Privacy Tools Guide

Combine encrypted DNS with secure messaging (Signal, Matrix) to create defense-in-depth privacy protection. Encrypted DNS (DoH/DoT) hides your browsing destinations from network observers, while secure messaging protects communication content and metadata—together addressing different threat vectors for complete privacy.

Understanding the Privacy Gaps

DNS queries reveal your browsing activity even when you use HTTPS. Every time your device resolves a domain name, it sends a request that can be logged, analyzed, or intercepted. Traditional DNS uses plaintext UDP on port 53, making it trivial for network observers to build a complete picture of your internet usage.

Encrypted DNS protocols—DoH (DNS over HTTPS) and DoT (DNS over TLS)—encrypt these queries. However, encrypted DNS alone only protects the resolution step. Your ISP or network administrator can still see which IP addresses you connect to, and your messaging metadata remains exposed.

Secure messaging apps encrypt the content of your communications, but they often leak metadata: who you contacted, when, and how frequently. Combining both technologies addresses different threat vectors simultaneously.

Layer 1: Encrypted DNS Configuration

Setting up encrypted DNS requires choosing a provider and configuring your system or application. For developers, configuring at the application level provides granular control.

System-Level Configuration

On Linux with systemd-resolved, edit /etc/systemd/resolved.conf:

[Resolve]
DNS=1.1.1.1 1.0.0.1
DNSOverHTTPS=yes
DNSStubListener=no

Restart the resolver:

sudo systemctl restart systemd-resolved

Verify the configuration:

resolvectl status

Application-Level Configuration

For Chromium-based browsers, launch with these flags:

chromium --enable-features="DnsOverHttps" \
  --dns-over-https.modes="secure" \
  --dns-over-https.servers="https://1.1.1.1/dns-query"

Firefox users can configure DoH in about:config:

network.trr.mode = 2  // Bootstrapped TRR (Trusted Recursive Resolver)
network.trr.uri = "https://1.1.1.1/dns-query"
network.trr.bootstrapAddress = "1.1.1.1"

A trr.mode value of 2 ensures the browser uses DoH exclusively while falling back to the system resolver if needed.

Choosing a DNS Provider

Not all encrypted DNS providers are equal from a privacy standpoint. Your DNS provider still sees your queries in plaintext on their end—encryption only protects the transit between your device and the resolver.

Key criteria when selecting a provider:

Recommended providers for privacy-focused users:

Provider DoH URL DNSSEC ECS Stripped Jurisdiction
Quad9 https://dns.quad9.net/dns-query Yes Yes Switzerland
Cloudflare 1.1.1.1 https://cloudflare-dns.com/dns-query Yes Partial USA
NextDNS https://dns.nextdns.io/[id] Yes Yes USA
AdGuard DNS https://dns.adguard.com/dns-query Yes Yes Cyprus

For maximum privacy, self-hosting an encrypted DNS resolver using software like Unbound with DoH support eliminates reliance on any third-party.

Layer 2: Secure Messaging Configuration

Encrypted DNS protects your DNS queries, but your communication metadata still needs protection. Signal provides strong encryption with minimal metadata retention.

Signal Configuration for Privacy

Signal’s default settings prioritize security, but power users should verify these settings:

  1. Enable registration lock - Prevents SIM-swap attacks by requiring your Signal PIN when re-registering
  2. Disable link previews - Prevents your client from fetching URLs in messages
  3. Use disposable messages - For sensitive conversations, configure auto-delete timers

Signal’s sealed sender feature hides metadata about who sent messages to whom, though it requires both sender and recipient to have the feature enabled.

Signal’s Sealed Sender Explained

The sealed sender feature deserves deeper examination. In a standard message, Signal’s server receives metadata including the sender’s identity. With sealed sender, the sender’s identity is encrypted in such a way that Signal’s servers cannot link the sender to the recipient. The server knows a message was delivered to a specific recipient, but not who sent it.

To enable sealed sender for all contacts (including those you haven’t established a session with):

Navigate to Signal Settings > Privacy > Advanced > “Allow from Anyone”. This allows sealed sender from contacts not in your address book, improving your anonymity set.

Alternative: Matrix with E2EE

For self-hosted options, Matrix with end-to-end encryption provides comparable security:

# Install Element (Matrix client)
# Enable E2EE in Settings > Security & Privacy
# Verify devices using safety numbers

Matrix allows you to host your own server, reducing reliance on centralized providers. However, note that federation metadata remains visible to your server operator unless you use the Tor bridge.

Self-Hosting Matrix with Synapse

Running your own Matrix homeserver eliminates the metadata exposure to third-party providers. Install Synapse on a VPS:

# Install Synapse (Debian/Ubuntu)
sudo apt install matrix-synapse-py3

# Edit /etc/matrix-synapse/homeserver.yaml
# Key settings:
# server_name: "yourdomain.com"
# enable_registration: false  # Invite-only
# max_upload_size: "10M"

sudo systemctl enable --now matrix-synapse

Configure Nginx as a reverse proxy with TLS, then register your account. With your own server, federation can be disabled entirely for a fully closed, private communication channel.

Combining Both Layers

The real privacy benefit emerges when you use both layers together. Here’s a practical setup:

Complete Privacy Stack

┌─────────────────────────────────────┐
│         Secure Messaging            │
│         (Signal/Matrix E2EE)        │
├─────────────────────────────────────┤
│        Encrypted DNS (DoH/DoT)      │
├─────────────────────────────────────┤
│         VPN or Tor                  │
├─────────────────────────────────────┤
│      Operating System               │
└─────────────────────────────────────┘

This stack addresses different threat models:

Testing Your Configuration

Verify encrypted DNS is working:

# Check if DNS queries are encrypted
nslookup example.com 1.1.1.1

# Or use a DNS leak test
curl -s https://dnsleaktest.com

For messaging, verify encryption is active:

Threat Model Mapping

Understanding which threat each layer addresses helps you invest effort appropriately:

Threat Encrypted DNS Secure Messaging VPN/Tor
ISP DNS surveillance Mitigated No effect Mitigated
Government intercept of DNS Partial No effect Strong
Message content interception No effect Mitigated No effect
Communication metadata (who/when) No effect Partial (sealed sender) Partial
IP address correlation No effect No effect Mitigated
Browser fingerprinting No effect No effect Partial (Tor Browser)

No single layer solves all problems. Defense-in-depth means accepting that each layer has gaps and layering controls to cover each other’s weaknesses.

Advanced: DNS over Tor

For maximum privacy, route your DNS queries through Tor. This adds latency but prevents DNS leaks entirely.

Configure systemd-resolved for Tor

[Resolve]
DNS=127.0.0.1
DNSOverHTTPS=no
DNSSEC=no

Then configure your applications to use the Tor SOCKS proxy for DNS. Some applications support this natively:

# Example: curl through Tor with DNS resolution through Tor
curl --socks5-hostname 127.0.0.1:9050 https://check.torproject.org

For browsers, use the Tor Browser Bundle, which combines encrypted DNS (via its own resolver) with Tor routing.

Common Mistakes to Avoid

1. Mixing encrypted and plaintext DNS Using DoH in your browser while leaving system DNS unencrypted creates gaps. Always configure at the system level for consistent protection.

2. Trusting “free” VPN services If a VPN service is free, your data is the product. Combine encrypted DNS with a reputable paid VPN or use Tor for sensitive activities.

3. Ignoring metadata Encrypted content doesn’t hide that you communicated. Signal’s sealed sender and Tor help, but understand the residual metadata footprint.

4. Failing to verify implementations Configuration alone isn’t sufficient. Regularly test your setup using tools like dnsleaktest.com and check.torproject.org.

5. Neglecting certificate validation DoH relies on TLS, which relies on certificate trust. Be aware that corporate firewalls often perform TLS inspection using a trusted root CA installed on your device—negating DoH encryption for that observer. Check for unexpected CAs in your trust store:

# Linux: List trusted CAs
ls /etc/ssl/certs/

# macOS: List system trust store
security find-certificate -a -p /System/Library/Keychains/SystemCACertificates.keychain | openssl x509 -noout -subject

Performance Considerations

Encrypted DNS adds minimal latency—typically 10-30ms for well-optimized providers. Secure messaging encryption adds negligible overhead on modern devices. The Tor network, however, can slow connections significantly (200-500ms or more).

For most users, the privacy benefits outweigh the modest performance cost. Measure your baseline performance and test after each layer to understand the impact on your specific use case.

When combining multiple layers, prioritize based on your threat model. A journalist communicating with sources needs the full stack. A developer wanting to prevent ISP profiling might only need encrypted DNS and Signal’s defaults. Calibrate your configuration to the actual risks you face rather than implementing maximum security theater.

Built by theluckystrike — More at zovo.one

Explore Our Developer Guides

© 2026 theluckystrike Developer Guides