.

Oh, and you own the underlying key for the Let's Encrypt certificates, not some potentially problematic third-party provider. This is really important for paranoia level three and above ;-)

I have been using/testing it since spring 2025; so far it works really great.

Note that I am talking about a Homelab with light traffic, nothing important.

Have fun :-)
 
And if public, how did you pick which one?
What is wrong with the one your provider offers you? I always used it without thinking about it. It is the fastest possible for upstream requests.

tell me a usable solution to solve that puzzle ;-)
Sadly, I don't have one either, yet I have an idea: I want to use a proxy that is capable of masking the redirection that is done on the HTTP level and just forwards the data that the client wants. I don't know if this would work or even exists, but it would be some MITM-capable proxy that just has a whitelist, e.g. Netflix, and every connection that is requested will not redirect on the client but just yield data from the multiple-redirected backend traffic. I think this is prohibited by certificate pinning etc., but one would need to investigate.

Besides Netflix and the Samsung update, I have the same problem with Homebrew or the official Docker registry, which is nowadays also on a CDN. I ended up having a special machine that has access to the CDN and acts as a local Docker registry which has the allowed-image list cached and has to be used as upstream from all the client machines.
 
yet I have an idea: I want to use a proxy, that is capable of masking the redirection that is done on http level and just forward the data that the client wants.
Interesting idea. But... I only know that I want my (for example) Netflix to receive the stream of data for my chosen video; I do not know any technical details of that streaming-protocol level. Of course that's a limitation of my personal knowledge, but I really hesitate to open that can of worms. I am not able to start a reverse engineering project just to whitelist some service.

A theoretical solution could be a high level proxy with deep packet inspection. But those streams are probably secured by crypto, for some... reasons. And they are probably different for all those independent providers.
 
This is a free Cloudflare Tunnel clone.
Again, to each his own, or as my kids would say, "you do you". ;) I like the Cloudflare tunnels. I like the WAF that is included, I like how it accelerates caching for my websites. But most of all, I am not worried that somehow Cloudflare is spying on me. Even if they are, I don't care, TBH. My damn cellphone spies on me more.
 
To each his own as they say. I stick my TVs in their own VLAN, lock it down with firewall rules,
That's what I am trying to do ;-)

But... I need to whitelist the source of a video stream of Amazon Prime - and I can not find "the single IP address" of that connection, as there is none.

It is just me - everybody else on this planet accepts the technical reality of CDNs...
 
When I say I lock it down with firewall rules, I mean that the TV VLAN can't break out into my other VLANs. I don't try to filter what my TV receives. Seems like a waste of my time personally. The blast radius is confined to other TVs on that VLAN. With no ports open on my firewall, and the DNS records for my websites pointing to a Cloudflare IP address, the only thing I really contend with is random port scanners. I run CrowdSec on everything, and that is all that is ever reported. That's enough security for my risk tolerance level.
 
What is wrong with the one your provider offers you? I always used it without thinking about it. It is the fastest possible for upstream requests.
Even if it is the fastest (mine isn't), it might not be the best (for various reasons, depending on the user's situation and needs). :cool:

I'm pasting excerpts from an AI overview of the term "risk of isp dns":


Key Risks of ISP DNS:

  • Privacy Violations: ISP DNS servers track and log every website you visit, which can be sold or shared for advertising purposes.
  • Data Snooping & Selling: Because queries are not encrypted, your ISP has a complete, detailed profile of your online activities.
  • Censorship and Blocking: ISPs can, and often do, censor, redirect, or block websites by manipulating DNS responses.
  • Security Vulnerabilities: ISP DNS servers often lack robust protection against phishing and malicious websites.
  • Performance Issues: ISP DNS servers are often slower than third-party alternatives, resulting in higher latency and slower page loads.

P.S. I have personally experienced this "Censorship and Blocking" as a fact.
 
run your own resolvers rather than forwarding to a public provider. Makes sense for privacy

FWIW, pfSense can forward DNS requests using TLS: https://docs.quad9.net/Setup_Guides/Open-Source_Routers/pfSense_(Encrypted)/ (and OPNsense, see link in left nav menu there).

re: anycast, it routes to closest: https://quad9.net/support/faq/#up_time (you may need to scroll up a bit from there to see that question). That is the green dots on https://quad9.net/service/locations/. I'm sure others are similar.
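As an added example that is not from any poster in this thread, here is what the three setups discussed above (split DNS for local overrides, TLS to the forwarding servers, and the Quad9 DNS-over-TLS link) amount to in a stand-alone Unbound configuration for a resolver that serves the Proxmox VMs. The subnet 192.168.10.0/24, the resolver address 192.168.10.1, the zone home.lab, the host names and the CA bundle path are assumptions; pfSense and OPNsense generate their Unbound config from the GUI, so this is a hand-written equivalent, not a file taken from either product.

```conf
# Added example (not from the thread): /etc/unbound/unbound.conf for a homelab
# resolver that serves Proxmox VMs, overrides local names (split DNS) and
# forwards everything else to Quad9 over TLS with certificate verification.
# Assumed values: LAN 192.168.10.0/24, resolver 192.168.10.1, zone "home.lab".
server:
    interface: 192.168.10.1
    interface: 127.0.0.1
    port: 53
    # Only the homelab subnet may query; everything else is refused.
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.10.0/24 allow
    access-control: 0.0.0.0/0 refuse

    # DNSSEC validation and the usual hardening options.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    harden-dnssec-stripped: yes
    harden-glue: yes
    qname-minimisation: yes
    hide-identity: yes
    hide-version: yes
    prefetch: yes

    # CA bundle used to verify the TLS certificate of the upstream resolver
    # (Debian path, assumed). Without it, forward-tls-upstream encrypts the
    # query but does not authenticate who answers it.
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

    # Split DNS: answer local names here and never send them upstream.
    local-zone: "home.lab." static
    local-data: "pve1.home.lab. IN A 192.168.10.11"
    local-data: "pve2.home.lab. IN A 192.168.10.12"
    local-data-ptr: "192.168.10.11 pve1.home.lab"
    # Upstream answers pointing into private space are dropped (rebinding),
    # except for the local zone served above.
    private-address: 192.168.0.0/16
    private-domain: "home.lab."

# Weak variant (what plainly "pointing at 1.1.1.1" amounts to): unencrypted
# UDP/53 to the upstream, readable and spoofable by anyone on the path.
#forward-zone:
#    name: "."
#    forward-addr: 1.1.1.1

# Hardened variant: DNS over TLS on 853, with the authentication name after
# '#' so Unbound checks the certificate against dns.quad9.net.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
```

After `unbound-checkconf` passes, the firewall rule from the thread (port 53 reachable only on the resolver, 853 and known DoH endpoints blocked from the VM VLAN) is what stops a VM from quietly using a different upstream.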