DNS Resolver / Server

  DNS Resolver / Server [wiki:doc/DnsResolver] article & project, and all other articles & projects under this page/article are non-offical articles & non-official projects. Author(s) of these articles & projects is(/are) not affiliated with The Tor developers are not responsible for these articles or projects. Also see Disclaimer for more information. DnsResolver (related) project(s) here, are produced independently from the Tor® anonymity software and carries no guarantee no warranty from 'The Tor Project' about quality, suitability or anything else.

( Notes for Editors Only: (non-Editor Readers, please goto next paragraph): Editors, in this article (and articles under it) you must use such words which make sense to people (if necessary, explain in different style, way and/or words, even multiple different ways), these articles are for people from different discipline and background. This is not an Academic or Research article, nor it is a Technical or Manual document. Must keep it useful for practical purpose (for what a regular user *see* on their computer screen, and what a regular user can *use* practically by following guidelines from this page). Explain in simple words, which practical command-line(s) or step(s) can be applied, and also add info on what it does and why is it necessary for Anonymity (2) (3) (4) and Privacy (6) (7) (8). Even if one portion appears to be unnecessary, to you, but remember it may be necessary for another type of person to understand, so please do not remove, do not modify any sections. This page is not intended for only one type of users. You are welcome to create a short sub-paragraph under any paragraph, and explain in a different language or style. You are welcome to create a new page NOT UNDER this article or project, outside, and place a link here, and in that new page explain the same matter or new matter with a different language or whatever style you choose to be. Do not copy text directly, write in your own style & language. Put technical words inside "Acronyms" section, and explain+mention what it means (please make it easy for regular user to understand), then use a common, general, non-technical, synonym or simple word(s) in article which make(s) sense to general or regular level users, and add URL and/or reference link to that technical term inside acronym section. If you are not following these guidelines, I will remove your additions, you are welcome to start your own pages with your own content. If you are not able to write with simple+easy (non-technical) words, then DO NOT edit. Thanks. )

This article & all articles under this, This project & all projects under this, are written & developed by Bry8Star. Copyright (C) 2012 Bry8Star.

(Start reading from here)
We want to reach, communicate, view, exchange any content with any server (Internet destinations), where ever we want to, without anyone blocking it, without any filtering or censoring, without any altering or hampering, without any monitoring or tracking (unless a very justified or appropriate or in-avoidable situation or reason exist for an elected+consented known public entity) and/or without any redirecting in middle.

  • Use or apply below solutions (like, How To Use 3rd Party DNS Server and Configure, or, How To Configure existing DNS server or resolver further, or, How To Use All TLDs from All Root DNS or TLD Service provider entities, etc) on such areas: on Tor Exit Nodes, on any Server or Gateway computers, on any computers which is running any Server software, and, on your own end-user computers.

Pre-Requisite Knowledge

Please read through all mentioned articles for your own better understanding. If you are only interested at this point to get a practical or real solution, then you may skip this section, goto DNS Server or DNS Resolver sections.

  • Please read or view the webpage or the section located here (it's inside TorFAQ page), and see below DNS section (in this page) for understanding what is DNS, etc in a regular or general level.
  • You should view & read TorifyHowTo to understand Tor and related common terms, conceptions, ideas, issues, etc.
  • You should also checkout DNS (Wikipedia), DNS Hijacking (Wikipedia), DNS spoofing/cache poisoning (Wikipedia), Proxy (Torproject), Proxy/Server (Wikipedia), SOCKS (protocol) (Wikipedia), Alternative DNS Root (Wikipedia), etc.
  • Various apps & tools to help Torification process and to help increase Anonymity, Privacy(2), Security(2), etc for public & end-users like you and me, are mentioned in SupportPrograms webpage.
  • To understand various types of DNS Server & Resolver, please view & read Nameserver (Wikipedia). To understand DNSSEC, please first read DNSSEC short section (in this page) and then also visit DNSSEC (Wikipedia). And also see EDNS (Wikipedia). DNSSEC system and mechanism provide ways & means to obtain very accurate information on Internet server(s) for a domain-name, so that we can connect with correct destination to view webpage(s), or to exchange (send or receive) email(s) etc Internet or web based services & activities.
  • Also checkout pages mentioned at bottom side of this page, about other DNS articles.
  • Mainstream DNS, Root zone, TLDs, SLDs, IDN-TLDs Controllers, Operators, Managers: ccTLDs (two letters based, around 250 country code TLDs) are governed by IANA, gTLDs (generic TLDs, around 21 TLDs) are governed by ICANN. ICANN governs the name and number systems of the Internet. Root KSK (Key Signing Key) is managed by ICANN to provide for verification of the DNSSEC-signed root zone. IANA is responsible for management of the DNS root zone, ".int" & ".arpa" TLDs, 39 IDN TLDs, 11 test IDN TLDs. IANA is responsible for coordinating the Internet's globally unique identifiers, and is operated by the ICANN. IANA assigns and keeps authoritative "Operator"/"Manager" list for over 250 ccTLDs, and over 40 IDN TLDs. ICANN (& IANA) assigns & keeps authoritative list(1) of "Operator" (also known as: "Sponsor", "Registry", "Maintainer", "Delegation") for around 21 gTLDs: VeriSign (USA) (.com, .net, .name), SITA (USA) (.aero), NeuStar (USA) (.biz), Public Interest Registry (PIR) (USA) (.org), DotCooperation (USA) (.coop), EDUCAUSE (USA) (.edu), Afilias Ltd (Iraland) (.info), Employ Media LLC (USA) (.jobs), Fundació puntCAT (Spain) (.cat), Universal Postal Union (Switzerland) (.post), Registry Services Corp (USA) (.pro), Tralliance Reg Mngmt Co (USA) (.travel), DotAsia Org (Hong Kong) (.asia), Telnic (UK) (.tel), MDI (.museum), ICM reg (USA) (.xxx), US GSA (.gov), IANA (USA) (.int), US DoD (.mil), etc. Root-zone has 13 named authority root servers (actually these are combination of hundreds of networked servers located globally around the world) are managed by 12 entities: VeriSign(1) (USA), USC-ISI (USA), Cogent Comm (USA, Spain, Germany), ISC (USA), Univ of Maryland (UMD) (USA), NASA-ARC (USA), US DoD-NIC, RIPE (Netherlands), ICANN, WIDE (Japan), Netnod (Autonomica) (Sweden), US Army (ARL). So far there are around 39 IDN TLDs + 11 test IDNs which IANA controlling & testing (along with 255 ccTLDs). IANA TLD list: 1, 2. The ICANN-accreditation only applies for gTLDs, ICANN accredited registrar list: 1. There are other Registrar(s) inside each ccTLD. Also see this for other TLD-Providers.
  • Most ISPs ("Internet Service Provider", a company which gives you their (broadband) modem or access, to connect with Internet), usually provides you their recursive DNS-server's IP-address, and, not all, but, many (ISP) still using non-validating (non-DNSSEC) DNS servers. See this for more info.
  • And not all, but, most mainstream Operating Systems include/use 'stub resolver' type of non-validating (non-DNSSEC) DNS resolver (or DNS client) by default. Most Microsoft Windows uses 'stub resolver' , and Windows Server 2008 R2 and Windows 7 in particular, uses a non-validating but (partially) DNSSEC-aware stub resolver.
  • IPv6 supported DNS Registrars status: list. IPv6 support & comparison of OS: 1.
  • Alternative of installing or loading or using your own local DNS-Server or DNS-Resolver software, is to use, any public DNS-servers which are listed in Public DNS Servers page. Find servers which does not censor, filter or block, and supports DNSSEC, then such DNS-Servers will be a closest alternative or replacement which can be used, instead of using your own local DNS server/resolver.
  • Identity correlation through (Tor) circuit sharing is possible, if DNS queries for your Tor (Anonymity & Privacy related) usage and non-Tor (Private, Personal related) usage, both passes through common circuit.

DNS (short/brief info)

DNS (Domain Name System) is a way to find IP-address of different types of Internet web servers which are directly related or kept-under or used-by a specific domain-name. Kind of like finding a Phone-number of a Company, from a Telephone-Directory book. (Where, a phone number is similar to a IP-address, and a company-name is similar to a domain-name). DNS is used not only for finding IP-address, it also allows to find & obtain other data (DNS-Records) used by a domain-name or a host-name. DNS uses various system(s) & mechanism(s), where the highest, last level is "root-zone" or "root" server. DNS resolving process starts from this "level" (can also be called as "zone"). The "root-zone" or "root" server actually is a combination of 13 groups of DNS servers located globally around the world, these are often called "13 named root servers" as well. Each of this named root-server is actually a combination of hundreds of networked server computers located in different areas and interlinked with each-other. These servers are always answering back when DNS related questions are asked. "Root-zone" servers keep list of those 13 named root-servers in a "root.hints" file. Various software component related to DNS, always keeps or obtains that "root.hints" file. Root-servers also keep a "root-zone" file, which contains list (database) of IP-address of all TLD (gTLDs, ccTLDs, IDN TLDs, etc) operator's (or maintainer's or manager's) nameservers (DNS-servers), located in different areas. TLDs means, Top Level Domains, for example: the ".org" word or portion, is a TLD of the "" domain-name. TLD maintainers are (for example: the ".org" TLD maintainer is "PIR", the ".com" TLD maintainer is "VeriSign") selected by ICANN & IANA organizations. You can very easily create your own TLD almost for free, for example, you can create ".MyName" TLD, and then create your own free website at "home.MyName" or at "www.home.MyName" etc. If you are using your own custom TLD, only then your DNS-server can be treated or called as TLD level DNS-server, and you have turned into a TLD-provider. Next level of DNS-servers under TLD level are SLD level DNS-servers. SLDs means Second Level Domains, for example: the "wikipedia" word or portion, is a SLD of "" domain-name. Various "Registrar" entities & companies maintains SLD level nameservers (DNS-servers). And 3rd Level of DNS-Servers are from various Hosting Service Providers (HSP) and Data-Centers, who holds sub-contracts with SLD ("Registrar") level DNS-servers. If you are operating your own nameserver(s) (for example: "ns1" & "ns2") for your own domain-name (for example: ""), then your own DNS-server ("", "") can also be treated or called as 3rd Level DNS-servers. And this mechanism & process goes on for all next domain levels. DNS-servers keep list (data-base) in a DNS RR (resource records) format (also commonly known as "DNS-record"), associated with each domain-name (or SLD or TLD), host- or node-names, IP-addresses, DNSSEC records, etc. DNS-servers use 'SOA', 'NS', etc DNS RR for each domain-name, TLD, SLD, etc, which help to find the exact 'NS' nameserver which has further related RR (resource records) for a given domain-name, TLD, SLD, hostname, etc. Few RR example: the 'A', 'AAAA' RR shows IP-address of a hostname or nodename, email-server uses 'MX' RR, the 'CNAME" RR is used to create alternative name for a same hostname or nodename, hostnames which has 'www' (at the left-most-side (LMS) on L-to-R written language, or, at the RMS on R-to-L written language) indicates that is a webpage related content server's hostname, a hostname with 'ftp' indicates a ftp server which keeps files, etc. Web-browser software resolves DNS like above, by using a DNS-client sofwtare component on your or on that computer, and finds the IP-address, then by default connects on port 80 using HTTP protocol and obtains webpages to show on the web-browser's screen, (it happens when we type or click on a URL, link or domain-name). DNS communication process uses UDP on port 53 with DNS-server by default, when a query and answer is less or equal to 512 bytes. DNS-client side can send query from any port, but, destination must be the DNS port of that DNS-Server, which is usually port 53, (and to bypass surveillance, spoofing & hajacking processes, a DNS-Server can use different port as well). DNS query & DNS answer can also be done over TCP connections/packets, and little bit more secure than using UDP, but uses more bytes & bandwidth. More info: DNS (Wikipedia).

DNSSEC (short/brief info)

DNSSEC means Domain Name System (DNS) Security Extensions. It works by digitally signing the DNS resource records(RR(2)) (like SOA, A, NS, MX, CNAME, AAAA, CERT, SPF, SRV, TXT, TLSA, etc) using PKI / PKC (public-key cryptography) methods, and then resulted (public-side portion of) codes are also stored back in DNS records (as DNSKEY, RRSIG, NSEC, NSEC3, NSEC3PARAM, DS, DLV, etc) so that others (who will use DNSSEC) can view, access & verify it. And these records are delivered when a dns-client, dns-user, dns-user-agent, etc has asked or queried for it. The 'DNSKEY' RR is authenticated via a chain of trust mechanism (of verifying 'DNSKEY' RR of one level by using the 'DS' or 'DLV' RR from one step higher level (or from user's pre-chosen another DNS-Server), and this process goes on like a sequence of chain (only when verification process is succeeding), by first starting with a verified or very trusted ("root" or "root zone (.)") level, using the public keys ("root.keys") from that "root" level, it is the highest, last level in DNS. When DNSSEC is used, each answer of a DNS query/lookup will contain an 'RRSIG' RR, in addition to the record type which was requested in the query. This 'RRSIG' code is in a "digital signature" form, and can be and is verified by locating the correct public key found in a 'DNSKEY' record. The 'NSEC' and 'NSEC3' RR are used for robust resistance against spoofing. More info: DNSSEC (Wikipedia).


List of Technical or frequently used acronyms, words, terms, and their meanings and/or short explanation.

DNS = Domain Name System. A system to convert domain-name or host-name, and obtain the IP-address & other data (DNS-Records) used by it. | TLD = Top Level Domain (means the last & end portion of a domain-name, like, .org is the TLD portion of "" domain-name) | SLD = Second Level Domain (means second portion of a domain-name, like the torproject is the SLD portion of "" domain-name, and exists inside .org TLD) | IDN = Internationalized Domain Name, uses non-Latin (non-english) scripts & languages. IDN TLD portion or IDN SLD portion, or further lower level portion, can be accessed from client or user side, by using local or native script or language based Unicode characters. IDN maps Unicode strings into valid DNS character set using Punycode. Punycode based TLD name begines with .xn-- ascii characters | NIC = Network Information Centers | LMS = the Left Most Side | RMS = the Right Most Side.

  • Root Zone = Root Server = Root nameservers = also known as "root zone": is the highest (the-top-most) last level (set of) DNS server(s), which holds records related to almost all (mainstream) TLDs, and often indicated by using the "." (a dot symbol) at the end of a domain or host or node name. All domain-names has TLD, and after the TLD for a Left-to-Right (LtR or L-to-R) written script & language this "." exists at the right most side, or, for a Right-to-Left (RtL or R-to-L) written script & language this "." exists at the left most side, but, no need to write this last dot in web-browser, ping, nslookup, email, etc area, software or purpose. But when, domain information diagnostics or query tool like 'dig' is used, or, when you are configuring DNS zone information, then it is better to use that '.' at the end of a TLD portion of domain-names or hostnames to be more correct & precise.

List of DNS Server / Resolver / Client

A list of wider comparison of multiple DNS server & resolver software is here: Comparison of DNS Software. Another comparison is here. Few DNSSEC validation aware DNS servers, resolvers, tools are mentioned here. Few are mentioned below, which we will use here:

  • Unbound: Small DNS Server, it is able to do Caching, Recursive and also Validating(DNSSEC) DNS resolving. It works on Unix, Linux, Windows platforms.
    Note: To prevent DOS failure with Unbound apply 'resolv.conf' tuning per Bug #18580.
  • BIND: Very powerful (and almost the Standard) DNS server, able to do Authoritative, Caching, Recursive, Validating(DNSSEC), etc DNS resolving. It works on Unix, MacOSX, Linux, Windows, etc platforms.
  • vsResolver, GbDns, etc.
  • MaraDNS/Deadwood: 'MaraDNS' is a very small & fast DNS server, it is able to do Authoritative, Caching, Recursive, etc DNS resolving. 'Deadwood' DNS Server is able to do Caching, Recursive, etc DNS resolving. Both does not support DNSSEC Validating. It can work on Windows XP, Vista, 7, Linux, Unix platforms.

Goto DNS Server/Resolver section: #Unbound Unbound, #BIND BIND, #Deadwood Deadwood,.

Tuning eventdns component of Tor Daemon

Tor utilizes a modified version of the eventdns subsystem of libevent for communicating with DNS resolvers. In order to prevent a known denial-of-service scenario and to maximize performance, high-capacity exit relays should include eventdns tuning parameters in /etc/resolv.conf. Examples for two common cases where a single DNS resolver is running on the same server as the Tor daemon:

Local Unbound resolv.conf

options timeout:15 attempts:1 max-inflight:16384 max-timeouts:1000000

Local Bind9/named resolv.conf

options timeout:5 attempts:3 max-inflight:16384 max-timeouts:1000000

Remote any DNS resolv.conf

options timeout:5 attempts:3 max-inflight:4096 max-timeouts:1000000
nameserver x.x.x.x
options timeout:5 attempts:3 max-inflight:4096 max-timeouts:15
nameserver x.x.x.x
nameserver y.y.y.y

Timeout:5 is the same as the eventdns default. Max-inflight:16384 expands the permitted number of concurrent requests from the default of 64 which both enhances performance and mitigates a denial-of-service where a Tor client rapidly requests large numbers of domains and the authoritative or SOA server does not respond (GoDaddy has been known to null-route Tor relays). Unbound automatically retries requests, hence the attempts:1 setting. With 'named' and other resolvers attempts:3 causes eventdns to perform two request retries one after five and one after ten seconds. Max-timeouts:1000000 also mitigates the aforementioned DOS scenario by preventing eventdns from marking the resolver "down" after three (the default) consecutive SERVFAIL timeouts replies. If more than one DNS resolver is configured a max-timeouts value of between 10 and 30 probably makes sense. Information which led to this advice can be found in bugs 18580 and 21394.

Generalized implementation of the above tuning advice incorporated in Tor daemon commencing at version 0.3.2.

How To Use All TLDs From All Root Servers

Generally, by default, most users & computers & network-devices use the ICANN & IANA governed 13 ROOT DNS-Servers (aka, Root Name-Servers) only, for mostly to resolve TLD (Top Level Domains) portion of any domain or host names into their name-server's IP-address. ICANN & IANA, have chosen & controlling & operating & setting-rules for 12 manager companies & entities, these 12 manager entities use & serve "root-zone" file from (IANA controlled) 13 named Root-Servers (or Root DNS Servers), on behalf of those 19 (gTLD "Registry") companies & entities, and around 255 (ccTLDs) manager entities from different countries all around the world. The "root-zone" file keeps list of all TLD (ccTLDs, gTLDs) nameserver's name & IP-address. So entities who are managing any TLDs, (selected & assigned by ICANN & IANA), are (mainstream) "TLD-Providers" or "TLD Service Providers" (TSP).

There are other, TLD service providers, whose DNS-Servers partially function as alternative root. But, their main function is to provide & maintain more TLDs, than what is supported or adopted by ICANN & IANA. Such companies & entites are though widely known as "Alternative DNS Roots" (Alt Roots), but here we are going to identify them simply as "Alternative TLD-Providers" (Alt TLD-Providers) (ATP), "Alternative TLD DNS Service Provider" (Alt.TLD.DNS.Servc.Provider) (ATDSP), or "Alt.TLD.DNS", based on their main function & purpose. Many of these TLD based domain-names are very very low cost, or totally free. If you need to allow your own custom TLD or domain-names be reachable from any place on world, then you can also use these DNS service providers, as they have already placed their DNS-servers all around the world. In our DNS-Resolver software (mentioned on & under this page), we will use TLDs provided by these type of DNS-Server based service providers. See below list.

There are also another type of "Alternative DNS Roots" (Alt Roots), which really & truly mirrors, which really maintains alternative of "Root-Servers" functions. We are not going to use such, (and not going to discuss these type of DNS-Servers or service provider entities here very thoroughly, for now). Since ICANN & IANA members have allowed & exhibited behaviors of favoring only few countries, rather than function as a neutral entity for the entire world, for various functions (specially) related to (censoring & filtering of) "Root-Servers", TLD, SLD level DNS-Servers etc. So, any Decision making process must involve ALL global members, if it is to be used for global exchange purpose for all sides to benefit from it and if located globally. As a result or consequence (of in-appropriate decisions by ICANN & IANA & their members), other global organisations, authorities & various other entities all around the world, have expressed their concern and started to propose & create other alternative root DNS-Servers. Even newer concepts based DNS-Servers are starting up, like: De-centralized Root DNS-Servers, P2P Root DNS-Servers, etc, which cannot be censored or filtered very easily. Some entities have simply placed DNS-Servers publicly all around the world as alternative to ICANN & IANA governed Root-Servers. These type of DNS-Server based entities can truly be called as "Alternative DNS Roots" (Alt Roots), or, "Alternative Root DNS Operators" (Alt.Root.DNS.Opr), or "Alternative Root DNS". Some of these entities also provide their own TLDs, along with special DNS-Server services.

If Tor exit-nodes, your own system, various server software, etc are not resolving all of those TLDs (from all type of TLD-Providers), then those other alternative TLDs will remain suppressed, which is not good. If all TLDs can be queried and answer is received, then we can communicate & exchange with more users & entities, all around the world, and chance of censoring will reduce.

Specific configuration will allow us to use all TLDs from all type of TLD-providers. Config files which are used in this page, also includes an "Access All TLDs From All Type of TLD-Providers" edition, which is optimized for reaching to all TLD-Provider's DNS-Servers, provided by (almost all known mainstream, alternative & other) root, alt-roots, TLD, SLD etc level DNS-Servers all around the world, (including all mainstream TLDs which are governed & operated by ICANN & IANA).

Currently, all config files are in "Access All TLDs From All Type of TLD-Providers" mode. (So when other editions will be added: to use default root only, or to use lesser root servers, etc, then this line will be removed).

Currently, all DNS-Resolver's config files (linked in this webpage) are pre-configured to resolve (almost all) TLDs, IDNs, IDN TLDs, domain-names, etc from these entities:

Prevent DNS Leaks in Windows/MacOS/Linux/Unix Platforms

In Windows, default local DNS client resolver service or software cannot stop DNS resolving query specifically made for certain hostnames or domain-names, like which have .onion, .i2p, etc TLD at end. As a result, DNS query requests are sent for resolving toward the external DNS servers which are listed inside Network Interface Adapter (NIC) setting.

If someone by mistake types a *.onion host name, also known as, a "Hidden Service" (HS), on a non-Torified web-browser, then such happens. If someone by mistake, selects the option "Bypass Proxy Server" or similar option, in their IRC client software, and tries to connect with an IRC server which has a .onion based host, also then such DNS leak happens. Those can happen, even though these software are fully capable of resolving *.onion hostnames inside a properly configured software via going through Tor SOCKS5 proxy server or tunnel without leaking any protocol.

Though here, DNS is working what it suppose to do: find the IP address of a hostname or domain-name by using DNS/name server system, but, by doing so, or, by trying to do so, it is exposing & revealing the site(s) & service(s) where we are trying to reach & suppose to connect Anonymously (by going through Proxy servers or tunnels only). To prevent DNS query of certain type of hostnames, even when by accident or by mistake it was used, or a mis-configured software is started, or when we have forgotten to set correct configurations, we can do these at-least as fail-safe mechanism:

  • Use 3rd Party Local DNS Servers/Resolvers, here.
  • Apply Windows Tweak and Registry Hacks, here.
  • Apply MacOS Tweaks, here.
  • Configure Firewall as Failsafe To Prevent Leaks, here.

3rd Party Local DNS Servers (Windows)

Click to goto your choice of 'DNS Server' (or 'DNS-Resolver') section: #Deadwood Deadwood, #Unbound Unbound, #BIND BIND.

Currently, all configuration files are pre-configured to perform like below daigram C:

┌—————┐  ┌———┐      ┌———┐  ┌——————┐  ┌——————┐ .
|Root |  |TLD|      |SLD|  |3L-DNS|  |4L-DNS| .
|zone |  |DNS|      |DNS|  | Srv  |  | Srv  | .
| DNS |  |Srv|      |Srv|  └——————┘  └——————┘
|Servr|  └———┘      └———┘    Ạ   Ạ     Ạ  Ạ
└—————┘   Ạ  Ạ       Ạ  Ạ    |   |     |  |
 Ạ   Ạ    |  |       |  |    |   |     |  |
 |   └----|--┴-------|--┴----|---┴-----|--┴-┐
 ├--<-->--┴---<-->---┴-<--->-┴--<------┘    |
 |                                          V
 V                          ┌------->┌—————————┐
┌———————┐   ┌————————┐<-----┘        |Alt. TLD |
|Censor-|   |Your own|   ┌————————┐  |Service  | .
| -free |-->|  DNS   |-->|Software|  |Providers| .
|Public |<--|Resolver|<--| on Your|  |  (or)   | .
|  DNS  |   └————————┘   |Computer|  |Alt.Root |
|Servers|                |or Servr|  |  DNS.Opr|
└———————┘                └————————┘  └—————————┘
            diagram: C

Please Use Unicode fonts (for example: DejaVu Sans Mono) to view above diagram properly (if you are having difficulty viewing above boxes or shapes, and if not appearing alligned). DNS-Servers which are on Internet side (for public use) (and which are mentioned in above diagram), are explained on PublicDnsResolvers page, and also on this page.

If you follow the "Short Note:" section, mentioned under the configuration file's textbox, then DNS-Resolver software will perform like below diagram B:

Root-zone DNS┌┐<---┐   ┌--->|Alternative TLD |
         Srvr└┘    |   |    |  Providers, or,|
TLD-DNS┌┐<--┐      V   V    |Alt.Root.DNS.Opr|
   Srvr└┘   └--->┌————————┐ |   DNS Servers  |
SLD-DNS┌┐<------>| Your   | └————————————————┘
   Srvr└┘        |  own   |     ┌————————┐
3L-DNS/HSP┌┐<--->|  DNS   |---->|Software|
   Srvr   └┘  ┌->|Resolver|<----| on your|
4L-DNS┌┐<-----┘  └————————┘     |Computer|
  Srvr└┘                        └————————┘
            diagram: B

Deadwood (on Windows)

(1) Deadwood can be obtained from MaraDNS website. Get the maradns win32 zip file, 'deadwood' binary file is included inside it. Deadwood is MaraDNS software's client-side recursive DNS-server or DNS-resolver portion. (The zip file also has a Windows native binary of MaraDNS, which is a reasonably secure DNS client and recursive server, but, does not have all of the security features, that are available in Linux & Unix binary. If you want a MaraDNS with full or all feature set, source can be compiled with 'Cygwin'). MaraDNS and Deadwood are not able to do DNSSEC validation based recursive resolving. It can work with both IPv4, and IPv6. Here we will configure & use the 'Deadwood' portion only.

  • (2) Using Windows Explorer, goto the folder or Desktop location on your computer where you downloaded the "" file (where, N is any 0~9 digits). With mouse, do right-click on that zip file, and select & click on the "Extract.." or "Unzip.." or "Decompress.." or "7-Zip --> Extract Files.." option. Copy the decompressed folder "Deadwood-N-N-NN-win32" (where, N is any 0~9 digits) inside your Windows computer's "Program Files" folder (if your Windows is 32 bit, x86 based) or inside "Program Files (x86)" folder (if your Windows is 64 bit). And rename "Deadwood-N-N-NN-win32" folder into just "Deadwood".
  • (3) Make a backup copy of the "dwood3rc.txt" file. And then open dwood3rc.txt file for editing, with a better TEXT editing free software like Notepad++, Notepad2, etc. Avoid using windows default Notepad editor. Select all previous text, and then erase, remove or delete. Change 'dwood3rc.txt' file's character encoding from ANSI to "UTF-8" (without BOM, if given the option).
  • (4) Click once anywhere inside the "dwood3rc.txt" marked textbox area, on the below mentioned webpage, then select all texts by pressing Ctrl+A buttons. And copy by pressing Ctrl+C buttons (into clipboard/buffer memory area). And then goto your text editor's 'dwood3rc.txt' file editing tab or editing area, and paste copied text (from buffer memory to file) by pressing Ctrl+V buttons:
  • (5) We need a "Command Prompt" window with "Administrator" user level/privilage. Any one of the below option will be suffice, do which is easier for you:
    • If you are using Windows XP, then, log into Windows with an user account who is member of 'Administrator'. Goto 'Start' menu --> Run, or, press the Windows Flag/Logo button on keyboard and hold it, and then press the letter button R just once, and then release both buttons, and then type:
        cmd.exe ⏎
      and then press ('Enter') or 'Return' button/key on keyboard. Windows "Command Prompt" window will appear.

    • (In XP/Vista/7), If you are using a non-Administrator account, then to get a "Command Prompt" with Administrator privilage, type:
        runas /noprofile /user:mymachine\administrator cmd.exe ⏎

      In the above 'runas' command-line, you will must have to change/adjust the word 'mymachine' into your computer's exact & actual name. And also change 'administrator' into the user name in your computer who has 'Administrator' level access & privilage. After you enter correct password of an 'Administrator' level privilaged user, another "Command Prompt" window will appear, with 'Administrator' level privilage.

    • In Vista/7, goto the 'Start' menu, and search for "cmd". When found, right click on the "cmd" or "cmd.exe", and select the option "Run as Administrator", or select the option "cmd" as an administrator.
  • (6) go inside 'Deadwood' folder inside the "Command Prompt". Type any one of the below command-line:
      cd /d  "C:\Program Files\Deadwood" ⏎
      cd /d  "C:\Program Files (x86)\Deadwood" ⏎
    Instruction writer is assuming here, that, your "Program Files" folder is located in C: drive. Change & adjust it to match with your exact location.
  • (7) To install Deadwood from inside the "Command Prompt" (window which has 'Admiistrator' privilage), run the below batch file, type:


Deadwood will first create a 'secret.txt' file using the 'mkSecretTxt.exe' binary file, which stores a 64-byte (512 bit) random file info inside secret.txt, and then deadwood will install 'deadwood.exe' binary file as a 'service' program in Windows (so that it can start automatically when Windows starts up), and then it will start running the "Deadwood DNS cache" server. By default it will listen for DNS query request, on UDP port 53 of IP-address.

  • (8) Go inside the "Network Settings" from "Control Panel", or, right click on the icon that looks like a dual-(networked)-computer (or, network-cable-and-computer) icon, on start menu bar's tray area (usually in bottom-right corner of your screen) and select "Open Network Connections" (in XP) or select "Open Network and Sharing Center" (In Vista/7/8). In Vista/7/8 click on "Change Adapter Settings". Locate, find or goto the Network Adapter (NIC) which your computer uses to connect with Internet (or Router or Gateway), click once on that Network Adapter to select it first, then right click on that and select 'Properties'. Inside 'Properties' window, scroll down or find the element/item : "Internet Protocol version 4 (TCP/IPv4)" (in Windows Vista/7/8) or find the "Internet Protocol (TCP/IP)" (in Windows XP), and click once on it first, then click on 'Properties' button. Then inside the "Internet Protocol ..." window, you will see existing or preferred DNS server IP address list under the "Use following DNS server addresses" section, or, you will see "Obtain DNS Server address auotomatically" option is pre-selected. If DNS server IP address numbers exist, write them down on a paper or on a text file. Click once on the "Use following DNS server addresses" section, then enter IP-address as a preferred, primary or first DNS server, and then remove or erase all other previous DNS server IP address numbers. Click on 'Ok' button > 'Ok', to save this new configuration. If you use or going to use both TCP/IP v4 and TCP/IP v6, then like previous TCP/IP v4 steps, go inside TCP/IP v6 network element or item's Properties window, and enter ::1 as preferred DNS IP address & remove all other DNS IP address numbers, and then also save this new configuration.
  • (9) Goto Test section, and run the test commands to find & check if local DNS server is working or not. Note: ping, nslookup, web-browser etc should work, but 'dig' tool may not work when using deadwood dns server.
  • (10) If everything appeared to be working fine & expected, like shown inside the 'expected' result boxes inside the Test section, then, temporarily disable Windows' default DNS resolver: press Windows Flag/Logo button on keyboard & hold on to it and then press R button once, and then release both buttons. On 'Run' window, type: "services.msc" (without the double quote symbols), and press ('Enter') or 'return' button on keyboard. On 'Services' window, find the "Windows DNS Client" or the "DNS Client" service, click on it once, then right-click on it, then select 'Properties'. On 'Properties' window, change "Startup type:" option from 'Automatic', into 'Manual' or 'Disabled', press OK button. Close 'Services' window.

Unbound (on Windows)

(1) Unbound can be obtained from Unbound website. Get the 'unbound_setup_N.N.NN.exe' windows installer file (where, N is any 0~9 digit). Unbound is a Validating (DNSSEC), Recursive, and Caching DNS server. Can also be used as stub-resolver. It can work with both IPv4, and IPv6. Install by using an 'Administrator' privilaged windows user account. By default it will install into "C:\Program Files\Unbound" folder (on 32 bit or x86 systems), or, will install into "C:\Program Files (x86)\Unbound" folder (on 64 bit or x64 systems), you must install inside "C:\Program Files\Unbound" folder even on 64 bit systems (you may change drive letter C: to another drive letter, but folder must be "\Program Files\Unbound\"). Installer will install it as a Windows 'service', so that it can start automatically when Windows starts up. By default it will listen for DNS query request, on UDP port 53 of IP-address.

  • (2) Set default Character Encoding in Firefox to UTF-8 : goto main menu > 'Tools' > 'Content' > 'Advanced' > change 'Default Character Encoding:' into 'Unicode (UTF-8)' > OK > OK. You must now Refresh or Reload this webpage either by pressing Ctl+R, or by pressing 'F5' function button/key.
  • (3) Using Windows Explorer, goto the location where you installed 'Unbound'. Start "Windows Explorer" like this, if you are using Vista, 7, 8 : from Windows Start menu icon > All Programs > Accessories > right click on "Windows Explorer", select "Run as Administrator" > if "Run as" window appears with User list, choose any one user account who is member of 'Administrator' > enter password > OK. Start "Windows Explorer" like this, if you are using Windows XP & and a non-Administrator type of user account : from Windows Start menu icon > All Programs > Accessories > right click on "Windows Explorer", select "Run as" > select any one user account from User list, who is a member of 'Administrator' group > enter password > OK.
  • (4) First, make a backup copy of existing "service.conf" file by right clicking on it using mouse > select 'Copy', then place your mouse pointer arrow on an empty area (in right side pane) and right click > select 'Paste'.
  • (5) Open this "service.conf" file for editing : If you dont want to keep Unicode characters intact (which are shown inside "service.conf" textbox on doc/DnsResolver/unbound page) then you can use Windows Notepad text editor and skip below '5b', '6b' sections. The "service.conf" file will work without Unicode characters, so steps '5b', '6b' are optional (not required).

    • (5b) To keep Unicode characters intact, use a better TEXT editing (free) software like: Notepad++, Notepad2, etc. Install Notepad++ or Notepad2. Right click on "Notepad++" or on "Notepad2" icon, and select "Run as Administrator" (in Windows Vista, 7, 8), or, select "Run as" (in Windows XP) > select any one of the user account, who is member of 'Administrator' group > OK. In Notepad++ or in Notepad2, goto 'File' > 'Open' > browse to "My Computer" or "Computer" > "C:\Program Files\Unbound\", and select "service.conf" file > 'Open'. Select all previous text (press Ctrl+C), and erase/remove/delete. Then change "service.conf" file's character encoding from "ANSI" to "UTF-8". Press Ctrl+S.
  • (6) Save all texts from "service.conf" textbox area which is shown on below linked webpage or linked location.
    Step (6b) section, is now inside below linked webpage. Unbound DNS Server config file 'service.conf' is now inside below linked webpage or linked location:

    Unbound DNS Server Config File in ([wiki:doc/DnsResolver/unbound]) page.

If necessary adjust & change the drive letter "C:\" (inside the "service.conf" file) into which your computer's Windows actually uses. When using a computer (micro-)Processor (CPU) with single or one core, then follow steps mentioned inside Tweak section. (And after saving, you may close the running text editor software.) You may later see #Tweak_Unbound Tweak Unbound section for more configuration options/choices.

Root Trust Anchors provided by (ICANN) is here. Root Zone file is here, Note: you do not need to download Root Zone file, because, DNS system automatically delivers it to DNS Servers, if you have correct root hints file.

  • (7) named.cache: It is a "root hints file" (for ICANN/IANA/VeriSign/PIR/etc). Hint file is a list of name & IP address of nameservers. If you do not see the file "named.cache" inside "C:\Program Files\Unbound\" folder, then create a text file, rename to "named.cache", and copy-paste below textbox's content inside "named.cache" file (if using Notepad++ or Notepad2 text editor, keep character encoding to ANSI). You can get the original 'named.cache' (also known as 'named.root') file directly from site, or, via using ftp-client software from, or, view it on

  • (8) Open or run the "Command Prompt" (cmd.exe) utility.
  • (9) go inside 'Unbound' folder inside the "Command Prompt". Type below command-line:
      cd /d  "C:\Program Files\Unbound" ⏎
    Instruction writer is assuming here, that, your "Program Files" folder which has 'Unbound', is located inside C: drive. Change & adjust it to match with your exact location. This ⏎ symbol is indicating that you have to press ('Enter') or 'Return' button or key on keyboard.
  • (10) Run unbound-checkconf.exe command inside "Command Prompt" window, (when you are inside C:\Program Files\Unbound> folder), and if you receive an error message like below:
      C:\Program Files\Unbound\service.conf:1 error: unknown keyword '∩╗┐#'
    C:\Program Files\Unbound\service.conf:1 error: unknown keyword 'BEGIN'
    read C:\Program Files\Unbound\service.conf failed: 12 errors in configuration file

    Then above error is indicating Unbound is not able to process a UTF-8 encoded "service.conf" file. So change "service.conf" file's character encoding back into "ANSI", save Ctrl+S. Run unbound-checkconf.exe ⏎ again. Right click on a "Command Prompt" (cmd or cmd.exe) icon and select "Run as Administrator", by using that "Command Prompt" window stop "Unbound DNS validator" service by running this command: net stop unbound ⏎, wait around 30 seconds, and then restart the service by running this command: net start unbound ⏎.
  • (11) Inside "Command Prompt" window, run below command. This utility software first runs few tests: if the root anchor file (root.key) is working or not, and it tests if an update for a newer 'root.key' file is possible or not. If update is possible then it tries to connect with (ICANN/IANA/VeriSign/PIR/etc governed & operated) root servers by default, using the root update certificate. It fetches 'root-anchors.xml' over https connection, and checks the results. If all checks are successful, it updates the root anchor file. Which is used for DNSSEC validation of domains & SLDs & TLDs . Before running "unbound-anchor" command, you must run NTP (preferably in secure mode), that means, you have to adjust, update or sync your computer's time with any one of the "Internet Time Server" using your "NTP-client" sofwtare (try to use an up-to-date IP-address of Time server, closest to your location), because "unbound-anchor" utility software uses it. (You can also get free 'NTP-server' type of sofwtare/tool which can provide NTP data to NTP-client software, these obtains time from atomic-clock or radio-clock or pre-set time or from another time-server, etc).
      unbound-anchor.exe -C service.conf ⏎
    More info unbound-anchor.html ( If no error appears then you are ok to use existing "root.key" and "service.conf" file. If you receive "Windows Security Alert" from "Windows Firewall" (in Windows Vista, 7, 8) that it has blocked Internet access for the "unbound-anchor.exe" utility, then allow & select "Private Networks,.." and "Public Networks,.." options > click on 'Allow Access' button > again run above command.
  • (12) Go inside the "Network Settings" from "Control Panel", or, right click on the icon that looks like a dual-(networked)-computer (or, network-cable-and-computer) icon, on start menu bar's tray area (usually in bottom-right corner of your screen) and select "Open Network Connections" (in XP) or select "Open Network and Sharing Center" (In Vista/7/8). In Vista/7/8 click on "Change Adapter Settings". Locate, find or goto the Network Adapter (NIC) which your computer uses to connect with Internet (or Router or Gateway), click once on that Network Adapter to select it first, then right click on that and select 'Properties'. Inside 'Properties' window, scroll down or find the element or item : "Internet Protocol version 4 (TCP/IPv4)" (in Windows Vista/7/8) or find the "Internet Protocol (TCP/IP)" (in Windows XP), and click once on it first, then click on 'Properties' button. Then inside the "Internet Protocol ..." window, you will see existing or preferred DNS server IP address list under the "Use following DNS server addresses" section, or, you will see "Obtain DNS Server address auotomatically" option is pre-selected. If DNS server IP address numbers exist, write them down on a paper or on a text file. Click once on the "Use following DNS server addresses" section, then enter IP address as a preferred, primary or first DNS server, and then remove or erase all other previous DNS server IP address numbers. Click on 'Ok' button > 'Ok', to save this new configuration. If you use or going to use both TCP/IP v4 and TCP/IP v6, then like previous TCP/IP v4 steps, go inside TCP/IP v6 network element/item's Properties window, and enter ::1 as preferred DNS IP address & remove all other DNS IP address numbers, and then also save this new configuration.
  • (13) Stop the running "Unbound DNS validator" windows service. And after waiting for about 30 seconds, restart it back. You may see unbound section (10) for how to use net commands.
  • (14) Goto the Test DNS Resolving page or section and run the test commands to check if local DNS server is working or not.
  • (15) If everything appeared to be working fine & expected, like shown inside the 'expected' result boxes inside the Test section, then, temporarily disable Windows' default DNS-client or DNS-resolver: press Windows Flag/Logo button on keyboard & hold on to it and then press R button once, and then release both buttons. On 'Run' window, type: "services.msc" (without the double quute symbols), and press ('Enter') or 'return' button on keyboard. On 'Services' window, find the "Windows DNS Client" service, click on it once, then right-click on it, then select 'Properties'. On 'Properties' window, change "Startup type:" option from 'Automatic', into 'Manual' or 'Disabled', press OK button. Close 'Services' window.

BIND (on Windows)

will be added later, please wait, thanks. or, add your data.

Windows Tweak and Registry Hacks

There are some Windows related tweaking (fine-tuning) or registry hacks to prevent some portion of DNS leaks or partially (in Windows XP, Vista, 7, 8). This section is for explaining how to achieve that.

Block Domains/Hostnames Using hosts file

Using 'Windows Explorer' goto C:\Windows\System32\Drivers\etc folder location. Start Notepad++ or Notepad2 text editor software and open the file 'hosts' for editing, (if you do not have any of those editor, then search on Internet and download & install them). Find the line which has:       localhost

Under that line, or go at the end of the 'hosts' file and then, add below lines:


In above textbox, mentioned are few known onion web-sites or web-services (also called or known as "Hidden Services" in Tor terms). And also included are few i2p web-sites & web-services (also known as "eepsites" in i2p terms).

Add all .onion and .i2p address which you visit or you may visit, in your 'hosts' file. So that by accident or because of any mis-configuration, your software cannot connect or try to resolve DNS by going through direct Internet connections, becuase these sites and services are suppose to be connected by going via proxy tunnels or servers only.

The 'hosts' file does not accept wild card symbols like * or does not have a mechanism to use just 1 line to filter "all" or "any" domains which has ".onion" at the end. So we needed to specify each domain-names 1 by 1. However, 3rd party DNS server config file can accept wild card * symbol or has a mechanism to specify "any" or "all" domains or TLDs, etc.

Notes: On Windows computers, if you have difficulty saving your changes to the HOSTS file, you may need to explicitly give your user account Full Control security permissions on the HOSTS file. If you do not know how to do this, from Windows Explorer, right click HOSTS, choose Properties/Security/Edit/Add, type the name of your user account, click Check Names/OK, click on your user account in the top box, click on Full Control in the lower box, then click OK to close each of the dialogue boxes and apply the changes. Also, modifying the HOSTS file may cause Windows Defender to detect the HOSTS file as malware. See Microsoft Knowledge Base article 2764944.

Change Unbound Service Running Priority Affinity

If 'Unbound DNS Validator' windows service often or periodically uses too much CPU resources (or causing responsiveness issues on your computer, mostly seen on Windows XP computers), only then, apply one of the tweak which is suitable for your need or which you prefer and easier to you, from below page:

Windows Service Process Thread Priority Affinity in ([wiki:doc/windowsServiceProcessThreadPriorityAffinity]) page.

In above linked page, change the word "vidalia.exe" to "unbound.exe", and "vidalia" into "unbound".

Test DNS Resolving Functionality

This section is now here:

Test DNS Resolving in ([wiki:doc/DnsResolver/TestDnsResolving]) page.

How To Verify If DNSSEC is Working

Run this below command inside a "Command Prompt" window.
dig com. any +dnssec

If your DNS server is capable of doing DNSSEC validation, then you will see result similar to below and is expected:

; <<>> DiG 9.3.2 <<>> com. any +dnssec
;; global options:  printcmd
;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1210
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 18, AUTHORITY: 0, ADDITIONAL: 1


; EDNS: version: 0, flags: do; udp: 4096
;com.                           IN      ANY

com.                    16      IN      SOA 1345366643 1800 900 604800 86400
com.                    16      IN      RRSIG   
SOA 8 1 900 20120826085723 20120819074723 47783 com. bLXazl+BdFxbVeiWwG5gsMZ961H2xCJ3jkZEn36ddUGYWobaHMuOfbAn HXeTQUonnh+Nzx4OHIDwKMyH1szQW9byOuOIRvuzw0bv4zz9HE1SZMs1 mzOMyKyXU0PF608ac4/S0A6Rr5doX+5pFepVOpWdoMYylr0uI9BgzW6h RxI=
com.                    86092   IN      
DS      30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com.                    86092   IN      RRSIG   
DS 8 1 86400 20120826000000 20120818230000 50398 . ZyKOIsYQsJwBVez33+YxtVHDEIQD5STBJU4LMBagiaN/R1s+Kj4SOVUb B8pSI/MHVV8uTfXUKh7WoMAm5sNS/UxjdksNv7tUezFQTJishqAI+HtX Zj0PP9xaraJlYa6IVbZlUs+nSjrSeCpgNfg2KAVGAOmAcign5IODSyBi RUM=
com.                    10702   IN      NS
com.                    10702   IN      NS
com.                    10702   IN      NS
com.                    10702   IN      NS
com.                    10702   IN      NS
com.                    10702   IN      NS
com.                    10702   IN      NS
com.                    10702   IN      NS
com.                    10702   IN      NS
com.                    10702   IN      NS
com.                    10702   IN      NS
com.                    10702   IN      NS
com.                    10702   IN      NS
com.                    86092   IN      RRSIG   
NS 8 1 172800 20120823041745 20120816030745 47783 com. k3bDPreUvtP3O2FSBOLOqtaD/i3J+R4eGIu8Q7Vx1bRPqkHrDNGQqTGx o7ZzYq1kVzIeBrB5N+AECLwwucUR/lHBEBT+EcPDk0id/H169g5RHx/w 0+jLkJqYNDseQhWcvwUI/03iz91NV6UUTLaPzCthBk+R4tuucxp49YkV 0to=

;; Query time: 265 msec
;; WHEN: Sun Aug 19 02:09:05 2012
;; MSG SIZE  rcvd: 844

Notice inside above box, that the ad is present in the flags:, it is indicating, this query was answered with AD (Authenticated Data) bit, that means, DNSSEC validation was successful. And normally the DS (Delegation Signer) record will be present in parent servers, which is the root zone, as we have queried/asked to resolve a TLD.

If you run dig any +dnssec ⏎ then you will see result similar like below and such result is expected:

; <<>> DiG 9.3.2 <<>> any +dnssec
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1765
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags: do; udp: 4096
;                   IN      ANY

;; ANSWER SECTION:            70      IN      A            70      IN      RRSIG   
A 7 2 600 20120919184653 20120820185612 63920 duP7C27gnSEw7VjDNkb49RDFHd/Yv+iiXgHD3ttO+hMcvprb9i4PTJoh yRRR/x+xno8yIakdeUbSZ4qblXdcR5NUOE4Fec82oFEgA42C9ayEq05q yg8jcyvNc+W0qlaR83mejw3vii+zuE6ANw774Wy2UDoZGcn79CIJM31a nFQ=            86278   IN      DS      
51618 7 1 B996ED047EF73B9CF9342491761EDCB63622A150            86278   IN      RRSIG   
DS 7 2 86400 20120830160604 20120809150604 4818 org. t39+puNAAPTgEC5/1R5lvG6jLO2B7VhUkLCmGUlkbTxTOW1MFUIfPTfG 6yLopkvIoaKwOBXikQJIlshXEdMq/uOXsXHSJLa9hJgzIhCfPg9EuOUU tzrwp6452F6fSajfW+Dbvk+1SWR2BV7rWlHmVAuSBiGx93Np6wCOm/Ky m8k=            63      IN      NS            63      IN      NS            63      IN      NS            599     IN      RRSIG   
NS 7 2 600 20120919185051 20120820185612 63920 jkvVUJEI6suMAU7rRhmX3tI9HJSjPRKCeWyUZuPt4YrFZB4KbnbGudnJ E/PUsWgQalOPRjA4LspuA80qQv1oWavtxzIg6wGISI0LkUi5ALn4ZD8y p3kLe31K6AoUQ3YtimgRT0CA9s5nd1Ati0evF9k8n7AUadHqsgxDq9xb BPg=

;; Query time: 203 msec
;; WHEN: Wed Aug 22 08:20:05 2012
;; MSG SIZE  rcvd: 651

Configure Firewall as Failsafe To Prevent Leaks

Content coming soon. Mostly Windows, MacOS related.
The "tor.exe", "vidalia.exe", "firefox.exe", etc uses specific set of ports to communicate with each other, and specific patterns of ports to communicate with Internet servers. We will add rules in firewall rules table, for such valid & known ports & communication, so that any unwanted or accidental or misconfigured communication initiations can be blocked.

Tweaks (DNS Server/Resolver)

Use below sections to configure further to suit your need.

Tweaking Unbound

Basic level configuration is shown & used inside #Unbound Unbound section. The shown "service.conf" file is pre-configured to function by default as a Validating Recursive Caching DNS Server, which will be using multiple external Recursive Servers for the (".") Root Zone, and Unbound will also resolve other TLD and domains which exists & provided by other alternative root dns providers or operators, other than the "ICANN/IANA/VeriSign/PIR/etc governed or operated Root DNS servers".

Different Options for Root Zone

If you want to use lesser amount of Recursive or Caching DNS server(s) which uses at-least the "ICANN/IANA/VeriSign/PIR/etc governed or operated Root DNS Servers", for the Root Zone (.), then search for the word [ROOT ZONE] inside the "service.conf" file, and read various options and choices.

Unbound is Not Able To Resolve Some Sites

When Unbound is not able to resolve some sites, which are under the "ICANN/IANA/VeriSign/PIR/etc governed or operated Root DNS Servers", then find (Ctrl+F) below lines (which has forward-zone: and name: "." # [Root.Zone] configuration command-lines) inside the "service.conf" file. Then you can, either disable (by placing a # sign in front of) some of the forward-addr: command-lines, or, you can remove all of the next lines after the below two lines. And when you have disabled or removed all forward-addr: lines (after the name: "." # [Root.Zone] configuration command-line), then also disable below two lines:

	name: "." # [Root.Zone]
# Chaos Computer Club (Berlin) DNS: censor-free,

  • If you have info, fact, reason to trust your ISP provided DNS servers, then you may add just your ISP provided (external) DNS servers, or, add just one or set of very TRUSTWORTHY (external) DNS server IP-addresses (as a forward-addr:), below the name: "." # [Root.Zone] configuration command-line (like shown above). If you are going to use your ISP's (recursive/caching) DNS Servers, then also add 13 root server IP addresses, shown inside "named.cache" file. Some of the TRUSTWORTHY DNS Servers are already mentioned/included under the [ROOT ZONE] section inside "service.conf" file. In above example box, the CCC DNS is shown, you may change or add more based on your preference. When you want to add or use external DNS servers, then you will have to add each IP address in separate lines, and each IP-address will also have to be specified after a 'forward-addr:' configuration command (without using the single quote symbols).

Turn Off DNSSEC Validation And Use As Caching DNS Server

Current Unbound "service.conf" is pre-configured to function as a Validating Recursive Caching DNS Server. If you do not want to use the DNSSEC validation functionality, then you can disable by doing steps like shown in below box. In "service.conf" (or in "unbound.conf") file, search (Ctrl+F) for mentioned below lines which has the # (hash/pound) symbol at the beginning of that line, (but do not use the # sign in the search string or text). Once you find it, add the # symbol at the beginning of that line, and if the next line (in below box which does not have # symbol at beginning), does not exist inside "service.conf" file, then add that line:

#module-config: "validator iterator"
module-config: "iterator"

#val-permissive-mode: "no"
val-permissive-mode: "yes"

#val-clean-additional: "yes"
val-clean-additional: "no"

# Optional step, you may disable below line like this:
#auto-trust-anchor-file: "C:\Program Files\Unbound\root.key"

# Optional step, you may disable below line like this:
#dlv-anchor-file: "C:\Program Files\Unbound\"

Above settings will turn off "DNSSEC Validator" portion of Unbound, and will turn it into a Recursive Caching DNS server only.

Use Specific Nameservers for Specific Sites

If you need to forcefully use a very specific set of DNS or name servers for a very specific website or domain-name, and for all sub-domians under that, then follow this:

  # If you use Deadwood / MaraDNS then use below one line:
upstream_servers[""]="ip.adrs.dns.N1, ip.adrs.ns.N2"

# If you use Unbound then use below few lines:
	name: ""
	stub-addr: ip.adrs.dns.Numbers1
	stub-addr: ip.adrs.ns.Numbers2

Change "" to your desired website or domain-name. And change ip.adrs.dns.Numbers1 and ip.adrs.ns.Numbers2 to the correct IP address numbers for that website. Like above examples, keep the . (dot) at end of a domain-name or name-server in stub-host configuration command-lines, when example shown above used it. For more info, search for [SIGNED TLD] & [UNSIGNED TLD OR ROOT] sections inside "service.conf" file.

  • If you don't have name-server's or DNS server's (FQDN) hostname, then disable line which has or by placing a # (hash/pound) sign at the begin as first character of that line. If you don't have actual IP address then disable lines which has ip.adrs.dns.Numbers1 or ip.adrs.ns.Numbers2.
  • If your desired domain-name, site or TLD is DNSSEC signed, then add 'trust-anchor:' for it, see "service.conf" file for further info.
  • If stub-host: nameserver's hostname is using such a TLD portion, which is not supported by the "ICANN/IANA/VeriSign/PIR/etc governed or operated Root DNS Servers", then use forward-zone: for each of those stub-host: hostname, and also add such TLD in 'domain-insecure:' section if such TLD is not DNSSEC signed.

Add Unsigned or Signed TLD from Other or Alt Root DNS Providers

Inside the "unbound.conf" or "service.conf" look (Ctrl+F) for these words: [UNSIGNED TLD OR ROOT] to goto related section. Also see above section. Those sections will give further instructions on what to do when you want to add new or more TLDs, or, what you need to do if you want to move or add DNSSEC signed TLDs, or what you need to do for zones, domain-names, etc.

  • If you obtained caching dns server IP addresses (or hostnames) which can also resolve your desired site or domain-name or TLD instantly, and you do not want DNSSEC validation, or those domain-names or TLDs are not DNSSEC signed, then those can also be added using 'forward-zone:' and 'domain-insecure:' configuration command-lines.
  • For DNSSEC validation to work for a (signed) site or domain-name or TLD, your (3rd party) DNS-resolver must connect directly with the "Authoritative" DNS server which holds the AA, SOA dns records of that exact domain-name or TLD, and it must also be DNSSEC signed, and then DNSSEC validation will work for all signed SLDs, under DNSSEC signed TLDs which are from ICANN/IANA/VeriSign/PIR/etc entity.
  • If your desired site or domain-name or TLD exists outside of ICANN/IANA/VeriSign/PIR/etc entity and DNSSEC signed, then you must add those DNSSEC public keys, either by using a file and 'trust-anchor:' configuration command, or, by adding them directly in the "service.conf" file. You can also run your own DLV supported DNS-server for assisting in DNSSEC validation for such TLD, and for any future SLDs, 3rd Level Domains, etc under that. A 2nd DNS-resolver configured to use another DLV (& DNSSEC data), can be queried from main (or first) DNS-resolver to resolve your own custom created TLDs, SLDs, etc.

Re-Configure Unbound To Use One Core/CPU

Currently, the "service.conf" is configured to use dual-core based CPU and use 2 threads. On single-core (or 1 CPU) based computer, use 1 thread. In "service.conf" (or in "unbound.conf") file, search (Ctrl+F) for mentioned below lines which has the # (hash/pound) symbol at the beginning of that line, (but do not use the # sign in the search string or text). Once you find it, add the # symbol at the beginning of that line, and if the next line (in below box which does not have # symbol at beginning), does not exist inside "service.conf" file, then add that line:

#num-threads: 2
num-threads: 1

#outgoing-range: 450
outgoing-range: 950

#num-queries-per-thread: 225
num-queries-per-thread: 475

#msg-cache-slabs: 2
msg-cache-slabs: 1

#rrset-cache-slabs: 2
rrset-cache-slabs: 1

#infra-cache-slabs: 2
infra-cache-slabs: 1

#key-cache-slabs: 2
key-cache-slabs: 1

Use UDP And TCP DNS Query And Answer

To allow Unbound to connect with DNS/nameserver using TCP or UDP DNS based connection, and to allow UDP answer for UDP query, and TCP answer for TCP query, make sure your "service.conf" file has these configuration lines in this format:

do-udp: "yes"
do-tcp: "yes"

Most software and DiG tool uses UDP DNS by default, but to use a TCP DNS query, see example here.

Force Unbound To Use TCP With DNS/Nameservers

To force Unbound to connect with DNS/nameserver using TCP based connection, make sure your "service.conf" file has this configuration lines in below format. Also useful when you are using TCP based Tunnels or Proxy-Servers (like Tor proxy) etc:

#tcp-upstream: "no"
tcp-upstream: "yes"

Use Unbound In VM, a VM Dedicated Only For Tor

(1) Install your choice of VM solution, from this page. (2) Implement Anonymizing and Torification for various components of OS, all software, hardware etc. (3) Goto Torify Unbound? page for more detail instructions/guidelines.


This entire article & ALL articles under it and this project & ALL projects under it are written & developed by Bry8Star.

By Bry8Star. Copyright (c) 2012 Bry8Star (bry8star a.t yahoo d.o.t com).

Other Co-Author(s) (Section or project which are written or developed by other author or developer will mention his/her name):

By adrelanos. Copyright (c) 2012 adrelanos. These sections: 1, 2.

  • Credit also goes to freenode & other IRC network users: 'Olipro', 'detha', 'tareek', 'mjt', 'PZt', and, to OFTC IRC network users: 'velope', 'Riastradh', 'linus', and, to CesidianRoot user: 'Kai', and, to Mail List users: 'Leen Besselink', 'Jan-Piet Mens', 'Paul Wouters', 'Anders Sundman', and, to Mail List users: 'Ondrej Mikle', among many others, for their help & helpful suggestions & helpful data on solving various configuration, blocking related issues, accesing all TLDs, hardenning DNSSEC config, etc, related to this article.

Disclaimer: If you make mistake in following, any of these "general" steps & guidelines mentioned here in these article, it will NOT be good at all for your system, so be warned, search for each word which you don't understand, on Bing or Yahoo or Google or DuckDuckGo search engine sites, and search in documents and books, before actually following any of these steps. No Warranty. No Guarantee. If you wish & want to use, use at your own risk. Instruction writer(s) has(/have) tested and found these steps to be effective on his/her(/their) computer's OS + software + hardware + internal-network + external-network, etc environment + configuration + settings + features + restrictions, etc combinations. These factors & combinations cannot be 100% same on your case. Instruction writer(s) is(/are) assuming, users who will follow these steps are familiar with these steps, at least have done such once or twice before and very recently, effectively and correctly. Instruction writer will not be (and cannot be held) responsible in any way for your mistakes, or for your lack of experties, or for your lack of understanding, or for your lack of not following these general instructions, or for not converting them to a practical level in correct manner for your case, or for not learning effectively more on these, or for not realizing the patterns to suit with & modify for your case, or for any conflict or for any type of any loss which may or will occur with any current or any future component, event, etc, or, for any reason. Everything is changing all the time, so you will need to improve & adopt better solution(s) which suits you, your need(s), that is your responsibility. Adopt such solution(s) which is(/are) (or will be) better for majority, or will meet your goals. Adopt which works, discard which does not.

Contact: To communicate with authors, users, developers, operators related to this article, join IRC channel named #dnsresolvers on server on port +6697 using TLS/SSL. Answer will not be provided instantly. If you stay connected then someone knowledgeable on your question will respond back.

Send author(s), link of other (complex or techincal) article & data, if you want them to add an easier version, in this article.

Guidelines & Rules (for Authors): are here. (And, Please learn to create html links in between sections on a same page and on another page, and learn to create sub-paragraphs using lists).

Warnings If You Use Tor-DNS For Both Tor and non-Tor Purpose

This specific section and paragraphs are written & developed by author 'adrelanos', 'Bry8Star'.

Tor is a Socks5 proxy server. It can also be configured to turn it into a local DNS-Server or DNS-Resolver to resolve DNS queries from all type of software in your computer. If you start to use Tor-DNS resolver when you are using Internet for your Private purpose (non-Anonymity related) usage, then in some cases by observing Exit-node traffics some are able to obtain & reveal your identity & location, so it is very risky and not suggested. In this page, or in the shown default DNS server configurations, we are not using any "Tor DNS" in any form. TorDNS should only be used on a VM or on a computer, which is only to be used for "Anonymity" related purpose.

  • If you login into some online accounts over Tor, such as bank accounts, your bank account may get frozen. That is a very realistic risk, for example paypal freezes for any Tor exit or VPN.
    • For example, if can determine which DNS server you are using, any other server (you connect to) can do that as well.
  • You should not use Tor to resolve DNS for your non-Tor surfing.
    • Example: a malicious exit node asked to resolve could return an IP under their control and sslstrip. The website would look and feel like normal, no SSL warnings. You'd only recognize if you remember to manually look if SSL is activated. Of course, also your ISP's DNS server can mount such an attack. But it's much more easy to host an malicious exit node, anyone can do that. On the other hand, not everyone can compromise a ISP DNS server or mount a MITM in your ISP's network.
    • Since your TorDNS and web-browsing and your non-Tor DNS requests will go through the same circuit, identity correlation or even de-anonymizing is at risk. Imagine an exit node gets and DNS request and traffic for and for (Same circuit, same flow.)
  • If you have installed an OS (Operating System) as a native OS for a computer, or inside a VM (Virtual Machine), from the very beginning to be used ONLY for your Privacy & Anonymous related usage, and you have not used any information in that OS or in any software which can be used to reveal your real identity, or to reveal your location, and if you have also taken enough steps to obscure or randomize or generalize various & specific hardware IDs, and you have also "Anonymized" (aka, "Torified") all software components, then you can use "Tor DNS".


This specific section and paragraphs are written & developed by author 'adrelanos'.

TODO: This chapter needs to be incorporated into this article...

Some ISPs mitm and thus manipulate (i.e. censor or spoof) DNS traffic, even though you are using a censorship free DNS server. They mitm the DNS traffic directly. Source: transparent DNS proxy. Circumvention is only possible using:

  • encrypted connection to DNS server (there is only httpsdnsd and DNSCrypt)
  • proxies (only if the censurer is not technically sophisticated, because the connection to the proxy is not encrypted, see proxy and Tor plus VPN or proxy)
  • See Tor plus VPN or proxy
  • SSH tunnels.
  • VPNs.
  • Tor
  • Jondo

Whonix Secondary DNS resolver chapter should be adapted for this article.

httpsdnsd by JonDo (not sure if it can be compiled for Windows, if I remember right it was written in a script language and should be possible), although documentation lacks, it's a fine piece of software and can be used for encrypted DNS requests on port 443 (SSL), thus circumventing transparent DNS manipulation. On the Jondo transocks page. The page might be a bit confusing, because it's about transparent proxying, but there are no other official documents about httpsdnsd. Whonix related httpsdnsd can be adapted for this article.

DNSCrypt by OpenDNS (all platforms), better documented, can be used against transparent DNS manipulation circumvention as well.; DNSCrypt github; Whonix related about DNSCrypt can be adapted for this article.

See Other DNS Related Articles

Most articles could be merged with this one.

Editor Talk

Please see Editor Guidelines first.

  • (adrelanos) The "Preventing_Tor_DNS_Leaks Preventing DNS Leaks" has a high ranking on google. People share this link in forums, blogs etc. So it should be really probable checked if it's still accurate. (Haven't checked.) Perhaps should be really merged/redirected.
    • Hi, this page's name is "Prevent_DNS_Leaks", it is not "Preventing_Tor_DNS_Leaks". It is not about Tor binary/system's leakage. It is neither about DNS leakage from other sofwtare. It is about, How to prevent ACCIDENTAL or by MISTAKENLY entered or used .onion host, and/or how to block mis-configured settings trying to resolve .onion host on a computer. Fail-safe mechanism to block DNS query to go outside. More notes will be added. need to add firewall config info, etc. And not about Linux/Unix, but some1 can add into it. At this stage i will add info related to Windows and MacOS. -- Bry8Star.
  • (adrelanos) We should move and redirect this article to or something like that.
    • Hi, this page is about How to block/prevent .onion host DNS leaks using 3rd Party DNS resolver software and firewall on WINDOWS platform, then i will add info on MacOS. To prevent accidental or mis-configured .onion host usage. AND it is about how to reach to other root DNS servers other than ICANN 13 root servers, from your own computer, and it is about DNS resolver configuration to be used by exit-nodes so that Tor users can reach to TLDs resolved by other root servers. I will add multiple configuration, optimized for different scenario. -- Bry8Star.
    • Sorry, i agree partially with you. The sections/areas which will be touched, will be better served, if page is renamed to "DNS_Resolver", so i'm moving into that. THANKS. -- Bry8Star.
  • Thanks for adding more links. None of those links have detail practical example. And none is informing about how to reach to more TLDs, supported by various alternative Root server all around the world, so we don't supprees or allow to suppress their freedom of speech/art in any way. And none is detailing how to do DNSSEC secure validating recursive cache resolving for webpages/email-exachnages. Hopefully i will try to touch some of those, then further contributors can add further later. Windows has the most users. They should not be neglected. And PLEASE CONSIDER TO NOT WRITE with too many "TECHNICAL" words or use too many ACADEMIC/RESEARCH words, without EXPLAINING it further in DETAIL, this page IS INTENDED for less-smarter people and for those who comes from a different discipline/background. Not everyone is tech-savvy. Thanks for your effort to understand and all of your help. Let us try to help more. -- Bry8Star.
    • (adrelanos) Yes, agreed. I just wanted to say, if you have expertise in DNS field it would make sense to get ride of some cruft in the wiki. Some of the other DNS articles are more than outdated, wrong and obsolete.
    • I have limited knowledge on DNS. I'm just reading lot of articles, and emailed few companies to help out on configuring various software. But i did went into those webpages for few seconds and scanned quickly after you have given those links, and noticed errors & outdated & limited info, and also realized some portion of data is better & better documented there than here, so i will borrow some notes from there to here, and try to integrate as much needed for this or related to this article, ofcourse with proper credit given to the actual poster, to my best. THANKS. -- Bry8Star.
Last modified 2 years ago Last modified on Nov 19, 2017, 11:20:23 PM