Ad-free. Private. Secure.
DNSBunker is a high-availability, hardened DNS resolver specifically engineered to safeguard your digital sovereignty. Experience a cleaner web through intelligent ad-blocking, integrated malware protection, and a strict zero-log policy by design.
DNS over HTTPS (DoH & DoH3 / ECH)
Ideal for modern browsers and mobile devices. These protocols use an encrypted tunnel that blends seamlessly into standard HTTPS web traffic, making it harder to block or throttle.
https://dnsbunker.org/dns-query
h3://dnsbunker.org/dns-query
Next-Gen Protocols (DoT & DoQ)
Leverage DNS over TLS for robust system-wide encryption or DNS over QUIC for the fastest and most resilient connection technology available today.
dnsbunker.org
quic://dnsbunker.org
DNS Stamps for Automated Configuration
These encrypted "Stamps" contain all the necessary metadata to connect supported tools to DNSBunker fully automatically.
sdns://AgMAAAAAAAAADjE1Mi41My4yMDcuMTkxAA1kbnNidW5rZXIub3JnCi9kbnMtcXVlcnk
sdns://AwMAAAAAAAAADjE1Mi41My4yMDcuMTkxAA1kbnNidW5rZXIub3Jn
sdns://BAMAAAAAAAAADjE1Mi41My4yMDcuMTkxAA1kbnNidW5rZXIub3Jn
sdns://AgMAAAAAAAAADjE1Mi41My4yMDcuMTkxIO-he8l8HdH_IX6rPT7pDvub_-YiI72AyhjaH5cc7ioAEWRuc2J1bmtlci5vcmc6NDQzCi9kbnMtcXVlcnk
IP Addresses
Unencrypted DNS over 53 (Legacy) is NOT supported!
152.53.207.191
2a00:11c0:5f:362c::
TLS Public Key (SPKI)
Current SPKI fingerprint of our encrypted DNS service (DoH / DoT). Published for transparency and optional client-side pinning.
Algorithm: sha256 (Base64)
sha256/76F7yXwd0f8hfqs9PukO+5v/5iIjvYDKGNoflxzuKgA=
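The stamps and the SPKI fingerprint published above can be checked against each other. A stamp is a base64url-encoded binary record (protocol byte, property flags, then length-prefixed address, pinned hashes, host name and, for DoH, path); this added example, which is not DNSBunker's own code, decodes the fourth stamp listed above and compares its pinned hash with the published fingerprint. The function names are this example's own, and the field layout follows the public DNS Stamps specification.

```python
import base64

# Both values are copied from this page; the helper names are this example's own.
STAMP = "sdns://AgMAAAAAAAAADjE1Mi41My4yMDcuMTkxIO-he8l8HdH_IX6rPT7pDvub_-YiI72AyhjaH5cc7ioAEWRuc2J1bmtlci5vcmc6NDQzCi9kbnMtcXVlcnk"
PUBLISHED_PIN = "sha256/76F7yXwd0f8hfqs9PukO+5v/5iIjvYDKGNoflxzuKgA="

PROTOCOLS = {0x02: "DoH", 0x03: "DoT", 0x04: "DoQ"}
PROPS = {1: "dnssec", 2: "nolog", 4: "nofilter"}  # informal flags set by the operator


def _lp(buf, pos, set_item=False):
    """Read one length-prefixed field -> (data, next_pos, more_items_follow)."""
    if pos >= len(buf):
        raise ValueError("truncated stamp")
    # Inside a set, the high bit of the length byte means another item follows.
    size = buf[pos] & 0x7F if set_item else buf[pos]
    end = pos + 1 + size
    if end > len(buf):
        raise ValueError("truncated stamp")
    return buf[pos + 1:end], end, set_item and bool(buf[pos] & 0x80)


def decode_stamp(stamp):
    if not stamp.startswith("sdns://"):
        raise ValueError("not a DNS stamp")
    body = stamp[len("sdns://"):]
    raw = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
    if len(raw) < 9 or raw[0] not in PROTOCOLS:
        raise ValueError("unsupported or truncated stamp")
    flags = int.from_bytes(raw[1:9], "little")
    addr, pos, _ = _lp(raw, 9)
    hashes, more = [], True
    while more:  # set of pinned hashes; a single empty item means "none"
        item, pos, more = _lp(raw, pos, set_item=True)
        if item:
            hashes.append(item)
    host, pos, _ = _lp(raw, pos)
    path = _lp(raw, pos)[0] if raw[0] == 0x02 else b""  # only DoH carries a path
    return {"protocol": PROTOCOLS[raw[0]], "address": addr.decode(),
            "props": [name for bit, name in PROPS.items() if flags & bit],
            "hashes": hashes, "hostname": host.decode(), "path": path.decode()}


def pin_matches(stamp, pin):
    """True if the stamp pins exactly the hash published as sha256/<base64>."""
    algo, _, b64 = pin.partition("/")
    return algo == "sha256" and decode_stamp(stamp)["hashes"] == [base64.b64decode(b64)]


if __name__ == "__main__":
    print(decode_stamp(STAMP))
    print("stamp hash equals published pin:", pin_matches(STAMP, PUBLISHED_PIN))
```

Decoding a stamp before importing it shows which address, host name and pinned hash a client will be configured with.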
Device Configuration Guide
Setting up DNSBunker is straightforward. Select your operating system below to enhance your network security instantly.
Navigate to Settings > Network & Internet > Private DNS. Enter our hostname there to enable system-wide encryption for all your apps.
dnsbunker.org
Windows 11 supports DoH natively. For older versions or advanced features, we highly recommend using YogaDNS for easy setup.
DoH URL: https://dnsbunker.org/dns-query
Install our encrypted configuration profile to ensure your DNS queries never leave your device unencrypted.
Download Config Profile
Create Custom Profile
Advanced Security & Strict Validation
DNSBunker employs uncompromising security mechanisms to protect you from modern threats like data manipulation and local network attacks.
We strictly enforce DNSSEC verification. This guarantees that the DNS responses you receive are authentic and haven't been tampered with. Domains with a broken signature chain are rejected as REFUSED to protect the user.
To guard against "DNS Rebinding" attacks, our server filters responses that point to private IP ranges. If a public domain attempts to redirect to your local home network, the request is automatically REFUSED.
Advertisements, trackers, and malicious domains are neutralized at the source. Our resolver responds with NXDOMAIN in these cases, stopping the connection before any data is even transferred.
Filter Intelligence & Community
Our blocklists are powered by high-quality sources and updated every 10 minutes to ensure protection against the latest online threats.
Is a website not loading correctly, or have you found an unblocked ad domain?
Your feedback improves the filters for the entire community.
Report an Issue on GitHub
Is DNSBunker too strict for your purpose?
Check out Hagezi DNS Resolvers, which also apply strict privacy- and security-focused policies!
Infrastructure & Privacy
We do not store your IP address or your browsing history. DNSBunker is fully GDPR-compliant and designed for maximum anonymity.
Our servers in Nuremberg operate under the world's strictest data protection laws and offer excellent performance across Europe.
ECS is ignored to keep your location private. QNAME Minimization ensures that only the minimum necessary information is shared with upstream servers.
Special Domain Policies
Certain services are intentionally disabled (NXDOMAIN) to prevent tracking and maintain control over your system behavior:
Configuration Transparency
DNSBunker publishes sanitized and cryptographically signed configuration files to provide operational transparency while protecting sensitive infrastructure details.
Digital Sovereignty
Self-hosting your own DNS stack is ALWAYS better for your digital security and privacy!
Please consider using AdGuard Home or Pi-hole with Unbound!
Protect your data and support the movement for an independent web.