
Public DNS Resolver with TLS & HTTPS Support

Quadrant Information Security now offers “DNS over TLS” and “DNS over HTTPS” to the general public. Why is this important? When using services like Google’s public DNS ( and or your ISP’s DNS servers, the traffic is sent unencrypted. This means that the requests are subject to DNS hijacking and eavesdropping. Using a public DNS resolver with TLS & HTTPS support allows your DNS requests to be protected and encrypted. This eliminates the possibility of DNS eavesdropping and hijacking from your ISP or hostile third parties. This project is part of the “DNS Privacy” project. All logs to and from Quadrant’s public DNS servers are sent to /dev/null, which means that we do not record or log any user activity; we do this to protect our users and ourselves.

DNS-TLS / DNS-HTTPS Disclaimers:

The operations of these services are part of a research project driven and funded by Quadrant Security. They are free for public use and have no restrictions. Quadrant Information Security does NOT perform any type of filtering on the DNS request. Quadrant Information Security does NOT keep, store, or retain any information or logs of any DNS queries. Use at your own risk.

If you have any questions or comments about this service, please e-mail [email protected].

DNS-TLS service information:

Server DNS:

Server Port: 853

Server IPv4:

Server IPv6: 2001:1890:140c::159

DNS-HTTPS service information:

Server URL:

Server Port: 443

Server IPv4:

Server IPv6: 2001:1890:140c::159

Using DNS-TLS or DNS-HTTPS services.

Android PIE:

Phones running Android “PIE” (or later) support a native DNS over TLS resolver. To use it, go to your phone’s “Settings” and then “Network & Internet”. At the bottom, you should see an “Advanced” option. Open up the “Advanced” options and you should see a “Private DNS” option. Select that option and then hit the “Private DNS provider hostname”. Put in “” and hit save. All your phone’s DNS requests will be encrypted and protected.

Other resources:


Stubby is a small program that runs on Linux, FreeBSD, OSX, etc. that acts as a local DNS resolver that translates your DNS request to a DNS-TLS provider. One side of Stubby “listens” for standard UDP/53 DNS requests. When a DNS request is received, it is forwarded upstream via DNS over TLS. The concept is that you can run Stubby with your DNS over TLS provider and set up your local resolver (/etc/resolv.conf) to This way, all DNS requests are sent over a secure channel. Here are our Stubby configurations:

# Quadrant DNS-TLS IPv4 configuration:
- address_data:
  tls_auth_name: ""

# Quadrant DNS-TLS IPv6 configuration:
- address_data: 2001:1890:140c::159
  tls_auth_name: ""

If you want to do certificate pinning, you’ll need to add the following lines:


- digest: "sha256"
  value: {base64 sha256 value}

We use Let’s Encrypt certificates, which change every few months. To get the most recent pinning sum, see Certificate pinning adds an extra layer of security to the system but will require more maintenance.
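To show where the maintenance cost comes from, here is an added example (not Quadrant's or Stubby's own code) that computes the base64 SHA-256 value Stubby expects in a `tls_pubkey_pinset` entry from a DER certificate. The pin covers only the certificate's SubjectPublicKeyInfo, so it changes when a renewal uses a new key pair and stays the same when the key is reused. The function names and the three sample certificates are constructed for illustration.

```python
import base64
import hashlib

def read_tlv(buf, off):
    """Parse one DER element at off; return (tag, value_start, value_end)."""
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, off, off + length

def spki_from_cert(der):
    """Return the full SubjectPublicKeyInfo element of an X.509 certificate."""
    _, start, _ = read_tlv(der, 0)        # Certificate
    _, off, _ = read_tlv(der, start)      # tbsCertificate
    tag, _, end = read_tlv(der, off)
    if tag == 0xA0:                       # optional explicit [0] version
        off = end
    for _ in range(5):                    # serial, sigAlg, issuer, validity, subject
        _, _, off = read_tlv(der, off)
    tag, _, end = read_tlv(der, off)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo not found")
    return der[off:end]

def spki_pin(der):
    """Base64 SHA-256 of the SPKI, the form used as a pinset value."""
    return base64.b64encode(hashlib.sha256(spki_from_cert(der)).digest()).decode()

def tlv(tag, body):  # DER encoder, used only to build the constructed samples
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_cert(serial, key):
    """Constructed certificate skeleton (unsigned, not a valid certificate)."""
    alg = tlv(0x30, tlv(0x06, b"\x2a\x86\x48\xce\x3d\x04\x03\x02"))  # placeholder
    empty = tlv(0x30, b"")                # stands in for issuer, validity, subject
    spki = tlv(0x30, alg + tlv(0x03, b"\x00" + key))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, bytes([serial]))
              + alg + empty * 3 + spki)
    return tlv(0x30, tbs + alg + tlv(0x03, bytes(65)))

OLD = sample_cert(1, b"\x04" + b"\x11" * 64)       # current certificate
RENEWED = sample_cert(2, b"\x04" + b"\x11" * 64)   # renewed, same key pair
REKEYED = sample_cert(3, b"\x04" + b"\x22" * 64)   # renewed with a new key pair
```

Comparing `spki_pin()` of the certificate the server currently presents against the configured `value` before a renewal takes effect shows whether the Stubby configuration needs updating.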


In some situations, DNS over TLS may not be an option. For example, it might not be possible to use TCP/853 due to network and firewall restrictions. Or perhaps you would rather use DNS over HTTPS for software compatibility reasons. In any case, the Quadrant Information Security public DNS servers support “DNS over HTTPS”. Rather than using DNS on UDP port 53 or DNS over TLS, requests are made over the standard HTTPS port TCP/443 (TLS). When a DNS request is made, JSON is returned with information about your query. DNS over HTTPS queries should be sent to

More information about DNS over HTTPS can be found at the following links:

Using Firefox with DNS over HTTPS:

Listing of software that support DNS over HTTPS:

If you have any questions, please send us an e-mail at [email protected].
