Your nodes will use whatever your server is set to use, or if it’s running on your local system, it’ll use your local system’s default DNS. In almost all cases, this will be your router unless you have specifically changed it, and it will use whatever your ISP says to use. You would need to update your resolv.conf or your local NIC’s DNS server to manually enter the DNS server you’d like to use. Setting up pi-hole locally isn’t too hard, and there are plenty of managed lists on Github that you can subscribe to. There are also plenty of DNS service providers, free and paid, you could also use.
AdGuard has an extensive list with explanations of DNS servers that are public/free that you can use: https://adguard-dns.io/kb/general/dns-providers/
My current setup is to deploy all of my Myst nodes (100) via Docker containers. I run a custom setup.sh after each is launched, which fixes a few missing firewall commands, as well as adding some very basic torrent blocking for n00bs that don’t know how to encrypt their connections, and it updates the resolv.conf for each to use pi-hole. I also set the host to use the local pi-hole server to ensure no DNS leaks. Pi-hole is configured with around 14 block lists, which range from blocking torrent trackers, torrent listing/search sites, and anything deemed illegal, questionable, drug-related, hate-related, etc. You can go as far as blocking ads, porn, basically whatever you want. I could care less about anything other than what is illegal or leads to illegal activity. I use Quad9’s DNS-over-HTTPS servers for all of my DNS servers for my local home lab, ensuring that all of my DNS queries are encrypted. Yes, even for pi-hole.
Plus, at least for me, they have a faster response time than Google and Cloudflare.
A little proof:
I received my first payment from my first node in Nov 2021. In early 2022, I received two warnings from my ISP about illegal torrenting from a single node, which is when I implemented everything above. Since then, I have deployed a few more… and I haven’t had a single report sent to my ISP or law enforcement breaking down my door. That’s not to say it can’t happen; I’m just not concerned.
I use almost all of the blocklists from the blocklistproject, which I’m sure includes many of the domains for CSAM. The one from Gardenfence I found recently is not extensive, but it’s the only one I can find that includes explicitly CSAM blocking. Since most law enforcement won’t release those lists, for good reason, it’s hard to get access to a dedicated CSAM list.
Please let me know if anyone knows of any other RBLs I could add.
https://github.com/blocklistproject/Lists
I also include this one:
https://github.com/gardenfence/blocklist
I hope this is helpful; please don’t hesitate to let me know if you have any other questions.
EDIT:
I forgot to include this one.
https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/adblock/doh-vpn-proxy-bypass.txt
Important Note: Using Quad9’s DNS-over-HTTPS is not the only thing you should do. It helps, but the endpoint, a website where things might get posted, knows the IP that requested it, which in this case would be your node’s IP. So, while it will keep your ISP and any other provider from snooping, the endpoints still show the IPs being used. This is why you still want to add block lists, to keep bad actors from accessing websites where they could post or disseminate anything illegal. It’s also why you want to run your own dedicated DNS server just for this, so you can, as an endpoint, track IPs in case five-o ever comes knocking.
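The post describes pointing each container's resolv.conf at a local pi-hole and making sure no other resolver is left behind. Below is an added shell example (not the poster's setup.sh and not part of the original post) that writes a resolv.conf with a single resolver and checks an existing file for stray nameserver lines, which is the simplest on-host DNS-leak check. PIHOLE_IP is an assumed placeholder for the pi-hole address; the sample resolv.conf contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: pin a container's resolver to a local pi-hole and verify it.
# PIHOLE_IP is a placeholder; replace it with the real pi-hole address.
PIHOLE_IP="${PIHOLE_IP:-10.0.0.2}"

# Write a resolv.conf that lists only the given resolver.
# $1 = resolver IP, $2 = path to write
write_resolv_conf() {
  printf 'nameserver %s\noptions ndots:0\n' "$1" > "$2"
}

# Return 0 only if every nameserver line in the file points at the allowed
# resolver and at least one such line exists. Any other nameserver line
# (for example one injected by the ISP via DHCP) is a potential DNS leak.
# $1 = path to resolv.conf, $2 = allowed resolver IP
resolv_conf_ok() {
  # Fixed-string, whole-line match so "10.0.0.2" cannot match "10.0.0.22".
  grep '^nameserver' "$1" | awk '{print $2}' | grep -qvxF "$2" && return 1
  grep -qxF "nameserver $2" "$1"
}

# Usage from a container-launch script (constructed example):
#   write_resolv_conf "$PIHOLE_IP" /etc/resolv.conf
#   resolv_conf_ok /etc/resolv.conf "$PIHOLE_IP" || echo "DNS leak: extra resolver present"
# Docker can also set this at launch with: docker run --dns "$PIHOLE_IP" ...
```

Run the check on the host's own resolv.conf as well, since the post notes the host must use pi-hole too; a container inheriting the host's resolver list is the usual way a second nameserver sneaks back in.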