What should I prioritise while picking an encrypted DNS resolver?

The first thing I did while picking out an encrypted DNS resolver from PrivacyTools’ list was filter out all of the DNS providers that log traffic and the DNS providers that have servers in the US.

That leaves me with five DNS providers – BlahDNS, CZ.NIC, LibreDNS, PowerDNS, and Snopyta. PowerDNS has servers in the Netherlands, a member of the Nine Eyes, and BlahDNS and LibreDNS have servers in Germany, a member of the Fourteen Eyes.

If I were to filter out BlahDNS, LibreDNS, and PowerDNS I would be left with CZ.NIC and Snopyta. The problem with those two is that they don’t have public source code, but the alternative would be using a provider based in either the Nine Eyes or the Fourteen Eyes. Which should I prioritise – the public availability of source code or server locations?

Furthermore, how important is QNAME minimisation, filtering, and the resolver’s hosting provider? Does the type of provider (commercial, nonprofit, informal collective, etc.) matter at all? Is there anything else I should be considering when deciding on an encrypted DNS resolver?

1 Like

PTIO plans to shift away from the “eyes thing” because basically every country has intelligence and law enforcement agencies that cooperate to a certain degree.

While some people argue that seeing the source code makes a service more trustworthy, others argue you can’t prove that the server is actually running the published source code. This is up to you.

This feature only affects DNS requests that can’t be answered by the DNS resolver without asking upstream DNS servers. So, if many people use the same DNS resolver, there should be some caching to minimize the risk of being identified as a single user of this resolver.

However, this scenario is only relevant if you assume that a party can observe upstream DNS servers but not the DNS resolver itself.

This is again up to you. Some people like unfiltered DNS replies, others don’t want pornography, ads, etc. to be resolved.

As written above, you can assume that every hosting provider (or DNS resolver) is subject to some laws that require cooperation with law enforcement or intelligence agencies.

In our experience, “hobby projects” can be more insecure as they lack frequent maintenance.

You should at least check if your software or operating system supports the features of these servers.

For instance, do you run local DNS software that is able to check authenticity via DNSSEC? Do you have DNS software that can speak DNS-over-TLS or DNS-over-HTTPS?

If your software or operating system doesn’t support this, you can’t use these features.

3 Likes
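The two points in the reply above (what upstream servers see with and without QNAME minimisation, and why a shared cache matters to someone watching the resolver's upstream side) as an added toy model in Python. This is not code from the thread or from any resolver project; the delegation model (every label below the root treated as its own zone), the fixed `192.0.2.1` answer, the clock values and the client names are constructed for the illustration.

```python
"""Toy model of two points in the reply above: what upstream
authoritative servers see with and without QNAME minimisation
(RFC 9156), and how a resolver's shared cache keeps individual
clients out of the upstream traffic. No network is used; all
names, answers and clock values are constructed for the example."""


def delegation_zones(qname):
    """Zones along the delegation chain, root first, e.g.
    'www.example.com.' -> ['.', 'com.', 'example.com.'].
    Simplification: every label below the root is its own delegation."""
    labels = qname.rstrip('.').split('.')
    zones = ['.']
    for i in range(len(labels) - 1, 0, -1):
        zones.append('.'.join(labels[i:]) + '.')
    return zones


def query_plan(qname, minimise=True):
    """Return [(zone, name sent to that zone's servers), ...].

    Without minimisation the full name is sent at every step, so the
    root and TLD servers learn the whole hostname. With minimisation
    each zone only sees one label more than the zone it serves."""
    full = qname.rstrip('.') + '.'
    labels = full.rstrip('.').split('.')
    plan = []
    for zone in delegation_zones(full):
        if minimise:
            zone_labels = 0 if zone == '.' else len(zone.rstrip('.').split('.'))
            sent = '.'.join(labels[-(zone_labels + 1):]) + '.'
        else:
            sent = full
        plan.append((zone, sent))
    return plan


class SharedCacheResolver:
    """Recursive resolver shared by many clients, with a positive cache.

    upstream_log is what an observer of the resolver's *upstream* traffic
    sees (no client identity, and only cache misses); client_log is what
    an observer of the resolver itself sees (every client and query)."""

    def __init__(self, ttl=300):
        self.ttl = ttl
        self.cache = {}          # name -> (answer, expiry time)
        self.upstream_log = []   # names actually sent upstream
        self.client_log = []     # (client, name) for every request

    def _ask_upstream(self, name):
        # Stand-in for real recursion; 192.0.2.0/24 is a documentation range.
        self.upstream_log.append(name)
        return '192.0.2.1'

    def resolve(self, client, name, now):
        """Return (answer, served_from_cache). `now` is a clock in seconds,
        passed in explicitly so the TTL behaviour is easy to reason about."""
        name = name.rstrip('.') + '.'
        self.client_log.append((client, name))
        cached = self.cache.get(name)
        if cached and cached[1] > now:
            return cached[0], True
        answer = self._ask_upstream(name)
        self.cache[name] = (answer, now + self.ttl)
        return answer, False


if __name__ == '__main__':
    for zone, sent in query_plan('www.example.com', minimise=False):
        print(f'no minimisation: {zone:14} sees {sent}')
    for zone, sent in query_plan('www.example.com', minimise=True):
        print(f'minimisation:    {zone:14} sees {sent}')
    r = SharedCacheResolver(ttl=300)
    r.resolve('alice', 'www.example.com', now=0)     # miss: goes upstream
    r.resolve('bob', 'www.example.com', now=10)      # hit: invisible upstream
    r.resolve('carol', 'www.example.com', now=400)   # TTL expired: upstream again
    print('upstream observer saw:', r.upstream_log)
    print('resolver observer saw:', r.client_log)
```

The model makes the reply's caveat concrete: the cache only helps against an observer on the upstream side, who sees one `www.example.com.` query from the resolver and cannot tell alice from bob; anyone who can observe the resolver itself still gets the full `client_log`, and a resolver with an empty or tiny cache (one user, or a resolver that does not cache) forwards a query upstream for nearly every request.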

Before I read, what do you mean by “encrypted”?

I’ve been playing around with setting up Stubby and Unbound, which are recommendations here. The neat thing about Stubby is you can define many DNS over TLS servers, and it will “round robin” among all of them spreading your DNS queries out so there isn’t one server that can be used to track all your queries. Of course you are spreading your footprints around farther, so that’s a trade-off you will need to consider.

DoT is new so finding working servers may be a challenge, but I found a large list here at this forum post:

Unbound is useful because it caches DNS results, making calls faster, and you aren’t connecting to external servers as often.

1 Like
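The Stubby + Unbound split described in the post above, as an added configuration example that is not from the post or from either project's documentation. The addresses, TLS names and file paths are placeholders I chose: `192.0.2.10` and `192.0.2.20` are documentation-range addresses and the `tls_auth_name` values are made up; substitute the address and TLS authentication name each resolver you pick publishes.

```yaml
# /etc/stubby/stubby.yml  (Stubby: speaks DNS-over-TLS to the upstreams)
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS          # TLS only; never fall back to plaintext UDP/TCP
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED   # fail closed if the cert does not match tls_auth_name
tls_query_padding_blocksize: 128  # pad queries so packet sizes leak less about the name
edns_client_subnet_private: 1     # ask upstreams not to pass your subnet to authoritative servers
round_robin_upstreams: 1          # spread queries across all upstreams (the trade-off discussed above)
idle_timeout: 10000
listen_addresses:
  - 127.0.0.1@8053                # Unbound, not the clients, talks to Stubby
  - 0::1@8053
upstream_recursive_servers:
  # placeholders: 192.0.2.0/24 is a documentation range, the names are made up
  - address_data: 192.0.2.10
    tls_auth_name: "dot.resolver-a.example"
  - address_data: 192.0.2.20
    tls_auth_name: "dot.resolver-b.example"

# /etc/unbound/unbound.conf  (Unbound: caches and validates, forwards misses to Stubby)
server:
    interface: 127.0.0.1
    interface: ::1
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    do-not-query-localhost: no                  # required, Stubby listens on localhost
    auto-trust-anchor-file: "/var/lib/unbound/root.key"   # seed it once with unbound-anchor
    harden-dnssec-stripped: yes
    prefetch: yes                               # refresh popular names before their TTL expires
    cache-max-ttl: 86400
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@8053
    forward-addr: ::1@8053
```

With this layout Unbound validates DNSSEC locally and answers repeated queries from its cache, so the upstreams only see cache misses. Two caveats worth knowing before relying on it: Unbound does not apply QNAME minimisation to names it forwards, so in a forwarding setup the minimisation that matters is the one the chosen provider performs, which is exactly why the original question about the provider's QNAME minimisation is the relevant one; and `GETDNS_AUTHENTICATION_REQUIRED` only protects you if `tls_auth_name` matches the certificate the provider really serves, so take it from the provider's published details rather than guessing. Check the files with `unbound-checkconf` and `stubby -i`, then query a DNSSEC-signed name through `127.0.0.1` with `dig +dnssec` and confirm the `ad` flag is set.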