Free, encrypted DNS resolver with post-quantum cryptography.
This server provides encrypted DNS resolution via DNS over TLS (DoT) and DNS over HTTPS (DoH). All queries are fully recursively resolved — with DNSSEC validation enabled.
| Protocol | Setting |
|---|---|
| DoT Port 853 | dns.kernel-error.de |
| DoH HTTPS | https://dns.kernel-error.de/dns-query |

Settings → Network → Private DNS → dns.kernel-error.de

Settings → Privacy → DNS over HTTPS → Custom: https://dns.kernel-error.de/dns-query

```ini
# /etc/systemd/resolved.conf
[Resolve]
DNS=37.120.183.220#dns.kernel-error.de
DNS=2a03:4000:38:20e::853#dns.kernel-error.de
DNSOverTLS=yes
```

This server supports X25519MLKEM768 (ML-KEM, formerly Kyber) as the preferred key exchange group — on both DoT (port 853) and DoH (port 443). Clients with PQC support (e.g. Chrome 124+, Firefox 128+, curl with OpenSSL 3.5+) automatically negotiate a quantum-safe connection.
Legacy clients transparently fall back to X25519 or ECDH.
| Property | Value |
|---|---|
| Operating System | FreeBSD |
| Software | BIND + nginx |
| Protocols | HTTP/2, HTTP/3 (QUIC) |
| DNSSEC | Zone signed (ECDSAP256SHA256) + validation enabled |
| DANE/TLSA | TLSA records published for DoT (853) and DoH (443) |
| QNAME Minimisation | Yes (relaxed, RFC 9156) |
| TLS Versions | TLS 1.2, TLS 1.3 |
| Preferred Cipher | CHACHA20-POLY1305 |
| PQC Key Exchange | X25519MLKEM768 |
| DoH Format | RFC 8484 (wire format) |
| Location | Netcup, Germany |
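
As an added example (not code from this server's operator), the Python below builds the RFC 8484 wire-format GET request for the DoH endpoint listed above and classifies a response by RCODE and the AD bit, which is how a client sees the resolver's DNSSEC validation. The function names and the three header-only sample responses are constructed for illustration.

```python
import base64
import struct

DOH_URL = "https://dns.kernel-error.de/dns-query"  # endpoint listed on this page

def build_query(name, qtype=1, do_bit=True):
    """DNS query in wire format; ID 0 as RFC 8484 recommends for cache-friendliness."""
    # Header: ID=0, flags=RD, QDCOUNT=1, ARCOUNT=1 when an EDNS0 OPT record follows
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 1 if do_bit else 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    # OPT RR: root name, TYPE 41, UDP size 1232, ext-rcode 0, version 0, DO flag, RDLEN 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, 0x8000, 0)
    return header + question + (opt if do_bit else b"")

def doh_get_url(query, base=DOH_URL):
    """RFC 8484 GET form: base64url without padding in the 'dns' parameter."""
    return base + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")

def parse_header(msg):
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    ident, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": ident, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "ad": bool(flags & 0x0020), "rcode": flags & 0x000F, "ancount": an}

def dnssec_status(msg):
    """Classify a response by RCODE and the AD bit set by a validating resolver."""
    h = parse_header(msg)
    if not h["qr"] or h["tc"]:
        return "invalid"
    if h["rcode"] == 2:
        return "servfail"   # also what a validating resolver returns for bogus data
    if h["rcode"] == 0 and h["ad"]:
        return "secure"     # answer validated by the resolver
    return "insecure"       # unsigned zone or other rcode: no validation claim

# Constructed header-only samples (not captured from the server)
SAMPLE_SECURE = struct.pack("!HHHHHH", 0, 0x81A0, 1, 1, 0, 1)    # QR RD RA AD, NOERROR
SAMPLE_SERVFAIL = struct.pack("!HHHHHH", 0, 0x8182, 1, 0, 0, 1)  # QR RD RA, SERVFAIL
SAMPLE_UNSIGNED = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 1)  # QR RD RA, no AD

if __name__ == "__main__":
    print(doh_get_url(build_query("kernel-error.de")))
    for s in (SAMPLE_SECURE, SAMPLE_SERVFAIL, SAMPLE_UNSIGNED):
        print(dnssec_status(s))
```

Send the URL with `Accept: application/dns-message`. The AD bit is the resolver's claim, so it is only meaningful over the authenticated DoT/DoH channel.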