Encrypted DNS Resolvers

Your DNS queries, the lookups that make the internet work for you, are exposed to attacks such as DNS hijacking and man-in-the-middle tampering, and they are a privacy risk, because whoever runs your DNS resolver can see every name you look up.

By default, your devices use the DNS resolver handed out by your ISP (Internet Service Provider). That resolver is often slower than the alternatives, speaks plaintext DNS, and can log every query your devices make when they connect to a website or online service.

Table of Contents

  1. What is DNS?
  2. How to choose an Encrypted DNS Resolver?
  3. Encrypted DNS Resolvers
  4. Encrypted DNS Clients
  5. DNS Protocols Explained
  6. Why Use an Encrypted DNS Resolver?
  7. Additional Resources
  8. Encrypted DNS Resolver Summary

What is DNS?

The DNS, or Domain Name System, is kinda like the phone book of the Internet. We reach websites by domain names, like google.com or techcorpus.com, but browsers connect to IP addresses; the DNS translates domain names into IP addresses so that your browser can load the website you want to visit.

How DNS Works: DNS Lookup Explained (DNS Resolver aka Resolving Name Server)

DNS servers eliminate the need to memorize IP addresses such as 159.69.198.101 (IPv4) or 2a01:4f8:1c1c:6b4b::1 (IPv6) in order to use the Internet. I explain how the protocols involved work in a later section.

You should switch to an encrypted DNS Resolver that respects your privacy and does not log your DNS queries. Learn more about how the whole process works, and what other DNS servers do in this guide.

How to Choose an Encrypted DNS Resolver?

There are lots of DNS resolver service providers. Here are the things I look for before choosing one:

  • Open Source: An open source DNS resolver lets anyone read the code to look for security vulnerabilities and privacy holes.
  • Server Locations & Jurisdictions: Look for DNS resolvers that have servers close to your location, and that are based in jurisdictions with stricter privacy and security laws.
  • Privacy Policy: Look for DNS resolvers that don’t log your queries and don’t collect your personal data. Check that they have a clear, easy-to-understand privacy policy stating what data they collect and why.
  • Business Model: The business model, or sources of revenue, tells you a lot about the company behind the DNS resolver. Look for ones that don’t rely on collecting and monetizing your data.
  • Security Protocols: The DNS resolver should support encrypted transports such as DNS over HTTPS (DoH), DNS over TLS (DoT) or DNSCrypt (DNSCurve, which encrypts traffic between resolvers and authoritative servers, is a separate concern).
  • DNSSEC Support: Domain Name System Security Extensions (DNSSEC) let zone operators digitally sign the records they publish in the DNS. A validating resolver checks those signatures, so forged or corrupted DNS data is rejected instead of being handed to you. DNSSEC authenticates data but does not encrypt it, so it complements rather than replaces DoH, DoT or DNSCrypt.
  • QNAME Minimization: A resolver with QNAME minimization sends each authoritative name server only the part of the name it needs (the root servers see just the top-level label, the TLD servers one label more, and so on) instead of the full name you asked for, which reduces how much of your browsing history leaks to third parties.
  • DNS Filtering: DNS filtering lets you use the Domain Name System to block malicious websites and filter out ads, trackers, and harmful or inappropriate content.
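
To make the QNAME minimization point concrete, here is an added example (my own illustration, not code from the post or from any resolver) that simulates the queries a resolver sends for www.example.co.uk with and without minimization, and reports what each authoritative server gets to see. The delegation map and server names are constructed for the example, not real infrastructure; the intermediate query type (NS, as in RFC 7816; RFC 9156 also allows A/AAAA) is an implementation choice.

```python
"""Constructed model of what authoritative servers see during one lookup,
with and without QNAME minimisation (RFC 7816 / RFC 9156).
Added example for this post; the delegation map below is invented for
illustration and the server names are placeholders, not real infrastructure."""

# Constructed zone-cut map: zone name -> name server authoritative for it.
# "co.uk" is deliberately NOT a separate zone here; it lives inside "uk".
ZONE_CUTS = {
    "": "root-servers",
    "uk": "ns.nic.uk",
    "example.co.uk": "ns.example.co.uk",
}


def labels_of(name):
    """'www.example.co.uk' -> ['www', 'example', 'co', 'uk']; '' -> []."""
    return [label for label in name.strip(".").split(".") if label]


def serve(server, qname):
    """Model an authoritative server answering `qname`.

    Returns ('referral', child_zone, child_server) when a delegation lies
    between the server's zone and qname, otherwise ('answer', zone): the
    server answers from its own zone (an address record, or NODATA for a
    name that is merely a non-terminal inside the zone).
    """
    labs = labels_of(qname)
    suffixes = (".".join(labs[i:]) for i in range(len(labs) + 1))
    cuts = [z for z in suffixes if z in ZONE_CUTS]          # deepest first
    mine = [z for z in cuts if ZONE_CUTS[z] == server]
    if not mine:
        raise ValueError(f"{server} is not authoritative for anything above {qname}")
    my_zone = mine[0]                                        # deepest zone this server serves
    below = [z for z in cuts if len(labels_of(z)) > len(labels_of(my_zone))]
    if below:
        child = min(below, key=lambda z: len(labels_of(z)))  # nearest cut downwards
        return ("referral", child, ZONE_CUTS[child])
    return ("answer", my_zone)


def resolve(qname, qtype="A", minimise=True):
    """Return the list of (server, qname_sent, qtype_sent) a resolver emits."""
    full = labels_of(qname)
    server, known = ZONE_CUTS[""], []   # known: longest name this server is known to cover
    trace = []
    while True:
        if minimise and len(known) + 1 < len(full):
            # send one label more than the zone we already know this server handles
            sent, sent_type = ".".join(full[-(len(known) + 1):]), "NS"
        else:
            sent, sent_type = qname, qtype
        trace.append((server, sent, sent_type))
        reply = serve(server, sent)
        if reply[0] == "referral":
            _, child, server = reply
            known = labels_of(child)
        elif sent == qname:
            return trace
        else:
            known = labels_of(sent)     # no cut here: ask the same server one label deeper


def names_seen_by(trace, server):
    """Every query name a given server received during the lookup."""
    return [q for s, q, _ in trace if s == server]


if __name__ == "__main__":
    for minimise in (False, True):
        print("QNAME minimisation:", minimise)
        for s, q, t in resolve("www.example.co.uk", minimise=minimise):
            print(f"  {s:18} <- {t} {q}")
```

Without minimization every server on the path, including the root and TLD operators, receives the full name www.example.co.uk; with it the root sees only "uk" and the uk servers see "co.uk" and "example.co.uk", and only the zone that actually hosts the name sees the whole thing.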

Encrypted DNS Resolvers

Alright, here are my recommendations for Encrypted DNS Resolvers:

DNS Provider | Open Source | Server Locations | Privacy Policy | Business Model | Protocols | DNSSEC | QNAME Minimization | DNS Filtering | Hosting Provider
AdGuard DNS | Yes | Cyprus (Anycast) | No Logging | Commercial | DoH, DoT, DNSCrypt | Yes | Yes | Ads, Trackers, Malware, Adult content | Choopa, Serveroid
Blah DNS | Yes | Finland, Germany, Japan | No Logging | Hobby Project | DoH, DoT, DNSCrypt | Yes | Yes | Ads, Trackers, Malware | Choopa, Data Center Light, Hetzner
Libre DNS | Yes | Germany | No Logging | Informal Collective | DoH, DoT | Yes | Yes | Ads, Trackers, Malware (on DoH) | Hetzner
NixNet DNS | Yes | US, Luxembourg (Anycast) | No Logging | Informal Collective | DoH, DoT | Yes | Yes | Ads | Frantech Solutions
Power DNS | Yes | The Netherlands | No Logging | Hobby Project | DoH | Yes | No | No | TransIP
Cloudflare DNS | ? | US (Anycast) | Some | Commercial | DoH, DoT | Yes | Yes | Malware, Adult content | Self
Foundation for Applied Privacy DNS | ? | Austria | Some | Non-Profit | DoH, DoT | Yes | Yes | No | IPAX
Quad9 DNS | ? | US (Anycast) | Some | Non-Profit | DoH, DoT, DNSCrypt | Yes | Yes | Malware | Self, Packet Clearing House
Snopyta DNS | ? | Finland | No Logging | Informal Collective | DoH, DoT | Yes | Yes | No | Hetzner
NextDNS | ? | US (Anycast) | No Logging | Commercial | DoH, DoT, DNSCrypt | Yes | Yes | Ads, Trackers, Malware | Self
CZ.NIC DNS | ? | Czech Republic | No Logging | Association | DoH, DoT | Yes | Yes | No | Self
UncensoredDNS | ? | Denmark, US (Anycast) | No Logging | Hobby Project | DoT | Yes | No | No | Self, Telia Company
Encrypted DNS Resolvers

A Note on Encrypted DNS Resolvers

An encrypted DNS resolver reached over DNS-over-HTTPS, DNS-over-TLS or DNSCrypt will not make you anonymous, and it will not hide your internet traffic from your Internet Service Provider: these protocols only hide your DNS traffic. Your ISP still sees the IP addresses you connect to and, for most sites, the server name in the TLS handshake (SNI).

This applies even if you use Anonymized DNSCrypt, which, instead of contacting the DNS server directly, encrypts the query and sends it to a relay that forwards it to the actual DNS server.

However, an encrypted DNS resolver that speaks these protocols makes DNS hijacking and man-in-the-middle attacks on your lookups far harder, because your queries can no longer be read or rewritten in transit by anyone on the path. Such attacks can redirect you to a fake copy of a website that harvests sensitive user information, and they expose businesses to major liability.

Verify DNS Leak Test

You can verify that your browser and operating system are really using the DNS resolver you switched to with any of these DNS leak test options:

Encrypted DNS Clients

There are many encrypted DNS clients that you can install and run on your device, here are some of the best ones for both desktop and phones:

For Desktop

  • dnscrypt-proxy: A free and open source command-line DNS proxy with support for DNS over HTTPS, DNSCrypt, and Anonymized DNSCrypt that is available for Windows, macOS, Linux, Android, NetBSD, OpenBSD, etc.
  • Unbound: A free and open source validating, recursive, caching DNS resolver by NLnet Labs with support for DNS over TLS, which has been independently audited.
  • Simple DNSCrypt: A free and open source simple management tool with GUI to easily configure dnscrypt-proxy on Windows.
  • SecureDNS: A free and open source all-in-one cross-platform DNS Server with support for DoH, DoT, DNSCrypt, DoU, ENS, and Anonymized DNSCrypt. It is fairly new, and is available for Windows, macOS, and Linux.
  • Stubby: An open source application that acts as a local DNS over TLS stub resolver, available for Windows, macOS, and Linux.

For Android

  • Android built-in DoT resolver: Android 9 (Pie) and later ship with built-in support for DNS-over-TLS (the "Private DNS" setting), so no third-party app is needed.
  • Nebulo: A free, open-source, non-root DNS changer for Android with support for both DNS over HTTPS and DNS over TLS.

For iOS

  • DNSCloak: A free and open source iOS GUI and wrapper for dnscrypt-proxy with support for DNS over HTTPS, & DNSCrypt.

There are standalone native apps also available by different public DNS providers like Cloudflare’s 1.1.1.1, Quad9 Connect, etc. You can check out this page on DNSCrypt’s website for other great clients.

DNS Protocols Explained

I have mentioned a number of DNS protocols like DNSSEC, DoH and DoT. Here is what they mean, what they do, and how they work:

DNSSEC

DNSSEC stands for “Domain Name System Security Extensions”. It lets zone operators digitally sign the records they publish in the Domain Name System, and a validating resolver checks those signatures, protecting you from DNS data that has been corrupted, accidentally or maliciously. DNSSEC provides authenticity and integrity only; it does not encrypt queries, so it does not hide them from your ISP.

DNS over TLS

DNS over TLS, or DoT, carries your DNS queries and answers inside a Transport Layer Security (TLS) session, normally on TCP port 853, with the goal of increasing user privacy and security by preventing eavesdropping and manipulation of DNS data in transit.

DNS over HTTPS

DNS over HTTPS, or DoH, does the same job as DoT but carries your DNS queries and answers inside HTTPS (HTTP over TLS), normally on port 443, so that DNS traffic looks like ordinary web traffic and is harder to single out or block.
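
As an added example (my own code, not the post's), the following frames one query for each of the two transports just described: the 2-byte length prefix that DoT puts in front of every message on the TLS stream (RFC 7858), and the base64url "dns" parameter of a DoH GET request (RFC 8484). The resolver URL https://dns.example/dns-query is a placeholder, and nothing is sent on the network; the query for www.example.com is the one RFC 8484 uses in its own GET example.

```python
"""Transport framing for one DNS query over DoT (RFC 7858) and DoH (RFC 8484).
Added example for this post, not the author's code; it builds bytes only,
no network connection is made."""
import base64
import struct


def build_query(name, qtype=1, txid=0):
    """Minimal wire-format query: 12-byte header (RD set) + one IN question."""
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + qname + struct.pack("!HH", qtype, 1)


def dot_frame(query):
    """RFC 7858 section 3.3: on the TLS stream (TCP port 853) every DNS message
    is prefixed with its length as a 2-byte big-endian integer, exactly like
    DNS over TCP, because a byte stream has no datagram boundaries."""
    if len(query) > 0xFFFF:
        raise ValueError("DNS message too large for a 16-bit length prefix")
    return struct.pack("!H", len(query)) + query


def dot_unframe(buf):
    """Split a received TLS-stream buffer into complete DNS messages.
    Returns (messages, leftover) so a partially received message is kept
    until more bytes arrive instead of being mis-parsed."""
    msgs = []
    while len(buf) >= 2:
        n = struct.unpack("!H", buf[:2])[0]
        if len(buf) < 2 + n:
            break
        msgs.append(buf[2:2 + n])
        buf = buf[2 + n:]
    return msgs, buf


def doh_get(base_url, query):
    """RFC 8484 section 4.1: GET with the wire-format query, base64url-encoded
    without padding, in the 'dns' query parameter. The DNS ID should be 0 so
    identical queries map to one URL and HTTP caches can serve them."""
    if struct.unpack("!H", query[:2])[0] != 0:
        raise ValueError("use DNS ID 0 for DoH GET (RFC 8484 section 4.1)")
    dns = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{base_url}?dns={dns}", {"Accept": "application/dns-message"}


def doh_post(base_url, query):
    """RFC 8484 section 4.1: POST sends the raw wire-format message as the body."""
    headers = {"Content-Type": "application/dns-message",
               "Accept": "application/dns-message"}
    return base_url, headers, query


if __name__ == "__main__":
    q = build_query("www.example.com")   # the query from RFC 8484's own GET example
    print("DoT frame:", dot_frame(q).hex())
    print("DoH GET  :", doh_get("https://dns.example/dns-query", q)[0])
```

On a real connection, wrap the TCP socket with ssl.create_default_context().wrap_socket(sock, server_hostname=<resolver hostname>) before writing the DoT frame, so the certificate chain and hostname are verified; a client that skips that check is open to exactly the man-in-the-middle the protocol exists to stop.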

DNSCrypt

DNSCrypt is another encrypted transport with the same goal as DoT and DoH: it authenticates the resolver using a public key the operator publishes and encrypts the queries and answers exchanged with it, preventing eavesdropping and manipulation of DNS data. Unlike DoT and DoH it is not an IETF standard, but it is widely deployed through dnscrypt-proxy.

Anonymized DNSCrypt

Anonymized DNSCrypt is a newer, lightweight extension of DNSCrypt that hides your IP address from the resolver by routing through relays: instead of reaching the DNS server directly, the client encrypts the query for the server and sends it to a relay, which forwards it on. The relay sees your IP address but not the query, and the server sees the query but not your IP address.

DNSCurve

DNSCurve is often described as an alternative to DNSSEC, although it solves a different problem: rather than signing DNS data, it encrypts and authenticates the channel between resolvers and authoritative servers. It uses Curve25519 elliptic curve cryptography to establish keys for Salsa20, paired with the Poly1305 message authentication code, to encrypt and authenticate DNS packets between resolvers and authoritative servers.

Anycast DNS

In Anycast, unlike Unicast, many servers share a single IP address, and the network routes each packet to the nearest of them (many-to-one rather than one-to-one). An Anycast DNS service therefore answers your device from the server that is topologically closest to it, which reduces latency and spreads load.

Why Use an Encrypted DNS Resolver?

Switching away from your ISP’s DNS resolver is well worth it: a good public resolver can reduce lookup latency, and an encrypted one hides your DNS queries from your Internet Service Provider.

By default, your DNS queries and responses are sent in plaintext over UDP port 53, which means they can be read by the local network, your ISP, or anyone else able to see the packets in transit. Even when a website uses HTTPS, the DNS query needed to reach it is exposed.
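
Here is an added example (my own code, not the post's) of what one plaintext lookup looks like on the wire, which also covers the name-to-address translation described in the "What is DNS?" section. It builds the UDP query a stub resolver would send for techcorpus.com, decodes the question back out of the raw bytes exactly as an on-path observer would, and parses a response. The response is constructed inline to carry the two addresses quoted earlier in the post; it is not a capture from a real server, and nothing touches the network.

```python
"""What one DNS lookup looks like on the wire. Added example for this post
(not the author's code): the query is built the way any stub resolver sends it
over UDP/53, and the response is CONSTRUCTED here to carry the addresses quoted
in the "What is DNS?" section. Nothing is sent on the network."""
import ipaddress
import struct

A, AAAA = 1, 28
CLASS_IN = 1


def encode_name(name):
    """'techcorpus.com' -> b'\\x0atechcorpus\\x03com\\x00' (length-prefixed labels)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=A, txid=0x1234):
    """12-byte header (RD=1, one question) followed by the question section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def build_response(query, records):
    """Constructed answer: echo the question, set QR+RD+RA (0x8180), and append
    each (type, ttl, rdata) record, naming it with a compression pointer
    (0xC00C) back to the question name, which always starts at offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(records), 0, 0)
    body = query[12:]                      # question section, verbatim
    for rtype, ttl, rdata in records:
        body += b"\xc0\x0c" + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata
    return header + body


def decode_name(msg, off):
    """Decode a possibly compressed name at `off`; return (name, offset_after)."""
    labels, end, hops = [], None, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:              # compression pointer to an earlier name
            if end is None:
                end = off + 2
            off = ((ln & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 64:                  # refuse pointer loops in hostile packets
                raise ValueError("compression pointer loop")
            continue
        if ln == 0:
            return ".".join(labels), (end if end is not None else off + 1)
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln


def parse(msg):
    """Decode header, question and answer sections of a DNS message."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, _cls = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        value = str(ipaddress.ip_address(rdata)) if rtype in (A, AAAA) else rdata.hex()
        answers.append((name, rtype, ttl, value))
    return {"id": txid, "response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}


def observed_name(datagram):
    """What a passive observer learns from one plaintext UDP/53 packet."""
    return parse(datagram)["questions"][0][0]


def lookup_demo():
    """Query for techcorpus.com, then parse a constructed reply for it."""
    query = build_query("techcorpus.com", A)
    reply = build_response(query, [            # constructed, not a real capture
        (A, 300, ipaddress.IPv4Address("159.69.198.101").packed),
        (AAAA, 300, ipaddress.IPv6Address("2a01:4f8:1c1c:6b4b::1").packed),
    ])
    return observed_name(query), [a[3] for a in parse(reply)["answers"]]


if __name__ == "__main__":
    name, addrs = lookup_demo()
    print(f"anyone on the path sees the question: {name}")
    print(f"the resolver answers with: {addrs}")
```

The question name sits in the clear right after the 12-byte header, so a passive observer needs nothing more than the decoder above; DoT, DoH and DNSCrypt exist precisely to take those bytes off the wire.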

Here are a few reasons why I recommend using a privacy-respecting encrypted DNS resolver:

Better Security

The encrypted DNS resolvers mentioned above use DoH, DoT or DNSCrypt to encrypt your DNS queries in transit, which gives you confidentiality and integrity against anyone on the path, and DNSSEC validation to check that the answers themselves are authentic and have not been tampered with.

Better Privacy

A privacy-respecting DNS resolver does not log your DNS queries, providing you with better privacy. DNS protocols like DoH, DoT, and DNSCrypt protects you from surveillance by encrypting your DNS queries.

Filtering Options

Most of the DNS resolvers mentioned above provide you with the ability to filter malicious websites, you can use these filtering options to block ads, trackers and even make your internet family friendly.

Additional Resources

  • DNS Explained: A comprehensive deep-dive into Domain Name System, explaining everything you need to know about DNS.

Encrypted DNS Resolver Summary

Switching to an encrypted DNS resolver is a great way to increase your privacy and, often, to get your DNS answers faster. I hope you enjoyed reading about these encrypted DNS resolvers.

That’s all folks!

I will be updating this list frequently with more encrypted DNS resolvers and information. You can also check out secure browsers that make your online activities private.

Do let me know of any feedback, tips, or suggestions based on privacy and security tools you are using, feel free to drop a comment below!
