DNS Resolution Protocol Comparison

Protocol	Port	Transport	Encryption	Visible to ISP	Anti-Tamper	Latency	RFC
Plain DNS	53	UDP/TCP	None	Fully visible	No	Lowest	1035
DNSSEC	53	UDP/TCP	None (signed)	Visible	Yes	Low	4033
DoT (DNS-over-TLS)	853	TLS/TCP	TLS 1.3	Port identifiable	Yes	Medium	7858
DoH (DNS-over-HTTPS)	443	HTTPS/TCP	TLS 1.3	Indistinguishable from HTTPS	Yes	Medium	8484
DoH3 (DNS-over-HTTP/3)	443	QUIC/UDP	TLS 1.3	Same as HTTPS	Yes	Low	9250
DoQ (DNS-over-QUIC)	853/8853	QUIC/UDP	TLS 1.3	Identifiable	Yes	Lowest (encrypted)	9250
DNSCrypt	443/5443	UDP/TCP	X25519+XSalsa20	Identifiable	Yes	Low	—

Recommended Choice

For most scenarios, DoH is recommended: uses port 443, blending with normal HTTPS traffic so ISPs can't identify encrypted DNS by port. For ultra-low latency, use DoQ (QUIC has no TCP handshake). Enterprise networks should consider DoT — its dedicated port allows clean firewall policies.

Encrypted DNS Provider Comparison

Provider	DoH URL	DoT Hostname	IP	Logging	Ad Filter	DNSSEC
Cloudflare	`https://cloudflare-dns.com/dns-query`	`one.one.one.one`	1.1.1.1 / 1.0.0.1	24h purge	No (1.1.1.2 yes)	✅
Google	`https://dns.google/dns-query`	`dns.google`	8.8.8.8 / 8.8.4.4	48h anonymized	No	✅
Quad9	`https://dns.quad9.net/dns-query`	`dns.quad9.net`	9.9.9.9 / 149.112.112.112	No logs	Malware	✅
NextDNS	`https://dns.nextdns.io/YOUR_ID`	`YOUR_ID.dns.nextdns.io`	Dynamic	Configurable	Highly custom	✅
AdGuard	`https://dns.adguard-dns.com/dns-query`	`dns.adguard-dns.com`	94.140.14.14	No logs	Ads+Trackers	✅
Mullvad	`https://dns.mullvad.net/dns-query`	`dns.mullvad.net`	194.242.2.2	No logs	Optional	✅
Ali DNS	`https://dns.alidns.com/dns-query`	`dns.alidns.com`	223.5.5.5 / 223.6.6.6	Undisclosed	No	✅
Tencent DNSPod	`https://doh.pub/dns-query`	`dot.pub`	119.29.29.29	Undisclosed	No	✅

Operating System Setup

Windows 11 / 10 (DoH)

# Windows 11: Settings → Network → DNS → Manual # Set Preferred DNS: 1.1.1.1 # DNS over HTTPS: On (automatic template) # Or via PowerShell (Win 11): Set-DnsClientDohServerAddress -ServerAddress "1.1.1.1" ` -DohTemplate "https://cloudflare-dns.com/dns-query" ` -AllowFallbackToUdp $False -AutoUpgrade $True # Verify: Resolve-DnsName example.com -DnsOnly | Select-Object Name,IPAddress

macOS (DoH / DoT)

# Create a .mobileconfig profile (XML plist) # Or use a tool like dns-profile-creator # Manual: System Settings → Network → DNS → add 1.1.1.1 # For DoH via mobileconfig: # PayloadType: com.apple.dnsSettings.managed # DNSSettings: # DNSProtocol: HTTPS # ServerURL: https://cloudflare-dns.com/dns-query # ServerAddresses: [1.1.1.1, 1.0.0.1] # Install: double-click .mobileconfig → System Settings → Profiles

Linux (systemd-resolved DoT)

# /etc/systemd/resolved.conf [Resolve] DNS=1.1.1.1#one.one.one.one 1.0.0.1#one.one.one.one DNSOverTLS=yes DNSSEC=yes Domains=~. FallbackDNS=9.9.9.9#dns.quad9.net # Restart: sudo systemctl restart systemd-resolved # Verify: resolvectl status resolvectl query example.com

Android (DoT Native)

# Settings → Network → Private DNS # Select "Private DNS provider hostname" # Enter: one.one.one.one (Cloudflare) # or: dns.google (Google) # or: dns.adguard-dns.com (AdGuard)

iOS / iPadOS (DoH)

# Install a DoH/DoT profile (.mobileconfig) # Cloudflare: https://1.1.1.1/dns-over-https.mobileconfig # Or install "1.1.1.1: Faster Internet" app from App Store # Settings → General → VPN & Device Management → DNS

Browser DoH Setup

Browser	Settings Path	Default DoH
Chrome	`chrome://settings/security` → Use secure DNS	System / Cloudflare / Google selectable
Firefox	`about:preferences#privacy` → DNS over HTTPS	Cloudflare (default on in US)
Edge	`edge://settings/privacy` → Secure DNS	Same as Chrome
Brave	`brave://settings/security` → Secure DNS	Quad9
Safari	No browser-level DoH (requires system config)	—

Note

Browser-level DoH only protects DNS queries from the browser. Other apps (terminal, email clients) still use system DNS. For full protection, configure at system or router level.

Proxy Tool DNS Configuration

Clash / Clash Meta (mihomo)

# config.yaml dns: enable: true listen: 0.0.0.0:53 enhanced-mode: fake-ip # redir-host | fake-ip fake-ip-range: 198.18.0.1/16 fake-ip-filter: - '*.lan' - '*.local' - 'time.*.com' default-nameserver: # bootstrap DNS (plain, for resolving DoH domain) - 223.5.5.5 - 119.29.29.29 nameserver: # main encrypted DNS - https://doh.pub/dns-query - https://dns.alidns.com/dns-query - tls://dot.pub:853 fallback: # fallback for non-CN domains - https://dns.cloudflare.com/dns-query - https://dns.google/dns-query - tls://dns.google:853 fallback-filter: geoip: true geoip-code: CN ipcidr: - 240.0.0.0/4 tun: enable: true stack: system # system | gvisor | mixed dns-hijack: - any:53 auto-route: true auto-detect-interface: true

V2Ray / Xray

// config.json → dns 部分 { "dns": { "servers": [ { "address": "https://cloudflare-dns.com/dns-query", "domains": ["geosite:geolocation-!cn"], "skipFallback": true }, { "address": "https://doh.pub/dns-query", "domains": ["geosite:cn"], "expectIPs": ["geoip:cn"] }, "223.5.5.5" // fallback plain DNS ], "queryStrategy": "UseIPv4" } }

sing-box

// config.json { "dns": { "servers": [ { "tag": "remote", "address": "https://dns.cloudflare.com/dns-query", "detour": "proxy" }, { "tag": "local", "address": "https://doh.pub/dns-query", "detour": "direct" }, { "tag": "block", "address": "rcode://success" } ], "rules": [ {"geosite": "cn", "server": "local"}, {"geosite": "category-ads-all", "server": "block"} ], "strategy": "prefer_ipv4" } }

WireGuard

# wg0.conf [Interface] PrivateKey = YOUR_PRIVATE_KEY Address = 10.0.0.2/32 DNS = 1.1.1.1, 1.0.0.1 # WireGuard sets system DNS when connected [Peer] PublicKey = SERVER_PUBLIC_KEY Endpoint = vpn.example.com:51820 AllowedIPs = 0.0.0.0/0 # route all traffic (full tunnel) PersistentKeepalive = 25 # DNS leak prevention: AllowedIPs = 0.0.0.0/0 forces all traffic through tunnel # For split tunnel, also add: AllowedIPs = 1.1.1.1/32 to route DNS specifically

OpenVPN

# client.ovpn — server pushes DNS: push "dhcp-option DNS 1.1.1.1" push "dhcp-option DNS 1.0.0.1" push "block-outside-dns" # Windows: prevents DNS leak # Client-side override (add to .ovpn): dhcp-option DNS 1.1.1.1 script-security 2 up /etc/openvpn/update-resolv-conf down /etc/openvpn/update-resolv-conf

Shadowsocks + dns2socks

# Use dns2socks to forward DNS through SOCKS5 proxy dns2socks 127.0.0.1:1080 8.8.8.8:53 127.0.0.1:5353 # Then point system DNS to 127.0.0.1:5353 # Or use ss-tunnel for DNS forwarding: ss-tunnel -s server -p 8388 -l 5353 -L 8.8.8.8:53 -k password -m aes-256-gcm

TUN Mode Explained

TUN (network tunnel) mode creates a virtual network interface in the OS, capturing all network traffic (including DNS) and forwarding it to the proxy client. Unlike manual proxy configuration, TUN mode requires no per-app proxy setup — all traffic automatically goes through the tunnel.

TUN Flow

App → OS routing → TUN interface → Proxy client (Clash/sing-box) → Rule matching → Direct or proxy → Remote server

DNS Handling

In TUN mode, DNS queries are intercepted by dns-hijack and handled by the proxy's DNS module. fake-ip mode returns a fake IP, using the real domain when connecting.

fake-ip vs redir-host

fake-ip: Fast (no DNS delay), but some apps may not work (use fake-ip-filter). redir-host: Real DNS first then route, better compatibility but slower.

Stack Selection

system: OS stack, stable but needs root. gvisor: Userspace stack, no root but higher CPU. mixed: TCP=system, UDP=gvisor (recommended).

Clash TUN Full Config

tun: enable: true stack: mixed dns-hijack: - any:53 - tcp://any:53 auto-route: true auto-detect-interface: true # macOS/Linux: auto-route adds route rules # Windows: sets TUN as default gateway

sing-box TUN

{ "inbounds": [{ "type": "tun", "interface_name": "tun0", "inet4_address": "172.19.0.1/30", "auto_route": true, "strict_route": true, "stack": "mixed", "sniff": true, "sniff_override_destination": true }] }

iptables Transparent Proxy DNS Forwarding

On a Linux gateway/router, use iptables to forcefully redirect all DNS traffic to a local encrypted DNS proxy (clash, sing-box, or dnscrypt-proxy), preventing any device from bypassing encrypted DNS.

DNS Hijack (Redirect Port 53)

# Redirect all outbound DNS (port 53) to local proxy on port 5353 iptables -t nat -A PREROUTING -p udp --dport 53 -j REDIRECT --to-ports 5353 iptables -t nat -A PREROUTING -p tcp --dport 53 -j REDIRECT --to-ports 5353 # Also catch local traffic (from the gateway itself) iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 5353 iptables -t nat -A OUTPUT -p tcp --dport 53 -j REDIRECT --to-ports 5353 # Exclude the proxy itself from being redirected (prevent loop) iptables -t nat -A OUTPUT -m owner --uid-owner clash -p udp --dport 53 -j RETURN

TPROXY Transparent Proxy (Full Traffic)

# TPROXY mode: proxy all TCP+UDP (including DNS) through clash/sing-box # Step 1: Create routing rule ip rule add fwmark 0x1 table 100 ip route add local default dev lo table 100 # Step 2: Mark packets for TPROXY iptables -t mangle -N CLASH iptables -t mangle -A CLASH -d 0.0.0.0/8 -j RETURN iptables -t mangle -A CLASH -d 127.0.0.0/8 -j RETURN iptables -t mangle -A CLASH -d 10.0.0.0/8 -j RETURN iptables -t mangle -A CLASH -d 172.16.0.0/12 -j RETURN iptables -t mangle -A CLASH -d 192.168.0.0/16 -j RETURN iptables -t mangle -A CLASH -p tcp -j TPROXY --on-port 7893 --tproxy-mark 0x1 iptables -t mangle -A CLASH -p udp -j TPROXY --on-port 7893 --tproxy-mark 0x1 iptables -t mangle -A PREROUTING -j CLASH # Step 3: Exclude proxy process iptables -t mangle -A OUTPUT -m owner --uid-owner clash -j RETURN iptables -t mangle -A OUTPUT -p tcp -j MARK --set-mark 0x1 iptables -t mangle -A OUTPUT -p udp -j MARK --set-mark 0x1

nftables (Modern Alternative)

# nftables DNS redirect nft add table ip nat nft add chain ip nat prerouting { type nat hook prerouting priority -100\; } nft add rule ip nat prerouting udp dport 53 redirect to :5353 nft add rule ip nat prerouting tcp dport 53 redirect to :5353

Router-Level DNS Encryption

OpenWrt

Install https-dns-proxy → LuCI → Services → HTTPS DNS Proxy → Add Cloudflare/Google → Disable dnsmasq forwarding. Or install OpenClash/PassWall for integrated proxy+DNS.

Asus Merlin

Firmware 386+ natively supports DoT: Administration → System → DNS Privacy Protocol → DNS-over-TLS → Add servers. Or install stubby via Entware.

pfSense / OPNsense

Services → DNS Resolver (Unbound) → Custom Options → Add forward-tls-upstream: yes and DoT servers. OPNsense Unbound natively supports DoT.

MikroTik

RouterOS v6.47+ supports DoH: /ip dns set use-doh-server=https://cloudflare-dns.com/dns-query verify-doh-cert=yes. Import CA certificate first.

Split DNS Strategy

In proxy environments, split DNS is a critical optimization: domestic domains use domestic DNS (to avoid resolving to overseas CDN), foreign domains use overseas DNS (to avoid poisoning).

# Clash DNS 分流逻辑示意 # ┌─────────────────────────────────────────────────────────┐ # │ DNS Query: example.com │ # ├─────────────────────────────────────────────────────────┤ # │ 1. Check geosite rules: │ # │ - geosite:cn → nameserver (Ali/Tencent DoH) │ # │ - geosite:geolocation-!cn → fallback (CF/Google) │ # │ 2. If no rule match → both nameserver + fallback │ # │ 3. Apply fallback-filter: │ # │ - If nameserver returns CN IP → use it (direct) │ # │ - If nameserver returns non-CN IP → use fallback │ # └─────────────────────────────────────────────────────────┘

Best Practice

① Bootstrap DNS uses plain IP (e.g., 223.5.5.5) to avoid circular dependency resolving DNS server domains; ② fake-ip mode doesn't care about DNS poisoning since actual domains are resolved remotely through the proxy tunnel; ③ Enable geoip in fallback-filter to decide fallback based on the resolved IP's geographic location.

Security & Privacy Analysis

Threat	Plain DNS	DNSSEC	DoT	DoH	DoQ
ISP snooping query content	✗	✗	✓	✓	✓
ISP identifying protocol	—	—	Port 853	Blends with HTTPS	QUIC
DNS cache poisoning	✗	✓	✓	✓	✓
MITM tampering	✗	✓	✓	✓	✓
ISP blocking	—	—	Easy	Hard	Possible
Metadata leak (SNI/IP)	All	All	Server IP	SNI+IP	Server IP

QUIC Leak Risk

QUIC (HTTP/3) uses UDP port 443. Many TCP-only proxy tools (HTTP proxies, some SOCKS5) can't tunnel QUIC traffic, causing the browser to bypass the proxy and connect directly — leaking both IP and DNS. Prevention: ① Enable TUN mode to capture all UDP; ② Disable QUIC in browser (chrome://flags/#enable-quic → Disabled); ③ Use UDP-capable protocols (Shadowsocks/Trojan/VLESS+XUDP). Verify with our IP Leak Test QUIC channel.

ECH (Encrypted Client Hello)

DoH's HTTPS connection still exposes the DoH server domain via SNI during TLS handshake. ECH (formerly ESNI) encrypts the SNI field — combined with DoH, it makes DNS queries completely invisible. Chrome and Firefox have experimental ECH support.

FAQ

Should I use DoH or DoT?

DoH uses port 443, indistinguishable from regular HTTPS, harder for ISPs/firewalls to identify and block. DoT uses dedicated port 853, which firewalls can specifically block. Personal users: DoH. Enterprise: DoT (easier to manage).

Does encrypted DNS add latency?

First query may add 5-20ms (TLS handshake), but subsequent queries benefit from HTTP/2 multiplexing and connection reuse, approaching Plain DNS latency. DoQ's QUIC 0-RTT handshake is even faster. Real-world difference is negligible.

What are fake-ip mode drawbacks?

① Apps connecting by IP directly (like Telegram) bypass DNS and can't be proxied by fake-ip; ② Local ping returns fake IPs, unusable for network debugging; ③ Requires maintaining a fake-ip-filter exclusion list (NTP servers, LAN discovery protocols).

How to verify DoH/DoT is working?

① Use our DNS Leak Test tool; ② Check Cloudflare's https://1.1.1.1/help page — look for "Using DNS over HTTPS: Yes"; ③ Test with dig: dig @1.1.1.1 example.com +https (requires dig 9.18+).

Why am I still getting DNS poisoning with DoH?

Possible causes: ① Bootstrap DNS uses poisoned Plain DNS to resolve the DoH server domain — use IP address as bootstrap instead; ② Other apps bypass proxy and send DNS directly — enable TUN mode to capture all traffic; ③ IPv6 DNS isn't covered by proxy — disable IPv6 or configure IPv6 DNS in proxy.

iptables vs TUN mode — which is better?

TUN mode is simpler, cross-platform (Windows/macOS/Linux), proxy client handles routing automatically. iptables/TPROXY is more flexible and performant, but Linux-only and complex to configure. Routers/gateways: iptables. Personal devices: TUN.

What should enterprises do?

① Deploy Unbound + DoT as recursive resolver on gateway; ② Force all port 53 traffic through gateway DNS via iptables; ③ Internal domains → internal DNS, external → encrypted DNS (split-horizon); ④ Enable DNSSEC validation; ⑤ Log retention for compliance.

DNS加密完全指南