For the very basics, I recommend reading sections 1 - 2 of a previous post. It has good information and sets you up for this article.
Another useful term to know is Anycast. Many DNS servers (including mine) announce the same IP address from several locations, so you only have to set and remember one address or hostname and the routing system automatically sends you to the topologically nearest instance, which is usually the one with the lowest latency.
DoT stands for DNS-over-TLS. It’s a protocol that wraps DNS queries and responses in TLS, normally on TCP port 853. By default, most systems use plaintext DNS, and this is very insecure. Plaintext is . . . plaintext; anyone on the path can snoop on your connection and see what websites you’re visiting, and can tamper with the answers just as easily. If you’re using DNS-over-TLS, the only parties that see your queries are you and the resolver you chose. Bear in mind that the resolver operator still sees everything, and the hostname usually leaks again in the TLS handshake of the HTTPS connection that follows, so DoT protects the lookup, not the whole visit. This article focuses on DoT because it’s more secure and private than plaintext. DNS-over-HTTPS (DoH) is another option but, at the time of writing, far fewer clients support it, it’s more difficult to set up, and there are far fewer DoH providers.
Linux and Android are both fairly simple to set up, but I couldn’t find anything for Windows other than DNS-over-HTTPS (DoH). I couldn’t find anything at all for iOS, but there are instructions for macOS.
Unbound is what I use for DNS on all of my systems. It’s wonderfully easy to use and works very well. Once you’ve used it for a while and have built up a cache, repeated lookups are answered locally without a round trip, so it’s much faster than asking a third-party resolver every time.
(stolen from here)
At minimum, Unbound needs the CA bundle to verify upstream certificates against, plus a forward-zone for "." that sends every query over TLS. The name after # in each forward-addr is what Unbound checks the server’s certificate against; leave it off and the connection is still encrypted but the upstream is not authenticated:

```
server:
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt

forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 22.214.171.124@853#uncensored.any.nixnet.xyz
    forward-addr: 126.96.36.199@853#resolver-eu.lelux.fi
    forward-addr: 188.8.131.52@853#anycast.censurfridns.dk
    forward-addr: 184.108.40.206@853#dns.digitale-gesellschaft.ch
```
A fuller configuration, suitable for running Unbound as a service (do-daemonize: no keeps it in the foreground, which is what a systemd unit expects). The DNSSEC trust anchor is still commented out pending a fix; until that is sorted, Unbound does no DNSSEC validation of its own and trusts whatever the upstream returns:

```
server:
    use-syslog: yes
    do-daemonize: no
    username: "unbound"
    directory: "/etc/unbound"
    # TODO: fix local DNSSEC check
    # trust-anchor-file: trusted-key.key
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt

forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 220.127.116.11@853#uncensored.any.nixnet.xyz
    forward-addr: 18.104.22.168@853#resolver-eu.lelux.fi
    forward-addr: 22.214.171.124@853#anycast.censurfridns.dk
    forward-addr: 126.96.36.199@853#dns.digitale-gesellschaft.ch
```
Using Unbound as a local resolver
```sh
echo "nameserver 127.0.0.1" | sudo tee /etc/resolv.conf && sudo chattr +i /etc/resolv.conf
```

This sets 127.0.0.1 as your nameserver and locks the file by adding the immutable flag (`chattr +i`), so DHCP hooks and network managers cannot quietly put a plaintext resolver back. To remove the flag and make it editable again, run `sudo chattr -i /etc/resolv.conf`. One caveat: on systems running systemd-resolved, /etc/resolv.conf is a symlink into /run; `tee` writes through it into the file resolved manages and `chattr` refuses to set flags on a symlink, so delete the symlink and recreate /etc/resolv.conf as a regular file first.
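As an added example (not code from the original post), here is a shell script that does the Linux steps above in one go and adds the checks worth having: it renders the forward-zone from a list of upstreams, refuses any entry that lacks the #hostname Unbound needs to authenticate the certificate, handles the case where /etc/resolv.conf is a symlink managed by systemd-resolved, and verifies an upstream’s certificate with openssl. It assumes a Debian-style Unbound layout in which unbound.conf includes /etc/unbound/unbound.conf.d/*.conf, systemd, and the upstream addresses listed in the post.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes Debian-style Unbound
# (unbound.conf includes /etc/unbound/unbound.conf.d/*.conf) and systemd.
set -eu

CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
UNBOUND_CONF=/etc/unbound/unbound.conf.d/dot-forward.conf

# Upstreams as IP@port#authname, the exact form Unbound's forward-addr takes.
# The entries are the ones from the post. The name after '#' is what Unbound
# checks the upstream's certificate against; without it TLS is unauthenticated.
UPSTREAMS="22.214.171.124@853#uncensored.any.nixnet.xyz
126.96.36.199@853#resolver-eu.lelux.fi
188.8.131.52@853#anycast.censurfridns.dk
184.108.40.206@853#dns.digitale-gesellschaft.ch"

# Accept only IPv4@853#hostname, so a typo cannot silently produce an entry
# that talks plaintext DNS or skips certificate verification.
validate_upstream() {
    case "$1" in
        *@853#?*) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "${1%%@*}" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Print the unbound.conf fragment for the given upstreams on stdout.
render_unbound_conf() {
    for entry in "$@"; do
        validate_upstream "$entry" || { echo "rejected upstream: $entry" >&2; return 1; }
    done
    printf 'server:\n    tls-cert-bundle: %s\n\n' "$CA_BUNDLE"
    printf 'forward-zone:\n    name: "."\n    forward-tls-upstream: yes\n'
    for entry in "$@"; do
        printf '    forward-addr: %s\n' "$entry"
    done
}

# Write the fragment, syntax-check it, restart Unbound and lock resolv.conf.
# Run as root.
install_dot_config() {
    render_unbound_conf $UPSTREAMS > "$UNBOUND_CONF"
    unbound-checkconf
    systemctl restart unbound
    # On systemd-resolved hosts /etc/resolv.conf is a symlink: writing through
    # it lands in resolved's own file and chattr refuses symlinks, so replace
    # it with a regular file before locking it.
    if [ -L /etc/resolv.conf ]; then
        rm /etc/resolv.conf
    fi
    printf 'nameserver 127.0.0.1\n' > /etc/resolv.conf
    chattr +i /etc/resolv.conf
}

# End-to-end check for one upstream: the local resolver must return an answer,
# and the upstream must present a chain that validates against the bundle for
# its auth name (openssl exits non-zero if the chain or the hostname fails).
check_unbound_dot() {
    ip="${1%%@*}"
    name="${1##*#}"
    dig +short @127.0.0.1 nixnet.xyz | grep -q .
    openssl s_client -connect "$ip:853" -servername "$name" -verify_hostname "$name" \
        -CAfile "$CA_BUNDLE" -verify_return_error < /dev/null > /dev/null
}

# Usage (as root):
#   install_dot_config
#   for u in $UPSTREAMS; do check_unbound_dot "$u"; done
```

The validation is deliberately strict: Unbound will happily accept a forward-addr without a #name, and the only symptom is that the certificate is never checked, so the script makes that a hard error rather than a silent downgrade.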
I know the title is for DNS-over-TLS but, from what I’ve found, DoT on Windows is incredibly difficult and I can’t find much on it. This section tells you how to change your plaintext DNS configuration so you can at least use a private resolver.
- Open the Control Panel
- Click Network and Internet
- Click Network and Sharing Center
- Click Change adapter settings in the left pane
- Right-click the network interface connected to the internet, and select the Properties option
- Select and check the Internet Protocol Version 4 (TCP/IPv4) option
- Click the Properties button
- Click Use the following DNS server addresses
- Enter your primary and secondary DNS addresses. If you’re using mine, the primary would be 188.8.131.52 and the secondary would be from some other provider (such as UncensoredDNS’s).
- Click OK
- The new servers take effect immediately, but run `ipconfig /flushdns` from an administrator prompt (or, as with all things Windows, reboot) so answers cached from the old resolver are discarded.
EDIT: It was pointed out that you can use DoH on Windows using something like Simple DNSCrypt. After installing and getting it set up, it looks like you would just go to the Resolvers tab, disable Automatic Mode, then add whatever custom resolvers you want. I don’t offer DoH yet but there are some providers listed on a friend’s wiki.
I got this tutorial from phiffer.org. I don’t have anything from Apple so I can’t test it but a friend of mine did and said it works.
- Use Homebrew to install `knot-resolver` (`brew install knot-resolver`), then set up a service so it runs on startup with `sudo brew services start knot-resolver`.
- Use your favourite text editor to modify `/usr/local/etc/kresd/config` and add this to the very end of the file:
- Restart the service with `sudo brew services restart knot-resolver`.
- At this point, you should check what DNS server you’re currently using to make sure it actually changes. You can do that with
- Go to Apple Menu > System Preferences > Network > Advanced > DNS then add
- Test again with `kdig nixnet.xyz`. This time, one of the last couple of IP addresses you see should show up as something like
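The macOS steps, as an added shell example that is not from the original post or the knot-resolver project: it writes a kresd TLS forwarding policy for the upstreams listed in the Unbound section, points the chosen network service at the local resolver with networksetup, and checks both hops with kdig. It assumes a Homebrew prefix of /usr/local, the macOS CA bundle at /etc/ssl/cert.pem, and a network service named Wi-Fi; adjust those for your machine. policy.TLS_FORWARD with hostname= and ca_file= is kresd’s documented policy syntax, and targets without a port default to 853.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes Homebrew under /usr/local,
# the macOS CA bundle at /etc/ssl/cert.pem and a network service named Wi-Fi.
set -eu

KRESD_CONF=/usr/local/etc/kresd/config
CA_FILE=/etc/ssl/cert.pem
SERVICE="Wi-Fi"   # see: networksetup -listallnetworkservices

# Render a kresd policy forwarding every query over TLS to the given
# IP@853#hostname upstreams. kresd authenticates a TLS_FORWARD target only by
# hostname= (or a pin), so an entry without '#hostname' is rejected instead of
# being emitted as an unauthenticated target. The port defaults to 853.
render_kresd_policy() {
    for entry in "$@"; do
        case "$entry" in
            *@853#?*) ;;
            *) echo "rejected upstream (need IP@853#hostname): $entry" >&2; return 1 ;;
        esac
    done
    printf 'policy.add(policy.all(policy.TLS_FORWARD({\n'
    for entry in "$@"; do
        printf "    {'%s', hostname='%s', ca_file='%s'},\n" \
            "${entry%%@*}" "${entry##*#}" "$CA_FILE"
    done
    printf '})))\n'
}

# Append the policy to the kresd config and restart the Homebrew service.
install_kresd_policy() {
    render_kresd_policy "$@" | sudo tee -a "$KRESD_CONF" > /dev/null
    sudo brew services restart knot-resolver
}

# Switch the network service to the local resolver. To go back to the
# DHCP-supplied servers later: networksetup -setdnsservers "$SERVICE" empty
use_local_resolver() {
    sudo networksetup -setdnsservers "$SERVICE" 127.0.0.1
    networksetup -getdnsservers "$SERVICE"   # prints 127.0.0.1 on success
}

# Check both hops: the local kresd must answer, and kdig must be able to
# validate the upstream's certificate for its hostname against the bundle.
check_kresd_dot() {
    ip="${1%%@*}"
    name="${1##*#}"
    kdig +short @127.0.0.1 nixnet.xyz A | grep -q .
    kdig +short +tls-ca="$CA_FILE" +tls-hostname="$name" -p 853 @"$ip" nixnet.xyz A | grep -q .
}

# Usage:
#   install_kresd_policy "22.214.171.124@853#uncensored.any.nixnet.xyz" \
#                        "184.108.40.206@853#dns.digitale-gesellschaft.ch"
#   use_local_resolver && check_kresd_dot "22.214.171.124@853#uncensored.any.nixnet.xyz"
```

The second kdig call is the one that matters: +tls-ca and +tls-hostname make kdig fail the query when the upstream’s certificate does not chain to the bundle or does not match the name, which is exactly the check kresd performs for you once the policy is in place.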
Note that built-in DoT (the Private DNS setting, which takes a resolver hostname rather than an IP address) is only available on Android 9 (Pie) and up. For other versions, try Nebulo. I go over the process of installing and using it in my last post. Once you’ve gone through that, you’re pretty much good to go. If you want to add additional servers, tap the server icon, then the plus at the bottom, and add whatever IP addresses or hostnames you’d like. Mine is included by default as NixNet Uncensored, so all you have to do is select it.
The only client I’ve been able to find is DNSCloak. I don’t use iOS so I can’t attest to how well it does or doesn’t work.