- Note: Using an encrypted DNS resolver will not make you anonymous, nor hide your internet traffic from your Internet Service Provider. But, it will prevent DNS hijacking, and make your DNS requests harder for third parties to eavesdrop on and tamper with. If you are currently using Google's DNS resolver, you should pick an alternative here.
+ DNS-over-HTTPS, DNS-over-TLS, and DNSCrypt resolvers will not make you anonymous. Using Anonymized DNSCrypt hides only your DNS traffic from your Internet Service Provider. However, using any of these protocols will prevent DNS hijacking, and make your DNS requests harder for third parties to eavesdrop on and tamper with. If you are currently using Google's DNS resolver, you should pick an alternative here. See the definitions below.
-
+
@@ -46,10 +48,7 @@
Yes
- Ads, trackers,
-
-
- malicious domains
+ Based on server choice
NextDNS
diff --git a/assets/img/png/3rd-party/dnscloak.png b/assets/img/png/3rd-party/dnscloak.png
new file mode 100644
index 00000000..ecb9ca87
Binary files /dev/null and b/assets/img/png/3rd-party/dnscloak.png differ
diff --git a/assets/img/png/3rd-party/nebulo.png b/assets/img/png/3rd-party/nebulo.png
new file mode 100644
index 00000000..69f084c3
Binary files /dev/null and b/assets/img/png/3rd-party/nebulo.png differ
diff --git a/assets/img/png/3rd-party/stubby.png b/assets/img/png/3rd-party/stubby.png
new file mode 100644
index 00000000..0f7ea7b7
Binary files /dev/null and b/assets/img/png/3rd-party/stubby.png differ
diff --git a/assets/img/svg/3rd-party/android.svg b/assets/img/svg/3rd-party/android.svg
new file mode 100644
index 00000000..f5349180
--- /dev/null
+++ b/assets/img/svg/3rd-party/android.svg
@@ -0,0 +1,19 @@
+
+
\ No newline at end of file
diff --git a/assets/img/svg/3rd-party/unbound.svg b/assets/img/svg/3rd-party/unbound.svg
new file mode 100644
index 00000000..91a1a492
--- /dev/null
+++ b/assets/img/svg/3rd-party/unbound.svg
@@ -0,0 +1,2 @@
+
+
diff --git a/pages/providers/dns.html b/pages/providers/dns.html
index 3c8718d9..34a8f7dc 100644
--- a/pages/providers/dns.html
+++ b/pages/providers/dns.html
@@ -8,121 +8,122 @@ breadcrumb: "DNS"
{% include sections/dns.html %}
-
Terms
+
+
+
+ Encrypted DNS Client Recommendations for Desktop
+
-
-
DNS-over-TLS (DoT) - A security protocol for encrypted DNS on a dedicated port 853. Some providers support port 443 which generally works everywhere while port 853 is often blocked by restrictive firewalls. DoT has two modes:
-
-
Oppurtunistic mode: the client attempts to form a DNS-over-TLS connection to the server on port 853 without performing certificate validation. If it fails, it will use unencrypted DNS.
- {% include badge.html
- color="warning"
- icon="fas fa-exclamation-triangle"
- tooltip="In other words automatic mode leaves your DNS traffic vulnerable to SSL strip and MITM attacks."
- %}
-
Strict mode: the client connects to a specific hostname and performs certificate validation for it. If it fails, no DNS queries are made until it succeeds.
-
-
DNS-over-HTTPS (DoH) - Similar to DoT, but uses HTTPS instead, being indistinguishable from "normal" HTTPS traffic on port 443.
- {% include badge.html
- color="warning"
- icon="fas fa-exclamation-triangle"
- link="https://tools.ietf.org/html/rfc8484#section-8.2"
- tooltip="DoH contains metadata such as user-agent (which may include system information) that is sent to the DNS server."
- %}
-
DNSCrypt - An older yet robust method of encrypting DNS.
-
+{%
+ include cardv2.html
+ title="Unbound"
+ image="/assets/img/svg/3rd-party/unbound.svg"
+ description='A validating, recursive, caching DNS resolver, supporting DNS-over-TLS, and has been independently audited.'
+ website="https://nlnetlabs.nl/projects/unbound/about/"
+ forum="https://forum.privacytools.io/t/discussion-unbound/3563"
+ github="https://github.com/NLnetLabs/unbound"
+%}
-
How to verify DNS is encrypted
+{%
+ include cardv2.html
+ title="dnscrypt-proxy"
+ image="/assets/img/svg/3rd-party/dnscrypt-proxy.svg"
+ description='A DNS proxy with support for DNSCrypt, DNS-over-HTTPS, and Anonymized DNSCrypt, a relay-based protocol that the hides client IP address.'
+ website="https://github.com/DNSCrypt/dnscrypt-proxy/wiki"
+ forum="https://forum.privacytools.io/t/discussion-dnscrypt-proxy/1498"
+ github="https://github.com/DNSCrypt/dnscrypt-proxy"
+%}
-
-
DoH / DoT
-
-
Check DNSLeakTest.com.
- {% include badge.html
- color="warning"
- icon="fas fa-exclamation-triangle"
- tooltip="Your DNS provider may not appear with their own name, so compare the responses to what you know or can find about your DNS provider. Just ensure you don't see your ISP or old unencrypted DNS provider."
- %}
-
Check the website of your DNS provider. They may have a page for telling "you are using our DNS." Examples include AdGuard and Cloudflare.
-
If using Firefox's trusted recursive resolver (TRR), navigate to about:networking#dns. If the TRR column says "true" for some fields, you are using DoH.
- {% include badge.html
- color="warning"
- icon="fas fa-exclamation-triangle"
- link="https://wiki.mozilla.org/Trusted_Recursive_Resolver"
- tooltip="Some fields will say 'false' depending on the the value of network.trr.mode in about:config"
- %}
QNAME Minimization - Run dig +short txt qnamemintest.internet.nl from the command-line (taken from this NLnet Labs presentation). If you are on Windows 10, run Resolve-DnsName -Type TXT -Name qnamemintest.internet.nl from the PowerShell. You should see this display: "HOORAY - QNAME minimisation is enabled on your resolver :)!"
-
+{%
+ include cardv2.html
+ title="Stubby"
+ image="/assets/img/png/3rd-party/stubby.png"
+ description='An application that acts as a local DNS-over-TLS stub resolver. Stubby can be used in combination with Unbound by managing the upstream TLS connections (since Unbound cannot yet re-use TCP/TLS connections) with Unbound providing a local cache.'
+ website="https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby"
+ forum="https://forum.privacytools.io/t/discussion-stubby/3582"
+ github="https://github.com/getdnsapi/stubby"
+%}
-
Software suggestions and Additional Information
+{%
+ include cardv2.html
+ title="Firefox's built-in DNS-over-HTTPS resolver"
+ image="/assets/img/svg/3rd-party/firefox_browser.svg"
+ description='Firefox comes with built-in DNS-over-HTTPS support for NextDNS and Cloudflare but users can manually any other DoH resolver.'
+ labels="color==warning::icon==fas fa-exclamation-triangle::link==https://developers.cloudflare.com/1.1.1.1/privacy/firefox::text==Warning::tooltip==Cloudflare logs a limited amount of data about the DNS requests that are sent to their custom resolver for Firefox."
+ website="https://support.mozilla.org/en-US/kb/firefox-dns-over-https"
+ privacy-policy="https://wiki.mozilla.org/Security/DOH-resolver-policy"
+ forum="https://forum.privacytools.io/t/discussion-firefox-s-built-in-dns-over-https-resolver/3564"
+%}
-
-
Encrypted DNS clients for desktop:
-
-
Firefox comes with built-in DoH support with Cloudflare set as the default resolver, but can be configured to use any DoH resolver.
- {% include badge.html
- color="warning"
- icon="fas fa-exclamation-triangle"
- link="https://developers.cloudflare.com/1.1.1.1/commitment-to-privacy/privacy-policy/firefox/"
- tooltip=""Cloudflare has agreed to collect only a limited amount of data about the DNS requests that are sent to the Cloudflare Resolver for Firefox via the Firefox browser.""
- %}
- Currently Mozilla is conducting studies before enabling DoH by default for all US-based Firefox users.
-
-
DNS over HTTPS can be enabled in Menu -> Preferences (about:preferences) -> Network Settings -> Enable DNS over HTTPS. Set "Use Provider" to "Custom", and enter your DoH provider's address.
-
Advanced users may enable it in about:config by setting network.trr.custom_uri and network.trr.uri as the address you find from the documentation of your DoH provider and network.trr.mode as 2. It may also be desirable to set network.security.esni.enabled to True in order to enable encrypted SNI and make sites supporting ESNI a bit more difficult to track.
-
-
-
-
Encrypted DNS clients for mobile:
-
-
Android 9 comes with a DoT client by default.
- {% include badge.html
- color="warning"
- icon="fas fa-exclamation-triangle"
- link="https://www.quad9.net/private-dns-quad9-android9/"
- tooltip="...but with some caveats"
- %}
-
-
We recommend selecting Private DNS provider hostname and entering the DoT address from documentation of your DoT provider to enable strict mode (see Terms above).
- {% include badge.html
- color="warning"
- icon="fas fa-exclamation-triangle"
- tooltip="If you are on a network blocking access to port 853, Android will error about the network not having internet connectivity."
- %}
+
+
+ Encrypted DNS Client Recommendations for Android
+
+
+{%
+ include cardv2.html
+ title="Android 9's built-in DNS-over-TLS resolver"
+ image="/assets/img/svg/3rd-party/android.svg"
+ description="Android 9 (Pie) comes with built-in DNS-over-TLS support without the need for a 3rd-party application."
+ labels="color==warning::icon==fas fa-exclamation-triangle::link==https://developers.google.com/speed/public-dns/docs/using#android_9_pie_or_later::text==Warning::tooltip==Android 9's DoT settings have no effect when used concurrently with VPN-based apps which override the DNS."
+ website="https://support.google.com/android/answer/9089903#private_dns"
+ forum="https://forum.privacytools.io/t/discussion-android-9s-built-in-dns-over-tls-resolver/3562"
+%}
+
+{%
+ include cardv2.html
+ title="Nebulo"
+ image="/assets/img/png/3rd-party/nebulo.png"
+ description='An open-source Android client supporting DNS-over-HTTPS and DNS-over-TLS, caching DNS responses, and locally logging DNS queries.'
+ website="https://git.frostnerd.com/PublicAndroidApps/smokescreen/-/blob/master/README.md"
+ privacy-policy="https://smokescreen.app/privacypolicy"
+ forum="https://forum.privacytools.io/t/discussion-nebulo/3565"
+ fdroid="https://git.frostnerd.com/PublicAndroidApps/smokescreen#f-droid"
+ googleplay="https://play.google.com/store/apps/details?id=com.frostnerd.smokescreen"
+ source="https://git.frostnerd.com/PublicAndroidApps/smokescreen"
+%}
+
+
+
+
+ Encrypted DNS Client Recommendations for iOS
+
+
+{%
+ include cardv2.html
+ title="DNSCloak"
+ image="/assets/img/png/3rd-party/dnscloak.png"
+ description='An open-source iOS client supporting DNS-over-HTTPS, DNSCrypt, and dnscrypt-proxy options such as caching DNS responses, locally logging DNS queries, and custom block lists. Users can add custom resolvers by DNS stamp.'
+ website="https://github.com/s-s/dnscloak/blob/master/README.md"
+ privacy-policy="https://drive.google.com/file/d/1050No_pU74CAWUS5-BwQWyO2x_aiMzWc/view"
+ forum="https://forum.privacytools.io/t/discussion-dnscloak/3566"
+ ios="https://apps.apple.com/app/id1452162351"
+ github="https://github.com/s-s/dnscloak"
+%}
+
+
+ A security protocol for encrypted DNS on a dedicated port 853. Some providers support port 443 which generally works everywhere while port 853 is often blocked by restrictive firewalls.
+
+
+
DNS-over-HTTPS (DoH)
+
+ Similar to DoT, but uses HTTPS instead, being indistinguishable from "normal" HTTPS traffic on port 443 and more difficult to block. {% include badge.html color="warning" text="Warning" tooltip="DoH contains metadata such as user-agent (which may include system information) that is sent to the DNS server." link="https://tools.ietf.org/html/rfc8484#section-8.2" icon="fas fa-exclamation-triangle" %}
+
+
+
DNSCrypt
+
+ With an open specification, DNSCrypt is an older, yet robust method for encrypting DNS.
+
+
+
Anonymized DNSCrypt
+
+ A lightweight protocol that hides the client IP address by using pre-configured relays to forward encrypted DNS data. This is a relatively new protocol created in 2019 currently only supported by dnscrypt-proxy and a limited number of relays.
+