Your DNS queries, which make the internet work for you, are prone to security exploits like DNS hijacking and man-in-the-middle attacks, and they pose privacy risks because they are monitored by your DNS provider.
By default, your devices are configured to use the DNS resolver provided by your ISP (Internet Service Provider), which is not only usually slow and insecure, but also logs all the DNS queries your devices make to connect to a website or online service.
Table of Contents
- What is DNS?
- How to choose an Encrypted DNS Resolver?
- Encrypted DNS Resolvers
- Encrypted DNS Clients
- DNS Protocols Explained
- Why Use an Encrypted DNS Resolver?
- Additional Resources
- Encrypted DNS Resolver Summary
What is DNS?
The DNS or Domain Name System is kinda like the phone book of the Internet. We access websites via domain names, like google.com or techcorpus.com, but web browsers use IP addresses to connect — this is where the DNS comes into play and translates domain names to IP addresses, so that your browsers can load the website you want to visit.
DNS servers eliminate the need to memorize IP addresses such as 184.108.40.206 (IPv4) or 2a01:4f8:1c1c:6b4b::1 (IPv6) in order to use the Internet. I will explain how DNS works in a later section.
You should switch to an encrypted DNS Resolver that respects your privacy and does not log your DNS queries. Learn more about how the whole process works, and what other DNS servers do in this guide.
How to Choose an Encrypted DNS Resolver?
There are lots of DNS resolver service providers. Here are a few things I look for before choosing a DNS provider:
- Open sourceness: An open source DNS resolver allows anyone to look around the code to find security vulnerabilities and privacy holes.
- Server Locations & Jurisdictions: You should look for DNS resolvers that have servers close to your location, and are based in locations that have stricter privacy and security laws.
- Business Model: The business model or sources of revenue tells a lot more about the company behind the DNS resolver. Look for ones that don’t rely on collection and monetization of your data.
- Security Protocols: The DNS resolver should have support for security protocols like DNS over HTTPS (DoH), DNS over TLS (DoT), DNSCrypt, DNSCurve, etc.
- DNSSEC Support: Domain Name System Security Extensions or DNSSEC allow registrants to digitally sign information they put into the Domain Name System (DNS). This protects you from DNS data that has been corrupted, accidentally or maliciously.
- QNAME Minimization: QNAME minimization changes the DNS queries to minimize the amount of data sent from the DNS resolver to the authoritative name server.
- DNS Filtering: DNS Filtering allows you to use the Domain Name System (DNS) to block malicious websites and filter out ads, trackers, and harmful or inappropriate content.
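What QNAME minimization changes in practice, as an added example that is not part of the original post: a simplified model of an iterative lookup that lists which query name each authoritative server gets to see, with and without minimization. The delegation chain (`.`, `com.`, `example.com.`) and the looked-up name are constructed for illustration, and caching and query types are ignored.

```python
# Constructed delegation chain (zone cuts) for the sample lookup; not real data.
ZONE_CUTS = {".", "com.", "example.com."}

def _depth(zone: str) -> int:
    """Number of labels in a zone name; the root has none."""
    return 0 if zone == "." else zone.rstrip(".").count(".") + 1

def full_qname_walk(name: str, cuts=ZONE_CUTS):
    """Classic resolver: every server on the delegation path sees the full name."""
    fqdn = name.rstrip(".") + "."
    path = sorted(
        (z for z in cuts if z == "." or fqdn == z or fqdn.endswith("." + z)),
        key=_depth,
    )
    return [(zone, fqdn) for zone in path]

def minimized_walk(name: str, cuts=ZONE_CUTS):
    """Minimizing resolver: reveal one more label per step, only as far as needed."""
    labels = name.rstrip(".").split(".")
    fqdn = ".".join(labels) + "."
    zone, sent = ".", []
    for k in range(1, len(labels) + 1):
        qname = ".".join(labels[-k:]) + "."
        sent.append((zone, qname))      # (server asked, name it sees)
        if qname in cuts:               # referral: continue at the child zone
            zone = qname
    if sent[-1][0] != zone:             # the full name is itself a zone apex
        sent.append((zone, fqdn))
    return sent

def seen_by(walk, zone: str):
    """Longest query name a given zone's servers observed during the walk."""
    names = [q for z, q in walk if z == zone]
    return max(names, key=len) if names else None

if __name__ == "__main__":
    name = "www.shop.example.com"       # hypothetical lookup
    walks = (("full", full_qname_walk(name)), ("minimized", minimized_walk(name)))
    for label, walk in walks:
        for zone in sorted(ZONE_CUTS, key=_depth):
            print(f"{label:9} {zone:13} sees {seen_by(walk, zone)}")
```

With minimization the root and `com.` servers learn only the next label they need to delegate; only the servers for `example.com.` ever see the full name.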
Encrypted DNS Resolvers
Alright, here are my recommendations for Encrypted DNS Resolvers:
| | | | | | | | | DNS Filtering | Hosting Provider |
|---|---|---|---|---|---|---|---|---|---|
| | | | No Logging | Commercial | DoH, DoT, DNSCrypt | Yes | Yes | Ads, Trackers, Malwares, Adult content | Choopa, Serveroid |
| Blah DNS | Yes | Finland, Germany, Japan | No Logging | Hobby Project | DoH, DoT, DNSCrypt | Yes | Yes | Ads, Trackers, Malwares | Choopa, Data Center Light, Hetzner |
| Libre DNS | Yes | Germany | No Logging | Informal Collective | DoH, DoT | Yes | Yes | Ads, Trackers, Malwares (on DoH) | Hetzner |
| NixNet DNS | Yes | US, Luxembourg (Anycast) | No Logging | Informal Collective | DoH, DoT | Yes | Yes | Ads | Frantech Solutions |
| Power DNS | Yes | The Netherlands | No Logging | Hobby Project | DoH | Yes | No | No | TransIP |
| Cloudflare DNS | ? | US (Anycast) | Some | Commercial | DoH, DoT | Yes | Yes | Malwares, Adult content | Self |
| Foundation for Applied Privacy DNS | ? | Austria | Some | Non-Profit | DoH, DoT | Yes | Yes | No | IPAX |
| Quad9 DNS | ? | US (Anycast) | Some | Non-Profit | DoH, DoT, DNSCrypt | Yes | Yes | Malwares | Self, Packet Clearing House |
| Snopyta DNS | ? | Finland | No Logging | Informal Collective | DoH, DoT | Yes | Yes | No | Hetzner |
| NextDNS | ? | US (Anycast) | No Logging | Commercial | DoH, DoT, DNSCrypt | Yes | Yes | Ads, Trackers, Malwares | Self |
| CZ.NIC DNS | ? | Czech Republic | No Logging | Association | DoH, DoT | Yes | Yes | No | Self |
| UncensoredDNS | ? | Denmark, US (Anycast) | No Logging | Hobby Project | DoT | Yes | No | No | Self, Telia Company |
A Note on Encrypted DNS Resolvers
An encrypted DNS resolver that uses DNS-over-HTTPS, DNS-over-TLS, or DNSCrypt won’t make you anonymous, nor will it hide your internet traffic from your Internet Service Provider. These protocols only hide your DNS traffic from your ISP.
This applies to you even if you are using anonymized DNS via Anonymized DNSCrypt — which instead of directly reaching the DNS server, encrypts the query, and sends it to a relay to forward the query to the actual DNS server.
However, using an encrypted DNS resolver that uses these protocols will prevent DNS hijacking and man-in-the-middle attacks, and make your DNS queries harder to eavesdrop on and tamper with. These attacks can redirect you to a fake copy of a website, collecting sensitive user information and exposing businesses to major liability.
Verify DNS Leak Test
You can verify that your browser and operating system are using the DNS resolver you have switched to with any of these options:
- BrowserLeaks.com DNS Test
- DNS Provider’s Website: You can also check the website of the DNS provider you are using; it may have a page that tells you “you are using our DNS.”
Encrypted DNS Clients
There are many encrypted DNS clients that you can install and run on your device. Here are some of the best ones for both desktop and phones:
- dnscrypt-proxy: A free and open source command-line DNS proxy with support for DNS over HTTPS, DNSCrypt, and Anonymized DNSCrypt that is available for Windows, macOS, Linux, Android, NetBSD, OpenBSD, etc.
- Unbound: A free and open source validating, recursive, caching DNS resolver by NLnetLabs with support for DNS over TLS that has been independently audited.
- Simple DNSCrypt: A free and open source simple management tool with GUI to easily configure dnscrypt-proxy on Windows.
- SecureDNS: A free and open source all-in-one cross-platform DNS Server with support for DoH, DoT, DNSCrypt, DoU, ENS, and Anonymized DNSCrypt. It is fairly new, and is available for Windows, macOS, and Linux.
- Stubby: An open source application that acts as a local DNS over TLS stub resolver, available for Windows, macOS, and Linux.
- Firefox built-in DoH resolver: Mozilla Firefox comes with built-in DNS over HTTPS for Cloudflare and NextDNS, and you can choose other DoH resolvers too.
- Android built-in DoT resolver: Android 9 (Pie) comes with built-in support for DNS-over-TLS without any 3rd-party app.
- Nebulo: A free, open-source, non-root DNS changer for Android with support for both DNS over HTTPS and DNS over TLS.
- DNSCloak: A free and open source iOS GUI and wrapper for dnscrypt-proxy with support for DNS over HTTPS, & DNSCrypt.
There are standalone native apps also available by different public DNS providers like Cloudflare’s 220.127.116.11, Quad9 Connect, etc. You can check out this page on DNSCrypt’s website for other great clients.
DNS Protocols Explained
I have talked about lots of DNS protocols like DNSSEC, DoH, DoT, etc. Here’s what they mean, what they do, and how these protocols work:
DNSSEC
DNSSEC stands for “Domain Name System Security Extensions”. It allows registrants to digitally sign information they put into the Domain Name System, protecting you from DNS data that has been corrupted, accidentally or maliciously.
DNS over TLS
DNS over TLS or DoT is the security protocol that encrypts your DNS queries and answers via the Transport Layer Security (TLS) protocol, with the goal of increasing user privacy and security by preventing eavesdropping and manipulation of DNS data.
DNS over HTTPS
DNS over HTTPS or DoH, similar to DoT, is the security protocol that encrypts your DNS queries and answers via the Hypertext Transfer Protocol Secure (HTTPS), with the goal of increasing user privacy and security by preventing eavesdropping and manipulation of DNS data.
DNSCrypt
DNSCrypt is another security protocol just like DoT and DoH, designed to protect user privacy and security by preventing eavesdropping and manipulation of DNS data.
Anonymized DNSCrypt
Anonymized DNSCrypt is a new lightweight protocol that hides your IP address by using relays to forward encrypted DNS data. Instead of directly reaching the DNS server, it encrypts the query and sends it to a relay, which forwards the query to the actual DNS server.
DNSCurve
DNSCurve is a proposed alternative to DNSSEC. It uses Curve25519 elliptic curve cryptography to establish keys used by Salsa20, paired with the Message Authentication Code function Poly1305, to encrypt and authenticate DNS packets between resolvers and authoritative servers.
Anycast
In Anycast, unlike Unicast, many servers can have a single IP address, allowing for many-to-one instead of one-to-one transmission. An Anycast DNS server allows your device to get DNS query responses from the DNS server that is geographically close to your device, hence reducing latency.
Why Use an Encrypted DNS Resolver?
Switching from your ISP’s DNS resolver is highly recommended, as this not only boosts your internet speed but also hides your DNS queries from your Internet Service Provider.
By default, your DNS queries and responses are sent in plaintext via UDP — which means they can be read by networks, ISPs, or anyone able to monitor transmissions. Even if a website uses HTTPS, the DNS query required to navigate to that website is exposed.
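The plaintext exposure described above, and how the DoT and DoH transports from the protocol section carry the same message, as an added example that is not part of the original post. It builds a constructed query for `www.example.com`, reads the name back the way any on-path observer could, then produces the DoT record and the DoH GET URL; the endpoint `https://doh.example/dns-query` is a placeholder, and no network connection or TLS handshake is made.

```python
import base64
import struct

def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Encode a single-question DNS query in RFC 1035 wire format (RD flag set)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)   # QTYPE, QCLASS=IN

def observed_qname(payload: bytes) -> str:
    """Recover the queried name from an unencrypted UDP/53 payload."""
    pos, labels = 12, []                    # question follows the 12-byte header
    while payload[pos] != 0:
        length = payload[pos]
        if length & 0xC0:
            raise ValueError("unexpected compression pointer in a query")
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)

def dot_frame(message: bytes) -> bytes:
    """DoT: the same message with a 2-byte length prefix, sent inside TLS."""
    return struct.pack("!H", len(message)) + message

def doh_get_url(message: bytes, endpoint: str) -> str:
    """DoH GET: unpadded base64url of the message in the `dns` parameter."""
    encoded = base64.urlsafe_b64encode(message).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={encoded}"

if __name__ == "__main__":
    query = build_query("www.example.com")  # constructed sample query
    print("on-path observer reads:", observed_qname(query))
    print("DoT record:", dot_frame(query).hex())
    print("DoH request:", doh_get_url(query, "https://doh.example/dns-query"))
```

The DNS message is identical in all three cases; what changes is that the DoT record and the DoH request travel inside a TLS session, so the name is no longer readable on the wire.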
Here are a few reasons why I recommend using a privacy-respecting encrypted DNS resolver:
Encrypted DNS resolvers like the ones mentioned above use a variety of security protocols like DNSSEC, DoH, DoT, DNSCrypt, etc. to encrypt your DNS queries, providing authenticity, confidentiality, and integrity.
A privacy-respecting DNS resolver does not log your DNS queries, providing you with better privacy. DNS protocols like DoH, DoT, and DNSCrypt protect you from surveillance by encrypting your DNS queries.
Most of the DNS resolvers mentioned above provide you with the ability to filter malicious websites. You can use these filtering options to block ads and trackers, and even make your internet family friendly.
Additional Resources
- DNS Explained: A comprehensive deep-dive into Domain Name System, explaining everything you need to know about DNS.
- A Cartoon intro to DNS over HTTPS: A great comic by Lin Clark on Mozilla Hacks blog about why you should use DNS over HTTPS.
Encrypted DNS Resolvers
Switching to an encrypted DNS resolver is a great way to increase your privacy and get your DNS queries faster. I hope you enjoyed reading about these encrypted DNS resolvers.
That’s all folks!
I will be updating this list frequently with more encrypted DNS resolvers and information. You can check out secure browsers that make your online activities private.
Do let me know of any feedback, tips, or suggestions based on privacy and security tools you are using. Feel free to drop a comment below!