Your ISP Is Watching Everything - Fix It With DNS Filtering!

By Dad, the engineer

Summary

Topics Covered

  • DNS Leaks Your Life Story
  • Filtering Blocks 70-90% Junk
  • Router DNS Covers All Devices
  • Self-Hosted Resolver Eliminates Middlemen
  • Local DNS Boosts Speed and Security

Full Transcript

If your smart TV is spying on you, your phone is narcing, and your ISP is selling your secrets, this video is for you. I've made a few videos lately, including one about VPN services and two about smart TV surveillance and tracking. They're linked in the video description below. In them, I briefly touched on DNS. DNS filtering sounds boring, but it can kill 70 to 90% of the junk hitting your devices. Less tracking, fewer ads, more privacy across almost every device you own, and it's easier than you think.

Welcome back to Dad Explains Everything. Today, I'm covering DNS filtering. This quality-of-life hack will change your online experience in all the right ways. Sound technical? Well, it can be, but I've also made sure that there's something in here for everyone. After all, I think this stuff is fun, but I've also been doing it for decades. So, if that's not you, don't worry. There are solutions in this video for people of every level of technological curiosity and capability. Better still, the easiest of these solutions only takes a few minutes to enable. Let's go.

So, what is DNS? How does it work? And how does it leak your life story? DNS, or the domain name system, is basically the internet's phone book. But instead of finding tow trucks, it finds servers. You see, internet communication works with IP addresses that look like this or this. But normal people don't remember IP addresses. So DNS was created to allow structured names like www.youtube.com to be translated to something like this. When you type youtube.com, your device asks a DNS server, "Hey, where's YouTube?" And here's the journey, simplified a bit for non-networking people. First, your device asks the DNS resolver about youtube.com. That resolver asks the root DNS servers. They point to the top-level domain server, and that server points to YouTube's authoritative DNS server, and you get back an IP address. Your browser then connects to that IP. This loop happens hundreds or thousands of times per hour per device. Your phone does it, your laptop does it, your apps do it, your smart TV does it, and your IoT dishwasher probably does it, too. Because apparently someone needs to know that you've enabled storm wash.

So, if DNS requests are basically cross-reference lookups, what's the problem? After all, DNS requests are basically a timestamp, your IP address, the host or domain that you're trying to access, and the device that asked. That still doesn't really seem like a big deal until you realize these requests reveal a ridiculous amount of data: when you wake up, when you go to sleep, what apps you open, what sites you visit, what streaming services you're watching on your TV or other devices, when you're home, away, or on vacation, what devices you own, and your entire behavioral pattern mapped second by second. ISPs love this data because they sell it. They build profiles from it, and they use it for ad targeting. DNS is one of the largest unregulated privacy leaks in your digital life, which makes it the perfect thing to fix. And there are multiple ways to do that: encrypted DNS, third-party filtering services, or hosting your own DNS server. I'll cover all of those, but first, let me show you the DNS trick that gives you instant privacy improvements.

The simple but powerful trick is to have a DNS server respond to host names you don't want your devices talking to by either failing to resolve the host or domain or returning a bogus IP. It's essentially like adding fake entries to a hosts file. Put another way, it's like me ripping out the pages of the phone book belonging to scammers, stalkers, telemarketers, and people trying to sell you magic supplements on TikTok. If a domain is blocked at the DNS level, the ad server can't load and won't show ads. The tracking pixel never fires, so there's less tracking of your activities. The telemetry server never receives your device's analytics, and ACR requests from your smart TVs never reach their corporate mothership.

So, here's an incomplete list of what DNS filtering can block: banner ads, mobile app tracking, smart TV tracking, background telemetry, analytics beacons, direct data exfiltration to data brokers, hidden scripts in mobile apps, botnet callbacks, malware domains, and phishing sites. And here's a partial list of what DNS filtering cannot block: YouTube ads that are served from the same domain as the video, in-stream TikTok and Instagram ads, and Netflix and Hulu ads on ad-supported plans. As you can see from the exceptions, DNS filtering isn't a magical ad killer. It's a network-level bouncer who kicks out 70 to 90% of the trash before it reaches your devices. Your browser doesn't have to do the work. Your devices don't have to do the work. The network takes care of it before anything loads. And your smart TV? It gets the digital equivalent of its mouth duct-taped shut. If you haven't watched part one and part two of my smart TV surveillance videos, I highly recommend them, as they show you how to turn off this tracking at the source. But DNS filtering is good as a backup in case you don't trust the manufacturers to honor your settings.

So, I promised you that there would be a gradient of options, and there is. Generally, you can pick from solutions that are free, free with an asterisk, and subscription-based but relatively inexpensive. Some of the solutions are easy enough for your grandparents, while others stray into "Dad has opened a terminal window and things are about to get serious." As always, I'm happy to engage with all of you in the comments section. If I missed one of your favorite solutions or if you have questions, feel free to write me below.

With that, I'm going to start with the beginner tier. These are on-device solutions, which are the easiest to implement. If you don't want any new hardware, you want immediate results, and you don't want to have to change your router settings, the beginner tier is for you. The huge upside is that this protection follows you everywhere: your phone, your laptop, and your tablet. The downside is that you need to set it up on each device individually, and not every device exposes DNS settings. In this tier, I'm partial to solutions that don't require you to install another app. So, I prefer NextDNS, which provides cloud DNS filtering, a giant blocklist library, an analytics dashboard, per-device profiles, parental controls, and an excellent interface. Also quite good is AdGuard DNS. It has many of the same features as NextDNS, but also includes pre-built filtering and has a simple setup. If you do want an app, you can go with a solution like AdGuard in device mode. It's simple, effective, and works on tablets, phones, and laptops. It blocks ads and tracking at the DNS level, and it doesn't require any operating-system-level configuration.

These options are not the only ones in the tier, but they are probably the most popular and effective. Competitors include Control D, CleanBrowsing, Quad9, SafeDNS, DNSFilter, WebTitan, Cloudflare 1.1.1.1, and OpenDNS Home. The thing you need to know is that there are free but limited tiers for several of these options. They can have usage or device limits. Some providers even have free trials. Generally, most people will benefit from selecting a paid tier, but these solutions tend to be inexpensive, with the pro tier of NextDNS coming in at under $20 a year and the personal tiers of the AdGuard app at around $31 a year. Those prices are in US dollars. But remember, using a third-party DNS provider does not solve the ISP spying problem unless the provider supports encrypted DNS with DoH, DoT, or DoQ. And if the site you're visiting supports ECH, which is Encrypted Client Hello, the ISP won't even see the SNI, the part of the handshake that normally reveals which site you're connecting to. What's the difficulty level of this? Well, Android, iOS, macOS, Windows, Linux and BSD, ChromeOS, and many browsers can all be configured in under 5 minutes, and anyone can do this.

The next tier is the intermediate tier, and this is for people who want all devices protected, including smart TVs, streaming boxes, consoles, smart speakers, and random IoT nonsense. The same DNS filtering you used on your devices can be configured on your router, instantly covering your entire home network. The massive benefit is that all of your devices receive the benefits of the ad and tracker blocking along with the DNS encryption of DoH, DoT, or DoQ, assuming it's supported. There are two notable downsides. First, you'll still want on-device config for portable devices to protect them off-network. Second, you have to log into your router to set the DNS settings. If you've logged into your router before to forward a port or to set a Wi-Fi password or whatever else, this won't be a big deal. For everyone else, this can be kind of difficult.

The first thing to do is to identify the address of your router. It differs depending on the device you're using. From Windows, you open a command prompt. You type ipconfig. You look for the default gateway, usually starting with a 10 or a 192.168 address. You open a web browser and use the IP address for the default gateway. You log into your router using your username and password. And you go to the WAN or internet settings to change your DNS server settings. The problems are: you forgot the router password. You may have set it up months or years ago and forgotten it, or it may be printed on a sticker on the router itself. You can't find the DNS settings. Ask in the comments; I can help. Or you realize your router is ancient and should be replaced or should be reloaded with WRT. I have a video on routers linked in the description below.

The next tier is the expert tier, and this is also made up of network-wide solutions. The main difference in this tier is that you're hosting this solution yourself. This can be done in a container, on a minimal computer like a Raspberry Pi, or even as an app with some router ecosystems like pfSense or OPNsense. The software is free. The hardware is cheap. Also, these solutions are generally more powerful, flexible, and extensible. The main players are Pi-hole, the legendary Linux-based ad blocker. It runs on Linux and on minimal hardware like a Raspberry Pi. It can run in a container. It uses blocklists. It protects every device on your network. It's highly customizable, and it's got serious geek rizz. There's also AdGuard Home, which is like Pi-hole, but has an easier setup, a cleaner interface, more built-in features, and is great for beginners. And while I'd probably say that AdGuard Home is objectively better, I personally prefer Pi-hole. But that's mostly because I've been using it for longer. Generally speaking, though, there's not much daylight between the two in terms of capabilities. In terms of setup, both are fairly straightforward. The most difficult step for most will probably be setting their router to use the local blocker as their router's DNS server.

This brings us to S tier. This tier takes "trust no one" to the next level. Pi-hole and AdGuard Home normally act as DNS forwarders relying on a third-party resolver. But what if you don't want to trust any public DNS provider at all? Well, you can run your own recursive DNS resolver locally. Your options include Unbound, BIND 9, and Knot Resolver. They perform the entire DNS lookup themselves, directly from the root servers, the top-level domain servers, and the authoritative servers. What that means is no Cloudflare, no Google, no ISP, no third party, no logging, no selling, no profiles. And it's relatively easy to combine Unbound with Pi-hole or AdGuard Home. That's the DNS equivalent of wrapping your entire house in privacy armor, because it removes every middleman between you and the DNS system.

But why do this at all? First, there's no third-party DNS logging. Public DNS providers have histories. Google logs for analytics. Cloudflare says they don't, but you have to trust them. Quad9 says they don't, but they also have partners. OpenDNS logs for parental filtering. When you run the resolver, there are no logs, no analytics, no selling, and no subpoena targets. Unless you enabled logs, there's nothing to collect. Second, your ISP sees nothing. Your ISP normally sees all DNS requests. Self-hosted recursion stops this. All your ISP sees is encrypted traffic to random IPs that they can't correlate. Your browsing behavior becomes invisible. SNI still leaks for sites that don't support TLS 1.3 and ECH, but more sites are supporting it every month, so the situation is improving. Third, speed. Public DNS is fast. Local DNS is faster. Caching means that the first lookup goes out for resolution. After that, subsequent lookups are instant. Your entire home feels faster. Fourth, you become almost immune to DNS poisoning, hijacking, and man-in-the-middle attacks. Your local resolver can validate DNSSEC, can avoid ISP-level tampering, block captive portal hijacks, and stop DNS injection used by some ad networks. This is real security, not vibes.

So, Pi-hole or AdGuard Home with Unbound gives you filtering, local caching, local recursion, zero trust in third parties, and total control. It is the best mixture of convenience, privacy, and protection available to normal humans. As a special note, some devices try to bypass your DNS settings altogether. Chromecast, Android TV, and lots of IoT gadgets ignore DNS servers advertised by DHCP and use hard-coded resolvers like Google and Cloudflare. To stop this, you can redirect all outbound DNS traffic to your resolver. Or you can block ports 53 and 853 entirely and force all DNS through your setup. If you're really into home networking engineering, put all these untrusted devices on their own VLAN with dedicated firewall rules. You'll also want to make sure that you disable anything that looks like DNS relay or DNS proxy.

Now that you know what your options are, it's time to choose your own adventure. Do you want an easy tutorial on Pi-hole with or without Unbound, or do you want one on AdGuard Home with or without Unbound? Let me know in the comments below. If it's pretty evenly split, I can do both. So, for a normal user, DNS is one of the least understood pieces of the internet and one of the biggest privacy liabilities you have. Fixing it is like installing a deadbolt on your digital front door. Whether you configure NextDNS, use AdGuard on your phone, set up Pi-hole or AdGuard Home on a Raspberry Pi, or run your own recursive resolver with Unbound, you are reducing your data trail, blocking ads, and shutting down surveillance systems across your entire home. Your DNS provider sees everything you do. It's time to make sure that provider is you.

And this is as simple as I can make it. If you only do one thing and you just want privacy on your phone or laptop, use NextDNS or AdGuard DNS. If you're willing to plug in a Raspberry Pi, run Pi-hole or AdGuard Home and point your router to it. Everything else in this video is just making those ideas faster, stronger, and more private. If you got something out of this video, hit like, subscribe, and tell me in the comments what setup you're running and what you'd like your setup to look like in the near future. If you really liked this video, please share it with people you know. If you want to support my work, please hype this video and consider becoming a member. I'm not a big deal, so it's really, really cheap. And speaking of members, I want to thank new members Linda M, Brian M, and James R for their support. Thanks for watching and have a great and private day.
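The blocking trick the transcript describes (a resolver that answers NXDOMAIN, or a bogus address, for names on a blocklist and forwards everything else) as an added worked example in Python. This is not code from the video and not how Pi-hole, AdGuard Home or Unbound are implemented; it is a minimal sinkhole written for this page. The blocklist entries, transaction IDs and query names are constructed for the example, and `sinkhole()` returning `None` stands in for "hand this packet to the upstream resolver". It does no network I/O, so it runs offline.

```python
"""Minimal DNS sinkhole: parse a query, match the name against a blocklist
(exact match or any subdomain), and answer NXDOMAIN or 0.0.0.0.

Added example for this page, not code from the video. Blocklist entries and
query names below are constructed for illustration.
"""
import struct
from typing import Optional

# Constructed blocklist. A real deployment loads thousands of entries from
# published lists; the matching logic is the same.
BLOCKLIST = {"ads.example.net", "telemetry.tv-vendor.example"}

QTYPE_A, QCLASS_IN = 1, 1
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3


def encode_name(name: str) -> bytes:
    """Encode 'www.example.com' as DNS labels: \\x03www\\x07example\\x03com\\x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(txid: int, name: str, qtype: int = QTYPE_A) -> bytes:
    """Build the standard recursive query a device's stub resolver would send."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_question(packet: bytes):
    """Return (txid, qname, qtype, raw question section) from a DNS query."""
    if len(packet) < 12:
        raise ValueError("truncated header")
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", packet[:12])
    if flags & 0x8000:
        raise ValueError("packet is a response, not a query")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated question")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers are not valid in a query QNAME
            raise ValueError("compression pointer in question")
        labels.append(packet[pos:pos + length].decode("ascii").lower())
        pos += length
    qtype, _ = struct.unpack("!HH", packet[pos:pos + 4])
    return txid, ".".join(labels), qtype, packet[12:pos + 4]


def is_blocked(qname: str) -> bool:
    """Block a listed name and every subdomain of it, but not its parent."""
    parts = qname.lower().split(".")
    return any(".".join(parts[i:]) in BLOCKLIST for i in range(len(parts)))


def build_response(txid: int, question: bytes, rcode: int,
                   a_record: Optional[str] = None, ttl: int = 300) -> bytes:
    """Echo the question; optionally append one A record pointing at a_record."""
    ancount = 1 if a_record else 0
    flags = 0x8180 | rcode  # QR=1, RD=1, RA=1, plus the result code
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    answer = b""
    if a_record:
        # 0xC00C is a pointer to the QNAME at offset 12, so the name is not repeated.
        answer = struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, ttl, 4)
        answer += bytes(int(octet) for octet in a_record.split("."))
    return header + question + answer


def sinkhole(packet: bytes, mode: str = "nxdomain") -> Optional[bytes]:
    """Answer blocked names locally; return None when the query should be
    forwarded upstream. mode="nxdomain" fails the lookup; mode="null" answers
    0.0.0.0 for A queries (the 'bogus IP' variant)."""
    txid, qname, qtype, question = parse_question(packet)
    if not is_blocked(qname):
        return None
    if mode == "null" and qtype == QTYPE_A:
        return build_response(txid, question, RCODE_NOERROR, a_record="0.0.0.0")
    return build_response(txid, question, RCODE_NXDOMAIN)


def response_summary(resp: bytes):
    """Decode (txid, rcode, A-record address or None) from a response."""
    txid, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    addr = ".".join(str(b) for b in resp[-4:]) if ancount else None
    return txid, flags & 0x000F, addr


if __name__ == "__main__":
    for name in ("pixel.ads.example.net", "example.net", "www.youtube.com"):
        reply = sinkhole(build_query(0x1234, name), mode="null")
        print(name, "->", "forward upstream" if reply is None else response_summary(reply))
```

Wire `sinkhole()` to a UDP socket on port 53, send the `None` cases to an upstream (Unbound on localhost, or a DoH/DoT provider) and relay the reply, and you have the skeleton of a filtering forwarder. Two design points worth keeping: the suffix walk in `is_blocked()` is what catches trackers that rotate subdomains under a listed parent, and the two answer modes exist because some apps retry an NXDOMAIN in a tight loop while others hang on a connection to 0.0.0.0, so which one is kinder depends on the client. One caveat for the S-tier setup: when the upstream is a local recursive resolver, its own lookups to the root, TLD and authoritative servers still leave your network as plaintext UDP/TCP 53, so self-hosting removes the third-party logger but does not hide those queries from whoever sits on the path; encrypted DNS to a provider hides them from the path at the cost of trusting that provider.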