It was DNS

Author: Nicolas Dorriere. Reading time: 4 min.

I publicly provide three DNS server endpoints using the DNS over HTTPS and DNSCrypt protocols. This means that the communication between your device and my DNS servers is encrypted: someone attempting a man-in-the-middle attack with mitmproxy or bettercap, or simply capturing port 53 with tcpdump, will be unable to read your queries. (The resolver itself still sees them, which is what the dilution and IP anonymization described below address.)

My servers run AdGuard Home, a DNSCrypt server and Technitium as DNS software, all kept continuously updated.

The AdGuard endpoint is useful for spreading your DNS requests across multiple DNS over HTTPS and DNSCrypt servers, all hosted in Europe with very low latency. I have benchmarked each of them to build a curated list that respects privacy.

The Technitium endpoint is a single DNS over HTTPS recursive resolver (it resolves from the root servers itself, with no upstream), which can be useful for filling in your own list of dispersed servers, such as the one I offer above.

The DNSCrypt endpoint is a single DNSCrypt recursive resolver, which can be useful for the same purpose: filling in your own list of dispersed servers.

Regarding privacy, I host the services in separate LXC containers on my own equipment, connected to a low-latency fiber link. I anonymize all IP addresses that connect to my DNS servers. I do not use the data for anything and do not look at the logs; I have better things to do. Life is short.

Dilution Upstreams Proxy

Software: AdGuard Home (latest)

Endpoint: https://doh-dilution-to-upstreams-adguardhome.nicolas-dorriere.fr/dns-query

Features:

- DNS over HTTPS (TLS terminated by a Caddy reverse proxy)
- dilution max 5%
- self-hosted in France
- adblock
- DNSSEC
- no filter
- no logging
- IP addresses anonymized
- load-balancing mode
- cache
- dashboard not exposed to the internet
- average processing time 30 ms

Screenshot: IP anonymization enabled in AdGuard Home.

Screenshot: the ad-blocklists in use.

Dilution

What is dilution? I use this term to describe a simple idea: each DNS request is systematically sent to a different DNS server, so that no single entity sees all of your queries. This avoids centralization and strengthens privacy.

The DNS servers of Cloudflare (1.1.1.1) and Google (8.8.8.8) concentrate far too many DNS requests. Google likely uses your data to serve ads; Cloudflare likely uses it to improve its products. Still, 1.1.1.1 remains the recursive DNS server with the lowest latency in the world, ahead of Google and the others.

We avoid centralization, as mentioned earlier, and achieve dilution. The more servers there are in the dilution list, the better your privacy.

DNS over HTTPS servers with low latency and respect for privacy (no logging, anonymization) are rare. That's why I offer a public endpoint to help improve the global privacy of internet users.
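To make the dilution idea concrete, here is an added Python example (written for this page; it is not the page's AdGuard Home configuration): a dispatcher that picks a different upstream for each query while refusing any upstream whose share of all queries would exceed a cap, plus a helper that turns per-upstream counts into the kind of percentage table shown under Stats. The ten upstream names are constructed placeholders, the cap and the fallback rule when the cap cannot be honoured are assumptions of this example, and the counts in PAGE_STATS are copied from this page's Stats table only to verify that the helper reproduces the published percentages.

```python
import random
from collections import Counter

# Constructed placeholder upstreams (not the page's real list).
UPSTREAMS = [f"upstream-{i:02d}.example" for i in range(10)]

# Counts copied from this page's Stats table. DNSCrypt entries are labelled by
# the hosting name given in the dilution list; "stamp-6" is the one that only
# appears in the stats.
PAGE_STATS = {
    "https://doh.ffmuc.net:443/dns-query": 4045,
    "dnscrypt: Rackforest": 1952,
    "dnscrypt: CSN-Solutions": 1531,
    "https://dns.nick-slowinski.de:443/dns-query": 1452,
    "https://dns.glf.wtf:443/dns-query": 996,
    "https://dnspub.restena.lu:443/dns-query": 453,
    "dnscrypt: Faelix": 443,
    "https://dns.kescher.at:443/dns-query": 373,
    "dnscrypt: Serverd": 299,
    "dnscrypt: stamp-6": 227,
}


class DilutionDispatcher:
    """Route every query to a randomly chosen upstream, refusing any upstream
    whose share of all queries would exceed `max_share` (the page's
    "dilution max 5%" idea; the exact rule used here is an assumption)."""

    def __init__(self, upstreams, max_share=0.05, seed=None):
        if not upstreams:
            raise ValueError("need at least one upstream")
        self.upstreams = list(upstreams)
        self.max_share = max_share
        self.counts = Counter({u: 0 for u in self.upstreams})
        self.total = 0
        self.rng = random.Random(seed)

    def eligible(self):
        # Eligible if sending one more query there keeps its share <= cap.
        return [u for u in self.upstreams
                if (self.counts[u] + 1) / (self.total + 1) <= self.max_share]

    def pick(self):
        candidates = self.eligible()
        if not candidates:
            # Too few upstreams for this cap (e.g. 10 upstreams at 5%):
            # fall back to the least-used ones so the query still goes out.
            least = min(self.counts.values())
            candidates = [u for u in self.upstreams if self.counts[u] == least]
        choice = self.rng.choice(candidates)
        self.counts[choice] += 1
        self.total += 1
        return choice

    def max_observed_share(self):
        return max(self.counts.values()) / self.total if self.total else 0.0


def share_table(counts):
    """Per-upstream (name, count, percentage) rows, largest share first,
    like the Stats table on this page."""
    total = sum(counts.values())
    rows = [(name, n, round(100.0 * n / total, 2)) for name, n in counts.items()]
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    d = DilutionDispatcher(UPSTREAMS, max_share=0.2, seed=42)
    for _ in range(1000):
        d.pick()
    for name, n, pct in share_table(d.counts):
        print(f"{name:24} {n:5d} {pct:6.2f}%")
    print("max share:", round(d.max_observed_share(), 3))
```

The point of the cap is visible when you run it: with a 20% cap and ten upstreams no single server ends up above one fifth of the traffic, whereas with a 5% cap and only ten upstreams the cap is arithmetically impossible and the dispatcher degrades to round-robin among the least-used servers, which is why the length of the dilution list matters more than the cap value.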

 

Dilution list

Features of the public upstreams in the list:

- DNS over HTTPS (DoH)
- DNSCrypt
- Direct to root servers (no upstream)
- Keeps DNS traffic inside Europe
- 200 ms max latency
- No Cloudflare
- No Google

∴ DoH servers (5)

| URL | Policy | Hosting | Country | Features |
|---|---|---|---|---|
| https://dnspub.restena.lu/dns-query | Link | Restena | Luxembourg | DNSSEC |
| https://dns.kescher.at/dns-query | Link | Netcup | Germany | DNSSEC, supports DoT & DoQ |
| https://doh.ffmuc.net/dns-query | Link | ffmuc | Germany | DNSSEC, no logging, no filter |
| https://dns.glf.wtf/dns-query | Link | Hetzner | Germany | No DNSSEC, blocks ads |
| https://dns.belnet.be/dns-query | Link | Belnet | Belgium | No DNSSEC, no log |

Source list: https://github.com/curl/curl/wiki/DNS-over-HTTPS

∵ DNSCrypt servers (5)

| Stamp | Policy | Hosting | Country | Features |
|---|---|---|---|---|
| sdns://AQcAAAAAAAAADTkxLjEwOC44MC4xNTkgMM6jepDoFl1PnnXwNjbqe-V8hUotmrrq7KhwJbik6A0ZMi5kbnNjcnlwdC1jZXJ0LmRuc2NyeS5wdA | Link | CSN-Solutions | Germany | No filter, no logs, DNSSEC support |
| sdns://AQcAAAAAAAAADTQ1LjE0Ny45OC4yMjMgxrLxuUBUIK0uhJptc75BSbkhou5kHDMi2p4AHf0zHgMWMi5kbnNjcnlwdC1jZXJ0LmRjdC1mcg | not found | Serverd | France | Non-logging, non-filtering, DNSSEC |
| sdns://AQYAAAAAAAAAEjQ2LjIyNy4yMDAuNTQ6ODQ0MyB-y-8-LwGAMo1g4OHR7CPk6HfY6gmhk3AaBNazwL6L4R8yLmRuc2NyeXB0LWNlcnQucmRucy5mYWVsaXgubmV0 | not found | Faelix | United Kingdom | Non-logging, non-filtering |
| sdns://AQcAAAAAAAAADjE5My4yMDEuMTg4LjQ4IBERKdQJgLSjqCSK99e2f_WRTQzEq9__DeXlQFvxxhZ6GzIuZG5zY3J5cHQtY2VydC5uczIua3NvbC5pbw | not found | Rackforest Zrt. | Hungary | Non-logging, non-filtering, DNSSEC enforced |
| sdns://AQcAAAAAAAAADTE0Ni43MC42Ni4yMjcgMTNyrVlWMsJBa4cvCY-FG925ZShMbL6aTxkJZDDbqVoeMi5kbnNjcnlwdC1jZXJ0LmNyeXB0b3N0b3JtLmlz | cryptostorm.is | m247 | Romania | No log, open source config, decentralized organization |

Public list: https://dnscrypt.info/public-servers/
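Before adding one of these stamps to a dilution list it is worth checking what it actually encodes: the server address, the provider name, and the DNSSEC / no-logs / no-filter flags that the Features column summarises. The following DNS stamp parser is an added example written for this page, not part of the page's services or of any of the projects listed; it implements the public DNS Stamps layout for DNSCrypt (type 0x01) and DoH (type 0x02) stamps. Its inputs are the Faelix stamp from the table above and the author's own DNSCrypt recursive-resolver stamp published further down this page.

```python
import base64
import struct

# Bit flags of the 64-bit little-endian "props" field shared by all stamp types.
PROP_DNSSEC = 1 << 0
PROP_NO_LOGS = 1 << 1
PROP_NO_FILTER = 1 << 2

# Stamps copied from this page.
FAELIX_STAMP = ("sdns://AQYAAAAAAAAAEjQ2LjIyNy4yMDAuNTQ6ODQ0MyB-y-8-LwGAMo1g4OHR7CPk6Hf"
                "Y6gmhk3AaBNazwL6L4R8yLmRuc2NyeXB0LWNlcnQucmRucy5mYWVsaXgubmV0")
AUTHOR_STAMP = ("sdns://AQcAAAAAAAAAETkwLjQ2LjIwNi4yNDg6NDQzIBliqCXeEXeous1YRa1T3AIXMpYm"
                "K-Cz4yaK62AyQiOcRzIuZG5zY3J5cHQtY2VydC5kbnNjcnlwdC1yZWN1cnNpdmUtdG8t"
                "cm9vdC11ZHAtb25seS5uaWNvbGFzLWRvcnJpZXJlLmZy")


class _Reader:
    """Cursor over the decoded stamp bytes with bounds checking."""

    def __init__(self, data):
        self.data = data
        self.pos = 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("stamp truncated")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def lp(self):
        # Length-prefixed field: one length byte, then that many bytes.
        return self.take(self.take(1)[0])

    def vlp(self):
        # List of LP fields; bit 7 of a length byte set means another item follows.
        items = []
        while True:
            n = self.take(1)[0]
            items.append(self.take(n & 0x7F))
            if not n & 0x80:
                return items


def parse_stamp(stamp):
    """Decode an sdns:// stamp into a dict of its fields."""
    if not stamp.startswith("sdns://"):
        raise ValueError("not a DNS stamp")
    b64 = stamp[len("sdns://"):]
    raw = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    r = _Reader(raw)
    proto = r.take(1)[0]
    (props,) = struct.unpack("<Q", r.take(8))
    out = {
        "protocol": {0x01: "DNSCrypt", 0x02: "DoH"}.get(proto, f"0x{proto:02x}"),
        "dnssec": bool(props & PROP_DNSSEC),
        "no_logs": bool(props & PROP_NO_LOGS),
        "no_filter": bool(props & PROP_NO_FILTER),
    }
    if proto == 0x01:
        out["address"] = r.lp().decode()
        pk = r.lp()
        if len(pk) != 32:
            raise ValueError("DNSCrypt provider public key must be 32 bytes")
        out["provider_pk"] = pk.hex()
        out["provider_name"] = r.lp().decode()
    elif proto == 0x02:
        out["address"] = r.lp().decode()          # may be empty or port-only
        out["cert_hashes"] = [h.hex() for h in r.vlp()]
        out["hostname"] = r.lp().decode()
        out["path"] = r.lp().decode()
        if r.pos < len(raw):                      # optional trailing bootstrap IPs
            out["bootstrap_ips"] = [ip.decode() for ip in r.vlp()]
    else:
        raise ValueError(f"unsupported stamp type 0x{proto:02x}")
    if r.pos != len(raw):
        raise ValueError("trailing bytes in stamp")
    return out


if __name__ == "__main__":
    for s in (FAELIX_STAMP, AUTHOR_STAMP):
        info = parse_stamp(s)
        flags = [k for k in ("dnssec", "no_logs", "no_filter") if info[k]]
        print(info["protocol"], info["address"], info["provider_name"], flags)
```

Running it shows the Faelix stamp advertises no-logs and no-filter but not DNSSEC, matching its Features cell, while the author's stamp sets all three flags and points at the 90.46.206.248:443 UDP endpoint. The parser raises on a truncated or wrongly sized stamp rather than returning partial data, which is the behaviour you want before a stamp is pasted into a client configuration.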

Stats

The percentages in the table below show how the requests are dispatched across the DNS servers in AdGuard's list. For example, the server receiving the most requests, doh.ffmuc.net, sees at most 34.36% of my DNS traffic, while the DNSCrypt server whose stamp begins sdns://AQcAAAAAAAAAK1syMDAxOjliMTo0 sees only 1.93%.

| DNS resolver | Count | Percentage |
|---|---|---|
| https://doh.ffmuc.net:443/dns-query | 4,045 | 34.36% |
| sdns://AQcAAAAAAAAADjE5My4yMDEuMTg4LjQ4IBERKdQJgLSjqCSK99e2f_WRTQzEq9__DeXlQFvxxhZ6GzIuZG5zY3J5cHQtY2VydC5uczIua3NvbC5pbw | 1,952 | 16.58% |
| sdns://AQcAAAAAAAAADTkxLjEwOC44MC4xNTkgMM6jepDoFl1PnnXwNjbqe-V8hUotmrrq7KhwJbik6A0ZMi5kbnNjcnlwdC1jZXJ0LmRuc2NyeS5wdA | 1,531 | 13.01% |
| https://dns.nick-slowinski.de:443/dns-query | 1,452 | 12.34% |
| https://dns.glf.wtf:443/dns-query | 996 | 8.46% |
| https://dnspub.restena.lu:443/dns-query | 453 | 3.85% |
| sdns://AQYAAAAAAAAAEjQ2LjIyNy4yMDAuNTQ6ODQ0MyB-y-8-LwGAMo1g4OHR7CPk6HfY6gmhk3AaBNazwL6L4R8yLmRuc2NyeXB0LWNlcnQucmRucy5mYWVsaXgubmV0 | 443 | 3.76% |
| https://dns.kescher.at:443/dns-query | 373 | 3.17% |
| sdns://AQcAAAAAAAAADTQ1LjE0Ny45OC4yMjMgxrLxuUBUIK0uhJptc75BSbkhou5kHDMi2p4AHf0zHgMWMi5kbnNjcnlwdC1jZXJ0LmRjdC1mcg | 299 | 2.54% |
| sdns://AQcAAAAAAAAAK1syMDAxOjliMTo0NWJjOmZmMDA6MjBjOjI5ZmY6ZmUxYzpjMTJhXTo0NDMgF2us8UFijhQlRmAOf1z01hCVm96g7FHq-C3VnpJ53XQjMi5kbnNjcnlwdC1jZXJ0LmhsaW5jb3JlLnNlY3VyZS5kbnM | 227 | 1.93% |

Recursive Resolver

ᐉ Software: Technitium (latest)

Endpoint: https://doh-recursive-to-root.technitium.nicolas-dorriere.fr/dns-query

Features (Technitium):

- DNS over HTTPS (TLS terminated by a Caddy reverse proxy)
- Unbound: no upstream, resolves from the ICANN root servers
- DNSSEC
- EDNS
- Self-hosted in France
- No logging
- No filter
- No adblock
- Dashboard not exposed to the internet
- Cache (100k entries)

 

ᐉ Software: DNSCrypt server (latest)

Endpoint (stamp): sdns://AQcAAAAAAAAAETkwLjQ2LjIwNi4yNDg6NDQzIBliqCXeEXeous1YRa1T3AIXMpYmK-Cz4yaK62AyQiOcRzIuZG5zY3J5cHQtY2VydC5kbnNjcnlwdC1yZWN1cnNpdmUtdG8tcm9vdC11ZHAtb25seS5uaWNvbGFzLWRvcnJpZXJlLmZy

Features:

- DNSCrypt v2 (protocol)
- Unbound: no upstream, resolves from the ICANN root servers
- DNSSEC
- EDNS
- Cache (key cache)
- UDP only (sorry: I only have one public IP, TCP port 443 is already used by Caddy for a static website, and my ISP does not provide NAT for IPv6)
- No upstreams
- No logging
- No filter
- No adblock

 


iOS DoH client

Most DNS apps on the App Store are just wrappers that force a local VPN connection or a heavy Swift GUI. This drains your battery, occupies your VPN slot and adds unnecessary overhead. You don't need them: Apple has native, system-level support for encrypted DNS.

 

Profile generator: dns-mobile-config.nicolas-dorriere.fr
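What such a profile contains, as an added example that is neither the page's generator nor fyr77's signer code: an unsigned .mobileconfig built with Python's standard plistlib, using Apple's com.apple.dnsSettings.managed payload with DNSProtocol set to HTTPS. The endpoint is the AdGuard DoH endpoint from this page; the identifier prefix and display name are placeholder values chosen for this example. A real generator signs the resulting profile afterwards, which this example does not do.

```python
import plistlib
import uuid

# The DoH endpoint published on this page; prefix and name are placeholders.
DOH_URL = "https://doh-dilution-to-upstreams-adguardhome.nicolas-dorriere.fr/dns-query"
IDENTIFIER_PREFIX = "example.dns-profile"
DNS_PAYLOAD_TYPE = "com.apple.dnsSettings.managed"


def build_doh_profile(server_url, display_name="Encrypted DNS (DoH)",
                      identifier_prefix=IDENTIFIER_PREFIX,
                      prohibit_disablement=False):
    """Return an unsigned .mobileconfig (XML plist) as bytes that makes iOS/macOS
    resolve DNS over HTTPS through `server_url` at the system level."""
    if not server_url.startswith("https://"):
        # DoH requires TLS; a plain http:// URL would silently downgrade privacy.
        raise ValueError("DoH ServerURL must be an https:// URL")
    dns_payload = {
        "PayloadType": DNS_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{identifier_prefix}.dns",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "DNSSettings": {
            "DNSProtocol": "HTTPS",
            "ServerURL": server_url,
        },
        # When true, the user cannot switch the encrypted resolver off per network.
        "ProhibitDisablement": prohibit_disablement,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier_prefix,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadContent": [dns_payload],
    }
    return plistlib.dumps(profile)


def describe_profile(blob):
    """Parse a profile back and return (protocol, server) for each DNS payload,
    a quick check to run on any downloaded profile before installing it."""
    doc = plistlib.loads(blob)
    found = []
    for item in doc.get("PayloadContent", []):
        if item.get("PayloadType") == DNS_PAYLOAD_TYPE:
            s = item["DNSSettings"]
            found.append((s["DNSProtocol"], s.get("ServerURL") or s.get("ServerName")))
    return found


if __name__ == "__main__":
    blob = build_doh_profile(DOH_URL)
    print(blob.decode())
    print(describe_profile(blob))
```

The describe_profile check is the part worth keeping around: a .mobileconfig is just a plist, so before trusting one you can list exactly which resolver it will send every query to, and confirm the protocol is HTTPS rather than a plain-text server address.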

 
Transparency & Credits

This project is a fork of fyr77's original work; all credit for the base logic goes to them. My version features a cleaner, simplified frontend and runs on my own infrastructure, using Caddy as a reverse proxy to handle TLS.

Signer repo: https://codeberg.org/fyr77/dns-mobileconfig-signer

 
