Update DNS page with card-based client recommendations (#1900)

* WIP: Add icons

* Add Google Play and App Store links

* Add tentative Android logo

* Update Unbound logo, text cleanup, formatting

* Add banner for anonymized dns, more cleanup

* Some text clarification

* Add "https:" for local development

* Update terms formatting and include anonymized dnscrypt

* Move terms section to bottom of page

* Add LibreDNS

* Update AdGuard hosting provider

* Add forum links

* Reword "terms" to "definitions"

* Add card for Stubby

* Add warning link to Android 9 card

* LibreDNS supports QNAME min
This commit is contained in:
nitrohorse 2020-06-04 09:00:31 -07:00 committed by GitHub
parent 93b3b611f0
commit 607b9d73d5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 194 additions and 121 deletions

View File

@ -1,10 +1,12 @@
<h1 id="dns" class="anchor"><a href="#dns"><i class="fas fa-link anchor-icon"></i></a> Encrypted Domain Name System (DNS) Resolvers</h1> <h1 id="dns" class="anchor">
<a href="#dns"><i class="fas fa-link anchor-icon"></i></a> Encrypted DNS Resolvers
</h1>
<div class="alert alert-warning" role="alert"> <div class="alert alert-warning" role="alert">
<strong>Note: Using an encrypted DNS resolver will not make you anonymous, nor hide your internet traffic from your Internet Service Provider. But, it will prevent DNS hijacking, and make your DNS requests harder for third parties to eavesdrop on and tamper with. If you are currently using Google's DNS resolver, you should pick an alternative here.</strong> DNS-over-HTTPS, DNS-over-TLS, and DNSCrypt resolvers will not make you anonymous. Using Anonymized DNSCrypt hides <i>only</i> your DNS traffic from your Internet Service Provider. However, using any of these protocols will prevent DNS hijacking, and make your DNS requests harder for third parties to eavesdrop on and tamper with. If you are currently using Google's DNS resolver, you should pick an alternative here. See the <a href="#dns-definitions">definitions</a> below.
</div> </div>
<div class="table-responsive"> <div id="dns-table" class="table-responsive">
<table class="table sortable-theme-bootstrap" data-sortable> <table class="table sortable-theme-bootstrap" data-sortable>
<thead> <thead>
<tr> <tr>
@ -46,10 +48,7 @@
<td>Yes</td> <td>Yes</td>
<td> <td>
<span class="no-text-wrap"> <span class="no-text-wrap">
Ads, trackers, Based on server choice
</span>
<span class="no-text-wrap">
malicious domains
</span> </span>
</td> </td>
<td> <td>
@ -60,6 +59,9 @@
</a> </a>
</td> </td>
<td> <td>
<span class="no-text-wrap">
<a href="https://www.choopa.com/">Choopa, LLC</a>,
</span>
<span class="no-text-wrap"> <span class="no-text-wrap">
<a href="https://flops.ru/en/about.html">Serveroid, LLC</a> <a href="https://flops.ru/en/about.html">Serveroid, LLC</a>
</span> </span>
@ -168,7 +170,11 @@
<td>DoH, DoT</td> <td>DoH, DoT</td>
<td>Yes</td> <td>Yes</td>
<td>Yes</td> <td>Yes</td>
<td>No</td> <td>
<span class="no-text-wrap">
Based on server choice
</span>
</td>
<td>?</td> <td>?</td>
<td>Self</td> <td>Self</td>
</tr> </tr>
@ -240,6 +246,51 @@
</td> </td>
</tr> </tr>
<tr>
<td data-value="LibreDNS">
<a href="https://libredns.gr/">LibreDNS</a>
</td>
<td>
<span class="no-text-wrap">
<span class="flag-icon flag-icon-de"></span>
Germany
</span>
</td>
<td>
<a
class="btn-secondary btn-icon"
href="https://libreops.cc/terms.html">
<span class="fas fa-globe"></span>
</a>
</td>
<td>
<a data-toggle="tooltip" data-placement="bottom" data-original-title="Part of LibreHosters, &quot;a network of cooperation and solidarity that uses free software to encourage decentralisation through federation and distributed platforms.&quot;" href="https://libreho.st/">
Informal collective
</a>
</td>
<td>No</td>
<td>DoH, DoT</td>
<td>Yes</td>
<td>Yes</td>
<td>
<span class="no-text-wrap">
Based on server choice only for DoH
</span>
</td>
<td>
<a
class="btn-secondary btn-icon"
href="https://gitlab.com/libreops/libredns">
<span class="fas fa-globe"></span>
</a>
</td>
<td>
<span class="no-text-wrap">
<a href="https://www.hetzner.com/">Hetzner Online GmbH</a>
</span>
</td>
</tr>
<tr> <tr>
<td data-value="nextdns"> <td data-value="nextdns">
<a href="https://www.nextdns.io/">NextDNS</a> <a href="https://www.nextdns.io/">NextDNS</a>

BIN
assets/img/png/3rd-party/dnscloak.png vendored Normal file

Binary file not shown.

After

Width:  |  Height:  |  Size: 24 KiB

BIN
assets/img/png/3rd-party/nebulo.png vendored Normal file

Binary file not shown.

After

Width:  |  Height:  |  Size: 86 KiB

BIN
assets/img/png/3rd-party/stubby.png vendored Normal file

Binary file not shown.

After

Width:  |  Height:  |  Size: 10 KiB

19
assets/img/svg/3rd-party/android.svg vendored Normal file
View File

@ -0,0 +1,19 @@
<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="-147 -70 294 345">
<g fill="#a4c639">
<use stroke-width="14.4" xlink:href="#b" stroke="#FFF"/>
<use xlink:href="#a" transform="scale(-1,1)"/>
<g id="a" stroke="#FFF" stroke-width="7.2">
<rect rx="6.5" transform="rotate(29)" height="86" width="13" y="-86" x="14"/>
<rect id="c" rx="24" height="133" width="48" y="41" x="-143"/>
<use y="97" x="85" xlink:href="#c"/>
</g>
<g id="b">
<ellipse cy="41" rx="91" ry="84"/>
<rect rx="22" height="182" width="182" y="20" x="-91"/>
</g>
</g>
<g stroke="#FFF" stroke-width="7.2" fill="#FFF">
<path d="m-95 44.5h190"/><circle cx="-42" r="4"/><circle cx="42" r="4"/>
</g>
</svg>

After

Width:  |  Height:  |  Size: 728 B

2
assets/img/svg/3rd-party/unbound.svg vendored Normal file
View File

@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8"?>
<svg width="128" height="128" clip-rule="evenodd" fill-rule="evenodd" stroke-linejoin="round" stroke-miterlimit="1.4142" version="1.1" xml:space="preserve" xmlns="http://www.w3.org/2000/svg"><g transform="matrix(.83711 0 0 .83711 16.201 .088026)" stroke-width="1.1946"><g stroke-width="1.1946"><g fill-rule="nonzero" stroke-width="1.1946"><path d="m87.5 6.548v86.4l-29.5 17c-0.597 0.299-1.303 0.299-1.9 0l-29.5-17v-86.4l-20.9 12.1c-3.528 2.042-5.706 5.824-5.7 9.9v86.4c0.021 4.07 2.191 7.839 5.7 9.9l45.7 26.4c3.533 1.998 7.867 1.998 11.4 0l45.7-26.4c3.528-2.042 5.706-5.824 5.7-9.9v-86.4c-0.021-4.07-2.191-7.839-5.7-9.9z" fill="#2d2e83"/><path d="m87.5 6.548v86.4l-29.5 17c-0.597 0.299-1.303 0.299-1.9 0l-29.5-17v-86.4l-20.9 12.1c-3.528 2.042-5.706 5.824-5.7 9.9v86.4c0.021 4.07 2.191 7.839 5.7 9.9l45.7 26.4c3.533 1.998 7.867 1.998 11.4 0l45.7-26.4c3.528-2.042 5.706-5.824 5.7-9.9v-86.4c-0.021-4.07-2.191-7.839-5.7-9.9z" fill="url(#_Linear1)"/><path d="m114.2 28.548c-0.021-4.07-2.191-7.839-5.7-9.9l-30.4-17.6c-2.337-1.398-5.263-1.398-7.6 0-2.354 1.359-3.807 3.882-3.8 6.6v66.6c0.021 4.07 2.191 7.839 5.7 9.9l36.1 20.9c3.528 2.042 5.706 5.824 5.7 9.9z" fill="#1fc2d7"/><path d="m0 28.548c0.021-4.07 2.191-7.839 5.7-9.9l30.5-17.6c2.337-1.398 5.263-1.398 7.6 0 2.354 1.359 3.807 3.882 3.8 6.6v66.6c-0.021 4.07-2.191 7.839-5.7 9.9l-36.1 20.9c-3.528 2.042-5.706 5.824-5.7 9.9z" fill="#1fc2d7"/></g></g></g><defs><linearGradient id="_Linear1" x2="1" gradientTransform="matrix(136.42 0 0 136.42 -19.353 95.041)" gradientUnits="userSpaceOnUse"><stop stop-color="#0d0d27" offset="0"/><stop stop-color="#10102f" offset=".02"/><stop stop-color="#1a1b4d" offset=".1"/><stop stop-color="#232365" offset=".19"/><stop stop-color="#282976" offset=".28"/><stop stop-color="#2c2d80" offset=".38"/><stop stop-color="#2d2e83" offset=".5"/><stop stop-color="#2c2d80" offset=".62"/><stop stop-color="#282976" offset=".72"/><stop stop-color="#232365" offset=".81"/><stop stop-color="#1a1b4d" offset=".9"/><stop stop-color="#10102f" offset=".98"/><stop stop-color="#0d0d27" offset="1"/></linearGradient></defs></svg>

After

Width:  |  Height:  |  Size: 2.1 KiB

View File

@ -8,121 +8,122 @@ breadcrumb: "DNS"
{% include sections/dns.html %} {% include sections/dns.html %}
<h4>Terms</h4> <h1 id="dns-desktop-clients" class="anchor">
<a href="#dns-desktop-clients">
<i class="fas fa-link anchor-icon"></i>
</a> Encrypted DNS Client Recommendations for Desktop
</h1>
<ul> {%
<li>DNS-over-TLS (DoT) - A security protocol for encrypted DNS on a dedicated port 853. Some providers support port 443 which generally works everywhere while port 853 is often blocked by restrictive firewalls. DoT has two modes:</li> include cardv2.html
<ul> title="Unbound"
<li>Oppurtunistic mode: the client attempts to form a DNS-over-TLS connection to the server on port 853 without performing certificate validation. If it fails, it will use unencrypted DNS. image="/assets/img/svg/3rd-party/unbound.svg"
{% include badge.html description='A validating, recursive, caching DNS resolver, supporting DNS-over-TLS, and has been <a href="https://ostif.org/our-audit-of-unbound-dns-by-x41-d-sec-full-results/">independently audited</a>.'
color="warning" website="https://nlnetlabs.nl/projects/unbound/about/"
icon="fas fa-exclamation-triangle" forum="https://forum.privacytools.io/t/discussion-unbound/3563"
tooltip="In other words automatic mode leaves your DNS traffic vulnerable to SSL strip and MITM attacks." github="https://github.com/NLnetLabs/unbound"
%}</li> %}
<li>Strict mode: the client connects to a specific hostname and performs certificate validation for it. If it fails, no DNS queries are made until it succeeds.</li>
</ul>
<li>DNS-over-HTTPS (DoH) - Similar to DoT, but uses HTTPS instead, being indistinguishable from "normal" HTTPS traffic on port 443.
{% include badge.html
color="warning"
icon="fas fa-exclamation-triangle"
link="https://tools.ietf.org/html/rfc8484#section-8.2"
tooltip="DoH contains metadata such as user-agent (which may include system information) that is sent to the DNS server."
%}</li>
<li>DNSCrypt - An older yet robust method of encrypting DNS.</li>
</ul>
<h4>How to verify DNS is encrypted</h4> {%
include cardv2.html
title="dnscrypt-proxy"
image="/assets/img/svg/3rd-party/dnscrypt-proxy.svg"
description='A DNS proxy with support for DNSCrypt, DNS-over-HTTPS, and <a href="https://github.com/DNSCrypt/dnscrypt-protocol/blob/master/ANONYMIZED-DNSCRYPT.txt">Anonymized DNSCrypt</a>, a <a href="https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS">relay-based protocol that the hides client IP address.</a>'
website="https://github.com/DNSCrypt/dnscrypt-proxy/wiki"
forum="https://forum.privacytools.io/t/discussion-dnscrypt-proxy/1498"
github="https://github.com/DNSCrypt/dnscrypt-proxy"
%}
<ul> {%
<li>DoH / DoT include cardv2.html
<ul> title="Stubby"
<li>Check <a href="https://www.dnsleaktest.com/">DNSLeakTest.com</a>. image="/assets/img/png/3rd-party/stubby.png"
{% include badge.html description='An application that acts as a local DNS-over-TLS stub resolver. Stubby can be used in <a href="https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Clients#DNSPrivacyClients-Unbound/Stubbycombination">combination with Unbound</a> by managing the upstream TLS connections (since Unbound cannot yet re-use TCP/TLS connections) with Unbound providing a local cache.'
color="warning" website="https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby"
icon="fas fa-exclamation-triangle" forum="https://forum.privacytools.io/t/discussion-stubby/3582"
tooltip="Your DNS provider may not appear with their own name, so compare the responses to what you know or can find about your DNS provider. Just ensure you don't see your ISP or old unencrypted DNS provider." github="https://github.com/getdnsapi/stubby"
%}</li> %}
<li>Check the website of your DNS provider. They may have a page for telling "you are using our DNS." Examples include <a href="https://adguard.com/en/adguard-dns/overview.html">AdGuard</a> and <a href="https://1.1.1.1/help">Cloudflare</a>.</li>
<li>If using Firefox's trusted recursive resolver (TRR), navigate to <code>about:networking#dns</code>. If the TRR column says "true" for some fields, you are using DoH.
{% include badge.html
color="warning"
icon="fas fa-exclamation-triangle"
link="https://wiki.mozilla.org/Trusted_Recursive_Resolver"
tooltip="Some fields will say 'false' depending on the the value of network.trr.mode in about:config"
%}</li>
</ul>
</li>
<li>dnscrypt-proxy - Check <a href="https://github.com/jedisct1/dnscrypt-proxy/wiki/Checking">dnscrypt-proxy's wiki on how to verify that your DNS is encrypted</a>.</li>
<li>DNSSEC - Check <a href="https://dnssec.vs.uni-due.de/">DNSSEC Resolver Test by Matthäus Wander</a>.</li>
<li>QNAME Minimization - Run <code>dig +short txt qnamemintest.internet.nl</code> from the command-line (taken from <a href="https://nlnetlabs.nl/downloads/presentations/unbound_qnamemin_oarc24.pdf">this NLnet Labs presentation</a>). If you are on Windows 10, run <code>Resolve-DnsName -Type TXT -Name qnamemintest.internet.nl</code> from the PowerShell. You should see this display: <code>"HOORAY - QNAME minimisation is enabled on your resolver :)!"</code></li>
</ul>
<h3 id="clients">Software suggestions and Additional Information</h3> {%
include cardv2.html
title="Firefox's built-in DNS-over-HTTPS resolver"
image="/assets/img/svg/3rd-party/firefox_browser.svg"
description='Firefox comes with built-in DNS-over-HTTPS support for <a href="https://blog.mozilla.org/blog/2020/02/25/firefox-continues-push-to-bring-dns-over-https-by-default-for-us-users/">NextDNS and Cloudflare</a> but users can manually any other DoH resolver.'
labels="color==warning::icon==fas fa-exclamation-triangle::link==https://developers.cloudflare.com/1.1.1.1/privacy/firefox::text==Warning::tooltip==Cloudflare logs a limited amount of data about the DNS requests that are sent to their custom resolver for Firefox."
website="https://support.mozilla.org/en-US/kb/firefox-dns-over-https"
privacy-policy="https://wiki.mozilla.org/Security/DOH-resolver-policy"
forum="https://forum.privacytools.io/t/discussion-firefox-s-built-in-dns-over-https-resolver/3564"
%}
<ul> <h1 id="dns-android-clients" class="anchor">
<li><strong>Encrypted DNS clients for desktop:</strong> <a href="#dns-android-clients">
<ul> <i class="fas fa-link anchor-icon"></i>
<li><em>Firefox</em> comes with built-in DoH support with Cloudflare set as the default resolver, but can be configured to use any DoH resolver. </a> Encrypted DNS Client Recommendations for Android
{% include badge.html </h1>
color="warning"
icon="fas fa-exclamation-triangle" {%
link="https://developers.cloudflare.com/1.1.1.1/commitment-to-privacy/privacy-policy/firefox/" include cardv2.html
tooltip="&quot;Cloudflare has agreed to collect only a limited amount of data about the DNS requests that are sent to the Cloudflare Resolver for Firefox via the Firefox browser.&quot;" title="Android 9's built-in DNS-over-TLS resolver"
%} image="/assets/img/svg/3rd-party/android.svg"
Currently Mozilla is <a href="https://blog.mozilla.org/futurereleases/2019/07/31/dns-over-https-doh-update-detecting-managed-networks-and-user-choice/">conducting studies</a> before enabling DoH by default for all US-based Firefox users.</li> description="Android 9 (Pie) comes with built-in DNS-over-TLS support without the need for a 3rd-party application."
<ul> labels="color==warning::icon==fas fa-exclamation-triangle::link==https://developers.google.com/speed/public-dns/docs/using#android_9_pie_or_later::text==Warning::tooltip==Android 9's DoT settings have no effect when used concurrently with VPN-based apps which override the DNS."
<li>DNS over HTTPS can be enabled in Menu -> Preferences (<code>about:preferences</code>) -> Network Settings -> Enable DNS over HTTPS. Set "Use Provider" to "Custom", and enter your DoH provider's address.</li> website="https://support.google.com/android/answer/9089903#private_dns"
<li>Advanced users may enable it in <code>about:config</code> by setting <code>network.trr.custom_uri</code> and <code>network.trr.uri</code> as the address you find from the documentation of your DoH provider and <code>network.trr.mode</code> as <code>2</code>. It may also be desirable to set <code>network.security.esni.enabled</code> to <code>True</code> in order to enable encrypted SNI and make sites supporting ESNI a bit more difficult to track.</li> forum="https://forum.privacytools.io/t/discussion-android-9s-built-in-dns-over-tls-resolver/3562"
</ul> %}
</ul>
</li> {%
<li><strong>Encrypted DNS clients for mobile:</strong> include cardv2.html
<ul> title="Nebulo"
<li><em>Android 9</em> comes with a DoT client by <a href="https://support.google.com/android/answer/9089903">default</a>. image="/assets/img/png/3rd-party/nebulo.png"
{% include badge.html description='An open-source Android client supporting DNS-over-HTTPS and DNS-over-TLS, caching DNS responses, and locally logging DNS queries.'
color="warning" website="https://git.frostnerd.com/PublicAndroidApps/smokescreen/-/blob/master/README.md"
icon="fas fa-exclamation-triangle" privacy-policy="https://smokescreen.app/privacypolicy"
link="https://www.quad9.net/private-dns-quad9-android9/" forum="https://forum.privacytools.io/t/discussion-nebulo/3565"
tooltip="...but with some caveats" fdroid="https://git.frostnerd.com/PublicAndroidApps/smokescreen#f-droid"
%}</li> googleplay="https://play.google.com/store/apps/details?id=com.frostnerd.smokescreen"
<ul> source="https://git.frostnerd.com/PublicAndroidApps/smokescreen"
<li>We recommend selecting <em>Private DNS provider hostname</em> and entering the DoT address from documentation of your DoT provider to enable strict mode (see Terms above). %}
{% include badge.html
color="warning" <h1 id="dns-ios-clients" class="anchor">
icon="fas fa-exclamation-triangle" <a href="#dns-ios-clients">
tooltip="If you are on a network blocking access to port 853, Android will error about the network not having internet connectivity." <i class="fas fa-link anchor-icon"></i>
%}</li> </a> Encrypted DNS Client Recommendations for iOS
</ul> </h1>
<li><em><a href="https://apps.apple.com/app/id1452162351">DNSCloak</a></em> - An <a href="https://github.com/s-s/dnscloak">open-source</a> DNSCrypt and DoH client for iOS by <td><a data-toggle="tooltip" data-placement="bottom" data-original-title='"A charitable non-profit host organization for international Free Software projects."' href="https://techcultivation.org/">the Center for the Cultivation of Technology gemeinnuetzige GmbH</a>.</li>
<li><em><a href="https://git.frostnerd.com/PublicAndroidApps/smokescreen/blob/master/README.md">Nebulo</a></em> - An open-source application for Android supporting DoH and DoT. It also supports caching DNS responses and locally logging DNS queries.</li> {%
</ul> include cardv2.html
</li> title="DNSCloak"
<li><strong>Local DNS servers:</strong> image="/assets/img/png/3rd-party/dnscloak.png"
<ul> description='An open-source iOS client supporting DNS-over-HTTPS, DNSCrypt, and <a href="https://github.com/DNSCrypt/dnscrypt-proxy/wiki">dnscrypt-proxy</a> options such as caching DNS responses, locally logging DNS queries, and custom block lists. Users can <a href="https://blog.privacytools.io/adding-custom-dns-over-https-resolvers-to-dnscloak/">add custom resolvers by DNS stamp</a>.'
<li><em><a href="https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby">Stubby</a></em> - An open-source application for Linux, macOS, and Windows that acts as a local DNS Privacy stub resolver using DoT.</li> website="https://github.com/s-s/dnscloak/blob/master/README.md"
<li><em><a href="https://nlnetlabs.nl/projects/unbound/about/">Unbound</a></em> - a validating, recursive, caching DNS resolver. It can also be ran network-wide and has supported DNS-over-TLS since version 1.7.3.</li> privacy-policy="https://drive.google.com/file/d/1050No_pU74CAWUS5-BwQWyO2x_aiMzWc/view"
<ul> forum="https://forum.privacytools.io/t/discussion-dnscloak/3566"
<li>See also <a href="https://www.ctrl.blog/entry/unbound-tls-forwarding.html">Actually secure DNS over TLS in Unbound on ctrl.blog</a>.</li> ios="https://apps.apple.com/app/id1452162351"
</ul> github="https://github.com/s-s/dnscloak"
</ul> %}
</li>
<li><strong>Network wide DNS servers:</strong> <h2 id="dns-definitions" class="anchor">
<ul> <a href="#dns-definitions">
<li><em><a href="https://pi-hole.net/">Pi-hole</a></em> - A network-wide DNS server mainly for the Raspberry Pi. Blocks ads, tracking, and malicious domains for all devices on your network.</li> <i class="fas fa-link anchor-icon"></i>
<li><em><a href="https://gitlab.com/quidsup/notrack">NoTrack</a></em> - A network-wide DNS server like Pi-hole for blocking ads, tracking, and malicious domains.</li> </a> Definitions
</ul> </h2>
</li>
<li><strong>Further reading:</strong> <h4>DNS-over-TLS (DoT)</h4>
<ul> <p>
<li>On Firefox, DoH and ESNI</li> A security protocol for encrypted DNS on a dedicated port 853. Some providers support port 443 which generally works everywhere while port 853 is often blocked by restrictive firewalls.
<ul> </p>
<li><a href="https://wiki.mozilla.org/Trusted_Recursive_Resolver">Trusted Recursive Resolver (DoH) on MozillaWiki</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1500289">Firefox bug report requesting the ability to use ESNI without DoH</a></li> <h4>DNS-over-HTTPS (DoH)</h4>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1542754">Firefox bug report requesting the ability to use Android 9+'s Private DNS (DoT) and benefit from encrypted SNI without having to enable DoH</a></li> <p>
<li><a href="https://blog.cloudflare.com/encrypted-sni/">Encrypt it or lose it: how encrypted SNI works on Cloudflare blog</a></li> Similar to DoT, but uses HTTPS instead, being indistinguishable from "normal" HTTPS traffic on port 443 and more difficult to block. {% include badge.html color="warning" text="Warning" tooltip="DoH contains metadata such as user-agent (which may include system information) that is sent to the DNS server." link="https://tools.ietf.org/html/rfc8484#section-8.2" icon="fas fa-exclamation-triangle" %}
</ul> </p>
<li><a href="https://www.isc.org/blogs/qname-minimization-and-privacy/">QNAME Minimization and Your Privacy</a> by the Internet Systems Consortium (ISC)</li>
<li><a href="https://www.isc.org/dnssec/">DNSSEC and BIND 9</a> by the ISC</li> <h4>DNSCrypt</h4>
</ul> <p>
</li> With an <a href="https://dnscrypt.info/protocol/">open specification</a>, DNSCrypt is an older, yet robust method for encrypting DNS.
</ul> </p>
<h4>Anonymized DNSCrypt</h4>
<p>
A <a href="https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS">lightweight protocol</a> that hides the client IP address by using pre-configured relays to forward encrypted DNS data. This is a relatively new protocol created in 2019 currently only supported by <a href="#dns-desktop-clients">dnscrypt-proxy</a> and a limited number of <a href="https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v2/relays.md">relays</a>.
</p>