Encrypted DNS Resolvers

Don't let Google see all your DNS traffic. Discover privacy-centric alternatives to the traditional DNS providers.

| DNS Provider | Server Locations | Privacy Policy | Type | Logging | Protocols | DNSSEC | QNAME Minimization | Filtering | Source Code | Hosting Provider |
|---|---|---|---|---|---|---|---|---|---|---|
| AdGuard | Anycast (based in Cyprus) | | Commercial | Some | DoH, DoT, DNSCrypt | Yes | Yes | Based on server choice | | Choopa, LLC, Serveroid, LLC |
| BlahDNS | Finland, Germany, Japan, Singapore | | Hobby Project | No | DoH, DoT, DNSCrypt | Yes | Yes | Ads, trackers, malicious domains. Based on server choice only for DoH | | Choopa, LLC, Hetzner Online GmbH |
| Cloudflare | Anycast (based in US) | | Commercial | Some | DoH, DoT | Yes | Yes | Based on server choice | ? | Self |
| CZ.NIC | Czech Republic | | Association | No | DoH, DoT | Yes | Yes | ? | ? | Self |
| Foundation for Applied Privacy | Austria | | Non-Profit | Some | DoH, DoT | Yes | Yes | No | ? | IPAX OG |
| LibreDNS | Germany | | Informal collective | No | DoH, DoT | Yes | Yes | Based on server choice only for DoH | | Hetzner Online GmbH |
| NextDNS | Anycast (based in US) | | Commercial | Based on user choice | DoH, DoT, DNSCrypt | Yes | Yes | Based on server choice | ? | Self |
| NixNet | Anycast (based in US), US, Luxembourg | | Informal collective | No | DoH, DoT | Yes | Yes | Based on server choice | | FranTech Solutions |
| PowerDNS | The Netherlands | | Hobby Project | No | DoH | Yes | No | No | | TransIP B.V. Admin |
| Quad9 | Anycast (based in US) | | Non-Profit | Some | DoH, DoT, DNSCrypt | Yes | Yes | Malicious domains | ? | Self, Packet Clearing House |
| Snopyta | Finland | | Informal collective | No | DoH, DoT | Yes | Yes | No | ? | Hetzner Online GmbH |
| UncensoredDNS | Anycast (based in Denmark), Denmark, US | | Hobby Project | No | DoT | Yes | No | No | ? | Self, Telia Company AB |

Encrypted DNS Client Recommendations for Desktop

Unbound

A validating, recursive, caching DNS resolver that supports DNS-over-TLS and has been independently audited.


dnscrypt-proxy

A DNS proxy with support for DNSCrypt, DNS-over-HTTPS, and Anonymized DNSCrypt, a relay-based protocol that hides the client IP address.


Stubby

An application that acts as a local DNS-over-TLS stub resolver. Stubby can be used in combination with Unbound: Stubby manages the upstream TLS connections (since Unbound cannot yet re-use TCP/TLS connections) while Unbound provides a local cache.


Firefox's built-in DNS-over-HTTPS resolver

Firefox comes with built-in DNS-over-HTTPS support for NextDNS and Cloudflare, but users can manually configure any other DoH resolver.


Encrypted DNS Client Recommendations for Android

Android 9's built-in DNS-over-TLS resolver

Android 9 (Pie) comes with built-in DNS-over-TLS support without the need for a 3rd-party application.


Nebulo

An open-source Android client supporting DNS-over-HTTPS and DNS-over-TLS, caching DNS responses, and locally logging DNS queries.


Encrypted DNS Client Recommendations for iOS

DNSCloak

An open-source iOS client supporting DNS-over-HTTPS, DNSCrypt, and dnscrypt-proxy options such as caching DNS responses, locally logging DNS queries, and custom block lists. Users can add custom resolvers by DNS stamp.


Apple's native support

Native DoT and DoH support was introduced in iOS, iPadOS, tvOS 14 and macOS 11. It is enabled by installing a profile (a mobileconfig file opened in Safari). After installation, the encrypted DNS server can be selected in Settings → General → VPN and Network → DNS.

Definitions

DNS-over-TLS (DoT)

A security protocol for encrypted DNS on a dedicated port, 853. Some providers support port 443, which generally works everywhere, while port 853 is often blocked by restrictive firewalls.

DNS-over-HTTPS (DoH)

Similar to DoT, but uses HTTPS instead, making it indistinguishable from "normal" HTTPS traffic on port 443 and more difficult to block.

DNSCrypt

With an open specification, DNSCrypt is an older, yet robust method for encrypting DNS.

Anonymized DNSCrypt

A lightweight protocol that hides the client IP address by using pre-configured relays to forward encrypted DNS data. This is a relatively new protocol, created in 2019, and is currently only supported by dnscrypt-proxy and a limited number of relays.