Encrypted DNS Resolvers

Don't let Google see all your DNS traffic. Discover privacy-centric alternatives to the traditional DNS providers.

Encrypted DNS Resolvers

DNS Provider Server Locations Privacy Policy Type Logging Protocols DNSSEC QNAME Minimization Filtering Source Code Hosting Provider
AdGuard Anycast (based in Cyprus) Commercial Some DoH, DoT, DNSCrypt Yes Yes Based on server choice Choopa, LLC, Serveroid, LLC
BlahDNS Finland, Germany, Japan
Hobby Project No DoH, DoT , DNSCrypt Yes Yes Ads, trackers, malicious domains Choopa, LLC, Data Center Light, Hetzner Online GmbH
Cloudflare Anycast (based in US) Commercial Some DoH, DoT Yes Yes Based on server choice ? Self
CZ.NIC Czech Republic
Association No DoH, DoT Yes Yes ? ? Self
Foundation for Applied Privacy Austria Non-Profit Some DoH, DoT Yes Yes No ? IPAX OG
LibreDNS Germany Informal collective No DoH, DoT Yes Yes Based on server choice only for DoH Hetzner Online GmbH
NextDNS Anycast (based in US) Commercial Based on user choice DoH, DoT, DNSCrypt Yes Yes Based on server choice ? Self
NixNet Anycast (based in US), US, Luxembourg Informal collective No DoH, DoT Yes Yes Based on server choice FranTech Solutions
PowerDNS The Netherlands Hobby Project No DoH Yes No No TransIP B.V. Admin
Quad9 Anycast (based in US) Non-Profit Some DoH, DoT, DNSCrypt Yes Yes Malicious domains ? Self, Packet Clearing House
Snopyta Finland Informal collective No DoH, DoT Yes Yes No ? Hetzner Online GmbH
UncensoredDNS Anycast (based in Denmark), Denmark, US
Hobby Project No DoT Yes No No ? Self, Telia Company AB

Encrypted DNS Client Recommendations for Desktop

Unbound

Unbound logo A validating, recursive, caching DNS resolver, supporting DNS-over-TLS, and has been independently audited.


dnscrypt-proxy

dnscrypt-proxy logo A DNS proxy with support for DNSCrypt, DNS-over-HTTPS, and Anonymized DNSCrypt, a relay-based protocol that the hides client IP address.


Stubby

Stubby logo An application that acts as a local DNS-over-TLS stub resolver. Stubby can be used in combination with Unbound by managing the upstream TLS connections (since Unbound cannot yet re-use TCP/TLS connections) with Unbound providing a local cache.


Firefox's built-in DNS-over-HTTPS resolver

Firefox's built-in DNS-over-HTTPS resolver logo Firefox comes with built-in DNS-over-HTTPS support for NextDNS and Cloudflare but users can manually any other DoH resolver. Warning


Encrypted DNS Client Recommendations for Android

Android 9's built-in DNS-over-TLS resolver

Android 9's built-in DNS-over-TLS resolver logo Android 9 (Pie) comes with built-in DNS-over-TLS support without the need for a 3rd-party application. Warning


Nebulo

Nebulo logo An open-source Android client supporting DNS-over-HTTPS and DNS-over-TLS, caching DNS responses, and locally logging DNS queries.


Encrypted DNS Client Recommendations for iOS

DNSCloak

DNSCloak logo An open-source iOS client supporting DNS-over-HTTPS, DNSCrypt, and dnscrypt-proxy options such as caching DNS responses, locally logging DNS queries, and custom block lists. Users can add custom resolvers by DNS stamp.


Definitions

DNS-over-TLS (DoT)

A security protocol for encrypted DNS on a dedicated port 853. Some providers support port 443 which generally works everywhere while port 853 is often blocked by restrictive firewalls.

DNS-over-HTTPS (DoH)

Similar to DoT, but uses HTTPS instead, being indistinguishable from "normal" HTTPS traffic on port 443 and more difficult to block. Warning

DNSCrypt

With an open specification, DNSCrypt is an older, yet robust method for encrypting DNS.

Anonymized DNSCrypt

A lightweight protocol that hides the client IP address by using pre-configured relays to forward encrypted DNS data. This is a relatively new protocol created in 2019 currently only supported by dnscrypt-proxy and a limited number of relays.