Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
Randomization + encryption of DNS requests


Install stubby, eg. on Debian aptitude install stubby

Then activate several DNS servers in /etc/stubby/stubby.yml. A list of DNS-over-TLS server can be found at

  - address_data:
    tls_port: 443
      - digest: "sha256"
        value: WaG0kHUS5N/ny0labz85HZg+v+f0b/UQ73IZjFep0nM=

It is good to set up some servers that listens on port 443 and others on port 853, so as to be resilient if you are on a network with blocked ports. You can also blend IPv4 and IPv6 addresses.

Next, activate round-robin, so that your DNS request are spread over different servers via:

# Instructs stubby to distribute queries across all available name servers. 
round_robin_upstreams: 1

This is not pure randomization but it is satisfactory enough. There is is feature request for pure randomization on the stubby repository, see


Install unbound, eg on Debian aptitude install unbound

Configure it through /etc/unbound/unbound.conf.d/forward.conf. A list of DNS-over-TLS server can be found at

server: rrset-roundrobin: yes

do-ip6: no

#verbosity: 3

forward-zone: name: "." forward-ssl-upstream: yes













forward-addr: Randomization is builtin in unbound: "The fastest server (randomly picked within a so-called RTT band of 400 msec) is selected when a query has to be sent out" source

Configure your resolver

Modify /etc/resolv.conf so that it only contains: nameserver

If you have a laptop, not' that your network manager may overwrite this configuration. This can be disabled, eg in NetworkManager (/etc/NetworkManager/NetworkManager.conf) via:

... # rest of the config

Open questions "Over time (days, weeks) any resolver you use (either in round robin or with a random distribution) will likely acquire enough information about an end user to profile that user because over time it will see the entire query profile (we are creatures of habit and tend to visit the same sites)." Sara Dickinson on Github

On solution to this would be to randomize but deterministically: a random server only sees a slice of your traffic, but this slice always goes to the same server. For instance, all requests to domains starting with letter "a-g" go to DNS server "foo" and all requests to domains starting with letter "h-z" go to DNS server "bar".


When you are behind a captive portal, you first have to manually set /etc/resolv.conf to get the IP of the registration portal, and, once registered, to revert to the normal configuration.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.