Encrypted DNS Resolvers
Don't let Google see all your DNS traffic. Discover privacy-centric alternatives to the traditional DNS providers.
Note: Using an encrypted DNS resolver will not make you anonymous, nor hide your internet traffic from your Internet Service Provider. But, it will prevent DNS hijacking, and make your DNS requests harder for third parties to eavesdrop on and tamper with. If you are currently using Google's DNS resolver, you should pick an alternative here.
|AdGuard||Anycast (based in Cyprus)||Commercial||No||DoH, DoT, DNSCrypt||Yes||Yes||Ads, trackers, malicious domains||Serveroid, LLC|
|BlahDNS||Finland, Germany, Japan||Hobby Project||No||DoH, DoT , DNSCrypt||Yes||Yes||Ads, trackers, malicious domains||Choopa, LLC, Data Center Light, Hetzner Online GmbH|
|Cloudflare||Anycast (based in US)||Commercial||Some||DoH, DoT||Yes||Yes||No||?||Self|
|CZ.NIC||Czech Republic||Association||No||DoH, DoT||Yes||Yes||?||?||Self|
|Foundation for Applied Privacy||Austria||Non-Profit||Some||DoH, DoT||Yes||Yes||No||?||IPAX OG|
|NextDNS||Anycast (based in US)||Commercial||Based on user choice||DoH, DoT, DNSCrypt||Yes||Yes||Based on server choice||?||Self|
|NixNet||Anycast (based in US), US, Luxembourg||Informal collective||No||DoH, DoT||Yes||Yes||Based on server choice||FranTech Solutions|
|PowerDNS||The Netherlands||Hobby Project||No||DoH||Yes||No||No||TransIP B.V. Admin|
|Quad9||Anycast (based in US)||Non-Profit||Some||DoH, DoT, DNSCrypt||Yes||Yes||Malicious domains||?||Self, Packet Clearing House|
|SecureDNS||The Netherlands||Hobby Project||No||DoH, DoT, DNSCrypt||Yes||Yes||Based on server choice||?||DigitalOcean, Inc.|
|Snopyta||Finland||Informal collective||No||DoH, DoT||Yes||Yes||No||?||Hetzner Online GmbH|
|UncensoredDNS||Anycast (based in Denmark), Denmark, US||Hobby Project||No||DoT||Yes||No||No||?||Self, Telia Company AB|
- DNS-over-TLS (DoT) - A security protocol for encrypted DNS on a dedicated port 853. Some providers support port 443 which generally works everywhere while port 853 is often blocked by restrictive firewalls. DoT has two modes:
- Oppurtunistic mode: the client attempts to form a DNS-over-TLS connection to the server on port 853 without performing certificate validation. If it fails, it will use unencrypted DNS.
- Strict mode: the client connects to a specific hostname and performs certificate validation for it. If it fails, no DNS queries are made until it succeeds.
- DNS-over-HTTPS (DoH) - Similar to DoT, but uses HTTPS instead, being indistinguishable from "normal" HTTPS traffic on port 443.
- DNSCrypt - An older yet robust method of encrypting DNS.
How to verify DNS is encrypted
- DoH / DoT
- Check DNSLeakTest.com.
- Check the website of your DNS provider. They may have a page for telling "you are using our DNS." Examples include AdGuard and Cloudflare.
- If using Firefox's trusted recursive resolver (TRR), navigate to
about:networking#dns. If the TRR column says "true" for some fields, you are using DoH.
- dnscrypt-proxy - Check dnscrypt-proxy's wiki on how to verify that your DNS is encrypted.
- DNSSEC - Check DNSSEC Resolver Test by Matthäus Wander.
- QNAME Minimization - Run
dig +short txt qnamemintest.internet.nlfrom the command-line (taken from this NLnet Labs presentation). If you are on Windows 10, run
Resolve-DnsName -Type TXT -Name qnamemintest.internet.nlfrom the PowerShell. You should see this display:
"HOORAY - QNAME minimisation is enabled on your resolver :)!"
Software suggestions and Additional Information
- Encrypted DNS clients for desktop:
- Firefox comes with built-in DoH support with Cloudflare set as the default resolver, but can be configured to use any DoH resolver. Currently Mozilla is conducting studies before enabling DoH by default for all US-based Firefox users.
- DNS over HTTPS can be enabled in Menu -> Preferences (
about:preferences) -> Network Settings -> Enable DNS over HTTPS. Set "Use Provider" to "Custom", and enter your DoH provider's address.
- Advanced users may enable it in
network.trr.urias the address you find from the documentation of your DoH provider and
2. It may also be desirable to set
Truein order to enable encrypted SNI and make sites supporting ESNI a bit more difficult to track.
- Encrypted DNS clients for mobile:
- Android 9 comes with a DoT client by default.
- We recommend selecting Private DNS provider hostname and entering the DoT address from documentation of your DoT provider to enable strict mode (see Terms above).
- DNSCloak - An open-source DNSCrypt and DoH client for iOS by
the Center for the Cultivation of Technology gemeinnuetzige GmbH.
- Nebulo - An open-source application for Android supporting DoH and DoT. It also supports caching DNS responses and locally logging DNS queries.
- Local DNS servers:
- Stubby - An open-source application for Linux, macOS, and Windows that acts as a local DNS Privacy stub resolver using DoT.
- Unbound - a validating, recursive, caching DNS resolver. It can also be ran network-wide and has supported DNS-over-TLS since version 1.7.3.
- Network wide DNS servers:
- Further reading:
- On Firefox, DoH and ESNI
- Trusted Recursive Resolver (DoH) on MozillaWiki
- Firefox bug report requesting the ability to use ESNI without DoH
- Firefox bug report requesting the ability to use Android 9+'s Private DNS (DoT) and benefit from encrypted SNI without having to enable DoH
- Encrypt it or lose it: how encrypted SNI works on Cloudflare blog
- QNAME Minimization and Your Privacy by the Internet Systems Consortium (ISC)
- DNSSEC and BIND 9 by the ISC