Install stubby, eg. on Debian:

  aptitude install stubby
Then activate several DNS servers in /etc/stubby/stubby.yml. A list of DNS-over-TLS servers can be found at https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Public+Resolvers. One server entry looks like this:

  # one entry of the upstream_recursive_servers list
  - address_data: 18.104.22.168
    tls_port: 443
    tls_pubkey_pinset:
      - digest: "sha256"
        value: WaG0kHUS5N/ny0labz85HZg+v+f0b/UQ73IZjFep0nM=
It is good to set up some servers that listen on port 443 and others on port 853, so as to be resilient if you are on a network with blocked ports. You can also blend IPv4 and IPv6 addresses.

Next, activate round-robin, so that your DNS requests are spread over different servers, via:

  # Instructs stubby to distribute queries across all available name servers.
  round_robin_upstreams: 1
This is not pure randomization, but it is satisfactory enough. There is a feature request for pure randomization on the stubby repository, see https://github.com/getdnsapi/stubby/issues/95.
Install unbound, eg. on Debian:

  aptitude install unbound

Configure it through /etc/unbound/unbound.conf.d/forward.conf. A list of DNS-over-TLS servers can be found at https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Public+Resolvers.

  server:
    rrset-roundrobin: yes

  forward-zone:
    name: "."
    forward-ssl-upstream: yes
    forward-addr: 22.214.171.124@443

Randomization is built in in unbound: "The fastest server (randomly picked within a so-called RTT band of 400 msec) is selected when a query has to be sent out" (source).
Configure your resolver /etc/resolv.conf so that it only contains:
If you have a laptop, note that your network manager may overwrite this configuration. This can be disabled, eg. in the NetworkManager configuration:

  [main]
  dns=none
  ... # rest of the config
Open questions

"Over time (days, weeks) any resolver you use (either in round robin or with a random distribution) will likely acquire enough information about an end user to profile that user because over time it will see the entire query profile (we are creatures of habit and tend to visit the same sites)." Sara Dickinson on Github
One solution to this would be to randomize, but deterministically: a random server only sees a slice of your traffic, but this slice always goes to the same server. For instance, all requests to domains starting with the letters "a-g" go to DNS server "foo" and all requests to domains starting with the letters "h-z" go to DNS server "bar".
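The deterministic split described above, as an added example that is not code from this page, stubby or unbound: it implements the first-letter rule and, as a generalization, a keyed-hash shard over the registrable domain, which keeps every subdomain of a site on the same resolver and spreads sites evenly. The server names, the key and the two-label domain reduction are assumptions.

```python
import hashlib
import hmac

# Constructed resolver names standing in for the DoT upstreams you configured.
SERVERS = ["foo", "bar"]


def registrable_domain(name: str) -> str:
    """Reduce a query name to its registrable domain so that every subdomain
    of a site lands on the same resolver (www.example.com -> example.com).
    Assumption/simplification: keep the last two labels only; a real
    deployment should consult the Public Suffix List so that bbc.co.uk is
    not collapsed to co.uk."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def pick_by_letter(name: str, servers=SERVERS) -> str:
    """The page's rule: registrable domains starting with a-g go to the first
    server, everything else (h-z, digits, punycode) to the second."""
    first = registrable_domain(name)[0]
    return servers[0] if "a" <= first <= "g" else servers[1]


def pick_by_keyed_hash(name: str, key: bytes, servers=SERVERS) -> str:
    """Generalization: shard on an HMAC-SHA256 of the registrable domain with
    a local secret key. Still deterministic for this client, but balanced
    across servers, and a resolver cannot work out from its own slice which
    other domains share it without knowing the key."""
    tag = hmac.new(key, registrable_domain(name).encode(), hashlib.sha256).digest()
    return servers[int.from_bytes(tag[:8], "big") % len(servers)]


def shard_counts(names, picker, servers=SERVERS):
    """How many distinct registrable domains each resolver would see for a
    list of query names, given a picker function; useful to compare how
    evenly the two rules split a real query log."""
    assignment = {}
    for n in names:
        assignment.setdefault(registrable_domain(n), picker(n))
    counts = {s: 0 for s in servers}
    for s in assignment.values():
        counts[s] += 1
    return counts
```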
When you are behind a captive portal, you first have to manually set /etc/resolv.conf to get the IP of the registration portal, and, once registered, to revert to the normal configuration.