privacyguides.org/_includes/sections/dns.html
2020-12-13 20:37:35 +00:00

669 lines
26 KiB
HTML

<h1 id="dns" class="anchor">
<a href="#dns"><i class="fas fa-link anchor-icon"></i></a> Encrypted DNS Resolvers
</h1>
<div class="alert alert-warning" role="alert">
DNS-over-HTTPS, DNS-over-TLS, and DNSCrypt resolvers will not make you anonymous. Using Anonymized DNSCrypt hides <i>only</i> your DNS traffic from your Internet Service Provider. However, using any of these protocols will prevent DNS hijacking, and make your DNS requests harder for third parties to eavesdrop on and tamper with. If you are currently using Google's DNS resolver, you should pick an alternative here. See the <a href="#dns-definitions">definitions</a> below.
</div>
<div id="dns-table" class="table-responsive">
<table class="table sortable-theme-bootstrap" data-sortable>
<thead>
<tr>
<th data-sorted="true" data-sorted-direction="ascending">DNS Provider</th>
<th data-sortable="true">Server Locations</th>
<th data-sortable="false">Privacy Policy</th>
<th data-sortable="true">Type</th>
<th data-sortable="true">Logging</th>
<th data-sortable="true">Protocols</th>
<th data-sortable="true">DNSSEC</th>
<th data-sortable="true">QNAME Minimization</th>
<th data-sortable="true">Filtering</th>
<th data-sortable="true">Source Code</th>
<th data-sortable="true">Hosting Provider</th>
</tr>
</thead>
<tbody>
<tr>
<td data-value="AdGuard">
<a href="https://adguard.com/en/adguard-dns/overview.html">AdGuard</a>
</td>
<td>Anycast (based in
<span class="no-text-wrap">
<span class="flag-icon flag-icon-cy"></span>
Cyprus)
</span>
</td>
<td>
<a
class="btn-secondary btn-icon"
href="https://adguard.com/en/privacy/dns.html">
<span class="fas fa-globe"></span>
</a>
</td>
<td>Commercial</td>
<td><a data-toggle="tooltip" data-placement="bottom" data-original-title='"We store aggregated performance metrics of our DNS server, namely the number of complete requests to a particular server, the number of blocked requests, the speed of processing requests.
We keep and store the database of domains requested in the last 24 hours. We need this information to identify and block new trackers and threats.
We also log how many times this or that tracker has been blocked. We need this information to remove outdated rules from our filters."' href="https://adguard.com/en/privacy/dns.html">Some</a></td>
<td>DoH, DoT, DNSCrypt</td>
<td>Yes</td>
<td>Yes</td>
<td>
<span class="no-text-wrap">
Based on server choice
</span>
</td>
<td>
<a
class="btn-secondary btn-icon"
href="https://github.com/AdguardTeam/AdGuardDNS/">
<span class="fas fa-globe"></span>
</a>
</td>
<td>
<span class="no-text-wrap">
<a href="https://www.choopa.com/">Choopa, LLC</a>,
</span>
<span class="no-text-wrap">
<a href="https://flops.ru/en/about.html">Serveroid, LLC</a>
</span>
</td>
</tr>
<tr>
<td data-value="BlahDNS">
<a href="https://blahdns.com/">BlahDNS</a>
</td>
<td>
<span class="no-text-wrap">
<span class="flag-icon flag-icon-fi"></span>
Finland,
</span>
<span class="no-text-wrap">
<span class="flag-icon flag-icon-de"></span>
Germany,
</span>
<span class="no-text-wrap">
<span class="flag-icon flag-icon-jp"></span>
Japan
</span>
<span class="no-text-wrap">
<span class="flag-icon flag-icon-sg"></span>
Singapore
</span>
</td>
<td>
<div
class="btn-secondary btn-icon"
data-original-title="&quot;No logs.&quot;"
data-toggle="tooltip"
data-placement="bottom">
<span class="fas fa-globe"></span>
</div>
</td>
<td>Hobby Project</td>
<td>No</td>
<td data-value="dot/443">
<span class="no-text-wrap">
DoH,
<span data-toggle="tooltip" data-placement="bottom" data-original-title="Supports port 443 in addition to 853">
DoT <span class="fas fa-info-circle fa-sm text-secondary"></span>,
</span>
</span>
DNSCrypt
</td>
<td>Yes</td>
<td>Yes</td>
<td>
<span class="no-text-wrap">
Ads, trackers,
</span>
<span class="no-text-wrap">
malicious domains
</span>
<span class="no-text-wrap">
Based on server choice only for DoH
</span>
</td>
<td>
<a
class="btn-secondary btn-icon"
href="https://github.com/ookangzheng/blahdns/">
<span class="fas fa-globe"></span>
</a>
</td>
<td>
<span class="no-text-wrap">
<a href="https://www.choopa.com/">Choopa, LLC</a>,
</span>
<span class="no-text-wrap">
<a href="https://www.hetzner.com/">Hetzner Online GmbH</a>
</span>
</td>
</tr>
<tr>
<td data-value="Cloudflare">
<a href="https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/">Cloudflare</a>
</td>
<td>Anycast (based in
<span class="no-text-wrap">
<span class="flag-icon flag-icon-us"></span>
US)
</span>
</td>
<td>
<a
class="btn-secondary btn-icon"
href="https://www.cloudflare.com/privacypolicy/">
<span class="fas fa-globe"></span>
</a>
</td>
<td>Commercial</td>
<td><a data-toggle="tooltip" data-placement="bottom" data-original-title="Cloudflare collects and stores only the limited DNS query data that is sent to the 1.1.1.1 resolver. The 1.1.1.1 resolver service does not log personal data, and the bulk of the limited non-personally identifiable query data is only stored for 25 hours." href="https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/">Some</a></td>
<td>DoH, DoT</td>
<td>Yes</td>
<td>Yes</td>
<td>
<span class="no-text-wrap">
Based on server choice
</span>
</td>
<td>?</td>
<td>Self</td>
</tr>
<tr>
<td data-value="CZ.NIC">
<a href="https://www.nic.cz/odvr/">CZ.NIC</a>
</td>
<td>
<span class="no-text-wrap">
<span class="flag-icon flag-icon-cz"></span>
Czech Republic
</span>
</td>
<td>
<div
class="btn-secondary btn-icon"
data-original-title="&quot;CZ.NIC resolvers neither collect any personal data nor gather information on pages where your computer sends personal data.&quot;"
data-toggle="tooltip"
data-placement="bottom">
<span class="fas fa-globe"></span>
</a>
</td>
<td><a data-toggle="tooltip" data-placement="bottom" data-original-title='"CZ.NIC is an interest association of legal entities, founded in 1998 by leading providers of Internet services."' href="https://www.nic.cz/page/351/about-association/">Association</a></td>
<td>No</td>
<td>DoH, DoT</td>
<td>Yes</td>
<td>Yes</td>
<td data-value="No">?</td>
<td>?</td>
<td>Self</td>
</tr>
<tr>
<td data-value="Foundation for Applied Privacy">
<a href="https://appliedprivacy.net/services/dns/">Foundation for Applied Privacy</a>
</td>
<td>
<span class="no-text-wrap">
<span class="flag-icon flag-icon-at"></span>
Austria
</span>
</td>
<td>
<a
class="btn-secondary btn-icon"
href="https://appliedprivacy.net/privacy-policy">
<span class="fas fa-globe"></span>
</a>
</td>
<td>Non-Profit</td>
<td><a data-toggle="tooltip" data-placement="bottom" data-original-title='"We do NOT log your IP address or DNS queries during normal operations. We do NOT share query data with third parties that are not directly involved with resolving the query (i.e. sending queries to authoritative nameservers for resolution)."' href="https://appliedprivacy.net/privacy-policy/">Some</a></td>
<td data-value="dot/443">
<span class="no-text-wrap">
DoH,
<span data-toggle="tooltip" data-placement="bottom" data-original-title="Supports port 443 in addition to 853">
DoT <span class="fas fa-info-circle fa-sm text-secondary"></span>
</span>
</span>
</td>
<td>Yes</td>
<td>Yes</td>
<td>No</td>
<td>?</td>
<td>
<span class="no-text-wrap">
<a href="https://www.ipax.at/">IPAX OG</a>
</span>
</td>
</tr>
<tr>
<td data-value="LibreDNS">
<a href="https://libredns.gr/">LibreDNS</a>
</td>
<td>
<span class="no-text-wrap">
<span class="flag-icon flag-icon-de"></span>
Germany
</span>
</td>
<td>
<a
class="btn-secondary btn-icon"
href="https://libreops.cc/terms.html">
<span class="fas fa-globe"></span>
</a>
</td>
<td>
<a data-toggle="tooltip" data-placement="bottom" data-original-title="Part of LibreHosters, &quot;a network of cooperation and solidarity that uses free software to encourage decentralisation through federation and distributed platforms.&quot;" href="https://libreho.st/">
Informal collective
</a>
</td>
<td>No</td>
<td>DoH, DoT</td>
<td>Yes</td>
<td>Yes</td>
<td>
<span class="no-text-wrap">
Based on server choice only for DoH
</span>
</td>
<td>
<a
class="btn-secondary btn-icon"
href="https://gitlab.com/libreops/libredns">
<span class="fas fa-globe"></span>
</a>
</td>
<td>
<span class="no-text-wrap">
<a href="https://www.hetzner.com/">Hetzner Online GmbH</a>
</span>
</td>
</tr>
<tr>
<td data-value="nextdns">
<a href="https://www.nextdns.io/">NextDNS</a>
</td>
<td>Anycast (based in
<span class="no-text-wrap">
<span class="flag-icon flag-icon-us"></span>
US)
</span>
</td>
<td>
<a
class="btn-secondary btn-icon"
href="https://www.nextdns.io/privacy">
<span class="fas fa-globe"></span>
</a>
</td>
<td>Commercial</td>
<td>
<a data-toggle="tooltip" data-placement="bottom" data-original-title='"Some of the features require some sort of data retention. In that case, we give our users the choice to granularly or completely disable those features (and associated data retention), and we follow up immediately on that promise"' href="https://www.nextdns.io/privacy">Based on user choice</a>
</td>
<td>DoH, DoT, DNSCrypt</td>
<td>Yes</td>
<td>Yes</td>
<td>
<span class="no-text-wrap">
Based on server choice
</span>
</td>
<td>?</td>
<td>Self</td>
</tr>
<tr>
<td data-value="NixNet">
<a href="https://nixnet.xyz/dns/">NixNet</a>
</td>
<td>
<span class="no-text-wrap">
Anycast (based in
<span class="flag-icon flag-icon-us"></span>
US),
</span>
<span class="no-text-wrap">
<span class="flag-icon flag-icon-us"></span>
US,
</span>
<span class="no-text-wrap">
<span class="flag-icon flag-icon-lu"></span>
Luxembourg
</span>
</td>
<td>
<a
class="btn-secondary btn-icon"
href="https://nixnet.xyz/privacy/">
<span class="fas fa-globe"></span>
</a>
</td>
<td>
<a data-toggle="tooltip" data-placement="bottom" data-original-title='Part of LibreHosters, "a network of cooperation and solidarity that uses free software to encourage decentralisation through federation and distributed platforms."' href="https://libreho.st/">
Informal collective
</a>
</td>
<td>No</td>
<td>DoH, DoT</td>
<td>Yes</td>
<td>Yes</td>
<td>
<span class="no-text-wrap">
Based on server choice
</span>
</td>
<td>
<a
class="btn-secondary btn-icon"
href="https://git.nixnet.xyz/NixNet/dns">
<span class="fas fa-globe"></span>
</a>
</td>
<td>
<span class="no-text-wrap">
<a href="https://frantech.ca/">FranTech Solutions</a>
</span>
</td>
</tr>
<tr>
<td data-value="PowerDNS">
<a href="https://powerdns.org/">PowerDNS</a>
</td>
<td>
<span class="no-text-wrap">
<span class="flag-icon flag-icon-nl"></span>
The Netherlands
</span>
</td>
<td>
<a
class="btn-secondary btn-icon"
href="https://powerdns.org/doh/privacy.html">
<span class="fas fa-globe"></span>
</a>
</td>
<td>Hobby Project</td>
<td>No</td>
<td>DoH</td>
<td>Yes</td>
<td>No</td>
<td>No</td>
<td>
<a
class="btn-secondary btn-icon"
href="https://github.com/PowerDNS/pdns">
<span class="fas fa-globe"></span>
</a>
</td>
<td>
<span class="no-text-wrap">
<a href="https://www.transip.nl/">TransIP B.V. Admin</a>
</span>
</td>
</tr>
<tr>
<td data-value="Quad9">
<a href="https://quad9.net/">Quad9</a>
</td>
<td>Anycast (based in
<span class="no-text-wrap">
<span class="flag-icon flag-icon-us"></span>
US)
</span>
</td>
<td>
<a
class="btn-secondary btn-icon"
href="https://quad9.net/policy/">
<span class="fas fa-globe"></span>
</a>
</td>
<td>Non-Profit</td>
<td><a data-toggle="tooltip" data-placement="bottom" data-original-title='"Our normal course of data management does not have any IP address information or other PII logged to disk or transmitted out of the location in which the query was received."' href="https://quad9.net/policy/">Some</a></td>
<td>DoH, DoT, DNSCrypt</td>
<td>Yes</td>
<td>Yes</td>
<td>
<span class="no-text-wrap">
Malicious domains
</span>
</td>
<td>?</td>
<td>
Self,
<span class="no-text-wrap">
<a href="https://www.pch.net/">Packet Clearing House</a>
</span>
</td>
</tr>
<tr>
<td data-value="Snopyta">
<a href="https://snopyta.org/service/dns/index.html">Snopyta</a>
</td>
<td>
<span class="no-text-wrap">
<span class="flag-icon flag-icon-fi"></span>
Finland
</span>
</td>
<td>
<a
class="btn-secondary btn-icon"
href="https://snopyta.org/privacy_policy/">
<span class="fas fa-globe"></span>
</a>
</td>
<td>
<a data-toggle="tooltip" data-placement="bottom" data-original-title="Part of LibreHosters, &quot;a network of cooperation and solidarity that uses free software to encourage decentralisation through federation and distributed platforms.&quot;" href="https://libreho.st/">
Informal collective
</a>
</td>
<td>No</td>
<td>DoH, DoT</td>
<td>Yes</td>
<td>Yes</td>
<td>
<span class="no-text-wrap">
No
</span>
</td>
<td>?</td>
<td>
<span class="no-text-wrap">
<a href="https://www.hetzner.com/">Hetzner Online GmbH</a>
</span>
</td>
</tr>
<tr>
<td data-value="UncensoredDNS">
<a href="https://blog.uncensoreddns.org/">UncensoredDNS</a>
</td>
<td>Anycast (based in
<span class="no-text-wrap">
<span class="flag-icon flag-icon-dk"></span>
Denmark),
</span>
<span class="no-text-wrap">
<span class="flag-icon flag-icon-dk"></span>
Denmark,
</span>
<span class="no-text-wrap">
<span class="flag-icon flag-icon-us"></span>
US
</span>
</td>
<td>
<div
class="btn-secondary btn-icon"
data-original-title="&quot;Absolutely nothing is being logged, neither about the users nor the usage of this service. I do keep graphs of the total number of queries, but no personally identifiable information is saved. The data that is saved will never be sold or used for anything except capacity planning of the service.&quot;"
data-toggle="tooltip"
data-placement="bottom">
<span class="fas fa-globe"></span>
</div>
</td>
<td>Hobby Project</td>
<td>No</td>
<td data-value="doh">DoT</td> <!-- "hack" to group "DoT" values (when sorted) with "DoH" values -->
<td>Yes</td>
<td>No</td>
<td>No</td>
<td>?</td>
<td>
Self,
<span class="no-text-wrap">
<a href="https://www.teliacompany.com">Telia Company AB</a>
</span>
</td>
</tr>
</tbody>
</table>
</div>
<h1 id="dns-desktop-clients" class="anchor">
<a href="#dns-desktop-clients">
<i class="fas fa-link anchor-icon"></i>
</a> Encrypted DNS Client Recommendations for Desktop
</h1>
{%
include cardv2.html
title="Unbound"
image="/assets/img/svg/3rd-party/unbound.svg"
description='A validating, recursive, caching DNS resolver, supporting DNS-over-TLS, and has been <a href="https://ostif.org/our-audit-of-unbound-dns-by-x41-d-sec-full-results/">independently audited</a>.'
website="https://nlnetlabs.nl/projects/unbound/about/"
forum="https://forum.privacytools.io/t/discussion-unbound/3563"
github="https://github.com/NLnetLabs/unbound"
%}
{%
include cardv2.html
title="dnscrypt-proxy"
image="/assets/img/svg/3rd-party/dnscrypt-proxy.svg"
description='A DNS proxy with support for DNSCrypt, DNS-over-HTTPS, and <a href="https://github.com/DNSCrypt/dnscrypt-protocol/blob/master/ANONYMIZED-DNSCRYPT.txt">Anonymized DNSCrypt</a>, a <a href="https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS">relay-based protocol that the hides client IP address.</a>'
website="https://github.com/DNSCrypt/dnscrypt-proxy/wiki"
forum="https://forum.privacytools.io/t/discussion-dnscrypt-proxy/1498"
github="https://github.com/DNSCrypt/dnscrypt-proxy"
%}
{%
include cardv2.html
title="Stubby"
image="/assets/img/png/3rd-party/stubby.png"
description='An application that acts as a local DNS-over-TLS stub resolver. Stubby can be used in <a href="https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Clients#DNSPrivacyClients-Unbound/Stubbycombination">combination with Unbound</a> by managing the upstream TLS connections (since Unbound cannot yet re-use TCP/TLS connections) with Unbound providing a local cache.'
website="https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby"
forum="https://forum.privacytools.io/t/discussion-stubby/3582"
github="https://github.com/getdnsapi/stubby"
%}
{%
include cardv2.html
title="Firefox's built-in DNS-over-HTTPS resolver"
image="/assets/img/svg/3rd-party/firefox_browser.svg"
description='Firefox comes with built-in DNS-over-HTTPS support for <a href="https://blog.mozilla.org/blog/2020/02/25/firefox-continues-push-to-bring-dns-over-https-by-default-for-us-users/">NextDNS and Cloudflare</a> but users can manually use any other DoH resolver.'
labels="color==warning::icon==fas fa-exclamation-triangle::link==https://developers.cloudflare.com/1.1.1.1/privacy/firefox::text==Warning::tooltip==Cloudflare logs a limited amount of data about the DNS requests that are sent to their custom resolver for Firefox."
website="https://support.mozilla.org/en-US/kb/firefox-dns-over-https"
privacy-policy="https://wiki.mozilla.org/Security/DOH-resolver-policy"
forum="https://forum.privacytools.io/t/discussion-firefox-s-built-in-dns-over-https-resolver/3564"
%}
<h1 id="dns-android-clients" class="anchor">
<a href="#dns-android-clients">
<i class="fas fa-link anchor-icon"></i>
</a> Encrypted DNS Client Recommendations for Android
</h1>
{%
include cardv2.html
title="Android 9's built-in DNS-over-TLS resolver"
image="/assets/img/svg/3rd-party/android.svg"
description="Android 9 (Pie) comes with built-in DNS-over-TLS support without the need for a 3rd-party application."
labels="color==warning::icon==fas fa-exclamation-triangle::link==https://developers.google.com/speed/public-dns/docs/using#android_9_pie_or_later::text==Warning::tooltip==Android 9's DoT settings have no effect when used concurrently with VPN-based apps which override the DNS."
website="https://support.google.com/android/answer/9089903#private_dns"
forum="https://forum.privacytools.io/t/discussion-android-9s-built-in-dns-over-tls-resolver/3562"
%}
{%
include cardv2.html
title="Nebulo"
image="/assets/img/png/3rd-party/nebulo.png"
description='An open-source Android client supporting DNS-over-HTTPS and DNS-over-TLS, caching DNS responses, and locally logging DNS queries.'
website="https://git.frostnerd.com/PublicAndroidApps/smokescreen/-/blob/master/README.md"
privacy-policy="https://smokescreen.app/privacypolicy"
forum="https://forum.privacytools.io/t/discussion-nebulo/3565"
fdroid="https://git.frostnerd.com/PublicAndroidApps/smokescreen#f-droid"
googleplay="https://play.google.com/store/apps/details?id=com.frostnerd.smokescreen"
source="https://git.frostnerd.com/PublicAndroidApps/smokescreen"
%}
<h1 id="dns-ios-clients" class="anchor">
<a href="#dns-ios-clients">
<i class="fas fa-link anchor-icon"></i>
</a> Encrypted DNS Client Recommendations for iOS
</h1>
{%
include cardv2.html
title="DNSCloak"
image="/assets/img/png/3rd-party/dnscloak.png"
description='An open-source iOS client supporting DNS-over-HTTPS, DNSCrypt, and <a href="https://github.com/DNSCrypt/dnscrypt-proxy/wiki">dnscrypt-proxy</a> options such as caching DNS responses, locally logging DNS queries, and custom block lists. Users can <a href="https://blog.privacytools.io/adding-custom-dns-over-https-resolvers-to-dnscloak/">add custom resolvers by DNS stamp</a>.'
website="https://github.com/s-s/dnscloak/blob/master/README.md"
privacy-policy="https://drive.google.com/file/d/1050No_pU74CAWUS5-BwQWyO2x_aiMzWc/view"
forum="https://forum.privacytools.io/t/discussion-dnscloak/3566"
ios="https://apps.apple.com/app/id1452162351"
github="https://github.com/s-s/dnscloak"
%}
<h2 id="appledns" class="anchor">
<a href="#appledns">
<i class="fas fa-link anchor-icon"></i>
</a>Apple's native support
</h2>
<p>
In iOS, iPadOS, tvOS 14 and macOS 11, DoT and DoH were introduced. DoT and DoH are supported natively by installation of profiles (through mobileconfig files opened in <em>Safari</em>).
After installation, the encrypted DNS server can be selected in <em>Settings &rarr; General &rarr; VPN and Network &rarr; DNS</em>.
</p>
<ul>
<li><strong>Signed profiles</strong> are offered by <a href="https://adguard.com/en/blog/encrypted-dns-ios-14.html">AdGuard</a> and <a href="https://apple.nextdns.io/">NextDNS</a>.</li>
<li>User contributed <strong>unsigned profiles</strong> for several DNS providers are hosted by <a href="https://encrypted-dns.party/">encrypted-dns.party</a>.</li>
</ul>
<h2 id="dns-definitions" class="anchor">
<a href="#dns-definitions">
<i class="fas fa-link anchor-icon"></i>
</a> Definitions
</h2>
<h4>DNS-over-TLS (DoT)</h4>
<p>
A security protocol for encrypted DNS on a dedicated port 853. Some providers support port 443 which generally works everywhere while port 853 is often blocked by restrictive firewalls.
</p>
<h4>DNS-over-HTTPS (DoH)</h4>
<p>
Similar to DoT, but uses HTTPS instead, being indistinguishable from "normal" HTTPS traffic on port 443 and more difficult to block. {% include badge.html color="warning" text="Warning" tooltip="DoH contains metadata such as user-agent (which may include system information) that is sent to the DNS server." link="https://tools.ietf.org/html/rfc8484#section-8.2" icon="fas fa-exclamation-triangle" %}
</p>
<h4>DNSCrypt</h4>
<p>
With an <a href="https://dnscrypt.info/protocol/">open specification</a>, DNSCrypt is an older, yet robust method for encrypting DNS.
</p>
<h4>Anonymized DNSCrypt</h4>
<p>
A <a href="https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS">lightweight protocol</a> that hides the client IP address by using pre-configured relays to forward encrypted DNS data. This is a relatively new protocol created in 2019 currently only supported by <a href="#dns-desktop-clients">dnscrypt-proxy</a> and a limited number of <a href="https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/relays.md">relays</a>.
</p>