Emerald Onion runs a privacy-respecting DNS resolver offering modern, encrypted DNS protocols: DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH).
We have configured specific privacy controls:
- DoT and DoH use transport encryption to ensure that your ISP cannot see your DNS queries.
- IP connection data and metadata logging have been disabled completely. No IP logs are kept by Emerald Onion's edge or firewall.
- DNS query data and metadata logging have been disabled completely.
- A caching resolver offers inherent privacy: if another user requested the same DNS record before you and its validity time (TTL) has not expired, the resolver answers from cache and sends no further upstream request. This makes it harder for network adversaries to track individual users.
- QNAME minimization ensures that upstream DNS services are only sent the minimum amount of data necessary to perform DNS resolution.
Emerald Onion's software configurations are pulled directly from this GitHub repo, so users can validate for themselves that these privacy settings are enforced. This public DNS service is shared with Emerald Onion's Tor exit relays, meaning that Tor users' queries are blended with those of non-Tor users, further enhancing DNS privacy.
- From your device, download this DNS Profile in Safari
- iOS: Settings > General > Profiles > Emerald Onion DNS-over-HTTPS > Install
- macOS: Settings > Profiles > Emerald Onion DNS-over-HTTPS > Install
Android:
- Open Settings
- Network & internet > Advanced > Private DNS
- Choose "Private DNS provider hostname" and enter dns.emeraldonion.org
Firefox:
- Go to Preferences
- Type "DNS" in "Find in Preferences" at the top
- Click Network Settings
- Enable "DNS over HTTPS"
- Use provider "Custom" and enter https://dns.emeraldonion.org/dns-query
Chrome:
- Go to Settings
- Type "DNS" in "Search settings" at the top
- Click Security
- Enable "Use secure DNS"
- Select "Custom" and enter https://dns.emeraldonion.org/dns-query
If your system doesn't support DoT or DoH and you don't want to change your stub resolver, you can use our Docker image for dnsproxy, which supports both protocols.
- Create and start the container:
docker run -p 127.0.53.53:53:53/udp emeraldonion/docker-dnsproxy
- Point your system's DNS server setting at 127.0.53.53
Note that this command publishes only UDP port 53 on the loopback address 127.0.53.53; plaintext DNS never leaves your machine, and the proxy forwards queries upstream over the encrypted endpoints below.
Resolver endpoints:
- DNS over TLS: tls://dns.emeraldonion.org:853
- DNS over HTTPS: https://dns.emeraldonion.org:443
There is no single protocol that is strictly better than the others, but DoH (DNS over HTTPS) seems to be the one most of the industry is adopting.
Both protocols add a layer of transport security that protects DNS queries from surveillance. They differ only in the transport itself: DoT uses TLS directly, while DoH carries the message inside HTTPS. Both use the standard RFC 1035 DNS wire format. For more information on how DNS messages work over alternate transports, check out Cloudflare's 1.1.1.1 documentation. Note: our resolver does not support the JSON message format, only the wire format.
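As an added example (not code from the Emerald Onion repo or the dnsproxy project), the following Python shows what "wire format over an encrypted transport" means in practice: it builds an RFC 1035 query, wraps it the way DoH (RFC 8484: base64url in the `dns=` GET parameter, or raw bytes in a POST with Content-Type `application/dns-message`) and DoT (RFC 7858: a two-byte length prefix on the TLS stream to port 853) each carry it, and parses the A records out of a response. The response bytes are constructed inline so it runs offline; `DOH_URL` is the endpoint from this page, the function names are my own.

```python
import base64
import struct
DOH_URL = "https://dns.emeraldonion.org/dns-query"  # DoH endpoint named on this page

def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """RFC 1035 wire-format query, RD=1 AD=1; txid 0 keeps DoH GET URLs cacheable (RFC 8484)."""
    header = struct.pack("!HHHHHH", txid, 0x0120, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def doh_get_url(query: bytes, base: str = DOH_URL) -> str:
    """RFC 8484 GET form: base64url without padding in `dns=` (a POST sends the raw bytes instead)."""
    return base + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode()

def dot_frame(query: bytes) -> bytes:
    """RFC 7858 DoT framing: a 2-byte big-endian length precedes each message on the TLS stream."""
    return struct.pack("!H", len(query)) + query

def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a name; a 0xC0 compression pointer is 2 bytes long and ends the name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length
        if length == 0:
            return off

def parse_a_records(msg: bytes) -> list[str]:
    """IPv4 addresses from the answer section; raises if the resolver reported an error RCODE."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    if flags & 0x000F:
        raise ValueError(f"resolver returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return ips

# Constructed sample response (not captured from the resolver): example.org -> 192.0.2.1;
# flags 0x81A0 = QR, RD, RA, AD; the answer name is a 0xC00C pointer back to the question.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x81A0, 1, 1, 0, 0) + build_query("example.org")[12:]
                   + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
```

The same `parse_a_records` handles the body of a DoH response and a DoT message once its length prefix is stripped, because both are the identical wire format.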
Emerald Onion does not offer unencrypted DNS-over-UDP service, which would expose queries to eavesdropping and tampering.
Per the legal FAQ, Emerald Onion does not log network information. To report abuse, please contact Abuse.
Emerald Onion is 100% volunteer-run, and 100% of donations go to business administration and insurance, hardware, bandwidth, and co-location. Please consider becoming a monthly donor using GitHub Sponsors!
Other donation methods are available here: emeraldonion.org/donate
Emerald Onion is a U.S. 501(c)(3) nonprofit, tax ID #82-2009438. Contributions are tax deductible as allowed by law.