Encrypted DNS (DoH/DoT/DNSCrypt)
DNS-MNS supports testing DNS over HTTPS (DoH), DNS over TLS (DoT), and DNSCrypt providers. These encrypted DNS protocols offer enhanced privacy and can help bypass DNS-based censorship.
What is Encrypted DNS?
DNS over HTTPS (DoH)
DoH carries DNS queries inside HTTPS (port 443), so on the wire the traffic blends in with ordinary web traffic and is harder to detect or block.
Benefits:
- Hides DNS queries from your ISP
- Bypasses DNS-based blocking
- Uses port 443 (same as HTTPS), rarely blocked
DNS over TLS (DoT)
DoT encrypts DNS queries using TLS (port 853). It provides the same encryption as DoH but uses a dedicated port.
Benefits:
- Hides DNS queries from your ISP
- Lower overhead than DoH (no HTTP layer)
- Dedicated port makes it easier to identify and manage
DNSCrypt
DNSCrypt encrypts DNS queries using a protocol specifically designed for DNS. Unlike DoH and DoT, it does not rely on Certificate Authorities — instead, it uses pre-distributed public keys embedded in DNS stamps (sdns://...).
Benefits:
- Encrypts DNS from the very first packet (no plaintext handshake)
- No reliance on Certificate Authorities
- Cannot be MITMed or downgraded
- Uses DNS stamps for easy server configuration
- Supports both UDP and TCP transports
Testing DoH/DoT Providers
From the main menu, select option [4] Test DoH/DoT DNS to test encrypted DNS providers.
How It Works
- The tool tests each provider’s DoH endpoint (if available)
- The tool tests each provider’s DoT endpoint
- Results are displayed showing response times and success/failure
- Working providers are ranked by response time
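To make concrete what the tool sends to a DoH endpoint, here is an added Python example (it is not DNS-MNS code). It builds a standard DNS wire-format query, wraps it in the two request forms RFC 8484 defines (GET with a base64url `dns` parameter, and POST with the `application/dns-message` body), and parses a wire-format answer, including the name-compression pointers real resolvers use. The response bytes and the 192.0.2.1 address are constructed for the example, not the result of a real lookup.

```python
import base64
import ipaddress
import struct

# Added example, not DNS-MNS code. It shows the bytes a DoH client actually
# sends: a standard DNS wire-format query (RFC 1035) carried in an HTTPS
# request (RFC 8484), and how the wire-format answer is read back.
# SAMPLE_RESPONSE below is constructed by hand; 192.0.2.1 is a documentation
# address, not a real lookup result.

TYPE_A, TYPE_AAAA = 1, 28


def build_query(name: str, qtype: int = TYPE_A) -> bytes:
    """Build a minimal DNS query for `name`.

    ID is 0 as RFC 8484 recommends for DoH: identical queries then produce
    identical request bytes, which lets HTTP caches work."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN


def doh_get_url(endpoint: str, query: bytes) -> str:
    """GET form: the query goes in ?dns= as base64url without '=' padding."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={encoded}"


def doh_post_request(endpoint: str, query: bytes) -> dict:
    """POST form: raw wire-format body with the DoH media type."""
    return {"url": endpoint, "method": "POST",
            "headers": {"Content-Type": "application/dns-message",
                        "Accept": "application/dns-message"},
            "body": query}


def _read_name(msg: bytes, off: int) -> tuple:
    """Decode a domain name, following RFC 1035 compression pointers."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:           # pointer: 2 bytes, top 2 bits set
            pointer = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, pointer
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_response(msg: bytes) -> dict:
    """Return the RCODE and the answer records of a wire-format response."""
    ident, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):                 # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == TYPE_A and rdlen == 4:
            data = str(ipaddress.IPv4Address(rdata))
        elif rtype == TYPE_AAAA and rdlen == 16:
            data = str(ipaddress.IPv6Address(rdata))
        else:
            data = rdata.hex()
        answers.append({"name": name, "type": rtype, "ttl": ttl, "data": data})
    return {"id": ident, "rcode": flags & 0xF, "answers": answers}


# Constructed response to build_query("example.com"): NOERROR, one A record
# whose owner name is a compression pointer (0xC00C) back to the question.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)        # QR=1 RD=1 RA=1
    + b"\x07example\x03com\x00" + struct.pack("!HH", TYPE_A, 1)
    + b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, 1, 300, 4)
    + ipaddress.IPv4Address("192.0.2.1").packed
)

if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_get_url("https://1.1.1.1/dns-query", q))
    print(parse_response(SAMPLE_RESPONSE))
```

Sending the GET URL or the POST request to one of the DoH endpoints listed below with any HTTPS client yields bytes that `parse_response` reads directly; the fixed ID of 0 is deliberate for DoH and would be a bad idea for plain UDP DNS, where the ID is part of the spoofing defence.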
Understanding Results
```text
#1 Cloudflare
DoH URL: https://1.1.1.1/dns-query
DoT IP: 1.1.1.1:853
Status: DoH:45ms / DoT:52ms
SNI Host: cloudflare-dns.com
```
- DoH URL: The HTTPS endpoint for DNS queries
- DoT IP: The IP address and port for TLS connections
- Status: Response times for DoH and DoT (or “Failed” if not working)
- SNI Host: The hostname used for TLS Server Name Indication
Providers Tested
The tool tests 24+ DoH/DoT providers including:
International Providers
| Provider | DoH URL | DoT IP | SNI Host |
|---|---|---|---|
| Cloudflare | https://1.1.1.1/dns-query | 1.1.1.1:853 | cloudflare-dns.com |
| Google | https://8.8.8.8/dns-query | 8.8.8.8:853 | dns.google |
| Quad9 | https://9.9.9.9/dns-query | 9.9.9.9:853 | dns.quad9.net |
| AdGuard | https://94.140.14.14/dns-query | 94.140.14.14:853 | dns.adguard.com |
| Mullvad | https://194.242.2.2/dns-query | 194.242.2.2:853 | dns.mullvad.net |
| ControlD | https://76.76.2.2/dns-query | 76.76.2.2:853 | freedns.controld.com |
Regional Providers (Iran)
| Provider | DoH URL | DoT IP | SNI Host |
|---|---|---|---|
| Shecan | https://178.22.122.100/dns-query | 178.22.122.100:853 | shecan.ir |
| Electro | https://37.152.182.112/dns-query | 37.152.182.112:853 | electrotm.org |
| RadarGame | https://10.202.10.10/dns-query | 10.202.10.10:853 | radar.game |
| 403Online | https://10.202.10.202/dns-query | 10.202.10.202:853 | 403.online |
| Yandex | https://77.88.8.8/dns-query | 77.88.8.8:853 | common.dot.dns.yandex.net |
| AliDNS | https://223.5.5.5/dns-query | 223.5.5.5:853 | dns.alidns.com |
Why IP-Based Endpoints?
In Iran and other regions with DNS filtering, domain-based DoH endpoints (like cloudflare-dns.com) are often blocked. The tool primarily uses IP-based endpoints (like https://1.1.1.1/dns-query) which are:
- Harder to block via DNS filtering
- Less likely to be on blocklists
- More reliable in restricted networks
The SNI (Server Name Indication) hostname is still sent in the clear during the TLS handshake: the server needs it to present the right certificate, and the client validates that certificate against it. Because it is visible on the wire, a network can still match on the SNI hostname even when the endpoint itself is an IP address.
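The following added Python example (not DNS-MNS code, and not the tool's own probe) performs the checks behind the "DoT IP / SNI Host / Status" lines shown earlier: a plain TCP reachability test, and a TLS handshake to the raw IP with the SNI hostname supplied so that the certificate is validated against the provider's name rather than the address. Certificate failures are reported separately from reachability failures, which is the distinction the Troubleshooting section below relies on. `local_reachability_demo` uses a temporary loopback listener so the block runs offline; the live call against 1.1.1.1 is left commented out.

```python
import socket
import ssl
import struct
import time

# Added example, not DNS-MNS code. It performs the two checks behind a
# "DoT IP / SNI Host / Status" line: is ip:853 reachable, and does a TLS
# handshake to that IP succeed when the certificate is validated against
# the SNI hostname rather than the IP.


def check_tcp_port(ip: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP connection to ip:port completes within timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def dot_frame(query: bytes) -> bytes:
    """DNS over TLS (RFC 7858) prefixes each message with its 2-byte length."""
    return struct.pack("!H", len(query)) + query


def probe_dot(ip: str, sni_host: str, port: int = 853, timeout: float = 5.0) -> dict:
    """TCP connect + TLS handshake, validating the certificate for sni_host.

    Returns {"ok": True, "ms": ...} on success or {"ok": False, "error": ...},
    with certificate problems reported separately from reachability problems."""
    ctx = ssl.create_default_context()  # verifies the chain and hostname == sni_host
    start = time.monotonic()
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni_host) as tls:
                ms = round((time.monotonic() - start) * 1000)
                return {"ok": True, "ms": ms, "tls": tls.version()}
    except ssl.SSLCertVerificationError as exc:
        # Wrong SNI host, replaced/expired certificate, or an interception box
        return {"ok": False, "error": "certificate", "detail": exc.verify_message}
    except (socket.timeout, TimeoutError):
        # Typical of a network that silently drops port 853
        return {"ok": False, "error": "timeout"}
    except OSError as exc:
        # Connection refused/reset (port closed or blocked) and other TLS errors
        return {"ok": False, "error": "connect", "detail": str(exc)}


def format_status(ip: str, sni_host: str, result: dict) -> str:
    """Render a result in the style of the tool's results screen."""
    status = f"DoT:{result['ms']}ms" if result["ok"] else "Failed"
    return f"DoT IP: {ip}:853\nStatus: {status}\nSNI Host: {sni_host}"


def local_reachability_demo() -> dict:
    """Offline demonstration of check_tcp_port using a temporary listener on
    127.0.0.1 (constructed setup; no real DoT server is involved)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    open_reachable = check_tcp_port("127.0.0.1", port)
    listener.close()
    closed_reachable = check_tcp_port("127.0.0.1", port)  # nothing listens now
    return {"port": port, "open_reachable": open_reachable,
            "closed_reachable": closed_reachable}


if __name__ == "__main__":
    print(local_reachability_demo())
    # Live check against a public resolver (needs network access):
    # print(format_status("1.1.1.1", "cloudflare-dns.com",
    #                     probe_dot("1.1.1.1", "cloudflare-dns.com")))
```

A "certificate" error from `probe_dot` means the TCP path is fine and the SNI hostname or the server's certificate is the problem; a "timeout" or "connect" error means port 853 itself is not reachable, which is the case the "DoH Works But DoT Doesn't" section describes. A full DoT query would write `dot_frame(query)` to the TLS socket and read back a length-prefixed answer in the same framing.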
Configuring DoH/DoT on Your System
Windows 11
For DoH:
- Go to Settings > Network & Internet > Wi-Fi/Ethernet
- Click on your connection > DNS settings
- Select “Manual” and turn on “DNS over HTTPS”
- Enter the DoH URL (e.g., https://1.1.1.1/dns-query)
For DoT:
Windows 11 has limited native DoT support. Use third-party tools like YogaDNS or Simple DNSCrypt.
macOS
Using DNS Profiles:
- Create a mobileconfig file with your DoT/DoH settings
- Install the profile in System Preferences > Profiles
Using third-party tools:
- DNS over HTTPS: Use cloudflared or dnscrypt-proxy
Linux
Using systemd-resolved:
Edit /etc/systemd/resolved.conf:
```ini
[Resolve]
# The #hostname suffix is the name used for SNI and certificate validation
DNS=1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com
# "yes" is strict mode: no silent fallback to plaintext DNS
DNSOverTLS=yes
FallbackDNS=8.8.8.8 8.8.4.4
```
Then restart:
```bash
sudo systemctl restart systemd-resolved
```
Using stubby (DoT):
Install and configure /etc/stubby/stubby.yml:
```yaml
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
upstream_recursive_servers:
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 8.8.8.8
    tls_auth_name: "dns.google"
```
Browser Configuration
Most modern browsers support DoH natively:
Firefox
- Settings > Privacy & Security
- Scroll to “DNS over HTTPS”
- Select “Max Protection” or “Increased Protection”
- Choose a provider or enter a custom URL
Chrome
- Settings > Privacy and security > Security
- Enable “Use secure DNS”
- Select a provider or enter a custom URL
Edge
- Settings > Privacy, search, and services
- Scroll to “Security”
- Enable “Use secure DNS to specify how to lookup the network address for websites”
Troubleshooting
No Working DoH/DoT Providers
If no providers work:
- Check your internet connection
- Try using a VPN - some networks block DoH/DoT ports
- Check if port 443 (HTTPS) and port 853 (DoT) are accessible
DoH Works But DoT Doesn’t (or vice versa)
This is normal. Different networks may:
- Block port 853 (DoT) but allow port 443 (DoH)
- Have transparent proxies that interfere with DoT
- Filter based on SNI hostname
Use whichever protocol works for your network.
Certificate Errors
If you see certificate errors, the provider may have changed their certificates or the SNI hostname may be incorrect. Try:
- Using a different provider
- Updating the tool to the latest version
Privacy Considerations
While DoH/DoT encrypt DNS queries from your ISP, the DNS provider you choose can still see your queries. Choose a provider with a privacy policy you trust.
Some providers to consider for privacy:
- Mullvad DNS: No logging, privacy-focused
- Quad9: Blocks malicious domains, no logging
- Cloudflare: Promises not to sell data, 24-hour log retention
Testing DNSCrypt Providers
From the main menu, select option [6] Test DNSCrypt to test DNSCrypt providers.
How DNSCrypt Testing Works
- Stamp Parsing: The DNS stamp (sdns://...) is decoded to extract the server address, public key, and provider name
- Certificate Fetch: The tool connects to the server and fetches its certificate, verifying it against the public key
- Encrypted Query: An encrypted DNS query for google.com is sent and the response time is measured
- Results: Providers are ranked by latency, showing working/failed status
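An added Python example (not DNS-MNS code) of the stamp-parsing step above. It encodes and decodes sdns:// stamps for DNSCrypt, DoH and DoT servers following the public DNS stamp layout: a protocol byte, an 8-byte little-endian properties field (DNSSEC, no-logs, no-filter bits), then length-prefixed fields. The sample stamp is built from a made-up 32-byte key and the documentation address 192.0.2.53, so it does not describe a real provider. The next step the tool performs, fetching the server certificate and verifying it against that key, needs Ed25519 signature verification, which the standard library does not provide, so it is not shown here.

```python
import base64
import struct

# Added example, not DNS-MNS code: a self-contained encoder/decoder for DNS
# stamps (sdns://...). Layout per the public stamp specification:
#   sdns:// + base64url( protocol byte | 8-byte props (little-endian)
#                        | length-prefixed fields ... )
# The sample stamp at the bottom uses a fake key, not a real provider's.

PROTO_DNSCRYPT, PROTO_DOH, PROTO_DOT = 0x01, 0x02, 0x03
PROP_DNSSEC, PROP_NO_LOGS, PROP_NO_FILTER = 1, 2, 4


def _lp(data: bytes) -> bytes:
    """One-byte length prefix followed by the data."""
    if len(data) > 255:
        raise ValueError("field too long for a stamp")
    return bytes([len(data)]) + data


def _vlp(items: list) -> bytes:
    """Length-prefixed list: every item but the last sets the high bit."""
    if not items:
        return b"\x00"
    return b"".join(bytes([len(it) | (0 if i == len(items) - 1 else 0x80)]) + it
                    for i, it in enumerate(items))


def _to_stamp(body: bytes) -> str:
    return "sdns://" + base64.urlsafe_b64encode(body).rstrip(b"=").decode("ascii")


def encode_dnscrypt_stamp(address: str, public_key: bytes,
                          provider_name: str, props: int = 0) -> str:
    if len(public_key) != 32:
        raise ValueError("DNSCrypt provider public key must be 32 bytes (Ed25519)")
    return _to_stamp(bytes([PROTO_DNSCRYPT]) + struct.pack("<Q", props)
                     + _lp(address.encode()) + _lp(public_key)
                     + _lp(provider_name.encode()))


def encode_doh_stamp(address: str, hashes: list, hostname: str, path: str,
                     props: int = 0, bootstrap_ips: tuple = ()) -> str:
    return _to_stamp(bytes([PROTO_DOH]) + struct.pack("<Q", props)
                     + _lp(address.encode()) + _vlp(list(hashes))
                     + _lp(hostname.encode()) + _lp(path.encode())
                     + _vlp([ip.encode() for ip in bootstrap_ips]))


def parse_stamp(stamp: str) -> dict:
    """Decode a stamp into its fields; raises ValueError on malformed input."""
    if not stamp.startswith("sdns://"):
        raise ValueError("not a DNS stamp")
    b64 = stamp[len("sdns://"):]
    body = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    if len(body) < 9:
        raise ValueError("truncated stamp")
    proto, props = body[0], struct.unpack("<Q", body[1:9])[0]
    pos = 9

    def lp() -> bytes:
        nonlocal pos
        if pos >= len(body):
            raise ValueError("truncated field")
        n, pos = body[pos], pos + 1
        val = body[pos:pos + n]
        if len(val) != n:
            raise ValueError("truncated field")
        pos += n
        return val

    def vlp() -> list:
        nonlocal pos
        items = []
        while True:
            if pos >= len(body):
                raise ValueError("truncated list")
            more, n = bool(body[pos] & 0x80), body[pos] & 0x7F
            pos += 1
            items.append(body[pos:pos + n])
            pos += n
            if not more:
                break
        return [it for it in items if it]  # a lone 0x00 encodes an empty list

    info = {"protocol": {1: "DNSCrypt", 2: "DoH", 3: "DoT"}.get(proto, f"unknown({proto})"),
            "dnssec": bool(props & PROP_DNSSEC), "no_logs": bool(props & PROP_NO_LOGS),
            "no_filter": bool(props & PROP_NO_FILTER)}
    if proto == PROTO_DNSCRYPT:
        info["address"] = lp().decode()
        key = lp()
        if len(key) != 32:
            raise ValueError("DNSCrypt stamp carries a key that is not 32 bytes")
        info["public_key"] = key.hex()
        info["provider_name"] = lp().decode()
    elif proto in (PROTO_DOH, PROTO_DOT):
        info["address"] = lp().decode()
        info["hashes"] = [h.hex() for h in vlp()]   # pinned cert hashes (may be empty)
        info["hostname"] = lp().decode()
        if proto == PROTO_DOH:
            info["path"] = lp().decode()
        info["bootstrap_ips"] = [ip.decode() for ip in vlp()] if pos < len(body) else []
    else:
        raise ValueError(f"unsupported stamp protocol 0x{proto:02x}")
    return info


FAKE_KEY = bytes(range(32))  # constructed placeholder, NOT a real provider key
SAMPLE_DNSCRYPT_STAMP = encode_dnscrypt_stamp(
    "192.0.2.53:5443", FAKE_KEY, "2.dnscrypt-cert.example", PROP_DNSSEC | PROP_NO_LOGS)

if __name__ == "__main__":
    print(SAMPLE_DNSCRYPT_STAMP)
    print(parse_stamp(SAMPLE_DNSCRYPT_STAMP))
```

The key length check matters: the 32-byte key in a DNSCrypt stamp is the long-term Ed25519 key the provider signs its short-lived certificates with, so a stamp that fails to decode or carries an odd-sized key should be rejected before any connection is attempted.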
DNSCrypt Providers Tested
| Provider | Description |
|---|---|
| AdGuard | Ad-blocking and privacy DNS |
| AdGuard Family | Family protection filtering |
| Cisco/OpenDNS | Cisco’s public DNS service |
| Cisco/OpenDNS Family | Family-safe filtering |
| Quad9 | Security-focused, blocks malware |
| CleanBrowsing Family | Family-safe content filtering |
| CleanBrowsing Security | Security-focused filtering |
| Scaleway | European privacy-focused DNS |
Understanding DNSCrypt Results
```text
#1 AdGuard
Latency: 85ms
Status: Working
```
- Latency: Total time for stamp parsing, certificate fetch, and encrypted query exchange
- Status: Whether the provider is reachable and responding correctly
DNSCrypt Proxy
DNS-MNS includes a built-in local DNSCrypt proxy that encrypts all your DNS queries transparently.
How the Proxy Works
- The proxy listens on a local address (e.g., 127.0.0.1:53)
- Your system sends regular DNS queries to the proxy
- The proxy encrypts each query using DNSCrypt
- The encrypted query is forwarded to the upstream DNSCrypt provider
- The provider’s response is decrypted and returned to your system
This provides transparent DNS encryption for all applications on your system — no per-app configuration needed.
Starting the Proxy
From the main menu, select option [7] DNSCrypt Proxy:
- Choose a DNSCrypt provider from the list
- Enter a listen address (default: 127.0.0.1:53)
- The proxy starts and runs in the background
Port 53 requires administrator/root privileges. You can use a higher port (e.g., 127.0.0.1:5353) without elevated privileges, but you’ll need to configure your system to use that port.
Stopping the Proxy
Select option [7] again from the main menu and choose “Stop Proxy.”
Configuring Your System to Use the Proxy
After starting the proxy on 127.0.0.1:53, configure your system DNS to 127.0.0.1:
Linux:
```bash
# Using DNS-MNS option [2] (Set Custom DNS)
# Or manually:
sudo systemctl stop systemd-resolved
# /etc/resolv.conf is often a symlink managed by systemd-resolved; tee writes
# through the symlink, and resolved rewrites that file if it is started again
echo "nameserver 127.0.0.1" | sudo tee /etc/resolv.conf
```
macOS:
```bash
sudo networksetup -setdnsservers Wi-Fi 127.0.0.1
```
Windows (PowerShell as Admin):
```powershell
Set-DnsClientServerAddress -InterfaceAlias "Wi-Fi" -ServerAddresses "127.0.0.1"
```
You can also use DNS-MNS option [2] Set Custom DNS to set 127.0.0.1 as your DNS server.