Encrypted DNS Resolvers
DNS-over-HTTPS, DNS-over-TLS, and DNSCrypt resolvers will not make you anonymous. Using Anonymized DNSCrypt hides
only your DNS traffic from your Internet Service Provider. However, using any of these protocols will prevent DNS hijacking, and make your DNS requests harder for third parties to eavesdrop on and tamper with. If you are currently using Google's DNS resolver, you should pick an alternative here. See the
definitions below.
| DNS Provider |
Server Locations |
Privacy Policy |
Type |
Logging |
Protocols |
DNSSEC |
QNAME Minimization |
Filtering |
Source Code |
Hosting Provider |
|
AdGuard
|
Anycast (based in
Cyprus)
|
|
Commercial |
Some |
DoH, DoT, DNSCrypt |
Yes |
Yes |
Based on server choice
|
|
Choopa, LLC,
Serveroid, LLC
|
|
BlahDNS
|
Finland,
Germany,
Japan
Singapore
|
|
Hobby Project |
No |
DoH,
DoT ,
DNSCrypt
|
Yes |
Yes |
Ads, trackers,
malicious domains
Based on server choice only for DoH
|
|
Choopa, LLC,
Hetzner Online GmbH
|
|
Cloudflare
|
Anycast (based in
US)
|
|
Commercial |
Some |
DoH, DoT |
Yes |
Yes |
Based on server choice
|
? |
Self |
|
CZ.NIC
|
Czech Republic
|
|
Association |
No |
DoH, DoT |
Yes |
Yes |
? |
? |
Self |
|
Foundation for Applied Privacy
|
Austria
|
|
Non-Profit |
Some |
DoH,
DoT
|
Yes |
Yes |
No |
? |
IPAX OG
|
|
LibreDNS
|
Germany
|
|
Informal collective
|
No |
DoH, DoT |
Yes |
Yes |
Based on server choice only for DoH
|
|
Hetzner Online GmbH
|
|
NextDNS
|
Anycast (based in
US)
|
|
Commercial |
Based on user choice
|
DoH, DoT, DNSCrypt |
Yes |
Yes |
Based on server choice
|
? |
Self |
|
NixNet
|
Anycast (based in
US),
US,
Luxembourg
|
|
Informal collective
|
No |
DoH, DoT |
Yes |
Yes |
Based on server choice
|
|
FranTech Solutions
|
|
PowerDNS
|
The Netherlands
|
|
Hobby Project |
No |
DoH |
Yes |
No |
No |
|
TransIP B.V. Admin
|
|
Quad9
|
Anycast (based in
US)
|
|
Non-Profit |
Some |
DoH, DoT, DNSCrypt |
Yes |
Yes |
Malicious domains
|
? |
Self,
Packet Clearing House
|
|
Snopyta
|
Finland
|
|
Informal collective
|
No |
DoH, DoT |
Yes |
Yes |
No
|
? |
Hetzner Online GmbH
|
|
UncensoredDNS
|
Anycast (based in
Denmark),
Denmark,
US
|
|
Hobby Project |
No |
DoT |
Yes |
No |
No |
? |
Self,
Telia Company AB
|
Encrypted DNS Client Recommendations for Desktop
{%
include cardv2.html
title="Unbound"
image="/assets/img/svg/3rd-party/unbound.svg"
description='A validating, recursive, caching DNS resolver, supporting DNS-over-TLS, and has been independently audited.'
website="https://nlnetlabs.nl/projects/unbound/about/"
forum="https://forum.privacytools.io/t/discussion-unbound/3563"
github="https://github.com/NLnetLabs/unbound"
%}
{%
include cardv2.html
title="dnscrypt-proxy"
image="/assets/img/svg/3rd-party/dnscrypt-proxy.svg"
description='A DNS proxy with support for DNSCrypt, DNS-over-HTTPS, and Anonymized DNSCrypt, a relay-based protocol that the hides client IP address.'
website="https://github.com/DNSCrypt/dnscrypt-proxy/wiki"
forum="https://forum.privacytools.io/t/discussion-dnscrypt-proxy/1498"
github="https://github.com/DNSCrypt/dnscrypt-proxy"
%}
{%
include cardv2.html
title="Stubby"
image="/assets/img/png/3rd-party/stubby.png"
description='An application that acts as a local DNS-over-TLS stub resolver. Stubby can be used in combination with Unbound by managing the upstream TLS connections (since Unbound cannot yet re-use TCP/TLS connections) with Unbound providing a local cache.'
website="https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby"
forum="https://forum.privacytools.io/t/discussion-stubby/3582"
github="https://github.com/getdnsapi/stubby"
%}
{%
include cardv2.html
title="Firefox's built-in DNS-over-HTTPS resolver"
image="/assets/img/svg/3rd-party/firefox_browser.svg"
description='Firefox comes with built-in DNS-over-HTTPS support for NextDNS and Cloudflare but users can manually use any other DoH resolver.'
labels="color==warning::icon==fas fa-exclamation-triangle::link==https://developers.cloudflare.com/1.1.1.1/privacy/firefox::text==Warning::tooltip==Cloudflare logs a limited amount of data about the DNS requests that are sent to their custom resolver for Firefox."
website="https://support.mozilla.org/en-US/kb/firefox-dns-over-https"
privacy-policy="https://wiki.mozilla.org/Security/DOH-resolver-policy"
forum="https://forum.privacytools.io/t/discussion-firefox-s-built-in-dns-over-https-resolver/3564"
%}
Encrypted DNS Client Recommendations for Android
{%
include cardv2.html
title="Android 9's built-in DNS-over-TLS resolver"
image="/assets/img/svg/3rd-party/android.svg"
description="Android 9 (Pie) comes with built-in DNS-over-TLS support without the need for a 3rd-party application."
labels="color==warning::icon==fas fa-exclamation-triangle::link==https://developers.google.com/speed/public-dns/docs/using#android_9_pie_or_later::text==Warning::tooltip==Android 9's DoT settings have no effect when used concurrently with VPN-based apps which override the DNS."
website="https://support.google.com/android/answer/9089903#private_dns"
forum="https://forum.privacytools.io/t/discussion-android-9s-built-in-dns-over-tls-resolver/3562"
%}
{%
include cardv2.html
title="Nebulo"
image="/assets/img/png/3rd-party/nebulo.png"
description='An open-source Android client supporting DNS-over-HTTPS and DNS-over-TLS, caching DNS responses, and locally logging DNS queries.'
website="https://git.frostnerd.com/PublicAndroidApps/smokescreen/-/blob/master/README.md"
privacy-policy="https://smokescreen.app/privacypolicy"
forum="https://forum.privacytools.io/t/discussion-nebulo/3565"
fdroid="https://git.frostnerd.com/PublicAndroidApps/smokescreen#f-droid"
googleplay="https://play.google.com/store/apps/details?id=com.frostnerd.smokescreen"
source="https://git.frostnerd.com/PublicAndroidApps/smokescreen"
%}
Encrypted DNS Client Recommendations for iOS
{%
include cardv2.html
title="DNSCloak"
image="/assets/img/png/3rd-party/dnscloak.png"
description='An open-source iOS client supporting DNS-over-HTTPS, DNSCrypt, and dnscrypt-proxy options such as caching DNS responses, locally logging DNS queries, and custom block lists. Users can add custom resolvers by DNS stamp.'
website="https://github.com/s-s/dnscloak/blob/master/README.md"
privacy-policy="https://drive.google.com/file/d/1050No_pU74CAWUS5-BwQWyO2x_aiMzWc/view"
forum="https://forum.privacytools.io/t/discussion-dnscloak/3566"
ios="https://apps.apple.com/app/id1452162351"
github="https://github.com/s-s/dnscloak"
%}
Apple's native support
In iOS, iPadOS, tvOS 14 and macOS 11, DoT and DoH were introduced. DoT and DoH are supported natively by installation of profiles (through mobileconfig files opened in Safari).
After installation, the encrypted DNS server can be selected in Settings → General → VPN and Network → DNS.
Definitions
DNS-over-TLS (DoT)
A security protocol for encrypted DNS on a dedicated port 853. Some providers support port 443 which generally works everywhere while port 853 is often blocked by restrictive firewalls.
DNS-over-HTTPS (DoH)
Similar to DoT, but uses HTTPS instead, being indistinguishable from "normal" HTTPS traffic on port 443 and more difficult to block. {% include badge.html color="warning" text="Warning" tooltip="DoH contains metadata such as user-agent (which may include system information) that is sent to the DNS server." link="https://tools.ietf.org/html/rfc8484#section-8.2" icon="fas fa-exclamation-triangle" %}
DNSCrypt
With an open specification, DNSCrypt is an older, yet robust method for encrypting DNS.
Anonymized DNSCrypt
A lightweight protocol that hides the client IP address by using pre-configured relays to forward encrypted DNS data. This is a relatively new protocol created in 2019 currently only supported by dnscrypt-proxy and a limited number of relays.