DNS Privacy Project


If you are interested in running your own DNS-over-TLS server this page provides some ideas...

Pick your software

See the Implementations page for the features currently supported in the various open source nameserver implementations.

Don't forget that you can also run a TLS proxy in front of any nameserver (and there is a Docker image for doing this with BIND).


Example configurations can be found on this site for:

To authenticate or not?

In order to allow users to authenticate the server it needs to be configured with a certificate.

It is also helpful to provide the pinset for the certificate (the SHA-256 fingerprint of the public key) as an alternative validation mechanism. If you decide to do this, it is recommended to use the same key when renewing the certificate, to avoid having to manage key rollovers, and also to provide 2 keys to enable key roll. Also see how to generate an SPKI pinset.

Many of the existing servers use the great service at Let's Encrypt to obtain certificates. It has become clear that it is not obvious how to renew a certificate with the same key, so we have a short guide on Let's Encrypt Key renewal.
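As an added example (not from the original page or the DNS Privacy Project), the script below computes the SPKI pin with the openssl command line tool and shows that a certificate renewed with the same key keeps its pin, while a second (backup) key contributes a second pin. The host name dot.example.net, the file names and the self-signed certificates standing in for CA-issued ones are assumptions.

```shell
#!/bin/sh
# Added example. Host name, file names and the self-signed "issuance" are constructed.
set -eu

# Pin = base64(SHA-256(DER SubjectPublicKeyInfo)), taken from a certificate.
spki_pin_from_cert() {
  openssl x509 -in "$1" -noout -pubkey |
    openssl pkey -pubin -outform der |
    openssl dgst -sha256 -binary | openssl enc -base64
}

# Same pin computed straight from a private key, so a backup key that has
# no certificate yet can still be listed in the pinset ahead of a key roll.
spki_pin_from_key() {
  openssl pkey -in "$1" -pubout -outform der |
    openssl dgst -sha256 -binary | openssl enc -base64
}

# Generate a P-256 private key at path $1.
new_key() { openssl ecparam -name prime256v1 -genkey -noout -out "$1"; }

# Self-signed stand-in for a CA-issued certificate: $1 = key, $2 = cert out.
issue_cert() {
  openssl req -new -x509 -key "$1" -subj "/CN=dot.example.net" -days 90 -out "$2"
}

# Build the constructed scenario in directory $1.
build_demo() {
  new_key "$1/active.key"
  new_key "$1/backup.key"
  issue_cert "$1/active.key" "$1/first.crt"     # initial certificate
  issue_cert "$1/active.key" "$1/renewed.crt"   # renewal reusing the same key
}

# Print the two-entry pinset: active key first, backup key second.
pinset() {
  spki_pin_from_cert "$1/renewed.crt"
  spki_pin_from_key "$1/backup.key"
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
build_demo "$demo_dir"
echo "pin before renewal: $(spki_pin_from_cert "$demo_dir/first.crt")"
echo "pin after renewal:  $(spki_pin_from_cert "$demo_dir/renewed.crt")"
echo "pinset (active, backup):"; pinset "$demo_dir"
```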


A fork of dnsperf now exists that supports TCP. In future TLS support will also be added. 

Monitor your server

Stephane Bortzmeyer has written a basic Nagios plugin, available on GitHub, that monitors DNS-over-TLS servers using getdns. We will soon use it to provide a dashboard of the available Privacy servers.
