Operating systems

As of release 239 systemd-resolved now supports opportunistic DNS-over-TLS - see   the resolved.conf man pageThe release notes say:

systemd-resolved now supports DNS-over-TLS. It's still
turned off by default, use DNSOverTLS=opportunistic to turn it on in
resolved.conf. We intend to make this the default as soon as couple
of additional techniques for optimizing the initial latency caused by
establishing a TLS/TCP connection are implemented.

Local forwarders


Recommended: See the DNS Privacy Daemon - Stubby web page for how to use Stubby as a local DNS Privacy stub resolver on your desktop or laptop!


Unbound can be run as a local caching forwarder, configured to use SSL upstream, however it cannot yet re-use TCP/TLS connections or send several of the privacy related options (padding, ECS privacy) etc. The 1.7.1 release of Unbound supports authentication of upstream recursive resolvers using an authentication domain name (i.e. PKIX authentication) if a certificate bundle is configured. An example minimal config is given below.


  • This uses Cloudflare for simplicity and testing purposes, modify this to the resolver of your choice from e.g. the stubby config file!
  • Update the path to the cert bundle to a locally installed cert.pem file so that connections can be authenticated. The path will depend on your OS and installation.
    directory: "/etc/unbound"
    username: unbound
    chroot: "/etc/unbound"
    # logfile: "/etc/unbound/unbound.log"  #uncomment to use logfile.
    pidfile: "/etc/unbound/"
    # verbosity: 1      # uncomment and increase to get more logging.
    # listen on local host, port 53
    interface: 0::1@53
    prefetch: yes
    hide-identity: yes
    hide-version: yes
    do-not-query-localhost: no
    # specifiy a path to a local certificate bundle to authenticate connections
    tls-cert-bundle: "/etc/ssl/cert.pem"
        name: "."
        forward-tls-upstream: yes

Unbound/Stubby combination

Some user combine Unbound (as a caching proxy with other features such as DNS Blacklisting) and Stubby (as fully featured TLS forwarder).

Or, if you want to set this up yourself, an example config for this is:

Unbound config

  use-syslog: yes
  username: "unbound"
  directory: "/etc/unbound"
  trust-anchor-file: trusted-key.key
  root-hints: "/etc/unbound/root.hints"
  do-not-query-localhost:  no
  name: "."
    forward-addr: ::1@8053

Stubby config

tls_query_padding_blocksize: 256
edns_client_subnet_private : 1
idle_timeout: 10000
  -  0::1@8053
round_robin_upstreams: 1

Knot resolver

As of the 2.0.0 release knot resolver can also forward queries over TLS!


Bind does not support TLS natively but can be configured to run behind a local TLS proxy such as stunnel.

Lars de Bruin has kindly created a docker image which uses BIND as a caching local resolver with Stubby as a TLS forwarder.



Android supports DNS-over-TLS in the Android P Developer Preview. Also see this talk
given by the Android developers at NDSS DNS Privacy workshop 2018:
Video, Slides

iOSWork in underway on an iOS app, however it is currently blocked by an implementation restriction.



Tenta is a browser for Android that encrypts DNS queries using DNS-over-TLS

Command line clients

If you want a DNS Privacy enabled command line tool or a library then choose from one of the following:


  • Website:
    • getdns supports multiple features related to DNS privacy including persistent connections, strict and opportunistic privacy profiles and TLS authentication by hostname of SPKI pinset
  • API spec:
  • Source:
    • See the first few sections on the DNS Privacy Daemon - Stubby page for instructions on how to install and build getdns as a local stub resolver with TLS support from source.
  • API: Use the api directly via C or any of the available language bindings (Python, Java, nodejs, PHP)
  • getdns_query: Use API directly, or use with the wrapper script getdns_query (run 'make getdns_query' then getdns_query is found in the test directory):
    • getdns_query @<serverIP> -s -a -A -l T  (Pipelined TCP queries)
    • getdns_query @<serverIP> -s -a -A -l L   (Pipelined TLS queries)
    • getdns_query @<serverIP> -s -a -A -l LT  (Pipelined TLS queries with fallback to TCP)
    • getdns_query @<serverIP>~<hostname> -s -a -A -l L -m (Pipelined TLS queries in strict mode using server hostname for authentication)
  • Daemon mode: see the DNS Privacy Daemon - Stubby page

LDNS (drill) 1.6.17

  • Source: ldns 1.6.17 source code available from this link to NLNet Labs: ldns-1.6.7
  • Patch: Grab and apply the patch to ldns-1.6.17 from out git repository. Also see the notes here.
  • Query: To query this with drill use: (the IP address is used here simply to stop the server name resolution falling back to TCP because your local resolver doesn't support DNS-over-TLS).

    • drill -t             @<serverIP>  <query name>    (to see TCP query)

    • drill -l -p1021 @<serverIP>  <query name>    (to see TLS query)

    • drill -C           @<serverIP>  <query name   (to see STARTTLS query)

    • drill -C -D      @<serverIP>  <query name>    (to do a DNSSEC lookup using STARTTLS)






There is an Android App called 'Intra' which can be used to send all queries from the device over DOH to either Cloudflare or Google


  • No labels