Domain Name System (DNS)
{% include cardv2.html
title="OpenNIC - Service"
image="/assets/img/tools/OpenNIC.png"
description="OpenNIC is an alternate network information center/alternative DNS root which lists itself as an alternative to ICANN and its registries. Like all alternative root DNS systems, OpenNIC-hosted domains are unreachable to the vast majority of the Internet."
website="https://www.opennic.org/"
forum="https://forum.privacytools.io/t/discussion-opennic/338"
github="https://github.com/OpenNIC"
%}
{% include cardv2.html
title="Njalla - Domain Registration"
image="/assets/img/provider/Njalla.png"
description="Njalla only needs your email or jabber address in order to register a domain name for you. Created by people from The Pirate Bay and IPredator VPN. Accepted Payments: Bitcoin, Litecoin, Monero, DASH, Bitcoin Cash and PayPal. A privacy-aware domain registration service."
website="https://njal.la/"
tor="http://njalladnspotetti.onion"
forum="https://forum.privacytools.io/t/discussion-njalla/339"
%}
{% include cardv2.html
title="DNSCrypt - Tool"
image="/assets/img/tools/DNSCrypt.png"
description="A protocol for securing communications between a client and a DNS resolver. The DNSCrypt protocol uses high-speed high-security elliptic-curve cryptography and is very similar to DNSCurve, but focuses on securing communications between a client and its first-level resolver."
website="https://dnscrypt.info/"
forum="https://forum.privacytools.io/t/discussion-dnscrypt/340"
github="https://github.com/jedisct1/dnscrypt-proxy"
%}
Encrypted ICANN DNS Providers
Note: Using an encrypted DNS resolver will not make you anonymous, nor hide your internet traffic from your Internet Service Provider. But it will prevent DNS hijacking, and make your DNS requests harder for third parties to eavesdrop on and tamper with. If you are currently using Google's DNS resolver, you should pick an alternative here.
| ICANN DNS Provider | Server Locations | Privacy Policy | Type | Logging | Protocols | DNSSEC | QNAME Minimization | Filtering | Source Code |
|---|---|---|---|---|---|---|---|---|---|
| AdGuard | Anycast (based in Cyprus) | | Commercial | No | DoH, DoT, DNSCrypt | Yes | Yes | Ads, trackers, malicious domains | |
| BlahDNS | Switzerland, Japan, Germany | | Hobby Project | No | DoH, DoT, DNSCrypt | Yes | Yes | Ads, trackers, malicious domains | |
| Cloudflare | Anycast (based in US) | | Commercial | Some | DoH, DoT, DNSCrypt | Yes | Yes | No | |
| CZ.NIC | Czech Republic | | Association | No | DoH, DoT | Yes | Yes | ? | ? |
| dnswarden | Germany | | Hobby Project | No | DoH, DoT, DNSCrypt | Yes | Yes | Based on server choice | ? |
| Foundation for Applied Privacy | Austria | | Non-Profit | Some | DoH, DoT | Yes | Yes | No | ? |
| nextdns | Anycast (based in US) | | Commercial | Based on user choice | DoH, DoT, DNSCrypt | Yes | Yes | Based on user choice | ? |
| NixNet | Anycast (based in US), US, Luxembourg | | Informal collective | No | DoT | Yes | Yes | Based on server choice | |
| PowerDNS | The Netherlands | | Hobby Project | No | DoH | Yes | No | No | |
| Quad9 | Anycast (based in US) | | Non-Profit | Some | DoH, DoT, DNSCrypt | Yes | Yes | Malicious domains | ? |
| SecureDNS | The Netherlands | | Hobby Project | No | DoH, DoT, DNSCrypt | Yes | Yes | Based on server choice | ? |
| UncensoredDNS | Anycast (based in Denmark) | | Hobby Project | No | DoT | Yes | No | No | ? |
Terms
- DNS-over-TLS (DoT) - A security protocol for encrypted DNS on a dedicated port 853. Some providers support port 443 which generally works everywhere while port 853 is often blocked by restrictive firewalls. DoT has two modes:
- Opportunistic mode: the client attempts to form a DNS-over-TLS connection to the server on port 853 without performing certificate validation. If it fails, it will use unencrypted DNS.
- Strict mode: the client connects to a specific hostname and performs certificate validation for it. If it fails, no DNS queries are made until it succeeds.
- DNS-over-HTTPS (DoH) - Similar to DoT, but uses HTTPS instead, being indistinguishable from "normal" HTTPS traffic on port 443.
- DNSCrypt - An older yet robust method of encrypting DNS.
How to verify DNS is encrypted
Worth Mentioning and Additional Information
- Encrypted DNS clients for desktop:
  - Firefox comes with built-in DoH support with Cloudflare set as the default resolver, but can be configured to use any DoH resolver. Currently Mozilla is conducting studies before enabling DoH by default for all US-based Firefox users.
    - DNS over HTTPS can be enabled in Menu -> Preferences (`about:preferences`) -> Network Settings -> Enable DNS over HTTPS. Set "Use Provider" to "Custom", and enter your DoH provider's address.
    - Advanced users may enable it in `about:config` by setting `network.trr.custom_uri` and `network.trr.uri` to the address you find in the documentation of your DoH provider and `network.trr.mode` to `2`. It may also be desirable to set `network.security.esni.enabled` to `True` in order to enable encrypted SNI and make sites supporting ESNI a bit more difficult to track.
- Encrypted DNS clients for mobile:
  - Android 9 comes with a DoT client by default.
    - We recommend selecting Private DNS provider hostname and entering the DoT address from the documentation of your DoT provider to enable strict mode (see Terms above).
  - DNSCloak - An open-source DNSCrypt and DoH client for iOS by the Center for the Cultivation of Technology gemeinnuetzige GmbH.
  - Nebulo - An open-source application for Android supporting DoH and DoT. It also supports caching DNS responses and locally logging DNS queries.
- Local DNS servers:
  - Namecoin - A decentralized DNS open-source information registration and transfer system based on the Bitcoin cryptocurrency.
  - Stubby - An open-source application for Linux, macOS, and Windows that acts as a local DNS Privacy stub resolver using DoT.
- Network wide DNS servers:
  - Pi-hole - A network-wide DNS server mainly for the Raspberry Pi. Blocks ads, tracking, and malicious domains for all devices on your network.
  - NoTrack - A network-wide DNS server like Pi-hole for blocking ads, tracking, and malicious domains.
- Further reading: