Route Shield

Process Level Routing

DNS

Route Shield allows you to configure and utilize multiple DNS-Over-HTTPS and DNS-Over-TLS providers at the same time. This provides precise control over name lookups.

The first step to controlling DNS is to configure available providers. Route Shield can sync with Heilig Defense servers to download a list of available DOH and DOT servers. When configured, simply check the box to enable the provider or uncheck it to disable it.

If you don't want to sync with our servers, or you have your own DOH or DOT resolvers, you can easily add new providers. First, enter a name. Next, you can optionally enter country information about the servers. Finally, enter both the DOH and DOT servers associated with the service. A DOT provider should be just the IP address, while a DOH provider should be the full URL ending in 'dns-query'.

Once your DNS providers are configured, you can now set system-wide options.

  • Random: Every lookup will be assigned a random DNS provider from the configured list.
  • Round Robin: The next DNS provider in the list is picked in a repeating, circular fashion.
  • Schedule: Specific DNS providers are applied during the configured days and times.
  • Specific: Use a specific DNS provider for all applications that do not have a specific configuration set.

In addition to the assignment, you can also configure DNS binding, mapping and sinkholing.

DNS binding lets you set the network adapter that both DNS-Over-HTTPS and DNS-Over-TLS use when making a request. This will be a system-wide default that is used if a process is not specifically configured.

DNS mapping is the process of using a specific provider for a specific domain lookup. For example, if you only want to look up google.com using BlahDNS, you can simply set a mapping between the two values.

DNS sinkholing is the process of redirecting the query to a server under our control in order to return a bogus response. Route Shield does sinkholing a bit differently. Instead of redirecting in order to spoof the response, Route Shield's sinkholing involves simply dropping DNS requests to and responses from configured domains and IP addresses. This provides network-level filtering against trackers, ads, and malicious content. You can enable DNS sinkholing by checking the appropriate checkbox. To configure the domains and IPs that should be sinkholed, Route Shield can sync to public lists as well as ingest data files that contain domains and IP addresses. While the data can be somewhat unstructured, it's best if each entry is on its own line.
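To check how a loosely structured list will be read before importing it, the following added example (not Route Shield's own parser) extracts domains and IP addresses from mixed-format text and tests a query name or answer IP against the result. The function names, the sample data, the skipping of hosts-file placeholder addresses, and the matching of subdomains are all assumptions of this sketch.

```python
import ipaddress
import re

# Placeholder addresses used by hosts-style lists; never treated as entries.
PLACEHOLDERS = {"0.0.0.0", "127.0.0.1", "::", "::1"}
LABEL = r"[a-z0-9_](?:[a-z0-9_-]{0,61}[a-z0-9_])?"
DOMAIN_RE = re.compile(rf"^(?=.{{1,253}}$)(?:{LABEL}\.)+(?:[a-z]{{2,63}}|xn--[a-z0-9-]{{2,59}})$")

SAMPLE = """\
# constructed sample, not a real blocklist
0.0.0.0 tracker.example.test
127.0.0.1 localhost
ads.example.test   # inline comment
||metrics.example.test^
203.0.113.7
2001:db8::bad, 198.51.100.22
! adblock-style comment
not a domain
"""

def parse_blocklist(text):
    """Return (domains, ips) extracted from loosely structured list text."""
    domains, ips = set(), set()
    for line in text.splitlines():
        line = re.split(r"[#!]", line, maxsplit=1)[0]  # drop comments
        for token in re.split(r"[\s,;]+", line):
            token = token.strip("|^").lower().rstrip(".")
            if not token or token in PLACEHOLDERS:
                continue
            try:
                ips.add(ipaddress.ip_address(token))
                continue
            except ValueError:
                pass  # not an IP literal, try it as a domain
            if DOMAIN_RE.match(token):
                domains.add(token)
    return domains, ips

def is_sinkholed(name_or_ip, domains, ips):
    """True if a queried name (or a parent domain) or an answer IP is listed."""
    value = name_or_ip.lower().rstrip(".")
    try:
        return ipaddress.ip_address(value) in ips
    except ValueError:
        pass
    labels = value.split(".")
    # Assumption: listing example.test also covers its subdomains.
    return any(".".join(labels[i:]) in domains for i in range(len(labels) - 1))
```

Tokens that are neither a valid IP literal nor a well-formed domain (such as `localhost` or free text) are silently skipped, which is why one entry per line makes it easier to spot what was dropped.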