Choosing a Public DNS Resolver
Step 1 · Interactive finder
Find a resolver for your requirements
Check what matters to you. Transport, DNSSEC, IPv6, jurisdiction and operator type are hard filters. The priorities are scored and ranked.
My priorities
Maximum privacy and no logging: Minimal or no query logging, privacy-first operator
Block malware and phishing: Security blocklist on by default or via a simple variant
Block ads and trackers: Network-wide ad and tracker filtering
Parental controls and adult-content blocking: Family or adult-content filter available
No filtering (unaltered DNS): Returns answers exactly as published
Fully customizable filtering: Choose your own blocklists or rules via an account
Top-tier speed (global anycast): Large low-latency anycast network
Non-commercial operator: Nonprofit, registry, community or public-interest, not a for-profit company
Must support encrypted DNS
DNS-over-HTTPS (DoH)
DNS-over-TLS (DoT)
DNS-over-QUIC (DoQ)
DNSCrypt
Other requirements
Must validate DNSSEC
Must offer IPv6: Provides IPv6 resolver addresses
Operator jurisdiction
Operator type
Any
Nonprofit, community or public-interest
Commercial
Step 2 · Full comparison
All 29 global public resolvers
Filter-variant addresses (malware, family, unfiltered) are listed in the Filtering cell.
Resolver | Jurisdiction | Type | Primary IPs (v4 / v6) | Filtering (default and variants) | DNSSEC | Transports | Logging | ECS
Evidence
How to decide: what the research says
Findings from peer-reviewed DNS measurement studies that should shape the trade-offs above.
Speed: plain DNS has the lowest latency, but encrypted keeps up
Encrypted transports (DoH and DoT) add latency per query, yet whole-page load times are often close to plain DNS, and DoH's overhead is small in practice. On lossy or high-latency links, plain Do53 still wins. Performance also varies by provider and region, so the fastest resolver depends on where you are.
Hounsel et al., WWW 2020; Böttger et al., IMC 2019; Chhabra et al., IMC 2021.
Encrypted DNS resists tampering, not just snooping
The largest end-to-end study of encrypted DNS found queries are far less likely to be intercepted or altered in transit than plain DNS, with only minor overhead. Operator quality varies, though: about 25% of DoT providers in that study served invalid TLS certificates, so favour well-run providers.
Lu et al., IMC 2019.
Encryption hides queries from the network, not from the resolver
Whichever provider you choose still sees every domain you look up. If that worries you, prefer no-logging operators, or an oblivious design (ODoH) where a proxy separates your identity from your queries so no single party sees both. Cloudflare and Apple have deployed ODoH.
Schmitt, Edmundson & Feamster, PoPETS 2019; Singanamalla et al., 2021.
DNSSEC validation is what stops forged answers
Only a validating resolver protects you from spoofed records. Google, Cloudflare and Quad9 all validate, and they handled the first root-key (KSK) rollover without breaking users. If integrity matters, treat DNSSEC validation as a must.
Müller et al., IMC 2019.
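One way to check whether a resolver actually validates, as an added example (not code from this page): request DNSSEC data with the DO bit, then compare the reply for a correctly signed name with the reply for a name whose signatures are deliberately invalid. The function names, the three-way verdict and the header-only sample replies are constructed for illustration.

```python
import struct

AD_FLAG = 0x0020   # Authenticated Data: the resolver validated the answer
SERVFAIL = 2       # what a validating resolver returns for bogus signatures
DO_BIT = 0x8000    # "DNSSEC OK" flag inside the OPT record's TTL field


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Recursive query carrying an EDNS0 OPT record with DO set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels)
    question = qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN
    # OPT: root name, TYPE=41, CLASS=UDP size, TTL holds DO, empty RDATA
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, DO_BIT, 0)
    return header + question + opt


def parse_header(msg: bytes) -> dict:
    """Extract the fields of the 12-byte DNS header that matter here."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags = struct.unpack_from("!HH", msg)
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    return {"txid": txid, "ad": bool(flags & AD_FLAG), "rcode": flags & 0xF}


def classify_resolver(signed_ok: bytes, signed_broken: bytes) -> str:
    """Compare replies for a validly signed name and a deliberately
    mis-signed test name, both obtained from the resolver under test."""
    good, bad = parse_header(signed_ok), parse_header(signed_broken)
    if bad["rcode"] == 0:
        return "not validating"   # bogus data was passed through
    if good["rcode"] == 0 and good["ad"] and bad["rcode"] == SERVFAIL:
        return "validating"
    return "inconclusive"         # e.g. AD stripped by a forwarder


def sample_response(flags: int, txid: int = 0x1234) -> bytes:
    """Constructed header-only reply for offline demonstration."""
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
```

To test a live resolver, send the output of build_query() over UDP port 53 for each of the two names and pass the raw replies to classify_resolver().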
ECS trades speed for privacy
EDNS Client Subnet sends part of your IP to CDNs for better geo-routing. Google and OpenDNS send it for sharper CDN mapping; Cloudflare and standard Quad9 leave it off for privacy. Pick based on which you value more.
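What "part of your IP" means on the wire, as an added example (not code from this page): the functions below encode and decode the EDNS Client Subnet option (option code 8, RFC 7871) carried in a query's OPT record and report the client prefix an upstream server would see. The addresses are documentation-range samples and the function names are chosen for illustration.

```python
import ipaddress
import struct

ECS_OPTION_CODE = 8              # EDNS Client Subnet, RFC 7871
FAMILY_BITS = {1: 32, 2: 128}    # address family -> address width in bits


def build_ecs_option(client_ip: str, prefix_len: int) -> bytes:
    """Encode an ECS option as a resolver would for an upstream query."""
    addr = ipaddress.ip_address(client_ip)
    family = 1 if addr.version == 4 else 2
    # Zero the host bits, then send only the bytes the prefix covers.
    net = ipaddress.ip_network(f"{client_ip}/{prefix_len}", strict=False)
    addr_bytes = net.network_address.packed[: (prefix_len + 7) // 8]
    body = struct.pack("!HBB", family, prefix_len, 0) + addr_bytes
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body


def parse_edns_options(rdata: bytes):
    """Yield (code, value) pairs from OPT record RDATA."""
    pos = 0
    while pos + 4 <= len(rdata):
        code, length = struct.unpack_from("!HH", rdata, pos)
        pos += 4
        if pos + length > len(rdata):
            raise ValueError("truncated EDNS option")
        yield code, rdata[pos : pos + length]
        pos += length


def leaked_subnet(rdata: bytes):
    """Return the client subnet exposed by ECS, or None if ECS is absent."""
    for code, value in parse_edns_options(rdata):
        if code != ECS_OPTION_CODE:
            continue
        if len(value) < 4:
            raise ValueError("ECS option too short")
        family, source_len, _scope_len = struct.unpack_from("!HBB", value)
        bits = FAMILY_BITS.get(family)
        if bits is None or source_len > bits:
            raise ValueError("invalid ECS family or prefix length")
        # The address is truncated on the wire; pad it back to full width.
        packed = value[4:].ljust(bits // 8, b"\x00")[: bits // 8]
        addr = ipaddress.ip_address(packed)
        return ipaddress.ip_network(f"{addr}/{source_len}", strict=False)
    return None
```

A result of None for a captured upstream query means the resolver sent no client subnet at all.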
"A Look at the ECS Behavior of DNS Resolvers", IMC 2019.
Jurisdiction and centralization matter too
The operator's legal home governs what can be compelled or logged, and a handful of providers now carry a large share of the world's recursive traffic. The U.S. NSA has also warned that external resolvers bypass internal DNS filtering and inspection, so weigh control against convenience.
Moura et al., IMC 2020; NSA guidance, 2021.
DNS-over-QUIC is now the fastest encrypted transport
A 2022 measurement of DoQ found it already beats both DoT and DoH on response time, though about 40% of handshakes were slowed by QUIC's address-validation limit. Where your client and resolver both support it (Quad9, AdGuard, NextDNS, Control D, Mullvad, UncensoredDNS, and the Chinese majors here), DoQ is the encrypted option to prefer.
Kosek et al., PAM 2022.
DNSCrypt: the oldest encrypted option, and the hardest to measure
DNSCrypt predates DoH, DoT, and DoQ (version 2 dates to 2013). It encrypts from the first packet using a resolver's pre-shared public key, so there is no plaintext hostname lookup and no dependency on certificate authorities, and its Anonymized DNS mode (2019) also hides client IPs. Among the resolvers here it is offered by Quad9, OpenDNS, AdGuard, NextDNS, Control D, and Yandex. Reliable usage numbers are scarce, though: population-scale measurements such as APNIC Labs track DoH and DoT but not DNSCrypt, so there is no trustworthy public figure for how many...