Encrypted DNS Resolvers

Don’t let Google see all your DNS traffic. Discover privacy-centric alternatives to the traditional DNS providers.

| DNS Provider | Server Locations | Privacy Policy | Type | Protocols | Logging | DNSSEC | QNAME Minimization | Filtering | Source Code | Hosting Provider |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| AdGuard | Anycast; Cyprus | | Commercial | DoH, DoT, DNSCrypt | Some | Yes | Yes | Based on server choice | | |
| Cloudflare | Anycast; United States | | Commercial | DoH, DoT | Some | Yes | Yes | Based on server choice | | Self |
| ControlD | Anycast; Canada | | Commercial | DoH, DoT | Optional | Yes | Yes | Based on server choice | | Self |
| NextDNS | Anycast; United States | | Commercial | DoH, DoT, DNSCrypt | Optional | Yes | Yes | Based on server choice | | Self |
| Quad9 | Anycast; Switzerland | | Non-Profit | DoH, DoT, DNSCrypt | No | Yes | Yes | Based on server choice, malware blocking by default | | |


Encrypted DNS Clients for Desktop

Unbound

A validating, recursive, caching DNS resolver that supports DNS-over-TLS and has been independently audited.


dnscrypt-proxy

A DNS proxy with support for DNSCrypt, DNS-over-HTTPS, and Anonymized DNSCrypt, a relay-based protocol that hides the client IP address.


Stubby

An application that acts as a local DNS-over-TLS stub resolver. Stubby can be used in combination with Unbound: Stubby manages the upstream TLS connections (since Unbound cannot yet re-use TCP/TLS connections) while Unbound provides a local cache.


Firefox's built-in DNS-over-HTTPS resolver

Firefox comes with built-in DNS-over-HTTPS support for NextDNS and Cloudflare, but users can manually use any other DoH resolver.


Encrypted DNS Clients for Android

Android 9's built-in DNS-over-TLS resolver

Android 9 (Pie) comes with built-in DNS-over-TLS support without the need for a 3rd-party application.


Nebulo

An open-source Android client supporting DNS-over-HTTPS and DNS-over-TLS, caching DNS responses, and locally logging DNS queries.


Encrypted DNS Clients for iOS

DNSCloak

An open-source iOS client supporting DNS-over-HTTPS, DNSCrypt, and dnscrypt-proxy options such as caching DNS responses, locally logging DNS queries, and custom block lists. Users can add custom resolvers by DNS stamp.


Native Operating System Support

DoT and DoH were introduced in iOS, iPadOS and tvOS 14 and in macOS 11. They are supported natively through the installation of profiles (mobileconfig files opened in Safari). After installation, the encrypted DNS server can be selected in Settings → General → VPN and Network → DNS.
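A profile can carry more than DNS settings, so it is worth reading one before installing it. The following is an added example, not code from the original page: it parses an unsigned .mobileconfig (assumed to be a plain XML or binary plist) and reports the encrypted DNS payload alongside any other payload types. The sample profile, the `net.example` identifiers, the placeholder UUID and the resolver URL are all constructed.

```python
import plistlib

DNS_PAYLOAD = "com.apple.dnsSettings.managed"


def audit_profile(data: bytes) -> dict:
    """Summarise an unsigned .mobileconfig: DNS settings, other payloads, problems."""
    profile = plistlib.loads(data)
    report = {"dns": [], "other_payloads": [], "problems": []}
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype != DNS_PAYLOAD:
            # Anything else (certificate, VPN, ...) rides along with the DNS change.
            report["other_payloads"].append(ptype)
            continue
        dns = payload.get("DNSSettings", {})
        proto = dns.get("DNSProtocol")
        server = dns.get("ServerURL") if proto == "HTTPS" else dns.get("ServerName")
        report["dns"].append((proto, server))
        if proto == "HTTPS" and not str(server).startswith("https://"):
            report["problems"].append("DoH payload without an https:// ServerURL")
        elif proto == "TLS" and not server:
            report["problems"].append("DoT payload without a ServerName")
        elif proto not in ("HTTPS", "TLS"):
            report["problems"].append(f"unexpected DNSProtocol {proto!r}")
    if not report["dns"]:
        report["problems"].append("no DNS settings payload found")
    return report


def sample_profile() -> bytes:
    """Constructed sample: a DoH payload plus an extra root-certificate payload."""
    ids = {"PayloadVersion": 1, "PayloadUUID": "00000000-0000-4000-8000-000000000000"}
    return plistlib.dumps({
        **ids, "PayloadType": "Configuration",
        "PayloadIdentifier": "net.example.dns", "PayloadDisplayName": "Encrypted DNS",
        "PayloadContent": [
            {**ids, "PayloadType": DNS_PAYLOAD, "PayloadIdentifier": "net.example.dns.doh",
             "DNSSettings": {"DNSProtocol": "HTTPS",
                             "ServerURL": "https://dns.example.net/dns-query"}},
            {**ids, "PayloadType": "com.apple.security.root",
             "PayloadIdentifier": "net.example.dns.ca", "PayloadContent": b"placeholder"},
        ],
    })


if __name__ == "__main__":
    print(audit_profile(sample_profile()))
```

A non-empty `other_payloads` list means the profile changes more than the resolver and deserves a closer look before it is installed.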

Definitions

DNS-over-TLS (DoT): A security protocol for encrypted DNS on a dedicated port, 853. Some providers also support port 443, which generally works everywhere, while port 853 is often blocked by restrictive firewalls.

DNS-over-HTTPS (DoH): Similar to DoT, but uses HTTPS instead, which makes it indistinguishable from "normal" HTTPS traffic on port 443 and more difficult to block.

DNSCrypt: With an open specification, DNSCrypt is an older, yet robust method for encrypting DNS.

Anonymized DNSCrypt: A lightweight protocol that hides the client IP address by using pre-configured relays to forward encrypted DNS data. This is a relatively new protocol, created in 2019, and is currently only supported by dnscrypt-proxy and a limited number of relays.


Privacy Guides is a socially motivated website that provides information for protecting your data security and privacy.

Unless otherwise noted, the original content on this website is made available under a CC0 1.0 Universal Public Domain Dedication.

This content was made available by the Privacy Guides team and contributors.