Your DNS queries, which make the internet work for you, are prone to security exploits like DNS hijacking and man-in-the-middle attacks, and they pose privacy risks, since they can be monitored by your DNS provider.
By default, your devices are configured to use the DNS resolver provided by your ISP (Internet Service Provider), which is usually slow and insecure, and which logs every DNS query your devices make to reach a website or online service.
The DNS, or Domain Name System, is kinda like the phone book of the Internet. We access websites via domain names like google.com or techcorpus.com, but web browsers connect using IP addresses. This is where DNS comes into play: it translates domain names into IP addresses so that your browser can load the website you want to visit.
DNS servers eliminate the need to memorize IP addresses such as 22.214.171.124 (IPv4) or 2a01:4f8:1c1c:6b4b::1 (IPv6) in order to use the Internet. I will explain how DNS works in a later section.
You should switch to an encrypted DNS Resolver that respects your privacy and does not log your DNS queries.
Table of Contents
- How to choose an Encrypted DNS Resolver?
- Encrypted DNS Resolvers
- Encrypted DNS Clients
- DNS Protocols Explained
- Why use an Encrypted DNS Resolver?
- What is DNS?
- How DNS Works?
- DNS Privacy and Security
- Additional Resources
- Encrypted DNS Resolver Summary
How to choose an Encrypted DNS Resolver?
There are lots of DNS resolver service providers; here are a few things I look for before choosing one:
- Open source: An open source DNS resolver lets anyone read the code to find security vulnerabilities and privacy holes.
- Server Locations & Jurisdictions: Look for DNS resolvers that have servers close to your location and are based in jurisdictions with stricter privacy and security laws.
- Business Model: The business model, or sources of revenue, tells you a lot about the company behind the DNS resolver. Look for ones that don’t rely on collecting and monetizing your data.
- Security Protocols: The DNS resolver should support security protocols like DNS over HTTPS (DoH), DNS over TLS (DoT), DNSCrypt, DNSCurve, etc.
- DNSSEC Support: Domain Name System Security Extensions (DNSSEC) allow registrants to digitally sign the information they put into the Domain Name System (DNS). This protects you from DNS data that has been corrupted, accidentally or maliciously.
- QNAME Minimization: QNAME minimization shortens the queries the DNS resolver sends upstream, so that each authoritative name server only sees the part of the name it needs to answer.
- DNS Filtering: DNS filtering lets you use the Domain Name System (DNS) to block malicious websites and filter out ads, trackers, and harmful or inappropriate content.
Encrypted DNS Resolvers
Alright, here are my recommendations for Encrypted DNS Resolvers:
| DNS Resolver | Open Source | Server Locations | Logging | Business Model | Protocols | DNSSEC | QNAME Minimization | DNS Filtering | Hosting Provider |
|---|---|---|---|---|---|---|---|---|---|
| (name lost in extraction) | (missing) | (missing) | No Logging | Commercial | DoH, DoT, DNSCrypt | Yes | Yes | Ads, Trackers, Malware, Adult content | Choopa, Serveroid |
| Blah DNS | Yes | Finland, Germany, Japan | No Logging | Hobby Project | DoH, DoT, DNSCrypt | Yes | Yes | Ads, Trackers, Malware | Choopa, Data Center Light, Hetzner |
| Libre DNS | Yes | Germany | No Logging | Informal Collective | DoH, DoT | Yes | Yes | Ads, Trackers, Malware (on DoH) | Hetzner |
| NixNet DNS | Yes | US, Luxembourg (Anycast) | No Logging | Informal Collective | DoH, DoT | Yes | Yes | Ads | Frantech Solutions |
| Power DNS | Yes | The Netherlands | No Logging | Hobby Project | DoH | Yes | No | No | TransIP |
| Cloudflare DNS | ? | US (Anycast) | Some | Commercial | DoH, DoT | Yes | Yes | Malware, Adult content | Self |
| Foundation for Applied Privacy DNS | ? | Austria | Some | Non-Profit | DoH, DoT | Yes | Yes | No | IPAX |
| Quad9 DNS | ? | US (Anycast) | Some | Non-Profit | DoH, DoT, DNSCrypt | Yes | Yes | Malware | Self, Packet Clearing House |
| Snopyta DNS | ? | Finland | No Logging | Informal Collective | DoH, DoT | Yes | Yes | No | Hetzner |
| NextDNS | ? | US (Anycast) | No Logging | Commercial | DoH, DoT, DNSCrypt | Yes | Yes | Ads, Trackers, Malware | Self |
| CZ.NIC DNS | ? | Czech Republic | No Logging | Association | DoH, DoT | Yes | Yes | No | Self |
| UncensoredDNS | ? | Denmark, US (Anycast) | No Logging | Hobby Project | DoT | Yes | No | No | Self, Telia Company |
A Note on Encrypted DNS Resolvers
An encrypted DNS resolver that uses DNS-over-HTTPS, DNS-over-TLS, or DNSCrypt won’t make you anonymous, nor will it hide your internet traffic from your Internet Service Provider; it only hides your DNS traffic from your ISP.
This applies even if you are using Anonymized DNSCrypt: instead of reaching the DNS server directly, an Anonymized DNS client encrypts the query and sends it to a relay, which forwards it to the actual DNS server.
However, using a resolver that supports these protocols prevents DNS hijacking and man-in-the-middle attacks on the path between you and the resolver, and makes your DNS queries harder to eavesdrop on and tamper with. Such attacks can redirect you to a fake copy of a website, collecting sensitive user information and exposing businesses to major liability.
Verify DNS Leak Test
Once you have switched, you can verify that your browser and operating system are actually using the new DNS resolver with any of these options:
- BrowserLeaks.com DNS Test
- DNS Provider’s Website: You can also check the website of the DNS provider you are using; many have a page that tells you “you are using our DNS.”
Encrypted DNS Clients
There are many encrypted DNS clients that you can install and run on your device, here are some of the best ones for both desktop and phones:
- dnscrypt-proxy: A free and open source command-line DNS proxy with support for DNS over HTTPS, DNSCrypt, and Anonymized DNSCrypt that is available for Windows, macOS, Linux, Android, NetBSD, OpenBSD, etc.
- Unbound: A free and open source validating, recursive, caching DNS resolver by NLnetLabs with support for DNS over TLS that has been independently audited.
- Simple DNSCrypt: A free and open source simple management tool with GUI to easily configure dnscrypt-proxy on Windows.
- SecureDNS: A free and open source all-in-one cross-platform DNS Server with support for DoH, DoT, DNSCrypt, DoU, ENS, and Anonymized DNSCrypt. It is fairly new, and is available for Windows, macOS, and Linux.
- Stubby: An open source application that acts as a local DNS over TLS stub resolver, available for Windows, macOS, and Linux.
- Firefox built-in DoH resolver: Mozilla Firefox comes with built-in DNS over HTTPS for Cloudflare and NextDNS, you can choose other DoH resolvers too.
- Android built-in DoT resolver: Android 9 (Pie) comes with built-in support for DNS-over-TLS without any 3rd-party app.
- Nebulo: A free, open-source, non-root DNS changer for Android with support for both DNS over HTTPS and DNS over TLS.
- DNSCloak: A free and open source iOS GUI and wrapper for dnscrypt-proxy with support for DNS over HTTPS, & DNSCrypt.
There are also standalone native apps from public DNS providers, like Cloudflare’s 1.1.1.1 app and Quad9 Connect. You can check out this page on DNSCrypt’s website for other great clients.
DNS Protocols Explained
I have talked about lots of DNS protocols like DNSSEC, DoH, DoT, etc. Here is what they mean, what they do, and how these protocols work:
DNSSEC
DNSSEC stands for “Domain Name System Security Extensions”. It allows registrants to digitally sign the information they put into the Domain Name System, protecting you from DNS data that has been corrupted, accidentally or maliciously.
DNSSEC adds a layer of protection by providing authentication, as all answers from DNSSEC-protected zones are digitally signed:
By checking the digital signature, a DNS resolver is able to check if the information is identical (i.e. unmodified and complete) to the information published by the zone owner and served on an authoritative DNS server. While protecting IP addresses is the immediate concern for many users, DNSSEC can protect any data published in the DNS, including text records (TXT) and mail exchange records (MX), and can be used to bootstrap other security systems that publish references to cryptographic certificates stored in the DNS such as Certificate Records, SSH fingerprints, IPSec public keys, and TLS Trust Anchors.
(DNSSEC on Wikipedia)
It’s a great tool created by engineers at the Internet Engineering Task Force (IETF) to solve the lack of strong authentication in DNS. Note that DNSSEC authenticates answers but does not encrypt them; confidentiality is what DoT, DoH, and DNSCrypt add. You can learn more about DNSSEC on this ICANN page.
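How a validating resolver actually links one zone’s signing key to the record its parent publishes is the part of DNSSEC that is easiest to see in code. The block below is an added example, not code from the original post or from any DNSSEC implementation: it computes a DNSKEY’s key tag (RFC 4034, appendix B) and the SHA-256 DS digest a parent zone publishes for it (RFC 4034, section 5.1.4), and then checks a child key against a parent DS set the way a validator does before trusting anything the child signs. The DNSKEY bytes are a constructed placeholder rather than a real ECDSA key; algorithm 13 and digest type 2 are the real code points for ECDSA P-256 and SHA-256.

```python
import hashlib
import struct


def owner_wire(name):
    """Canonical wire form of the owner name: lowercase, length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA: flags (257 = zone key + secure entry point), protocol 3,
    algorithm number, then the public key bytes."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def key_tag(rdata):
    """16-bit key tag from RFC 4034 appendix B: lets a validator pick the
    DNSKEY an RRSIG or DS refers to when a zone publishes several keys."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata):
    """DS digest (type 2) = SHA-256(owner name in wire form || DNSKEY RDATA)."""
    return hashlib.sha256(owner_wire(owner) + rdata).hexdigest()


def ds_matches(ds, owner, rdata, algorithm):
    """True if a parent DS record (tag, algorithm, digest type, digest)
    covers this child DNSKEY; any field out of place means no trust link."""
    tag, alg, dtype, digest = ds
    return (dtype == 2 and alg == algorithm
            and tag == key_tag(rdata)
            and digest == ds_digest(owner, rdata))


def validate_delegation(owner, rdata, algorithm, ds_set):
    """A validator accepts the child's key only if some DS in the parent covers it."""
    return any(ds_matches(ds, owner, rdata, algorithm) for ds in ds_set)


# Constructed child key for example.com. (placeholder bytes, not a real key)
CHILD_KEY = dnskey_rdata(257, 13, b"\x01\x02\x03\x04")
# What the parent (.com) would publish once the registrar submitted the key
PARENT_DS = (key_tag(CHILD_KEY), 13, 2, ds_digest("example.com.", CHILD_KEY))
# A key an attacker might substitute in a forged answer: no DS covers it
TAMPERED_KEY = dnskey_rdata(257, 13, b"\x01\x02\x03\x05")


if __name__ == "__main__":
    print("key tag:", key_tag(CHILD_KEY))
    print("genuine key accepted:", validate_delegation("example.com.", CHILD_KEY, 13, [PARENT_DS]))
    print("tampered key accepted:", validate_delegation("example.com.", TAMPERED_KEY, 13, [PARENT_DS]))
```

The check is only the delegation link; a full validator also verifies the RRSIG over the answer with the accepted key and repeats this DS step at every zone cut from the root trust anchor down, which is what makes a forged record (the cache-poisoning case in the security section) detectable.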
DNS over TLS
DNS over TLS, or DoT, is a security protocol that encrypts your DNS queries and answers with the Transport Layer Security (TLS) protocol, with the goal of increasing user privacy and security by preventing eavesdropping and manipulation of DNS data.
It uses a dedicated port, 853. Some providers also offer it on port 443, which generally works everywhere, while port 853 is often blocked by restrictive firewalls. DoT adds a layer of protection by providing confidentiality: the DNS queries that would otherwise travel as plaintext UDP are carried inside a TLS session.
DNS over HTTPS
DNS over HTTPS, or DoH, is similar to DoT: a security protocol that encrypts your DNS queries and answers by carrying them over HTTPS (HTTP inside TLS), with the goal of increasing user privacy and security by preventing eavesdropping and manipulation of DNS data.
It uses port 443, making it indistinguishable from normal HTTPS traffic and hence more difficult to block. DoH adds a layer of protection by providing confidentiality, since the DNS queries are encrypted like any other HTTPS request.
In short, DoT encrypts your normal plaintext DNS queries inside TLS on its own port, while DoH camouflages your DNS queries as ordinary encrypted web requests over HTTPS.
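Both protocols carry the very same wire-format message that plain DNS sends over UDP; only the wrapping differs. The block below is an added example, not code from the original post: it builds a DNS query in RFC 1035 wire format, frames it the way DoT does (a 2-byte length prefix, RFC 7858), encodes it the way a DoH GET does (base64url in the dns parameter, RFC 8484), and parses a constructed response, including a name-compression pointer. Nothing is sent on the network; the DoH endpoint dns.example is a placeholder, and the response bytes are constructed for the demo.

```python
import base64
import struct

QTYPE = {"A": 1, "AAAA": 28, "TXT": 16}


def encode_name(name):
    # 'www.example.com.' becomes length-prefixed labels: 3 'www' 7 'example' 3 'com' 0
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype="A", txid=0):
    """12-byte header (RD=1 asks the resolver to recurse) plus one question.
    DoH clients send txid 0 so identical queries stay cache-friendly (RFC 8484)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)


def dot_frame(msg):
    """DoT (RFC 7858), like DNS over TCP, prefixes each message with its 2-byte length."""
    return struct.pack("!H", len(msg)) + msg


def doh_get_url(endpoint, msg):
    """DoH GET (RFC 8484): base64url without '=' padding in the 'dns' parameter.
    The same bytes go unchanged in the body of a POST with application/dns-message."""
    encoded = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={encoded}"


def read_name(msg, offset):
    """Decode a name at offset, following 0xC0xx compression pointers.
    Returns (name, offset just past the name as it appeared in the stream)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            offset, jumped = pointer, True
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", end


def parse_answers(msg):
    """Return [(name, rtype, ttl, rdata)] from a response's answer section;
    A records are rendered as dotted quads, everything else as raw bytes."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    offset = 12
    for _ in range(qdcount):                           # skip the echoed question
        _, offset = read_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(ancount):
        name, offset = read_name(msg, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE["A"] and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return answers


def sample_response(query):
    """Constructed response (not captured traffic): the question echoed back plus
    one A record, 192.0.2.10 with TTL 300, whose owner name is a compression
    pointer (0xC00C) back to the question name at offset 12."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)   # QR=1, RD=1, RA=1
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
    return header + query[12:] + answer


if __name__ == "__main__":
    q = build_query("www.example.com.")
    print(doh_get_url("https://dns.example/dns-query", q))
    print(dot_frame(q)[:2].hex(), "is the length prefix DoT puts in front of the message")
    print(parse_answers(sample_response(q)))
```

The point to take from the output is that the DoH URL and the DoT frame contain exactly the same 33 bytes a plaintext UDP query would carry; what eavesdroppers lose is only the ability to read or alter them in transit.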
DNSCrypt
DNSCrypt is another security protocol, just like DoT and DoH, designed to protect user privacy and security by preventing eavesdropping and manipulation of DNS data.
It is an older technology and uses port 443, just like DoH.
Anonymized DNSCrypt is a newer, lightweight protocol that hides your IP address from the resolver by using relays to forward encrypted DNS data: instead of reaching the DNS server directly, the client encrypts the query and sends it to a relay, which forwards it to the actual DNS server. It was created in 2019 and is currently only supported by dnscrypt-proxy and a limited number of relays.
DNSCurve
DNSCurve is a proposed alternative to DNSSEC. It uses Curve25519 elliptic curve cryptography to establish keys for Salsa20, paired with the Poly1305 message authentication code, to encrypt and authenticate DNS packets between resolvers and authoritative servers.
It is a very fast protocol designed by Daniel J. Bernstein, with the goal of drastically improving every dimension of DNS security:
- Confidentiality: encrypts all DNS packets
- Integrity: cryptographically authenticates all DNS responses, eliminating forged DNS packets
- Availability: recognizes and discards forged packets, so attackers can’t prevent your DNS data from getting through
Anycast DNS
In Anycast, unlike Unicast, many servers share a single IP address, allowing many-to-one instead of one-to-one transmission. There are other routing schemes like Multicast, Broadcast, and Geocast.
Anycast DNS servers let your device get DNS responses from the server that is geographically closest to it, reducing latency, improving uptime for the resolving service, and giving protection against DNS flood DDoS attacks.
You can think of Anycast DNS resolvers as CDNs (Content Delivery Networks) for your DNS resolver: they spread the load and serve your device from the closest server.
It’s not a necessity but a great feature to have in a DNS resolver.
Why use an Encrypted DNS Resolver?
Switching away from your ISP’s DNS resolver is highly recommended: it not only can make your internet feel faster, but, with an encrypted protocol, also hides your DNS queries from your Internet Service Provider.
By default, your DNS queries and responses are sent in plaintext via UDP — which means they can be read by networks, ISPs, or anyone able to monitor transmissions. Even if a website uses HTTPS, the DNS query required to navigate to that website is exposed.
Here are a few reasons why I recommend using a privacy-respecting encrypted DNS resolver:
- Security: An encrypted DNS resolver like the ones mentioned above uses protocols like DoH, DoT, and DNSCrypt to encrypt your DNS queries, and DNSSEC to validate answers, providing authenticity, confidentiality, and integrity.
- Privacy: A privacy-respecting DNS resolver does not log your DNS queries, giving you better privacy. DNS protocols like DoH, DoT, and DNSCrypt protect you from surveillance by encrypting your DNS queries.
- Filtering: Most of the DNS resolvers mentioned above give you the ability to filter malicious websites; you can use these filtering options to block ads and trackers and even make your internet family friendly.
What is DNS?
Alrighty, you might still be wondering what the heck is DNS and how does DNS work? Here’s pretty much everything you need to know:
DNS or Domain Name System is a system (duh) of computers all around the world with the goal of converting Domain Names like google.com into their respective IP Addresses.
You can think of Domain Name System as a computer version of phone book or yellow pages — your browser does not know how to open a website just by the domain name; it needs to know the IP Address of that website to open.
Everything connected to the Internet has a unique IP address, which other devices use to find and connect to it.
To visit a website, you can either type in the IP address like 188.8.131.52 (IPv4) or 2a01:4f8:1c1c:6b4b::1 (IPv6), or just put in the domain name like google.com or techcorpus.com and press enter so that your browser can go find the IP address by using the DNS.
DNS eliminates the need to memorize IP addresses. Everything on the Internet starts with a DNS request — Open a website, an app, send an email, your device first tries to find the IP address of that service.
The program to convert domain names into IP addresses and vice versa is called, “DNS,” or Domain Name System, and the computers that run DNS are called, “DNS servers.” Without DNS, we’d have to remember the IP address of all the websites we wanted to connect to — no fun.
How DNS Works?
The Domain Name System (DNS) is all about converting a domain name into its IP address. Let’s follow the path of a DNS lookup as it travels from a web browser, through the DNS lookup process, and back again:
The complete process of querying and connecting to the desired website is a 10-step process, as illustrated in the diagram above:
Step 1: Everything starts when you type in a URL like example.com or open an app; your device sends the query to the configured DNS Resolver, aka Resolving Name Server.
Your OS may already have the IP address of the name you are trying to reach in its cache, or it may be statically configured, but we assume that is not the case here, so your OS sends the query to the configured Resolving Name Server (DNS Resolver).
Step 2: The Resolving Name Server then queries a Root Name Server, represented by the usually invisible trailing dot (.) at the end of the domain name you are trying to reach.
Your Resolving Name Server may have the IP address in its cache, but we assume that is not the case here, so it queries the Root Name Server.
Step 3: The Root Name Server responds to the Resolving Name Server with the addresses of the Top Level Domain (TLD) Name Servers (such as .com or .net), which store the delegation information for the domains under them.
Step 4: The Resolving Name Server then queries the TLD Name Server (.com).
Step 5: The TLD Name Server responds to the Resolving Name Server with the address of the domain’s own name server, aka the Authoritative Name Server for example.com.
Step 6: Now the Resolving Name Server queries the Authoritative Name Server for the IP address of the particular domain (example.com).
Step 7: The Authoritative Name Server responds to the Resolving Name Server with the IP address of that particular website.
Step 8: Now your DNS Resolver, or Resolving Name Server, responds to the web browser with the IP address of the website.
The DNS lookup is complete here; your web browser now just needs to connect to the website or service to send and receive data.
Step 9: Your web browser makes an HTTP request to the IP address provided by the Resolving Name Server.
Step 10: The server of the website responds with the web page to be rendered by your web browser.
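Steps 2 through 8 are the resolver’s job, and they are easiest to understand as code that walks the delegation chain. The block below is an added example, not code from the original post: a toy resolving name server over three in-memory servers (root, a .com TLD server, and the authoritative server for example.com.) that follows referrals down the tree, caches the final answer for its TTL, and answers repeat lookups from the cache without contacting anyone, which is the non-recursive case from the query types section. All server data, names, and addresses are constructed for the demo (192.0.2.0/24 is a documentation range), and the clock is injectable so the cache expiry can be shown.

```python
import time

# Constructed delegation data (not real servers): each server answers with
# either a referral ("NS", next server) or a final answer ("A", address, ttl).
SERVERS = {
    "root": {"com.": ("NS", "a.gtld-servers.test.")},
    "a.gtld-servers.test.": {"example.com.": ("NS", "ns1.example.com.")},
    "ns1.example.com.": {"www.example.com.": ("A", "192.0.2.10", 300)},
}


def ask(server, qname):
    """One non-recursive question to one server. The server returns the closest
    enclosing entry it holds, so the .com server answers 'www.example.com.' with
    the example.com. delegation rather than the final address (step 5)."""
    zone = SERVERS[server]
    name = qname
    while name:
        if name in zone:
            return zone[name]
        name = name.split(".", 1)[1]   # www.example.com. -> example.com. -> com. -> ""
    return None


class Resolver:
    """A minimal resolving name server: recursive towards the client, iterative
    towards root, TLD and authoritative servers, with a TTL-bound cache."""

    def __init__(self, clock=time.monotonic):
        self.cache = {}       # qname -> (address, expiry time on this clock)
        self.clock = clock    # injectable so TTL behaviour can be tested offline

    def resolve(self, qname):
        """Return (address, servers_contacted). A fresh cache entry answers the
        client immediately with an empty contact list (non-recursive query)."""
        hit = self.cache.get(qname)
        if hit is not None and hit[1] > self.clock():
            return hit[0], []
        contacted = []
        server = "root"                          # step 2: every resolver knows the root
        while True:
            contacted.append(server)
            rr = ask(server, qname)
            if rr is None:
                raise LookupError(f"{qname}: no such name (reached {server})")
            if rr[0] == "NS":                    # steps 3 and 5: a referral downwards
                server = rr[1]
                continue
            _, address, ttl = rr                 # step 7: the authoritative answer
            self.cache[qname] = (address, self.clock() + ttl)   # step 8, and cache it
            return address, contacted


if __name__ == "__main__":
    r = Resolver()
    print(r.resolve("www.example.com."))   # full walk: root, TLD, authoritative
    print(r.resolve("www.example.com."))   # again: from cache, nobody contacted
```

The contact list returned for the first lookup is exactly the root, TLD and authoritative sequence of steps 2 to 7; the second lookup returns the same address with an empty list, and once the 300-second TTL has passed the walk happens again.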
Woah! — that’s a lot of querying and responding just to open a website, but it all happens in just a few milliseconds. DNS was designed to be extremely fast and efficient, but not for privacy and security. Newer protocols like DNSSEC, DoH, DoT, etc try to solve this problem.
Here’s a cool explainer on DNS I found by DNSMadeEasy:
DNS Server Types
There are basically 4 kinds of DNS servers involved in a DNS lookup, apart from your device and the web server that finally serves the data:
Resolving Name Server
The Resolving Name Server, also called the DNS Resolver, DNS Recursor, or Recursive Resolver, is the workhorse and the first step of the DNS lookup; it does all the querying and responding for you, and it is the only DNS server you have control over.
All Resolving Name Servers know the addresses of the Root Name Servers; they query the Root, TLD, and Authoritative Name Servers and store what they learn in their cache so that next time they can respond quickly to your DNS queries.
Resolving Name Servers are an integral part of the DNS lookup, which is why it’s recommended to use a privacy-respecting encrypted DNS Resolver like the ones recommended in this article.
Root Name Server
Root Name Servers are the ones that hold the addresses of all the TLD name servers like .com, .org, .net, etc. There are 13 root name server addresses, known to each and every DNS Resolver.
These root name servers respond to a query with a referral to a TLD name server, based on the extension of the domain name (.com, .net, .org, etc.). There are many copies of each of the 13 root name servers all over the world, which use Anycast routing for speedy responses.
Root Name Servers are overseen by a non-profit called Internet Corporation for Assigned Names and Numbers (ICANN), and are maintained by various other organizations like Verisign, NASA, etc.
TLD Name Server
TLD Name Servers are the ones that hold the addresses of the Authoritative Name Servers for all the domain names that share a common extension, such as .com, .net, .org, or whatever comes after the last dot (.) of the domain name.
For example, a query for techcorpus.com is sent to a .com TLD name server, which then responds with the authoritative name server of that domain (techcorpus.com).
TLD Name Servers are maintained by the Internet Assigned Numbers Authority (IANA), a branch of ICANN, which divides TLDs into two main groups:
- Generic Top-Level Domains (gTLDs): Domains that are not country specific, like .com, .org, .net, .edu, .gov, etc.
- Country Code Top-Level Domains (ccTLDs): Domains that are specific to a country or state, like .uk, .us, .ru, .jp, etc.
There are over 1500 top-level domains, and anyone can purchase a domain name under them from domain registrars like GoDaddy or Namecheap.
Authoritative Name Servers
Authoritative Name Servers are the ones that hold the IP addresses of the actual website you are trying to reach; querying one is the last step of the DNS lookup.
These Authoritative Name Servers have all the DNS records like A, NS, CNAME, TXT, etc and the IP address where the website is located.
Authoritative Name Servers are usually maintained either by the domain registrar or the web server provider for the website.
DNS Query Types
DNS queries are classified into 3 types: recursive, non-recursive, and iterative. A DNS lookup may use a combination of these for an efficient process.
Usually, a DNS client (your device) issues a Recursive Query to a caching recursive DNS server, which then issues Non-Recursive or Iterative Queries to find the answer and send it back to the client.
Recursive Queries are made by your device (DNS Client) to the DNS resolver (Resolving Name Server); this is the first step of the DNS lookup.
In a recursive query, your device wants either the answer or a confirmation that the DNS resolver doesn’t know the answer.
Since all the queries between your device (DNS Client) and the DNS Resolver (Resolving Name Server) are recursive in nature, DNS Resolvers are also called DNS Recursive Resolvers.
Non-Recursive Queries happen when the DNS resolver already has the answer to the query made by your device and responds immediately, without querying any other name servers.
This happens when the DNS resolver has the IP address stored in its local cache or because it is itself the authoritative name server. Usually, DNS resolvers cache name server records to avoid extra bandwidth consumption and load on upstream servers.
In a non-recursive query, your device gets the answer straight from the DNS resolver’s cache.
Iterative Queries happen when the DNS Resolver does not have the answer to your device’s query in its cache. So it asks the Root name server, which knows where to find the particular TLD name server, which in turn knows where to find the Authoritative name server.
This is what happens in the typical scenario, as explained in the 10-step DNS lookup process above.
In an iterative query, your device gets the answer from the DNS resolver, which in turn has obtained the information by querying the other name servers iteratively.
DNS Caching, Why, Where?
The whole point of caching (storing) the IP address and other DNS results locally in the browser, in the operating system, or in the DNS resolver is so that your device doesn’t have to ask for the IP address every time, which improves performance and efficiency.
DNS Caching is done for a set amount of time determined by a time-to-live (TTL), and it can be done at 3 levels:
Browser DNS Caching
All modern browsers have built-in caching capability to store or cache DNS records. This is the first place where your browser checks for the IP address of the concerned domain name.
In Chrome, you can check your DNS cache by going to chrome://net-internals/#dns
In Firefox, you can check your DNS cache by going to about:networking#dns
Operating System (OS) DNS Caching
Your operating system also caches DNS records — this is the second and last place where your browser checks for the IP address, before sending the query to the resolving name server.
In Windows, you can check your DNS cache by opening command prompt (CMD), and entering ipconfig /displaydns
In macOS, you can check your DNS cache by opening the Console app, selecting your device, and entering: any:mdnsresponder into the search bar. Then, enter: sudo killall -INFO mDNSResponder
In Linux, you can check your DNS cache by opening the command terminal, and running: service nscd status or sudo service nscd status
DNS Resolver DNS Caching
All DNS resolvers have a DNS cache storing the records they have learned, to be reused for the next request.
DNS Privacy and Security
DNS was not designed with privacy and security in mind, but speed and efficiency. Most of these DNS attacks can be mitigated via newer DNS security protocols like DNSSEC, DoH, DoT, DNSCurve, etc.
Here are some of the most common DNS attacks:
- DNS Cache Poisoning / Spoofing: attackers try to inject forged data into your DNS resolver’s cache to redirect victims to a malicious website. It can be prevented with DNSSEC or DNSCurve, which let the resolver reject records that were not signed by the zone owner.
- DNS Hijacking / Domain Theft: attackers redirect DNS queries to a different authoritative name server, hence redirecting victims to a malicious website. ICANN imposes a 60-day waiting period between a change in registration information and a transfer to another registrar to mitigate this.
- DNS Flood Attack: attackers flood your DNS servers with requests in an attempt to cause a denial of service for legitimate traffic. You can use a DDoS mitigation provider like Cloudflare or Akamai to mitigate this.
- DNS Tunneling: attackers use DNS queries as camouflage to bypass firewalls, smuggling malware or stolen information inside DNS queries and responses.
- NXDOMAIN Attack: similar to a DNS flood, this is a DDoS attack where attackers flood your DNS servers with requests for records that don’t exist, in an attempt to cause a denial of service for legitimate traffic.
- Random Subdomain Attack: the attacker sends DNS queries for many random, non-existent subdomains of your legitimate site, with the goal of creating a denial of service for the domain’s authoritative name server.
- Phantom Domain Attack: similar to the NXDOMAIN attack, attackers flood your DNS resolver with queries for “phantom domains” whose servers either respond very slowly or not at all, tying up resolver resources.
- Botnet-based CPE Attack: attackers use compromised customer-premises equipment (CPE) such as switches and routers, gathered into botnets, to run random subdomain attacks against all traffic to the site.
These are some of the better-known DNS vulnerabilities; most can be mitigated via DNSSEC, Anycast routing, DNS firewalls, and other DNS security protocols.
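Two of the abuses above, DNS tunneling and random-subdomain floods, leave a characteristic shape in a resolver’s query log, and a defender can spot them with simple per-domain statistics. The block below is an added example, not code from the original post: it parses a constructed resolver log, groups queries by registered domain, and flags a domain when many distinct subdomains are queried and either their leftmost labels look random (high Shannon entropy, the signature of data encoded into names) or most of them come back NXDOMAIN (the signature of a flood against non-existent names). The log lines, client addresses and domain names are constructed for the demo; the thresholds are assumptions to tune against a real baseline, and the “registered domain = last two labels” rule is a simplification noted in the code.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log (not real traffic): timestamp, client, qtype, qname, rcode.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 192.0.2.20 A www.example.com NOERROR
2024-05-01T10:00:02Z 192.0.2.20 A mail.example.com NOERROR
2024-05-01T10:00:03Z 192.0.2.21 TXT 3q7x9k2m1z8p4r6w.tunnel.example NOERROR
2024-05-01T10:00:03Z 192.0.2.21 TXT k8zb2n4vq7c1xe5j.tunnel.example NOERROR
2024-05-01T10:00:04Z 192.0.2.21 TXT p2r9ty4u6wa1sd3f.tunnel.example NOERROR
2024-05-01T10:00:04Z 192.0.2.21 TXT m5n8b1v4c7x0z3l6.tunnel.example NOERROR
2024-05-01T10:00:05Z 192.0.2.21 TXT h4j7k1l0q9w2e5r8.tunnel.example NOERROR
2024-05-01T10:00:05Z 192.0.2.21 TXT y1u4i7o0p3a6s9d2.tunnel.example NOERROR
2024-05-01T10:00:06Z 192.0.2.22 A x8a1.victim.example NXDOMAIN
2024-05-01T10:00:06Z 192.0.2.22 A q3z7.victim.example NXDOMAIN
2024-05-01T10:00:07Z 192.0.2.22 A w0k4.victim.example NXDOMAIN
2024-05-01T10:00:07Z 192.0.2.22 A r5m2.victim.example NXDOMAIN
2024-05-01T10:00:08Z 192.0.2.22 A t9b6.victim.example NXDOMAIN
2024-05-01T10:00:09Z 192.0.2.20 A www.example.com NOERROR
2024-05-01T10:00:10Z 192.0.2.20 A api.example.com NOERROR
"""


def shannon_entropy(text):
    """Bits per character: random-looking labels score high, real words score low."""
    if not text:
        return 0.0
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())


def parse_log(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qtype, qname, rcode = line.split()
        records.append({"ts": ts, "client": client, "qtype": qtype,
                        "qname": qname.lower().rstrip("."), "rcode": rcode})
    return records


def split_domain(qname):
    """Assumption for the demo: the registered domain is the last two labels.
    Production code should use the public suffix list (co.uk and friends)."""
    labels = qname.split(".")
    if len(labels) <= 2:
        return qname, ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def analyze(records, min_distinct=5, tunnel_entropy=3.5, nx_ratio=0.8):
    """Per registered domain: many distinct subdomains with high-entropy leftmost
    labels looks like tunneling; many distinct subdomains that mostly come back
    NXDOMAIN looks like a random-subdomain flood. Thresholds are assumptions."""
    stats = defaultdict(lambda: {"subs": set(), "entropy": [], "nx": 0, "total": 0})
    for rec in records:
        domain, sub = split_domain(rec["qname"])
        s = stats[domain]
        s["total"] += 1
        s["nx"] += rec["rcode"] == "NXDOMAIN"
        if sub:
            s["subs"].add(sub)
            s["entropy"].append(shannon_entropy(sub.split(".")[0]))
    findings = {}
    for domain, s in stats.items():
        if len(s["subs"]) < min_distinct:
            continue
        mean_entropy = sum(s["entropy"]) / len(s["entropy"])
        if mean_entropy >= tunnel_entropy:
            findings[domain] = "possible DNS tunneling"
        elif s["nx"] / s["total"] >= nx_ratio:
            findings[domain] = "possible random-subdomain flood"
    return findings


if __name__ == "__main__":
    for domain, verdict in analyze(parse_log(SAMPLE_LOG)).items():
        print(f"{domain}: {verdict}")
```

On the sample log, example.com stays quiet (three ordinary subdomains), tunnel.example is flagged for tunneling (six distinct 16-character labels that each use 16 different characters), and victim.example is flagged as a flood (five distinct names, all NXDOMAIN). In a real deployment the same counters would be kept per time window and per client, and the verdicts fed to the DNS firewall or response-rate limiting rather than just printed.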
There are basically two major approaches to mitigating these DNS privacy and security issues using protocols like DNSSEC, DoH, DoT, DNSCrypt, and DNSCurve:
Make it Harder to Eavesdrop
Making it harder to eavesdrop on DNS queries by using encryption is the easiest way to prevent most of the security issues. Encryption protocols like DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH) can be used between your device and the DNS resolver.
Reduce the Information Sent
The other approach is to reduce the information exposure by reducing the amount of information sent in each DNS query. The IETF (Internet Engineering Task Force) proposed an approach to achieve this using a technique called Query Name Minimisation or QNAME minimisation.
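The effect of QNAME minimisation is clearest when you list what each name server gets to see. The block below is an added example, not code from the original post: it models the two strategies from RFC 7816 over a constructed delegation layout (zone cuts at com. and example.com.), returning the sequence of (server, query name) pairs a resolver would send for a four-label name, and summarising which names each server observed. The zone cut set and the name are constructed for the demo; real resolvers discover the cuts from the referrals they receive, as in the lookup walkthrough earlier in the article.

```python
# Constructed delegation points for the demo (where one zone hands off to the next)
ZONE_CUTS = {"com.", "example.com."}


def queries_sent(qname, zone_cuts, minimize):
    """Return [(server_zone, name_asked)] for one lookup.
    Without minimisation the resolver sends the full name to every server it is
    referred to. With minimisation (RFC 7816) it asks each server only for the
    name one label longer than the zone that server is authoritative for, and
    keeps adding labels at the same server until it reaches the full name."""
    labels = qname.rstrip(".").split(".")
    # shortest to longest: com., example.com., shop.example.com., www.shop.example.com.
    prefixes = [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]
    sent, server = [], "."          # "." is the root zone
    for name in prefixes:
        if minimize:
            sent.append((server, name))
        elif not sent or sent[-1][0] != server:
            sent.append((server, qname))
        if name in zone_cuts:       # a referral moves us to the child zone's server
            server = name
    return sent


def exposure(sent):
    """Which names each server observed: the privacy difference in one dict."""
    seen = {}
    for server, name in sent:
        seen.setdefault(server, set()).add(name)
    return seen


if __name__ == "__main__":
    for minimize in (False, True):
        plan = queries_sent("www.shop.example.com.", ZONE_CUTS, minimize)
        print("minimised" if minimize else "full name", plan)
        print("  root saw:", exposure(plan)["."])
```

Without minimisation the root and the .com servers both learn that someone wants www.shop.example.com.; with it the root learns only that .com was of interest, and the .com servers only example.com. The cost is one extra query at the example.com. server, since shop.example.com. turns out not to be a zone cut and the resolver then has to ask for the full name there.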
Additional Resources
- How DNS works: It is a comic that explains what happens when you browse the internet, how DNS works, and everything in between.
- A Cartoon intro to DNS over HTTPS: It is a great comic by Lin Clark on the Mozilla Hacks blog about why you should be using DNS over HTTPS.
Encrypted DNS Resolver
Switching to an encrypted DNS resolver is a great way to increase your privacy and get your DNS queries answered faster. I hope you enjoyed reading about these encrypted DNS resolvers.
That’s all folks!
I will be updating this list frequently with more encrypted DNS resolvers and information. You can check out the most secure and private web browsers here.
Do let me know of any feedback, tips, or suggestions based on privacy and security tools you are using, feel free to drop a comment below!