Encrypt your redirect target

Keep your destination URL private — stored as ciphertext in DNS, readable only by the redirect service.

By default, the destination URL in a _redirect TXT record is publicly visible to anyone who queries DNS. With encryption, the TXT record contains opaque ciphertext — only the redirect service can decrypt it using its secret key. DNS observers and logs see only random-looking data.

Encryption is performed server-side. Your destination URL is sent over HTTPS to this service, encrypted using the same secret key configured on the redirect server, and the resulting ciphertext is returned to you. The key is never exposed to the browser.

Encrypt

Redirect target (URL, with optional status code)

Same format as a plaintext TXT record value — for example: https://example.com or https://example.com permanent

Each click produces a different ciphertext — all are valid.

DNS record format

Use the encrypted value in your TXT record exactly like a plaintext URL.

# Plaintext (destination visible in DNS)
_redirect.www.your-domain.com.  IN  TXT  "https://destination.com"

# Encrypted (destination private)
_redirect.www.your-domain.com.  IN  TXT  "<encrypted value from tool above>"

The redirect service automatically detects whether a TXT record value is encrypted or plaintext. No additional configuration is required on your domain.