DNS Privacy Stack — Fundamentals
DNS Fundamentals¶
What is DNS and Why Does It Matter for Privacy?¶
Every time you visit a website, your device asks a DNS resolver to translate the domain name (e.g., google.com) into an IP address (e.g., 142.251.220.206). By default, these queries are sent in plaintext to your ISP's DNS servers. This means:
- Your ISP sees every domain you visit
- Your ISP can hijack queries and redirect them to its own resolver (transparent interception of all port 53 traffic is common with ISPs in parts of Asia and South America)
- Your ISP can inject ads or block domains at the DNS level
- Anyone on the network path can sniff your DNS traffic
A private DNS stack removes the ISP from this picture: queries leave your network only inside TLS, so the ISP and anyone else on the path can neither read nor tamper with them. Two caveats remain: the upstream resolver you choose still sees every query (which is why the choice of upstream matters), and the ISP still sees the IP addresses you connect to afterwards and, for most TLS connections, the server name in the unencrypted ClientHello (SNI).
The Components¶
AdGuard Home — DNS Filter and Ad Blocker¶
AdGuard Home is a network-wide DNS sinkhole that blocks ads, trackers, and malicious domains at the DNS level. It sits at the front of the stack, receiving all DNS queries from your network.
What it does:
- Blocks ads and trackers using community-maintained blocklists
- Provides a web UI for monitoring DNS queries and managing rules
- Supports DNS rewrites (e.g., `*.example.com` -> `<YOUR_SERVER_IP>`)
- Handles client access control and rate limiting
- Caches responses at the application layer
What it does NOT do in this stack:
- It does not encrypt queries to the upstream resolvers. AdGuard Home can speak DoT/DoH to upstreams on its own, but here its only upstream is Unbound on the local network, and Unbound does the encryption
- It does not do recursive resolution
- It is not a caching-only resolver (its cache is supplementary to Unbound's)
Unbound — Caching DNS Forwarder with Encryption¶
Unbound is a validating, recursive, caching DNS resolver. In this stack, we use it as a caching forwarder with DNS-over-TLS rather than a recursive resolver (see 05-troubleshooting for why).
What it does:
- Forwards queries over encrypted TLS connections (port 853) to privacy-respecting upstream resolvers
- Caches responses aggressively, deduplicating the same lookups from 100+ Docker containers
- Serves a stale (expired) cached answer instantly when upstream is slow, then refreshes it in the background (critical for real-time apps)
- Validates DNSSEC signatures
- Handles local domain forwarding (`.lan`, `.ts.net` stay on the LAN)
Upstream Resolvers — Mullvad and Quad9¶
These are the external DNS providers that actually resolve domain names. We chose them for privacy:
The TLS auth name is the hostname Unbound checks the server certificate against (`forward-addr: <IP>@853#<auth name>`); without it the connection is encrypted but the server is not authenticated.

| Provider | IP | Port | TLS auth name | Logging | Jurisdiction | Notes |
|---|---|---|---|---|---|---|
| Mullvad DNS | 194.242.2.2 | 853 (DoT) | dns.mullvad.net | No logs | Sweden | Also offers an ad-blocking variant |
| Mullvad DNS (adblock) | 194.242.2.3 | 853 (DoT) | adblock.dns.mullvad.net | No logs | Sweden | Blocks ads + trackers at resolver level |
| Quad9 | 9.9.9.9 | 853 (DoT) | dns.quad9.net | No client IP logging | Switzerland | Non-profit, malicious-domain blocking |
| Quad9 (secondary) | 149.112.112.112 | 853 (DoT) | dns.quad9.net | No client IP logging | Switzerland | Second anycast address for redundancy |
Recursive vs Forwarding — Why We Forward¶
Unbound can operate in two modes:
Recursive Mode (Not Used)¶
Client → AdGuard → Unbound → Root Servers → TLD Servers → Authoritative Servers
In recursive mode, Unbound talks directly to the DNS hierarchy: root servers, then TLD servers (.com, .net), then authoritative servers. No single third party sees all your queries, but every hop is plain port 53 UDP/TCP, so anyone on the path (the ISP included) can still read them; QNAME minimisation limits what each server learns but does not hide the traffic.
Why we don't use it: ISPs that transparently hijack DNS intercept all port 53 traffic and redirect it to their own resolver. A recursive resolver sends iterative queries (RD=0) to the root, TLD and authoritative servers, and the ISP's interception proxy does not handle those correctly, so every lookup times out. See ISP DNS Hijacking for the full diagnosis.
Forwarding Mode with DoT (What We Use)¶
Client → AdGuard → Unbound --[TLS]--> Mullvad/Quad9 (port 853)
In forwarding mode, Unbound sends queries over an encrypted TLS connection to trusted resolvers on port 853. The ISP's interception applies only to port 53, and it cannot silently impersonate the upstream on 853 because Unbound verifies the server certificate against the configured auth name (a proxy presenting its own certificate fails the handshake, which surfaces as SERVFAIL rather than a forged answer). The ISP can still block port 853 outright, and the TLS encryption means it cannot read the query content even if it intercepts the connection.
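The forwarding path above as an Unbound configuration fragment. This is an added example, not configuration taken from this page or from the Unbound or AdGuard Home projects; the listening port 5335, the Docker bridge range, the LAN resolver 192.168.1.1 for `.lan` and the CA bundle path are assumptions to adjust for your setup, while 100.100.100.100 is Tailscale's MagicDNS address for `.ts.net`. The commented-out last line shows the weak form of the same upstream setting.

```conf
server:
    interface: 0.0.0.0
    port: 5335                           # assumption: AdGuard Home forwards to 127.0.0.1:5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    # Least privilege: only loopback and the Docker bridge may query this resolver.
    access-control: 127.0.0.0/8 allow
    access-control: 172.16.0.0/12 allow  # assumption: Docker bridge networks

    # CA bundle used to verify upstream DoT certificates (Debian/Ubuntu path; adjust).
    # Without it the #authname on each forward-addr cannot be checked and the
    # session is encrypted but not authenticated.
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

    # DNSSEC validation; root.key is maintained by unbound-anchor.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    qname-minimisation: yes

    # Caching behaviour from the Unbound "What it does" list above.
    prefetch: yes                        # refresh popular names before their TTL expires
    serve-expired: yes                   # hand back a stale answer while refreshing
    serve-expired-ttl: 86400             # seconds past expiry a stale answer may still be served
    serve-expired-client-timeout: 1800   # ms to wait for upstream before answering stale
    msg-cache-size: 64m
    rrset-cache-size: 128m

    # Local zones are unsigned: tell the validator not to expect DNSSEC there,
    # and allow RFC 1918 answers for .lan if private-address rebind protection is on.
    domain-insecure: "lan"
    domain-insecure: "ts.net"
    private-domain: "lan"

forward-zone:                            # .lan stays on the LAN
    name: "lan"
    forward-addr: 192.168.1.1            # assumption: the router or local DNS server

forward-zone:                            # .ts.net goes to Tailscale MagicDNS
    name: "ts.net"
    forward-addr: 100.100.100.100

forward-zone:                            # everything else: DoT to the upstreams in the table
    name: "."
    forward-tls-upstream: yes
    forward-addr: 194.242.2.2@853#dns.mullvad.net
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
    # Weak form (do not use): same port, same TLS, but no auth name, so an
    # on-path proxy presenting any certificate would be accepted.
    # forward-addr: 9.9.9.9@853
```

Run `unbound-checkconf` on the file before reloading; if the CA bundle path is wrong the check passes but every forwarded query fails with SERVFAIL, which is the symptom to look for in the AdGuard Home query log.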
DNS-over-TLS (DoT) Explained¶
DNS-over-TLS wraps standard DNS queries inside a TLS tunnel, similar to how HTTPS encrypts web traffic.
| Protocol | Port | Encrypted | ISP Can Read | ISP Can Hijack |
|---|---|---|---|---|
| Plain DNS | 53 (UDP/TCP) | No | Yes | Yes (silently redirected to its own resolver) |
| DNS-over-TLS | 853 (TCP) | Yes | No | No (server certificate is verified; the ISP can only block port 853) |
| DNS-over-HTTPS | 443 (TCP) | Yes | No | No (same certificate verification; blends with ordinary HTTPS, so harder to block selectively) |
We use DoT because Unbound supports it natively: `forward-tls-upstream: yes` in the forward zone, plus `tls-cert-bundle` in the server section so the upstream certificate is actually verified. No additional software is needed.
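What Unbound does on the wire when it forwards over DoT, as a minimal client written for this page (added example, not Unbound or AdGuard Home code, and not a substitute for either). It builds an ordinary DNS query, adds the 2-byte length prefix that DNS uses over TCP and therefore over TLS (RFC 1035 section 4.2.2, RFC 7858), and opens a TLS session that verifies the resolver's certificate against the auth name from the table above. The `verify=False` path is the weak setting: encrypted, but any certificate is accepted, which is exactly the gap an interception proxy needs. The server address and auth name in `__main__` are Quad9's from the table; everything else is self-contained.

```python
"""Minimal DNS-over-TLS client (added example for this page, not project code)."""
import socket
import ssl
import struct

TYPE_A = 1
CLASS_IN = 1
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}


def build_query(name: str, qid: int = 0x1234, rd: bool = True) -> bytes:
    """Encode a one-question A query. rd=False produces the RD=0 iterative query
    a recursive resolver sends to root/TLD servers; rd=True is a stub query."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", TYPE_A, CLASS_IN)


def frame(msg: bytes) -> bytes:
    """DNS over TCP/TLS is a byte stream, so every message carries a 16-bit
    big-endian length prefix; UDP DNS sends the bare message instead."""
    return struct.pack("!H", len(msg)) + msg


def _skip_name(msg: bytes, pos: int) -> int:
    """Advance past a (possibly compressed) domain name."""
    while True:
        length = msg[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return pos + 2
        pos += 1 + length


def parse_answer(msg: bytes) -> dict:
    """Return the transaction id, the rcode name and any A-record addresses."""
    qid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    pos = 12
    for _ in range(qdcount):           # question: name + QTYPE + QCLASS
        pos = _skip_name(msg, pos) + 4
    addrs = []
    for _ in range(ancount):           # answer RR: name, type, class, ttl, rdlen, rdata
        pos = _skip_name(msg, pos)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        rdata = msg[pos:pos + rdlen]
        pos += rdlen
        if rtype == TYPE_A and rclass == CLASS_IN and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return {"id": qid, "rcode": RCODE_NAMES.get(rcode, str(rcode)), "a": addrs}


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("upstream closed the TLS stream mid-message")
        buf += chunk
    return buf


def dot_query(name: str, server_ip: str, auth_name: str, verify: bool = True) -> dict:
    """Send one query over DoT (port 853). With verify=True the certificate must
    chain to the system CA store and match auth_name, so an ISP proxy that
    intercepts the connection fails the handshake (ssl.SSLCertVerificationError)
    instead of answering with its own data. verify=False is the weak setting:
    still encrypted, but any certificate is accepted."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((server_ip, 853), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=auth_name) as tls:
            tls.sendall(frame(build_query(name)))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return parse_answer(_recv_exact(tls, length))


if __name__ == "__main__":
    # Live lookup against Quad9 using the address and auth name from the table above.
    print(dot_query("example.com", "9.9.9.9", "dns.quad9.net"))
```

Running it behind an ISP that intercepts port 853 with its own certificate raises `ssl.SSLCertVerificationError` from `dot_query`; that is the client-side view of the SERVFAIL Unbound reports in the same situation, and `verify=False` would hide it.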
Key Terminology¶
| Term | Meaning |
|---|---|
| Upstream | The DNS server that receives forwarded queries (Mullvad, Quad9) |
| Downstream | Clients sending queries to your DNS (laptops, phones, containers) |
| DNSSEC | Cryptographic signing of DNS records to prevent tampering |
| EDNS | Extension mechanisms for DNS (EDNS(0)) — allows larger UDP responses and options such as client subnet (ECS) hints |
| TTL | Time-to-live — how long a DNS answer can be cached before re-querying |
| SERVFAIL | DNS error meaning the resolver couldn't produce an answer, e.g. upstream unreachable, TLS verification failed, or DNSSEC validation failed |
| NXDOMAIN | DNS response meaning the domain does not exist |
| Sinkhole | Blocking a domain by answering with NXDOMAIN, REFUSED, or an unroutable address such as 0.0.0.0 instead of the real record (what AdGuard Home does) |
| Prefetch | Re-querying domains before their cache entry expires |
| Serve-expired | Returning a stale cached answer immediately while refreshing in background |
Next: 02-architecture