DNSBunker

Apple Device Setup

Deploy mobile configuration for iOS/macOS securely:

Deploy Config Profile

Scan to Configure:

Encrypted Protocols

DoH & DoH3: https://dnsbunker.org/dns-query

DoT & QUIC: dnsbunker.org

How to Use on Your Device

Android (9+):
Go to Settings > Network & Internet > Advanced > Private DNS
Set the hostname to: dnsbunker.org
Uses DNS over TLS (DoT)

Windows:
Use a tool like YogaDNS to configure encrypted DNS.
DoH endpoint: https://dnsbunker.org/dns-query
Supports DoH, DoH3, DoT, and DoQ

Linux:
Configure using tools like systemd-resolvedstubbydnscrypt-proxy
Supports DoH, DoT, and DoQ

iOS (14+):
Install a DNS configuration profile (see top of this page).
Compatible with DoH

Routers (e.g., OpenWRT, pfSense):
Set the upstream DNS resolver:
DoT: dnsbunker.org
DoH: https://dnsbunker.org/dns-query
Works with Stubby, Unbound, dnsmasq-full, etc.

DNS Leak Protection

Why it matters:
A DNS leak can expose your DNS traffic to your ISP or third parties, even if you're using an encrypted resolver.

How to check:
Use one of these free tools to confirm that all DNS queries are going through DNSBunker:

DNSBunker IP to expect:
152.53.144.65

Tip:
If you see any other IPs in the test results, your device or network might be leaking DNS through fallback resolvers or your ISP.

Filter Intelligence

Only following Hagezi Lists are in use:

Did you encounter breakage? Does something not work? Or did you find something which should be blocked?

Please report any issues to Hagezi's repository! Click to report

Privacy & DNS Behavior

EDNS Client Subnet (ECS): Disabled

QNAME Minimization: Enabled

QNAME Randomization: Enabled

Recursion to 3rd Party Resolvers: Disabled

DNSSEC Validation: Enabled

Standard DNS (Port 53): Disabled

ANY Requests: Dropped (for performance & privacy)

Security, Filtering & Blocking

Content Filtering: Blocks ads, trackers, and malware only

Block TTL: 3600 seconds

Original TTL: Untouched for allowed domains

DNS Rebinding Protection: Blocks private and reserved IP responses

Censorship Policy: Everything else is uncensored

Limitations: Cannot bypass ISP-level routing or geo-blocks (not a VPN replacement)

Special Domain Handling

Google Pre-caching Domains: Returned as NXDOMAIN

Apple Private Relay Domains: Returned as NXDOMAIN

Mozilla DoH Canary Domain: Returned as NXDOMAIN

Purpose: Prevents DNS leakage and unnecessary third-party lookups

Infrastructure & Compliance

No Logging: GDPR-compliant, no user data retained

Location: Berlin, Germany

Redundancy: High availability with automatic failover

About Me and DNSBunker.org

Hi, I'm xRuffKez — a privacy advocate and someone who works mostly behind the scenes on the Hagezi Blocklist Project. With DNSBunker.org, my goal is to offer a free and privacy-respecting public DNS service that blocks ads, tracking, malware, scam sites, and fake shops — all powered by Hagezi's blocklists and additional lists I maintain.

I contribute to the community by creating and maintaining NRD (Newly Registered Domains) and NRD DGA (Domain Generation Algorithm) blocklists. These are designed to block malicious domains right from their creation — a critical step in stopping malware and phishing campaigns early.

I believe that online ads have evolved into a real threat to users. They are not only annoying, but often used as vectors for malware (malvertising) and invasive tracking. The internet should be a place where users are safe and in control — not constantly monitored and targeted.

My project does not censor the internet like some ISPs or institutions do — for example, via lists like the German CUII list. I strongly oppose such forms of censorship as they can violate the fundamental right to freedom of expression. DNSBunker.org is about protection — not suppression.

This project is completely non-commercial and run out of passion for helping others. I don't track users, I don’t sell data — I just want to provide a simple, fast, and secure DNS experience for everyone.

Thank you for trusting DNSBunker.org.