Information is up to date, the design will be modernized at a later point - we are a small team and had to prioritize
  1. Secure DNS Resolver
  2. Nameserver
Secure DNS Resolver


This module provides secure domain resolving. Most prominently, it uses the DNS-over-TLS protocol by default in order to protect your precious DNS queries from prying eyes.

It also splits its horizon between your local network and the Internet. If you employ local domains for either an enterprise network or development, it will direct queries for these domains to the correct local nameservers, if they announce them.

Responses from servers are cached intelligently, invalidating any cached responses that do not conform to updated configuration.

If you want to know how we choose our default providers, read How Safing Selects its Default DNS Providers.



This module is kind of the other end of the resolver. It listens locally for DNS requests from processes and lets the resolver come up with an answer.

Similarly to the firewall module, it first attributes the request to a process and fetches custom settings and then lets the Privacy Filter make a decision about the query. Only then is the resolver tasked with finding a response to the query. After receiving the response, it is again checked with the Privacy Filter in case something in the response needs to be blocked.