DNS Privacy Clients


Operating systems

As of release 239 systemd-resolved now supports opportunistic DNS-over-TLS - see   the resolved.conf man page. The release notes say:

systemd-resolved now supports DNS-over-TLS. It’s still turned off by default, use DNSOverTLS=opportunistic to turn it on in resolved.conf. We intend to make this the default as soon as couple of additional techniques for optimizing the initial latency caused by establishing a TLS/TCP connection are implemented.

However see this ISOC article on some issues with this implementation.

Local forwarders


Recommended: See the DNS Privacy Daemon - Stubby web page for how to use Stubby as a local DNS Privacy stub resolver on your desktop or laptop!


Unbound can be run as a local caching forwarder, configured to use SSL upstream, however it cannot yet send several of the privacy related options (padding, ECS privacy) etc. The 1.7.1 release of Unbound supports authentication of upstream recursive resolvers using an authentication domain name (i.e. PKIX authentication) if a certificate bundle is configured. The 1.13.1 release can re-use upstream connections. An example minimal config is given below.


  • This uses Cloudflare for simplicity and testing purposes, modify this to the resolver of your choice from e.g. the stubby config file!
  • Update the path to the cert bundle to a locally installed cert.pem file so that connections can be authenticated. The path will depend on your OS and installation.
    directory: "/etc/unbound"
    username: unbound
    chroot: "/etc/unbound"
    # logfile: "/etc/unbound/unbound.log"  #uncomment to use logfile.
    pidfile: "/etc/unbound/unbound.pid"
    # verbosity: 1      ## uncomment and increase to get more logging.
    # listen on local host, port 53
    interface: 0::1@53
    prefetch: yes
    hide-identity: yes
    hide-version: yes
    do-not-query-localhost: no
    # specifiy a path to a local certificate bundle to authenticate connections
    tls-cert-bundle: "/etc/ssl/cert.pem"
        name: "."
        forward-tls-upstream: yes

Unbound/Stubby combination

Some user combine Unbound (as a caching proxy with other features such as DNS Blacklisting) and Stubby (as fully featured TLS forwarder).

Or, if you want to set this up yourself, an example config for this is:

Unbound config

  use-syslog: yes
  username: "unbound"
  directory: "/etc/unbound"
  trust-anchor-file: trusted-key.key
  root-hints: "/etc/unbound/root.hints"
  do-not-query-localhost:  no
  name: "."
    forward-addr: ::1@8053

Stubby config

tls_query_padding_blocksize: 256
edns_client_subnet_private : 1
idle_timeout: 10000
  -  0::1@8053
round_robin_upstreams: 1

Knot resolver

As of the 2.0.0 release knot resolver can also forward queries over TLS!


Bind does not support TLS natively but can be configured to run behind a local TLS proxy such as stunnel.

Lars de Bruin has kindly created a docker image which uses BIND as a caching local resolver with Stubby as a TLS forwarder.


Platform Status
Android Android supports DNS-over-TLS in the Android P Developer Preview. Also see this talkgiven by the Android developers at NDSS DNS Privacy workshop 2018: Video, Slides
Quad 9 has an App: Quad9 Connect
iOS Work in underway on a Stubby iOS app, however it is currently blocked by an implementation restriction.
Cloudflare has an app call - it does DoH by default but will also do DoT but only uses



Tenta is a browser for Android that encrypts DNS queries using DNS-over-TLS

Command line clients

If you want a DNS Privacy enabled command line tool or a library then choose from one of the following:


    -   getdns_query @\<serverIP> -s -a -A -l T   (Pipelined TCP queries)
    -   getdns_query @\<serverIP> -s -a -A -l L   (Pipelined TLS queries)
    -   getdns_query @\<serverIP> -s -a -A -l LT  (Pipelined TLS queries with fallback to TCP)
    -   getdns_query @\~ -s -a -A -l L -m         (Pipelined TLS queries in strict mode using server hostname for authentication)
  • Daemon mode: see the DNS Privacy Daemon - Stubby page

LDNS (drill) 1.6.17

Source: ldns 1.6.17 source code available from this link to NLNet Labs: ldns-1.6.7

Patch: Grab and apply the patch to ldns-1.6.17 from out git repository. Also see the notes here.

Query: To query this with drill use: (the IP address is used here simply to stop the server name resolution falling back to TCP because your local resolver doesn’t support DNS-over-TLS).

* drill -t          @<serverIP>  <query name>    (to see TCP query)
* drill -l -p1021   @<serverIP>  <query name>    (to see TLS query)
* drill -C          @<serverIP>  <query name>    (to see STARTTLS query)
* drill -C -D       @<serverIP>  <query name>    (to do a DNSSEC lookup using STARTTLS)


See https://knot.readthedocs.io/en/stable/man_kdig.html





  • Firefox
  • Bromite (https://www.bromite.org/)
    • What is Bromite? It is a fork of Chromium (https://www.chromium.org/): “Bromite is Chromium plus ad blocking and privacy enhancements; take back your browser! Bromite aims at providing a no-clutter browsing experience without privacy-invasive features and with the addition of a fast ad-blocking engine.” Note that at the moment Bromite is only for Android, it currently does not provide builds for desktop.
    • In release 67.0.3396.88 Bromite has enabled the underlying DoH implementation in Chromium by exposing configuration options (via chrome://flags). Today the choice is either Google or Cloudflare DoH servers but it is up to the user to choose: https://github.com/bromite/bromite/wiki/Enabling-DNS-over-HTTPS
  • Chrome
    • Chrome has a full DoH implementation but the configuration for it is not exposed. However if you want to try it out use something like the following example for macOS:

      /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --enable-features="dns-over-https<DoHTrial" --force-fieldtrials="DoHTrial/Group1" --force-fieldtrial-params="DoHTrial.Group1:server/https%3A%2F%2Fcloudflare-dns%2Ecom%2Fdns-query/method/POST"



AdGuard’s dnsproxy supports DoQ, also see AdGuardHome