You can set the DNS Servers setting to a list of servers that you would like to use. By default, only the first server in the list will be used, unless it fails or does not meet other configured requirements.
The DNS Server list is treated like any other list in Portmaster: it goes from top to bottom.
If Portmaster can’t resolve a domain using the first server, it goes to the next.
The last server in this list is the System/Network DNS server (it is not displayed).
If you don’t want Portmaster to ever use that server, you need to enable Ignore System/Network Servers.
If you think you have a DNS Leak, make sure to follow these steps.
DNS servers are configured using a URL scheme. The format is:
protocol://host:port?parameter=value&parameter=value
If you just want to use a plain DNS resolver at IP 10.2.3.4, please enter:
dns://10.2.3.4
For DoH servers, you can also just paste the URL given by the DNS provider. When referring to the DNS server using a domain name, as with DoH, it is highly recommended to also specify the IP address using the ip parameter, so Portmaster does not have to resolve it.
If you want to build your URL yourself, here is the format in detail:
dot: DNS-over-TLS (or tls; recommended)
doh: DNS-over-HTTPS (or https)
dns: plain DNS
tcp: plain DNS over TCP
Specify the domain name or IP address of the DNS server. When using a domain name (e.g. for DoH), it is highly recommended to specify the IP address in the parameters, so Portmaster does not have to resolve it.
You must specify the server port if it is non-standard.
The standard ports are:
dot: 853
doh: 443
dns: 53
tcp: 53
A DNS server configuration URL might have one or more of the following parameters configured.
name: give your DNS Server a name that is used for messages and logs
verify: domain name to verify for dot, only valid for dot and doh
ip: IP address (if using a domain), so Portmaster does not need to resolve it using the system resolver - this is highly recommended
blockedif: detect if the name server blocks a query, options:
    empty: server replies with NXDomain status, but without any other record in any section
    refused: server replies with Refused status
    zeroip: server replies with an IP address, but it is zero (i.e. 0.0.0.0 for IPv4)
search: specify prioritized domains/TLDs for this resolver (delimited by ,)
search-only: use this resolver for domains in the search parameter only (no value)
Here are some common DNS Servers and their Portmaster configuration. Please note that we do not recommend using IPv6 as the vast address space leads to increased trackability.
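The format rules above can be checked mechanically before an entry goes into the DNS Servers setting. The linter below is an added example, not Portmaster's own parser: the name lint_dns_url and the warning texts are assumptions. It flags in particular a domain host without ip=, the case where the server name has to be resolved before the configured resolver can be used.

```python
from ipaddress import ip_address
from urllib.parse import parse_qs, urlsplit

# Scheme aliases, standard ports and parameter names as listed on this page.
ALIASES = {"tls": "dot", "https": "doh"}
DEFAULT_PORTS = {"dot": 853, "doh": 443, "dns": 53, "tcp": 53}
BLOCKEDIF = {"empty", "refused", "zeroip"}
KNOWN_PARAMS = {"name", "verify", "ip", "blockedif", "search", "search-only"}


def is_ip(value):
    try:
        ip_address(value)
        return True
    except ValueError:
        return False


def lint_dns_url(url):
    """Return (settings, warnings) for one DNS server URL (hypothetical helper)."""
    parts = urlsplit(url.strip())
    proto = ALIASES.get(parts.scheme, parts.scheme)
    if proto not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"unknown protocol or missing host: {url!r}")
    query = parse_qs(parts.query, keep_blank_values=True)
    params = {key: values[0] for key, values in query.items()}
    warnings = [f"unknown parameter {key!r}" for key in sorted(params.keys() - KNOWN_PARAMS)]
    if params.get("blockedif", "empty") not in BLOCKEDIF:
        warnings.append(f"unknown blockedif option {params['blockedif']!r}")
    if "verify" in params and proto not in ("dot", "doh"):
        warnings.append("verify is only valid for dot and doh")
    if "ip" in params and not is_ip(params["ip"]):
        warnings.append("ip parameter is not an IP address")
    if not is_ip(parts.hostname) and "ip" not in params:
        warnings.append("domain host without ip=: the server name must be resolved first")
    if "search-only" in params and "search" not in params:
        warnings.append("search-only given without a search list")
    settings = {"protocol": proto, "host": parts.hostname,
                "port": parts.port or DEFAULT_PORTS[proto], "params": params}
    return settings, warnings


if __name__ == "__main__":
    # Two entries copied from this page, plus one constructed bad entry.
    for entry in ("dot://9.9.9.9:853?verify=dns.quad9.net&name=Quad9&blockedif=empty",
                  "https://doh.libredns.gr/dns-query?name=LibreDNS&blockedif=empty",
                  "dns://10.2.3.4?verify=resolver.example&blockedif=nxdomain"):
        print(entry, *lint_dns_url(entry), sep="\n  ")
```
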
Quad9 is a public DNS service that provides malware protection and is run by a non-profit.
# Malware Protection:
dot://9.9.9.9:853?verify=dns.quad9.net&name=Quad9&blockedif=empty
dot://149.112.112.112:853?verify=dns.quad9.net&name=Quad9&blockedif=empty
# Malware Protection, IPv6:
dot://[2620:fe::fe]:853?verify=dns.quad9.net&name=Quad9&blockedif=empty
dot://[2620:fe::9]:853?verify=dns.quad9.net&name=Quad9&blockedif=empty
AdGuard offers a freemium public DNS service that also blocks ads.
Note: The Portmaster uses the publicly available ads blocklist from AdGuard in the Portmaster’s Filter Lists by default.
# Ad Blocking:
dot://94.140.14.14:853?verify=dns.adguard.com&name=AdGuard&blockedif=zeroip
dot://94.140.15.15:853?verify=dns.adguard.com&name=AdGuard&blockedif=zeroip
# Ad Blocking, IPv6:
dot://[2a10:50c0::ad1:ff]:853?verify=dns.adguard.com&name=AdGuard&blockedif=zeroip
dot://[2a10:50c0::ad2:ff]?verify=dns.adguard.com&name=AdGuard&blockedif=zeroip
# Ad Blocking, Family Protection:
dot://94.140.14.15:853?verify=dns.adguard.com&name=AdGuard&blockedif=zeroip
dot://94.140.15.16:853?verify=dns.adguard.com&name=AdGuard&blockedif=zeroip
# Ad Blocking, Family Protection, IPv6:
dot://[2a10:50c0::bad1:ff]:853?verify=dns.adguard.com&name=AdGuard&blockedif=zeroip
dot://[2a10:50c0::bad2:ff]?verify=dns.adguard.com&name=AdGuard&blockedif=zeroip
The Foundation for Applied Privacy is a small non-profit that also runs a public DNS service.
# No Filtering:
dot://146.255.56.98:853?verify=dot1.applied-privacy.net&name=AppliedPrivacy
# No Filtering, IPv6:
dot://[2a02:1b8:10:234::2]:853?verify=dot1.applied-privacy.net&name=AppliedPrivacy
Cloudflare is a behemoth of the Internet. Next to its commercial offerings, it also provides a public DNS service.
# Malware Protection:
dot://1.1.1.2:853?verify=cloudflare-dns.com&name=Cloudflare&blockedif=zeroip
dot://1.0.0.2:853?verify=cloudflare-dns.com&name=Cloudflare&blockedif=zeroip
# Malware Protection, IPv6:
dot://[2606:4700:4700::1112]:853?verify=cloudflare-dns.com&name=Cloudflare&blockedif=zeroip
dot://[2606:4700:4700::1002]:853?verify=cloudflare-dns.com&name=Cloudflare&blockedif=zeroip
# Malware and Family Protection:
dot://1.1.1.3:853?verify=cloudflare-dns.com&name=Cloudflare&blockedif=zeroip
dot://1.0.0.3:853?verify=cloudflare-dns.com&name=Cloudflare&blockedif=zeroip
# Malware and Family Protection, IPv6:
dot://[2606:4700:4700::1113]:853?verify=cloudflare-dns.com&name=Cloudflare&blockedif=zeroip
dot://[2606:4700:4700::1003]:853?verify=cloudflare-dns.com&name=Cloudflare&blockedif=zeroip
# DOH
https://cloudflare-dns.com/dns-query?ip=1.1.1.1&name=Cloudflare&blockedif=zeroip
Needs are different, which is why we list settings suggested by the community below. Is something missing or out of date? Make a report or create a pull request.
# TLS
dot://194.242.2.2:853?verify=dns.mullvad.net&name=Mullvad&blockedif=empty
# Umbrella/OpenDNS
dot://dns.opendns.com?ip=208.67.222.222&name=opendns&blockedif=zeroip
dot://dns.opendns.com?ip=208.67.220.220&name=opendns&blockedif=zeroip
# Malware Protection, Ad Blocking
🇨🇭 Switzerland:
dot://45.91.92.121:853?verify=dot-ch.blahdns.com&name=BlahDNSch&blockedif=zeroip
🇯🇵 Japan:
dot://139.162.112.47:853?verify=dot-jp.blahdns.com&name=BlahDNSjp&blockedif=zeroip
🇸🇬 Singapore:
dot://192.53.175.149:853?verify=dot-sg.blahdns.com&name=BlahDNSsg&blockedif=zeroip
🇩🇪 Germany:
dot://78.46.244.143:853?verify=dot-de.blahdns.com&name=BlahDNSde&blockedif=zeroip
🇫🇮 Finland:
dot://95.216.212.177:853?verify=dot-fi.blahdns.com&name=BlahDNSfi&blockedif=zeroip
# TLS - No Filtering
dot://116.202.176.26:853?verify=dot.libredns.gr&name=LibreDNS
# DNS-over-HTTPS - No Filtering
https://doh.libredns.gr/dns-query?name=LibreDNS&blockedif=empty
# TLS - Malware Protection, Ad & Tracker Blocking
dot://116.202.176.26:854?verify=dot.libredns.gr&name=LibreDNS&blockedif=zeroip
From your NextDNS account, view the DNS-over-TLS/QUIC or the DNS-over-HTTPS option.
Enter the settings in Portmaster:
# DNS-over-TLS/QUIC
dot://123abc.dns.nextdns.io?name=NextDNS
# DNS-over-HTTPS
https://dns.nextdns.io/123abc?name=NextDNS
# Optional with ip address
# DoT
dot://123abc.dns.nextdns.io?name=NextDNS&ip=37.252.247.133
# DoH
https://dns.nextdns.io/123abc?name=NextDNS&ip=37.252.247.133
Replace 123abc with your NextDNS identifier.
For more details, see: Set up NextDNS in the Portmaster
# No Filtering:
dot://95.216.24.230:853?verify=fi.dot.dns.snopyta.org&name=SnopytaDNS
# No Filtering, IPv6:
dot://[2a01:4f9:2a:1919::9301]:853?verify=fi.dot.dns.snopyta.org&name=SnopytaDNS
# TLS with Malware Filter
dot://76.76.2.1:853?verify=p1.controld.com&name=ControlD&blockedif=empty
dot://76.76.10.1:853?verify=p1.controld.com&name=ControlD&blockedif=empty
# TLS Uncensored
dot://76.76.2.5:853?verify=uncensored.freedns.controld.com&name=ControlD&blockedif=empty
dot://76.76.10.5:853?verify=uncensored.freedns.controld.com&name=ControlD&blockedif=empty
# DNS-over-HTTPS Uncensored
https://freedns.controld.com/uncensored?name=ControlD&ip=76.76.2.5&blockedif=empty
https://freedns.controld.com/uncensored?name=ControlD&ip=76.76.10.5&blockedif=empty
This suggestion is not vetted, use at your own risk.
It has been suggested on GitHub. If you have knowledge of this provider or find good third-party reviews about it, please let us know. Make a report.
dot://185.222.222.222:853?verify=dot.sb&name=DNS-SB&blockedif=empty
dot://45.11.45.11:853?verify=dot.sb&name=DNS-SB&blockedif=empty
This suggestion is not vetted, use at your own risk.
It has been suggested on GitHub. If you have knowledge of this provider or find good third-party reviews about it, please let us know. Make a report.
# TLS
dot://193.110.81.9:853?verify=zero.dns0.eu&name=dns0-zero&blockedif=empty
dot://185.253.5.9:853?verify=zero.dns0.eu&name=dns0-zero&blockedif=empty
# DNS-over-HTTPS
https://zero.dns0.eu?name=dns0-zero&ip=193.110.81.9&blockedif=empty
https://zero.dns0.eu?name=dns0-zero&ip=185.253.5.9&blockedif=empty
# DOH
doh://193.110.81.9:443?verify=zero.dns0.eu&name=dns0-zero&blockedif=empty
doh://185.253.5.9:443?verify=zero.dns0.eu&name=dns0-zero&blockedif=empty
# TLS
dot://193.110.81.0:853?verify=dns0.eu&name=dns0&blockedif=empty
dot://185.253.5.0:853?verify=dns0.eu&name=dns0&blockedif=empty
# DNS-over-HTTPS
https://dns0.eu?name=dns0&ip=193.110.81.0&blockedif=empty
https://dns0.eu?name=dns0&ip=185.253.5.0&blockedif=empty
# DOH
doh://193.110.81.0:443?verify=dns0.eu&name=dns0&blockedif=empty
doh://185.253.5.0:443?verify=dns0.eu&name=dns0&blockedif=empty
In contrast to the settings mentioned above, we do not recommend using these servers. These providers are known to excessively collect user data. But as needs are different, we also list these settings requested by the community.
Is something missing or out of date? Make a report or create a pull request.
Use at your own risk:
# No Filtering:
dot://8.8.8.8:853?verify=dns.google&name=GoogleDNS&blockedif=zeroip
dot://8.8.4.4:853?verify=dns.google&name=GoogleDNS&blockedif=zeroip
# No Filtering, IPv6:
dot://[2001:4860:4860::8888]?verify=dns.google&name=GoogleDNS&blockedif=zeroip
dot://[2001:4860:4860::8844]?verify=dns.google&name=GoogleDNS&blockedif=zeroip
Unfortunately, you cannot disable the Secure DNS module directly. This is because it is a crucial component: through it, the Portmaster can see which domains are being resolved by which application. This is vital information for the Portmaster to provide you with the promised privacy protection.
However, if you would just rather use the plain DNS servers configured in your Operating System, you can just remove all configured DNS Servers from the settings in the Portmaster. This will leave the list of configured DNS Servers within Portmaster empty.
In this case, the DNS queries will still go through the Portmaster, but will end up at the same DNS server as before. The Portmaster is then only somewhat transparently inserted in the chain of servers.
While some systems are starting to offer DNS-over-TLS and DNS-over-HTTPS natively, these settings are usually not as integrated into the programming interfaces as the plain DNS servers. This means that the Portmaster will only pick up configured plain DNS servers from the Operating System.
You can of course always configure the same DNS-over-TLS server directly in the Portmaster.