Emerald Onion's Encrypted DNS Resolver
The Emerald Onion public recursive name server (aka DNS resolver) is a privacy-respecting DNS service offering modern, encrypted DNS protocols: DNS-over-TLS (DoT), DNS-over-HTTPS (DoH), and DNS-over-QUIC (DoQ). We have configured dnsproxy and unbound with specific privacy controls:
- DoT, DoH, and DoQ TLS-based transport encryption ensures that your ISP (or anyone else on the path) cannot read or tamper with your DNS queries. They can still see that you connect to the resolver, just not what you ask it.
- IP connection data and metadata logging has been disabled completely. No IP logs exist at Emerald Onion's edge, firewall, dnsproxy syslog, or unbound syslog.
- DNS query data and metadata logging has been disabled completely. This includes disabling unbound-control, so that unbound's in-memory data (its cache) cannot be dumped even by Emerald Onion's admins.
- A caching resolver adds some privacy on its own: if another user requested a name before you and its TTL has not expired, the resolver answers from cache and sends no upstream request for your query. That makes it harder for network adversaries upstream of the resolver to attribute lookups to individual users.
- QNAME minimization (RFC 7816) ensures that upstream authoritative servers are sent only the part of the name needed for each step of resolution, never the full query name.
Emerald Onion's software configurations are pulled directly from this GitHub repo, so users can validate for themselves that these privacy settings are enforced. This public DNS service is shared by Emerald Onion's Tor exit relays, meaning that Tor users' queries are blended with non-Tor users' queries, further enhancing DNS privacy.
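Because the configuration is public, a reader can check it against the claims above. The following is an added example (not Emerald Onion's own tooling) of a small audit script for an unbound.conf: it parses the file and flags the logging, remote-control and QNAME minimisation options this section names whenever they are missing or set to a leaky value. The two sample configs embedded in it are constructed for the demo; the option names are unbound's own.

```python
"""Audit an unbound.conf for the privacy controls listed above.

This is an added example, not Emerald Onion's tooling. It parses a flat
unbound.conf and flags any of the logging / remote-control / QNAME
minimisation options that differ from the privacy-preserving value. The two
sample configs are constructed for this demo.
"""
import re

# "section:option" -> (value the README's claims require, why it matters)
EXPECTED = {
    "server:log-queries": ("no", "query names would be written to syslog"),
    "server:log-replies": ("no", "answers would be written to syslog"),
    "server:verbosity": ("0", "verbosity above 0 logs client addresses and names"),
    "server:qname-minimisation": ("yes", "upstream servers would see the full query name"),
    "remote-control:control-enable": ("no", "unbound-control could dump the in-memory cache"),
}

def parse_unbound_conf(text):
    """Return {"section:option": value} for an unbound.conf.

    Section headers are lines such as "server:" or "remote-control:";
    "#" starts a comment. For repeated scalar options the last value wins.
    """
    section, settings = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^([a-z-]+):\s*$", line)
        if header:
            section = header.group(1)
            continue
        option = re.match(r"^([a-z0-9-]+):\s*(.+)$", line)
        if option and section:
            settings[f"{section}:{option.group(1)}"] = option.group(2).strip().strip('"')
    return settings

def audit(text):
    """Return (option, found, expected, reason) for each setting that is absent
    or weak. An empty list means the file matches the README's claims.
    Absent options count as findings: unbound defaults to verbosity 1, and an
    explicit value is what a reader can check against the repo."""
    settings = parse_unbound_conf(text)
    return [(opt, settings.get(opt), want, why)
            for opt, (want, why) in EXPECTED.items()
            if settings.get(opt) != want]

# Constructed samples: a config that leaks, and the hardened equivalent.
WEAK_CONF = """\
server:
    interface: 127.0.0.1
    verbosity: 1
    log-queries: yes        # every query name and client IP into syslog
    log-replies: yes
    qname-minimisation: no
remote-control:
    control-enable: yes     # unbound-control dump_cache works
    control-interface: 127.0.0.1
"""

HARDENED_CONF = """\
server:
    interface: 127.0.0.1
    verbosity: 0
    log-queries: no
    log-replies: no
    qname-minimisation: yes
remote-control:
    control-enable: no      # nobody, admins included, can dump the cache
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        findings = audit(conf)
        print(f"{label}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for opt, got, want, why in findings:
            print(f"  {opt} = {got!r}, expected {want!r}: {why}")
```

Run it against the repo's real unbound.conf with `audit(open("unbound.conf").read())`; the parser only understands the flat `section:` / `option: value` layout, so `include:` directives are not followed and must be checked separately.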
How To Use
iOS 14 and macOS Big Sur (DoH)
- From your device, download this DNS Profile in Safari
- iOS: Settings > General > Profiles > Emerald Onion DNS-over-HTTPS > Install
- macOS: Settings > Profiles > Emerald Onion DNS-over-HTTPS > Install
Android 9 (DoT)
- Open settings
- Network & internet > Advanced > Private DNS
- Choose "Private DNS provider hostname" and enter `dns.emeraldonion.org`
Firefox (DoH)
- Go to Preferences
- Type "DNS" in "Find in Preferences" at the top
- Click Network Settings
- Enable "DNS over HTTPS"
- Use provider "Custom" and enter `https://dns.emeraldonion.org/dns-query`
Chrome (DoH)
- Go to Settings
- Type "DNS" in "Search Settings" at the top
- Click Security
- Enable "Use secure DNS"
- Select "Custom" and enter `https://dns.emeraldonion.org/dns-query`
Local proxy with Docker
If your system doesn't support DoT, DoH, or DoQ natively and you don't want to change your stub resolver, you can use our Docker image for dnsproxy, which supports all 3 protocols: it answers plaintext DNS on a loopback address and carries your queries to Emerald Onion over an encrypted transport.
- Create and start the container, binding both UDP and TCP port 53 (stub resolvers retry over TCP when an answer is too large for UDP and comes back truncated):
```shell
docker run -p 127.0.53.53:53:53/udp -p 127.0.53.53:53:53/tcp emeraldonion/docker-dnsproxy
```
- Update your system's DNS server to 127.0.53.53. On Linux every 127.0.0.0/8 address is reachable on the loopback interface by default; on macOS add the alias first with `sudo ifconfig lo0 alias 127.0.53.53`.
Protocols
- DNS over TLS: `tls://dns.emeraldonion.org:853`
- DNS over HTTPS: `https://dns.emeraldonion.org:443/dns-query`
- DNS over QUIC: `quic://dns.emeraldonion.org:8853` (the draft-era port; RFC 9250 later assigned UDP 853 to DoQ)
Protocols, Pros and Cons
There is not one protocol that is strictly better than the others, but DoH (DNS over HTTPS) seems to be the one that most of the industry is adopting. Emerald Onion runs a draft implementation of DoQ (the protocol has since been standardized as RFC 9250), so please only use it for testing.
All 3 supported protocols provide a layer of transport security to protect DNS queries from surveillance and tampering. The difference is only in the transport itself: DoT (RFC 7858) carries length-prefixed DNS messages over TLS on port 853, DoH (RFC 8484) carries them as HTTP requests and responses over TLS, and DoQ carries them over QUIC, which has TLS 1.3 built in. All protocols use the standard RFC 1035 DNS wire format. For more information on how DNS messages work over alternate transports, check out Cloudflare's 1.1.1.1 documentation. Note: our resolver does not support the JSON message format; send and expect `application/dns-message`.
- DoT is the simplest protocol, adding only a TLS layer (and a 2-byte length prefix per message) on top of DNS over TCP.
- DoH is the most widely supported protocol; browsers such as Firefox and Chrome have built-in DoH support, and because it is ordinary HTTPS on port 443 it is hard to block selectively.
- DoQ is the newest protocol and uses the modern QUIC transport, which avoids TCP head-of-line blocking between queries and makes connection setup cheaper.
Emerald Onion does not offer plaintext DNS (port 53 over UDP or TCP), which anyone on the path can read and spoof.
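To make the transport differences concrete, here is an added example in Python (not Emerald Onion's or dnsproxy's code) that builds an RFC 1035 query, shows the 2-byte length framing DoT and DoQ wrap around it and the base64url / `application/dns-message` encoding DoH uses, and parses a constructed answer. `dot_query()` performs a live DoT exchange against dns.emeraldonion.org if you call it; everything else runs offline. The hostname, port and DoH path come from the Protocols list above; the sample response and its address 192.0.2.1 are made up for the demo. A DoQ client is omitted because the standard library has no QUIC implementation.

```python
"""RFC 1035 wire format and the framing each encrypted transport adds to it.
Added example, not Emerald Onion's or dnsproxy's code; only dot_query() touches the
network. The sample response and 192.0.2.1 below are constructed for the demo."""
import base64, random, socket, ssl, struct

RESOLVER = "dns.emeraldonion.org"                   # hostname from the page
DOH_URL = "https://dns.emeraldonion.org/dns-query"   # DoH URI template from the page

def encode_name(name):
    """Owner name as length-prefixed labels terminated by a zero byte."""
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.rstrip(".").split(".")) + b"\x00"

def build_query(name, qtype=1, txid=None):
    """Standard query: id, RD=1 (flags 0x0100), one IN question. Identical on every transport."""
    txid = random.randrange(65536) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def frame_stream(msg):
    """DoT (RFC 7858) and DoQ (RFC 9250): 2-byte big-endian length, then the message."""
    return struct.pack("!H", len(msg)) + msg

def doh_get_url(msg, base=DOH_URL):
    """DoH GET (RFC 8484): ?dns=<base64url, no padding>. Use id 0 for GET if you want
    identical queries to be cacheable by HTTP caches."""
    return base + "?dns=" + base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")

def doh_post(msg):
    """DoH POST: the raw message is the body; application/dns-message, never JSON here."""
    return {"Content-Type": "application/dns-message",
            "Accept": "application/dns-message"}, msg

def read_name(msg, off):
    """Decode a name that may use 0xC0xx compression pointers; return (name, next offset)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # pointer: follow it, resume after it
            if not jumped:
                end = off + 2
            jumped, off = True, struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)

def parse_response(msg, expected_id):
    """Return (rcode, [(name, type, ttl, value), ...]) from the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_id:                             # not the answer to our question
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qd):                                 # skip the echoed question(s)
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:
            value = socket.inet_ntoa(rdata)
        elif rtype == 28 and rdlen == 16:
            value = socket.inet_ntop(socket.AF_INET6, rdata)
        else:
            value = rdata.hex()
        answers.append((name, rtype, ttl, value))
    return flags & 0xF, answers

def dot_query(name, host=RESOLVER, port=853, timeout=5.0):
    """One DoT round trip: TLS to 853, length-prefixed message each way. The default
    context verifies the server certificate, which is what defeats an on-path impostor."""
    q = build_query(name)
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw, \
         ctx.wrap_socket(raw, server_hostname=host) as tls:
        tls.sendall(frame_stream(q))
        rd = tls.makefile("rb")                         # read(n) blocks until n bytes or EOF
        length = struct.unpack("!H", rd.read(2))[0]
        return parse_response(rd.read(length), struct.unpack("!H", q[:2])[0])

# Constructed response: id 0x1234, flags QR|RD|RA, the question echoed, then one A record
# whose owner name is a pointer (0xC00C) back to the question name at offset 12.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                   + encode_name("example.net") + struct.pack("!HH", 1, 1)
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
                   + socket.inet_aton("192.0.2.1"))

if __name__ == "__main__":
    q = build_query("example.net", txid=0x1234)
    print("DoT/DoQ frame:", frame_stream(q).hex())
    print("DoH GET URL:  ", doh_get_url(q))
    print("sample answer:", parse_response(SAMPLE_RESPONSE, 0x1234))
```

The transaction-id check in `parse_response()` is the one piece of anti-spoofing that plaintext DNS relies on; over DoT/DoH/DoQ it is redundant with the TLS session, which is why those transports are the ones worth offering.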
Emerald Onion's Server-Side Configuration
We're using dnsproxy to proxy DoT, DoH, and DoQ queries to unbound as the resolver. On the networking side, we use BIRD as a BGP daemon automated with bcg which converts a simple YAML file into BIRD configs with filtering for IRR, RPKI, and max-prefix limits. Each DNS server announces the same routes making this an anycast service that can be easily scaled out by adding more servers.
If you're interested in running your own service like this, this repo can serve as a quick way to get started. Edit the Ansible hosts file to contain a list of your DNS servers, BGP configuration, and TLS certificate paths, then run `ansible-playbook -i hosts.yml install.yml`. Ansible will install and configure the DNS server with unbound and dnsproxy, and set up the BGP session with BIRD and bcg according to the `bcg` key in your Ansible hosts file. The `hosts.yml` file in this repo contains our production config as a starting place, but you'll have to make a few modifications if you're running your own deployment:
- Replace `tls_cert` and `tls_key` with the path to your TLS certificate and private key.
- Replace the `hosts` key with objects for each of your DNS servers, setting `ansible_host` and `bcg`, which takes a raw bcg config in YAML.
Legal
Per the legal FAQ, Emerald Onion does not log network information. To report abuse, please contact Abuse.
Donate
Emerald Onion is 100% volunteer-run, and 100% of donations go to business administration and insurance, hardware, bandwidth, and co-location. Please consider becoming a monthly donor using GitHub Sponsors!
Other donation methods are available here: emeraldonion.org/donate
Emerald Onion is a U.S. 501(c)(3) nonprofit, tax ID #82-2009438. Contributions are tax deductible as allowed by law.