
getdns is currently the most feature-rich client for DNS-over-TCP and DNS-over-TLS and can be run in daemon mode to send all outgoing DNS messages over TLS (see below).


See the DNS Privacy daemon - Stubby web page for how to use it as a local DNS Privacy stub resolver.


  • Website:
    • getdns supports multiple features related to DNS privacy, including persistent connections, strict and opportunistic privacy profiles, and TLS authentication by hostname or SPKI pinset.
  • API spec:
  • Source:
    • See the first few sections on the DNS Privacy daemon - Stubby page for instructions on how to install and build getdns as a local stub resolver with TLS support from source.
  • API: Use the API directly via C or any of the available language bindings (Python, Java, nodejs, PHP)
  • getdns_query: Use API directly, or use with the wrapper script getdns_query (run 'make getdns_query' then getdns_query is found in the test directory):
    • getdns_query @<serverIP> -s -a -A -l T (Pipelined TCP queries)
    • getdns_query @<serverIP> -s -a -A -l L (Pipelined TLS queries)
    • getdns_query @<serverIP> -s -a -A -l LT (Pipelined TLS queries with fallback to TCP)
    • getdns_query @<serverIP>~<hostname> -s -a -A -l L -m (Pipelined TLS queries in strict mode using server hostname for authentication)
  • Daemon mode: see the DNS Privacy daemon - Stubby page
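
What the strict-mode TLS query in the list above requires of the connection, shown as an added example using only Python's standard library (it is not getdns code and does not use the getdns API): the query is framed with the two-byte length prefix used on TCP and TLS, and the TLS handshake must authenticate the server by hostname or the query is never sent. The function names, the fixed message ID and the sample name `example.com` are constructed for this illustration.

```python
import socket, ssl, struct

DOT_PORT = 853  # DNS-over-TLS port (RFC 7858)

def build_query(name, qtype=1, msg_id=0x1234):
    """Build a DNS query with the 2-byte length prefix used on TCP and TLS.
    msg_id is a constructed fixed value for the example."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    msg = header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    return struct.pack("!H", len(msg)) + msg

def strict_context():
    """TLS context for a strict profile: chain and hostname must both verify."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def recv_exact(sock, n):
    """Read exactly n bytes; a short read means the message was truncated."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed connection mid-message")
        buf += chunk
    return buf

def query_strict(server_ip, auth_name, name, timeout=5.0):
    """Send one query over TLS. An authentication failure raises ssl.SSLError
    before any DNS data is sent; there is no fallback to TCP or cleartext."""
    with socket.create_connection((server_ip, DOT_PORT), timeout=timeout) as raw:
        with strict_context().wrap_socket(raw, server_hostname=auth_name) as tls:
            tls.sendall(build_query(name))
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            return recv_exact(tls, length)

def parse_header(msg):
    """Extract the ID, RCODE and answer count from a DNS message (no length prefix)."""
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": ident, "rcode": flags & 0xF, "answers": an}
```

`query_strict(server_ip, auth_name, name)` takes the same two server values as the `@<serverIP>~<hostname>` argument; an opportunistic profile would instead catch the handshake error and continue on a weaker transport.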