privacyguides.org/pages/providers/dns.html

---
layout: page
permalink: /providers/dns/
title: "Encrypted DNS Resolvers"
description: "Don't let Google see all your DNS traffic. Discover privacy-centric alternatives to the traditional DNS providers."
breadcrumb: "DNS"
---

{% include sections/dns.html %}

<h1 id="dns-desktop-clients" class="anchor">
  <a href="#dns-desktop-clients">
    <i class="fas fa-link anchor-icon"></i>
  </a> Encrypted DNS Client Recommendations for Desktop
</h1>

{%
	include cardv2.html
	title="Unbound"
	image="/assets/img/svg/3rd-party/unbound.svg"
	description='A validating, recursive, caching DNS resolver, supporting DNS-over-TLS, and has been <a href="https://ostif.org/our-audit-of-unbound-dns-by-x41-d-sec-full-results/">independently audited</a>.'
	website="https://nlnetlabs.nl/projects/unbound/about/"
	forum="https://forum.privacytools.io/t/discussion-unbound/3563"
	github="https://github.com/NLnetLabs/unbound"
%}

{%
	include cardv2.html
	title="dnscrypt-proxy"
	image="/assets/img/svg/3rd-party/dnscrypt-proxy.svg"
	description='A DNS proxy with support for DNSCrypt, DNS-over-HTTPS, and <a href="https://github.com/DNSCrypt/dnscrypt-protocol/blob/master/ANONYMIZED-DNSCRYPT.txt">Anonymized DNSCrypt</a>, a <a href="https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS">relay-based protocol that the hides client IP address.</a>'
	website="https://github.com/DNSCrypt/dnscrypt-proxy/wiki"
	forum="https://forum.privacytools.io/t/discussion-dnscrypt-proxy/1498"
	github="https://github.com/DNSCrypt/dnscrypt-proxy"
%}

{%
	include cardv2.html
	title="Stubby"
	image="/assets/img/png/3rd-party/stubby.png"
	description='An application that acts as a local DNS-over-TLS stub resolver. Stubby can be used in <a href="https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Clients#DNSPrivacyClients-Unbound/Stubbycombination">combination with Unbound</a> by managing the upstream TLS connections (since Unbound cannot yet re-use TCP/TLS connections) with Unbound providing a local cache.'
	website="https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby"
	forum="https://forum.privacytools.io/t/discussion-stubby/3582"
	github="https://github.com/getdnsapi/stubby"
%}

{%
	include cardv2.html
	title="Firefox's built-in DNS-over-HTTPS resolver"
	image="/assets/img/svg/3rd-party/firefox_browser.svg"
	description='Firefox comes with built-in DNS-over-HTTPS support for <a href="https://blog.mozilla.org/blog/2020/02/25/firefox-continues-push-to-bring-dns-over-https-by-default-for-us-users/">NextDNS and Cloudflare</a> but users can manually any other DoH resolver.'
	labels="color==warning::icon==fas fa-exclamation-triangle::link==https://developers.cloudflare.com/1.1.1.1/privacy/firefox::text==Warning::tooltip==Cloudflare logs a limited amount of data about the DNS requests that are sent to their custom resolver for Firefox."
	website="https://support.mozilla.org/en-US/kb/firefox-dns-over-https"
	privacy-policy="https://wiki.mozilla.org/Security/DOH-resolver-policy"
	forum="https://forum.privacytools.io/t/discussion-firefox-s-built-in-dns-over-https-resolver/3564"
%}

<h1 id="dns-android-clients" class="anchor">
	<a href="#dns-android-clients">
		<i class="fas fa-link anchor-icon"></i>
	</a> Encrypted DNS Client Recommendations for Android
</h1>

{%
	include cardv2.html
	title="Android 9's built-in DNS-over-TLS resolver"
	image="/assets/img/svg/3rd-party/android.svg"
	description="Android 9 (Pie) comes with built-in DNS-over-TLS support without the need for a 3rd-party application."
	labels="color==warning::icon==fas fa-exclamation-triangle::link==https://developers.google.com/speed/public-dns/docs/using#android_9_pie_or_later::text==Warning::tooltip==Android 9's DoT settings have no effect when used concurrently with VPN-based apps which override the DNS."
	website="https://support.google.com/android/answer/9089903#private_dns"
	forum="https://forum.privacytools.io/t/discussion-android-9s-built-in-dns-over-tls-resolver/3562"
%}

{%
	include cardv2.html
	title="Nebulo"
	image="/assets/img/png/3rd-party/nebulo.png"
	description='An open-source Android client supporting DNS-over-HTTPS and DNS-over-TLS, caching DNS responses, and locally logging DNS queries.'
	website="https://git.frostnerd.com/PublicAndroidApps/smokescreen/-/blob/master/README.md"
	privacy-policy="https://smokescreen.app/privacypolicy"
	forum="https://forum.privacytools.io/t/discussion-nebulo/3565"
	fdroid="https://git.frostnerd.com/PublicAndroidApps/smokescreen#f-droid"
	googleplay="https://play.google.com/store/apps/details?id=com.frostnerd.smokescreen"
	source="https://git.frostnerd.com/PublicAndroidApps/smokescreen"
%}

<h1 id="dns-ios-clients" class="anchor">
	<a href="#dns-ios-clients">
		<i class="fas fa-link anchor-icon"></i>
	</a> Encrypted DNS Client Recommendations for iOS
</h1>

{%
	include cardv2.html
	title="DNSCloak"
	image="/assets/img/png/3rd-party/dnscloak.png"
	description='An open-source iOS client supporting DNS-over-HTTPS, DNSCrypt, and <a href="https://github.com/DNSCrypt/dnscrypt-proxy/wiki">dnscrypt-proxy</a> options such as caching DNS responses, locally logging DNS queries, and custom block lists. Users can <a href="https://blog.privacytools.io/adding-custom-dns-over-https-resolvers-to-dnscloak/">add custom resolvers by DNS stamp</a>.'
	website="https://github.com/s-s/dnscloak/blob/master/README.md"
	privacy-policy="https://drive.google.com/file/d/1050No_pU74CAWUS5-BwQWyO2x_aiMzWc/view"
	forum="https://forum.privacytools.io/t/discussion-dnscloak/3566"
	ios="https://apps.apple.com/app/id1452162351"
	github="https://github.com/s-s/dnscloak"
%}

<h2 id="dns-definitions" class="anchor">
	<a href="#dns-definitions">
		<i class="fas fa-link anchor-icon"></i>
	</a> Definitions
</h2>

<h4>DNS-over-TLS (DoT)</h4>
<p>
  A security protocol for encrypted DNS on a dedicated port 853. Some providers support port 443 which generally works everywhere while port 853 is often blocked by restrictive firewalls.
</p>

<h4>DNS-over-HTTPS (DoH)</h4>
<p>
  Similar to DoT, but uses HTTPS instead, being indistinguishable from "normal" HTTPS traffic on port 443 and more difficult to block. {% include badge.html color="warning" text="Warning" tooltip="DoH contains metadata such as user-agent (which may include system information) that is sent to the DNS server." link="https://tools.ietf.org/html/rfc8484#section-8.2" icon="fas fa-exclamation-triangle" %}
</p>

<h4>DNSCrypt</h4>
<p>
  With an <a href="https://dnscrypt.info/protocol/">open specification</a>, DNSCrypt is an older, yet robust method for encrypting DNS.
</p>

<h4>Anonymized DNSCrypt</h4>
<p>
  A <a href="https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS">lightweight protocol</a> that hides the client IP address by using pre-configured relays to forward encrypted DNS data. This is a relatively new protocol created in 2019 currently only supported by <a href="#dns-desktop-clients">dnscrypt-proxy</a> and a limited number of <a href="https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v2/relays.md">relays</a>.
</p>
Split All Services into Individual Pages (#807) * Split sections into pages Preliminary work * Separate everything into their own pages + Permalinks! * Navbar Link Updates * Change all asset links Assets are served from the root. Hope nobody is serving this site in a subfolder for some reason! :) * Point all navbar links to pages * Make the layouts more modular * Remove unnecessary div containers * Adjust footer and headers layout * Add link to various privacy subpages to homepage * Remove test script * Add titles and descriptions to all pages * Fix links and layouts * Adjust header margins * Create master pages * Finalize master pages * Add services page * Add Javascript redirects Okay I'm pretty garbage at Javascript so this is basically hacked together. If someone who knows what they're doing wants to do this, be my guest. 2019-04-01 20:42:34 -04:00			`---`
			`layout: page`
			`permalink: /providers/dns/`
dns: cleanup legacy parts (#1372) 2019-11-25 17:15:04 -05:00			`title: "Encrypted DNS Resolvers"`
Split All Services into Individual Pages (#807) * Split sections into pages Preliminary work * Separate everything into their own pages + Permalinks! * Navbar Link Updates * Change all asset links Assets are served from the root. Hope nobody is serving this site in a subfolder for some reason! :) * Point all navbar links to pages * Make the layouts more modular * Remove unnecessary div containers * Adjust footer and headers layout * Add link to various privacy subpages to homepage * Remove test script * Add titles and descriptions to all pages * Fix links and layouts * Adjust header margins * Create master pages * Finalize master pages * Add services page * Add Javascript redirects Okay I'm pretty garbage at Javascript so this is basically hacked together. If someone who knows what they're doing wants to do this, be my guest. 2019-04-01 20:42:34 -04:00			`description: "Don't let Google see all your DNS traffic. Discover privacy-centric alternatives to the traditional DNS providers."`
Make breadcrumbs nicer looking (#1555) 2019-12-02 03:13:55 -05:00			`breadcrumb: "DNS"`
Split All Services into Individual Pages (#807) * Split sections into pages Preliminary work * Separate everything into their own pages + Permalinks! * Navbar Link Updates * Change all asset links Assets are served from the root. Hope nobody is serving this site in a subfolder for some reason! :) * Point all navbar links to pages * Make the layouts more modular * Remove unnecessary div containers * Adjust footer and headers layout * Add link to various privacy subpages to homepage * Remove test script * Add titles and descriptions to all pages * Fix links and layouts * Adjust header margins * Create master pages * Finalize master pages * Add services page * Add Javascript redirects Okay I'm pretty garbage at Javascript so this is basically hacked together. If someone who knows what they're doing wants to do this, be my guest. 2019-04-01 20:42:34 -04:00			`---`

			`{% include sections/dns.html %}`
Rearrange some sections and correct grammatical errors (#1548) Co-Authored-By: djoate <56777051+djoate@users.noreply.github.com> 2019-12-01 15:36:48 -05:00
Update DNS page with card-based client recommendations (#1900) * WIP: Add icons * Add Google Play and App Store links * Add tentative Android logo * Update Unbound logo, text cleanup, formatting * Add banner for anonymized dns, more cleanup * Some text clarification * Add "https:" for local development * Update terms formatting and include anonymized dnscrypt * Move terms section to bottom of page * Add LibreDNS * Update AdGuard hosting provider * Add forum links * Reword "terms" to "definitions" * Add card for Stubby * Add warning link to Android 9 card * LibreDNS supports QNAME min 2020-06-04 12:00:31 -04:00			`<h1 id="dns-desktop-clients" class="anchor">`
			`<a href="#dns-desktop-clients">`
			`<i class="fas fa-link anchor-icon"></i>`
			`</a> Encrypted DNS Client Recommendations for Desktop`
			`</h1>`

			`{%`
			`include cardv2.html`
			`title="Unbound"`
			`image="/assets/img/svg/3rd-party/unbound.svg"`
			`description='A validating, recursive, caching DNS resolver, supporting DNS-over-TLS, and has been <a href="https://ostif.org/our-audit-of-unbound-dns-by-x41-d-sec-full-results/">independently audited</a>.'`
			`website="https://nlnetlabs.nl/projects/unbound/about/"`
			`forum="https://forum.privacytools.io/t/discussion-unbound/3563"`
			`github="https://github.com/NLnetLabs/unbound"`
			`%}`

			`{%`
			`include cardv2.html`
			`title="dnscrypt-proxy"`
			`image="/assets/img/svg/3rd-party/dnscrypt-proxy.svg"`
			`description='A DNS proxy with support for DNSCrypt, DNS-over-HTTPS, and <a href="https://github.com/DNSCrypt/dnscrypt-protocol/blob/master/ANONYMIZED-DNSCRYPT.txt">Anonymized DNSCrypt</a>, a <a href="https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS">relay-based protocol that the hides client IP address.</a>'`
			`website="https://github.com/DNSCrypt/dnscrypt-proxy/wiki"`
			`forum="https://forum.privacytools.io/t/discussion-dnscrypt-proxy/1498"`
			`github="https://github.com/DNSCrypt/dnscrypt-proxy"`
			`%}`

			`{%`
			`include cardv2.html`
			`title="Stubby"`
			`image="/assets/img/png/3rd-party/stubby.png"`
			`description='An application that acts as a local DNS-over-TLS stub resolver. Stubby can be used in <a href="https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Clients#DNSPrivacyClients-Unbound/Stubbycombination">combination with Unbound</a> by managing the upstream TLS connections (since Unbound cannot yet re-use TCP/TLS connections) with Unbound providing a local cache.'`
			`website="https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby"`
			`forum="https://forum.privacytools.io/t/discussion-stubby/3582"`
			`github="https://github.com/getdnsapi/stubby"`
			`%}`

			`{%`
			`include cardv2.html`
			`title="Firefox's built-in DNS-over-HTTPS resolver"`
			`image="/assets/img/svg/3rd-party/firefox_browser.svg"`
			`description='Firefox comes with built-in DNS-over-HTTPS support for <a href="https://blog.mozilla.org/blog/2020/02/25/firefox-continues-push-to-bring-dns-over-https-by-default-for-us-users/">NextDNS and Cloudflare</a> but users can manually any other DoH resolver.'`
			`labels="color==warning::icon==fas fa-exclamation-triangle::link==https://developers.cloudflare.com/1.1.1.1/privacy/firefox::text==Warning::tooltip==Cloudflare logs a limited amount of data about the DNS requests that are sent to their custom resolver for Firefox."`
			`website="https://support.mozilla.org/en-US/kb/firefox-dns-over-https"`
			`privacy-policy="https://wiki.mozilla.org/Security/DOH-resolver-policy"`
			`forum="https://forum.privacytools.io/t/discussion-firefox-s-built-in-dns-over-https-resolver/3564"`
			`%}`

			`<h1 id="dns-android-clients" class="anchor">`
			`<a href="#dns-android-clients">`
			`<i class="fas fa-link anchor-icon"></i>`
			`</a> Encrypted DNS Client Recommendations for Android`
			`</h1>`

			`{%`
			`include cardv2.html`
			`title="Android 9's built-in DNS-over-TLS resolver"`
			`image="/assets/img/svg/3rd-party/android.svg"`
			`description="Android 9 (Pie) comes with built-in DNS-over-TLS support without the need for a 3rd-party application."`
			`labels="color==warning::icon==fas fa-exclamation-triangle::link==https://developers.google.com/speed/public-dns/docs/using#android_9_pie_or_later::text==Warning::tooltip==Android 9's DoT settings have no effect when used concurrently with VPN-based apps which override the DNS."`
			`website="https://support.google.com/android/answer/9089903#private_dns"`
			`forum="https://forum.privacytools.io/t/discussion-android-9s-built-in-dns-over-tls-resolver/3562"`
			`%}`

			`{%`
			`include cardv2.html`
			`title="Nebulo"`
			`image="/assets/img/png/3rd-party/nebulo.png"`
			`description='An open-source Android client supporting DNS-over-HTTPS and DNS-over-TLS, caching DNS responses, and locally logging DNS queries.'`
			`website="https://git.frostnerd.com/PublicAndroidApps/smokescreen/-/blob/master/README.md"`
			`privacy-policy="https://smokescreen.app/privacypolicy"`
			`forum="https://forum.privacytools.io/t/discussion-nebulo/3565"`
			`fdroid="https://git.frostnerd.com/PublicAndroidApps/smokescreen#f-droid"`
			`googleplay="https://play.google.com/store/apps/details?id=com.frostnerd.smokescreen"`
			`source="https://git.frostnerd.com/PublicAndroidApps/smokescreen"`
			`%}`

			`<h1 id="dns-ios-clients" class="anchor">`
			`<a href="#dns-ios-clients">`
			`<i class="fas fa-link anchor-icon"></i>`
			`</a> Encrypted DNS Client Recommendations for iOS`
			`</h1>`

			`{%`
			`include cardv2.html`
			`title="DNSCloak"`
			`image="/assets/img/png/3rd-party/dnscloak.png"`
			`description='An open-source iOS client supporting DNS-over-HTTPS, DNSCrypt, and <a href="https://github.com/DNSCrypt/dnscrypt-proxy/wiki">dnscrypt-proxy</a> options such as caching DNS responses, locally logging DNS queries, and custom block lists. Users can <a href="https://blog.privacytools.io/adding-custom-dns-over-https-resolvers-to-dnscloak/">add custom resolvers by DNS stamp</a>.'`
			`website="https://github.com/s-s/dnscloak/blob/master/README.md"`
			`privacy-policy="https://drive.google.com/file/d/1050No_pU74CAWUS5-BwQWyO2x_aiMzWc/view"`
			`forum="https://forum.privacytools.io/t/discussion-dnscloak/3566"`
			`ios="https://apps.apple.com/app/id1452162351"`
			`github="https://github.com/s-s/dnscloak"`
			`%}`

			`<h2 id="dns-definitions" class="anchor">`
			`<a href="#dns-definitions">`
			`<i class="fas fa-link anchor-icon"></i>`
			`</a> Definitions`
			`</h2>`

			`<h4>DNS-over-TLS (DoT)</h4>`
			`<p>`
			`A security protocol for encrypted DNS on a dedicated port 853. Some providers support port 443 which generally works everywhere while port 853 is often blocked by restrictive firewalls.`
			`</p>`

			`<h4>DNS-over-HTTPS (DoH)</h4>`
			`<p>`
			`Similar to DoT, but uses HTTPS instead, being indistinguishable from "normal" HTTPS traffic on port 443 and more difficult to block. {% include badge.html color="warning" text="Warning" tooltip="DoH contains metadata such as user-agent (which may include system information) that is sent to the DNS server." link="https://tools.ietf.org/html/rfc8484#section-8.2" icon="fas fa-exclamation-triangle" %}`
			`</p>`

			`<h4>DNSCrypt</h4>`
			`<p>`
			`With an <a href="https://dnscrypt.info/protocol/">open specification</a>, DNSCrypt is an older, yet robust method for encrypting DNS.`
			`</p>`

			`<h4>Anonymized DNSCrypt</h4>`
			`<p>`
			`A <a href="https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS">lightweight protocol</a> that hides the client IP address by using pre-configured relays to forward encrypted DNS data. This is a relatively new protocol created in 2019 currently only supported by <a href="#dns-desktop-clients">dnscrypt-proxy</a> and a limited number of <a href="https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v2/relays.md">relays</a>.`
			`</p>`