dns.cmrg.net

dns.cmrg.net lets you keep what you look up in the DNS a secret from anyone snooping on your network traffic.

This is a privacy-preserving open DNS resolver, offering only DNS-over-TLS (a.k.a. DoT, RFC 7858).

Using with Android

To use this on an Android device, go to:

Settings → Network & internet → Advanced → Private DNS

Select “Private DNS provider hostname”

In the “Enter hostname of DNS provider” field, put dns.cmrg.net

Uninstalling on Android

To uninstall, just go back to the same setting and set it back to “Automatic”.

Using with iOS 14+

Load this mobileconfig file.

For iOS, the device will prompt you to confirm that you want this setting. Once you agree, you need to open the Settings app.

Near the top of Settings, you’ll see “Profile Downloaded”. Tap it, then tap the “Install” button in the top right of the “Install Profile” page.

You’ll be prompted for your password. Once you’ve entered it, you have to tap “Install” a few more times to confirm.

You may see warnings that this profile “is not signed” because we haven’t paid for the credential iOS requires for this purpose.

Uninstalling on iOS

To uninstall, go back to the Settings app, choose “General”, and scroll down to “Profile” where it says “dns.cmrg.net Configuration Profile”. Tap it, you’ll see a screen of all profiles you have loaded (maybe just this one!). Tap “dns.cmrg.net Configuration Profile” again, and you’ll see a button to “Remove Profile”.

You’ll need to enter your password for removal as well.

Technical Details

hostname	`dns.cmrg.net`
IPv4 address	199.58.81.218
IPv6 address	2001:470:1c:76d::53
TCP port	853 or 443 or 53053
OOB Pins	3IOHSS48KOc/zlkKGtI46a9TY9PPKDVGhE3W2ZS4JZo= 5zFN3smRPuHIlM/8L+hANt99LW26T97RFHqHv90awjo=

Using on a GNU/Linux desktop

To use this on a modern Debian system, you can set up a local forwarding stub resolver with:

apt install knot-resolver ca-certificates
cat >> /etc/knot-resolver/kresd.conf <<EOF
policy.add(policy.all(policy.TLS_FORWARD({
 {'199.58.81.218', hostname='dns.cmrg.net',
  ca_file='/etc/ssl/certs/ca-certificates.crt'},
 {'2001:470:1c:76d::53', hostname='dns.cmrg.net',
  ca_file='/etc/ssl/certs/ca-certificates.crt'},
})))
EOF

And then ensure that /etc/resolv.conf points to the local resolver:

# /etc/resolv.conf
nameserver 127.0.0.1

Policies

This service does not log queries beyond the time window necessary for debugging service failures by system administrators. We do not share log information with anyone for any other purpose.

Ths service pads DNS-over-TLS responses on port 853 according to common practice, as derived from empirical research. Ports 443 and 53053 do not offer padding, so response sizes are visible on the wire. It is strongly recommended that your DNS client also pads its queries for maximum protection against size-based traffic analysis.

Future Work

Given the technical capacity, the following upgrades are intended (not necessarily in this order):

Pad responses on ports 443 and 53053
Offer DNS-over-HTTPS, a.k.a. DoH as well as DoT on port 443
Add a local root to reduce some amount of upstream nameserver queries
Do unilateral opportunistic probing to establish encrypted connections to authoritative servers
Apply prefetching, chaffing, and other techniques to improve defenses against time-based traffic analysis
Offer this service as an onion service