What is the most secure way todo DNS encryption?

im not trying to achieve adblocking, i am trying to achive privacy and security with dnssec and malware filtering, quad9 is perfect for this and is a non profit company that i would not even compare to clouldflare, cloudflare is a for profit who runs most of the web and chooses to shutdown sites if they are pressured by the controlling elite, i could list many reasons to avoid cloudflare but they are all off topic here
edit: also The auditor was KPMG, and Cloudflare paid them for it. So, third party? Yes. Independent or objective? No.

Additional resources :


Tests if your DNS provider does DNSSEC (so your queries are not spoofed)

Check what services you are using and if they leak.

than you have your solution, let's call it a day :slight_smile: enable dnssec and point your queries to quad9. it is a good choice.

1 Like

i use all of these to test my dns and ip and dnssec

1 Like

it does seem im putting more thought into this then most do, but with as many options as are available todo this it only seems right todo my research and i was hoping to fine someone who uses dnscrypt
i was also hoping to find someone who could compare the pros and cons on the different methods, or possibly suggest something new i had not heard of like Oblivious Doh

I still use dnscrypt-proxy2 since day one with OpenWrt and it has done well by me at least for my uses.

FWIW now, I wrote my first how-to here: Davidc502- wrt1200ac wrt1900acx wrt3200acm wrt32x builds - #5310 by RuralRoots
After a quick review, it should still be relevant.

1 Like

You're looking in the wrong direction...

  • delete all cookies, always
  • use incognito browsing
  • set your browser to paranoid mode
  • install an adblocker with a tracking blocklist
  • don't log on to any FB, Google, etc, related services, while browsing, ever

to achieve (more) privacy. It'll get you a lot further, than picking "the right" DNS provider


  • firefox has built in DoH (under general->network settings) you can add custom servers
  • run a wireguard VPN on your router (DNS is automatically hidden until the exit point)
  • make a piehole
  • using both DoH and wireguard installed on the router will probably interfere with wireguard (interferes with NTP) but I haven't tried this
  • change your WAN MAC every now and then
  • I haven't tried the luci apps for dnscrypt or DoH yet

using/changing them doesn't do sh*t for privacy, unless you mistrust your ISP, still not privacy related though.

same as above, read https://overengineer.dev/blog/2019/04/08/very-precarious-narrative.html

still same as above

probably not, but they won't help with your privacy issue.

what for, you're not tracked by IP ...

same as the 1st answer.

Relay doesn’t provide privacy?

  • use macchanger to fool them so they can't track you :laughing:

you're still not tracked by IP, but hey, whatever floats your boat ...

if you're CGNAT:ed, your routers WAN IP will have nothing to do with your real public IP anyway,
the latter will be completely out of your control.

there is no luci app for dnscrypt proxy V2, only for dnscrypt V1

1 Like

i disagree, i have been working on privacy for years now and DNS is by far the most useful adjustment that can be made, before i was using my isp with no filtering and no dnssec, that is bad, now im learning that i can encrypt that dns traffic and even might try anonymized dns or Oblivious DoH and if i can get that to work with ECH that is a damn good improvement to my privacy and security preventing many different types of attacks, i also use full disk encryption and secure boot with DMA protection and IOMMU and a nitro key with my immutable OS fedora silverblue, i use flatpaks sealed by flatseal, i use vlans for my security systems, i use pgp for my sensitive communications, my router is only accessible from one pc thru ssh and my ssh keys are stored in my keepassXC, i use a very hardened version of firefox with ublock or librewolf, i made my own wireguard vpn on a dirt cheap vps, thinking about switching to SPN instead, i use tails or tor when needed, once i figure out DNSCrypt v2 the only thing left for me todo would be switch to qubes with coreboot and buy a next gen firewall with IPS and EDR
that site breaks down the pros and cons of each, i decided for me dnscrypt was the best but i have not got it working yet, hopefully today i will make time to try it again


The entire web browser development community and IEEE seems to disagree with you on this one. It's standard now on most browsers. Encrypting DNS is obviously privacy related.

I said MAC address - not IP address. Although it doesn't really matter I suppose as IP address is used to track you as well.

I still never referred to IP address. I am referring to LAN MAC address on a computer (using macchanger). Changing your MAC address obviously helps improve your privacy as does changing your IP. Neither are complete solutions, just one of many steps you can take.

IP address = layer 3. MAC address = layer 2.

You will never have total privacy in a system not designed for it. Historically IP/DNS and HTTP security was so bad or non-existent that these are all band-aid solutions added nearly 50 years after the fact. The good old days?


1 Like

encrypted DNS is rather related to security. automatically without asking for consent sending dns queries to a hand picked provider is not assuring privacy.

so yes, from security point of view encryption is good, no bad actor will see what you're doing DNS wise, but still DNS upstream provider may log, track and sell your data regardless it is being sent over encrypted. so from privacy point of view it is still very much depending on the provider.

but the post you linked actually stating the same.

1 Like

@grrr2 beat me to it, I was at the movies.

All those things you've implemented, improves your security, bud does nothing for your privacy....

Which takes us right back to anomymous DNS via encrypted DNS.

1 Like

this website made it pretty clear how much better DNScrypt is then the rest of the options, dnscrypt proxy 2 is the route i choose for my router, a member here perklesimon helped me to find my mistake, i got it working now with quad9 and im going to look at anonymous dns next

anyone have any opinions on dns hijacking and whether or not i should use it with dnscrypt and a vpn
also do you guys turn off ipv6 at the router or do you run it thru dnscrypt or something else

Consider using a subset of the dnscrypt public proxy servers to rotate them via the .toml rather than all your queries going through quad9. I use a subset of all out of country dnscrypt public proxies.

Be aware that anonomizing your dns via relays will slow things down at times, significantly.