Encrypted DNS with third-party servers should only be used to get around basic DNS blocking when you can be sure there won't be any consequences. Encrypted DNS will not help you hide any of your browsing activity.
|Some1||No||Based on server choice. Filter list being used can be found here.|
|Some2||No||Based on server choice.|
|Optional3||No||Based on server choice.|
|No4||No||Based on server choice. Filter list being used can be found here.|
|Optional5||Optional||Based on server choice.|
|Some6||Optional||Based on server choice, Malware blocking by default.|
Please note we are not affiliated with any of the projects we recommend. In addition to our standard criteria, we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
This section is new
We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please ask on our forum and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
- Must support DNSSEC.
- QNAME Minimization.
- Allow for ECS to be disabled.
- Prefer anycast support or geo-steering support.
Native Operating System Support¶
Android 9 and above support DNS over TLS. The settings can be found in: Settings → Network & Internet → Private DNS.
The latest versions of iOS, iPadOS, tvOS, and macOS, support both DoT and DoH. Both protocols are supported natively via configuration profiles or through the DNS Settings API.
After installation of either a configuration profile or an app that uses the DNS Settings API, the DNS configuration can be selected. If a VPN is active, resolution within the VPN tunnel will use the VPN's DNS settings and not your system-wide settings.
Apple does not provide a native interface for creating encrypted DNS profiles. Secure DNS profile creator is an unofficial tool for creating your own encrypted DNS profiles, however they will not be signed. Signed profiles are preferred; signing validates a profile's origin and helps to ensure the integrity of the profiles. A green "Verified" label is given to signed configuration profiles. For more information on code signing, see About Code Signing. Signed profiles are offered by AdGuard, NextDNS, and Quad9.
systemd-resolved, which many Linux distributions use to do their DNS lookups, doesn't yet support DoH. If you want to use DoH, you'll need to install a proxy like dnscrypt-proxy and configure it to take all the DNS queries from your system resolver and forward them over HTTPS.
Encrypted DNS Proxies¶
Encrypted DNS proxy software provides a local proxy for the unencrypted DNS resolver to forward to. Typically it is used on platforms that don't natively support encrypted DNS.
RethinkDNS is an open-source Android client supporting DNS-over-HTTPS, DNS-over-TLS, DNSCrypt and DNS Proxy along with caching DNS responses, locally logging DNS queries and can be used as a firewall too.
dnscrypt-proxy is a DNS proxy with support for DNSCrypt, DNS-over-HTTPS, and Anonymized DNS.
The anonymized DNS feature does not anonymize other network traffic.
A self-hosted DNS solution is useful for providing filtering on controlled platforms, such as Smart TVs and other IoT devices, as no client-side software is needed.
AdGuard Home is an open-source DNS-sinkhole which uses DNS filtering to block unwanted web content, such as advertisements.
AdGuard Home features a polished web interface to view insights and manage blocked content.
Pi-hole is an open-source DNS-sinkhole which uses DNS filtering to block unwanted web content, such as advertisements.
Pi-hole is designed to be hosted on a Raspberry Pi, but it is not limited to such hardware. The software features a friendly web interface to view insights and manage blocked content.
AdGuard stores aggregated performance metrics of their DNS servers, namely the number of complete requests to a particular server, the number of blocked requests, and the speed of processing requests. They also keep and store the database of domains requested in within last 24 hours. "We need this information to identify and block new trackers and threats." "We also log how many times this or that tracker has been blocked. We need this information to remove outdated rules from our filters." https://adguard.com/en/privacy/dns.html ↩
Cloudflare collects and stores only the limited DNS query data that is sent to the 18.104.22.168 resolver. The 22.214.171.124 resolver service does not log personal data, and the bulk of the limited non-personally identifiable query data is stored only for 25 hours. https://developers.cloudflare.com/126.96.36.199/privacy/public-dns-resolver/ ↩
Control D only logs for Premium resolvers with custom DNS profiles. Free resolvers do not log data. https://controld.com/privacy ↩
NextDNS can provide insights and logging features on an opt-in basis. You can choose retention times and log storage locations for any logs you choose to keep. If it's not specifically requested, no data is logged. https://nextdns.io/privacy ↩
Quad9 collects some data for the purposes of threat monitoring and response. That data may then be remixed and shared, such as for the purpose of security research. Quad9 does not collect or record IP addresses or other data they deem personally identifiable. https://www.quad9.net/privacy/policy/ ↩