Dnscrypt For Mac

DNSCrypt can lock that down. The official Windows and Mac DNSCrypt apps both work similarly to VPN services: you can toggle them on and off when you want the added security. DNSCrypt would wrap DNS traffic and DNSSEC would sign and validate a subset of that traffic, according to the FAQ. DNSCrypt is currently available only for Mac OS X, and OpenDNS has also released its source code. DNSCrypt is a piece of lightweight software that everyone should use to boost online privacy and security. It works by encrypting all DNS traffic between the user and OpenDNS, preventing any spying, spoofing or man-in-the-middle attacks. How can I use DNSCrypt today?

Don't let Google see all your DNS traffic. Discover privacy-centric alternatives to the traditional DNS providers.

DNS-over-HTTPS, DNS-over-TLS, and DNSCrypt resolvers will not make you anonymous. Using Anonymized DNSCrypt hides only your DNS traffic from your Internet Service Provider. However, using any of these protocols will prevent DNS hijacking, and make your DNS requests harder for third parties to eavesdrop on and tamper with. If you are currently using Google's DNS resolver, you should pick an alternative here. See the definitions below.
DNS Provider | Server Locations | Privacy Policy | Type | Logging | Protocols | DNSSEC | QNAME Minimization | Filtering | Source Code | Hosting Provider
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
AdGuard | Anycast (based in Cyprus) | | Commercial | Some | DoH, DoT, DNSCrypt | Yes | Yes | Based on server choice | | Choopa, LLC, Serveroid, LLC
BlahDNS | Finland, Germany, Japan, Singapore | | Hobby Project | No | DoH, DoT, DNSCrypt | Yes | Yes | Ads, trackers, malicious domains. Based on server choice only for DoH | | Choopa, LLC, Hetzner Online GmbH
Cloudflare | Anycast (based in US) | | Commercial | Some | DoH, DoT | Yes | Yes | Based on server choice | ? | Self
CZ.NIC | Czech Republic | | Association | No | DoH, DoT | Yes | Yes | ? | ? | Self
Foundation for Applied Privacy | Austria | | Non-Profit | Some | DoH, DoT | Yes | Yes | No | ? | IPAX OG
LibreDNS | Germany | | Informal collective | No | DoH, DoT | Yes | Yes | Based on server choice only for DoH | | Hetzner Online GmbH
NextDNS | Anycast (based in US) | | Commercial | Based on user choice | DoH, DoT, DNSCrypt | Yes | Yes | Based on server choice | ? | Self
NixNet | Anycast (based in US), US, Luxembourg | | Informal collective | No | DoH, DoT | Yes | Yes | Based on server choice | | FranTech Solutions
PowerDNS | The Netherlands | | Hobby Project | No | DoH | Yes | No | No | | TransIP B.V. Admin
Quad9 | Anycast (based in US) | | Non-Profit | Some | DoH, DoT, DNSCrypt | Yes | Yes | Malicious domains | ? | Self, Packet Clearing House
Snopyta | Finland | | Informal collective | No | DoH, DoT | Yes | Yes | No | ? | Hetzner Online GmbH
UncensoredDNS | Anycast (based in Denmark), Denmark, US | | Hobby Project | No | DoT | Yes | No | No | ? | Self, Telia Company AB

A validating, recursive, caching DNS resolver that supports DNS-over-TLS and has been independently audited.


A DNS proxy with support for DNSCrypt, DNS-over-HTTPS, and Anonymized DNSCrypt, a relay-based protocol that hides the client IP address.



An application that acts as a local DNS-over-TLS stub resolver. Stubby can be used in combination with Unbound by managing the upstream TLS connections (since Unbound cannot yet re-use TCP/TLS connections) with Unbound providing a local cache.


Firefox comes with built-in DNS-over-HTTPS support for NextDNS and Cloudflare but users can manually use any other DoH resolver.


Android 9 (Pie) comes with built-in DNS-over-TLS support without the need for a 3rd-party application.


An open-source Android client supporting DNS-over-HTTPS and DNS-over-TLS, caching DNS responses, and locally logging DNS queries.


An open-source iOS client supporting DNS-over-HTTPS, DNSCrypt, and dnscrypt-proxy options such as caching DNS responses, locally logging DNS queries, and custom block lists. Users can add custom resolvers by DNS stamp.


Apple's native support

In iOS, iPadOS, tvOS 14 and macOS 11, DoT and DoH were introduced. DoT and DoH are supported natively by installation of profiles (through mobileconfig files opened in Safari). After installation, the encrypted DNS server can be selected in Settings → General → VPN and Network → DNS.

  • Signed profiles are offered by AdGuard and NextDNS.
  • User-contributed unsigned profiles for several DNS providers are hosted by encrypted-dns.party.

Definitions

DNS-over-TLS (DoT)

A security protocol for encrypted DNS on a dedicated port 853. Some providers support port 443 which generally works everywhere while port 853 is often blocked by restrictive firewalls.

DNS-over-HTTPS (DoH)

Similar to DoT, but uses HTTPS instead, being indistinguishable from 'normal' HTTPS traffic on port 443 and more difficult to block.

DNSCrypt

With an open specification, DNSCrypt is an older, yet robust method for encrypting DNS.

Anonymized DNSCrypt

A lightweight protocol that hides the client IP address by using pre-configured relays to forward encrypted DNS data. This is a relatively new protocol, created in 2019, and is currently supported only by dnscrypt-proxy and a limited number of relays.

While I usually use a VPN in public places like cafes, I don't always do so on networks I trust more, like my home or university. Nearly all of my network traffic is encrypted thanks to HTTPS, so my DNS requests are the only plaintext data I send out in the wild.

I've been using DNS-over-TLS (DoT) on my Android phone for nearly 2 years thanks to Android's native DoT support since version 9. After doing a little bit of research a while ago, I thought it would be a hassle to use an encrypted DNS protocol on my MacBook, but it turns out to be very simple.

Since macOS does not natively support DoH or DoT, I use dnscrypt-proxy, a DNS proxy written in Go by the great Frank Denis, which supports DoH and DNSCrypt as you would expect.

It is available via Homebrew:

Once that's done you'll want to edit /usr/local/etc/dnscrypt-proxy.toml. Well, it will work out of the box, but I wanted to use a different resolver.

I want to filter ads and trackers at the DNS level, so I use AdGuard. The id of this resolver is adguard-dns-doh. The whole list is available on the DNSCrypt website.

Let's see if dnscrypt-proxy can resolve domains:

Now let's start the service and register it so that it will automatically start during the next boot:

If you're using Wi-Fi, you can set the resolver from the command line:

Otherwise, go to the system preferences and set it yourself.

Now, by issuing a simple dig we can see that 127.0.0.1 is able to resolve DNS queries.

To see if all the queries are going through dnscrypt-proxy, you can stop the service and check that you're not able to resolve anything.


Congrats, your DNS queries are a little more private now.
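
The steps above as one script, together with a stricter check than stopping the service: it confirms that the only system resolver is loopback and that dnscrypt-proxy listens only on loopback with the chosen resolver pinned. This is an added example, not code from the original post; the commands in setup, the service name "Wi-Fi" and the config keys server_names and listen_addresses are assumptions about a standard Homebrew install of dnscrypt-proxy.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: Homebrew install,
# a network service named "Wi-Fi", and the config path given in the post.
CONF=/usr/local/etc/dnscrypt-proxy.toml
RESOLVER=adguard-dns-doh   # resolver id named in the post

setup() {   # the post's steps, in order
    brew install dnscrypt-proxy
    # edit "$CONF" by hand: server_names = ['adguard-dns-doh']
    dnscrypt-proxy -config "$CONF" -resolve example.com
    sudo brew services start dnscrypt-proxy
    networksetup -setdnsservers Wi-Fi 127.0.0.1
}

# stdin: output of `networksetup -getdnsservers <service>` (one IP per line).
# Succeeds only if at least one resolver is set and all of them are loopback.
only_loopback_resolvers() {
    seen=0
    while IFS= read -r line; do
        case "$line" in
            127.*|::1) seen=1 ;;
            '') ;;
            *) return 1 ;;   # LAN/ISP resolver, or the "no servers set" message
        esac
    done
    [ "$seen" -eq 1 ]
}

# $1: path to dnscrypt-proxy.toml. Succeeds if an uncommented server_names
# line pins $RESOLVER and every listen_addresses entry is a loopback address.
conf_is_safe() {
    grep -Eq "^[[:space:]]*server_names[[:space:]]*=.*['\"]$RESOLVER['\"]" "$1" || return 1
    addrs=$(grep -E '^[[:space:]]*listen_addresses[[:space:]]*=' "$1" |
            grep -Eo "['\"][^'\"]+['\"]" | tr -d "'\"") || return 1
    [ -n "$addrs" ] || return 1
    # any entry that is not 127.x.x.x:port or [::1]:port exposes the proxy
    printf '%s\n' "$addrs" | grep -Evq '^(127\.[0-9.]+|\[::1\]):[0-9]+$' && return 1
    return 0
}

case "${1:-}" in
    setup)  setup ;;
    verify) networksetup -getdnsservers Wi-Fi | only_loopback_resolvers &&
            conf_is_safe "$CONF" && echo "DNS goes through dnscrypt-proxy only" ;;
esac
```

Run it with the argument setup once, then with verify after any network change; a DHCP-supplied resolver left in place makes verify fail.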