Secure DNS Resolvers
Don't let Google, Microsoft, etc, spy on what you're doing via DNS traffic. Discover privacy-focused alternatives.
|AdGuard||Anycast (based in Cyprus)||Commercial||Some||DoH, DoT, DNSCrypt||Yes||Yes||Based on server choice||Choopa, LLC, Serveroid, LLC|
|BlahDNS||Finland, Germany, Japan Singapore||Hobby Project||No||DoH, DoT , DNSCrypt||Yes||Yes||Ads, trackers, malicious domains Based on server choice only for DoH||Choopa, LLC, Hetzner Online GmbH|
|Cloudflare||Anycast (based in US)||Commercial||Some||DoH, DoT||Yes||Yes||Based on server choice||?||Self|
|CZ.NIC||Czech Republic||Association||No||DoH, DoT||Yes||Yes||?||?||Self|
|Foundation for Applied Privacy||Austria||Non-Profit||Some||DoH, DoT||Yes||Yes||No||?||IPAX OG|
|LibreDNS||Germany||Informal collective||No||DoH, DoT||No||Yes||Based on server choice only for DoH||Hetzner Online GmbH|
|NextDNS||Anycast (based in US)||Commercial||Based on user choice||DoH, DoT, DNSCrypt||Yes||Yes||Based on server choice||?||Self|
|PowerDNS||The Netherlands||Hobby Project||No||DoH||Yes||No||No||TransIP B.V. Admin|
|Quad9||Anycast (based in Switzerland)||Non-Profit||Some||DoH, DoT, DNSCrypt||Yes||Yes||Malicious domains||?||Self, Packet Clearing House|
|Snopyta||Finland||Informal collective||No||DoH, DoT||Yes||Yes||No||?||Hetzner Online GmbH|
|UncensoredDNS||Anycast (based in Denmark), Denmark, US||Hobby Project||No||DoH, DoT||Yes||No||No||?||Self, Telia Company AB|
A DNS proxy with support for DNSCrypt, DNS-over-HTTPS, and Anonymized DNSCrypt, a relay-based protocol that the hides client IP address.
Firefox's built-in DNS-over-HTTPS resolver
Android 9's built-in DNS-over-TLS resolver
While using iOS is NO LONGER RECOMMENDED (see appleprivacyletter.com), DNSCloak is an open-source iOS client supporting DNS-over-HTTPS, DNSCrypt, and dnscrypt-proxy options such as caching DNS responses, locally logging DNS queries, and custom block lists. Users can add custom resolvers by DNS stamp.
In iOS, iPadOS, tvOS 14 and macOS 11, DoT and DoH were introduced. DoT and DoH are supported natively by installation of profiles (through mobileconfig files opened in Safari). After installation, the encrypted DNS server can be selected in Settings → General → VPN and Network → DNS.
- Signed profiles are offered by AdGuard and NextDNS.
- User contributed unsigned profiles for several DNS providers are hosted by encrypted-dns.party.
A security protocol for encrypted DNS on a dedicated port 853. Some providers support port 443 which generally works everywhere while port 853 is often blocked by restrictive firewalls.
Similar to DoT, but uses HTTPS instead, being indistinguishable from "normal" HTTPS traffic on port 443 and more difficult to block. Warning
With an open specification, DNSCrypt is an older, yet robust & very common method for encrypting DNS traffic.
A lightweight protocol that hides the client IP address by using pre-configured relays to forward encrypted DNS data. This is a relatively new protocol created in 2019 currently only supported by dnscrypt-proxy and a limited number of relays.