DNS Providers#

Reference of public recursive DNS resolvers, authoritative DNS providers, and DNS-layer security services. Useful for egress hardening, censorship circumvention, ad-blocking, domain hosting, and threat blocking.

For broader networking, see Network Protocols. For DNS-based intel sources, see OSINT Sources. For CDN-bundled DNS, see CDNs & Edge.

Public recursive resolvers#

Operator

Country

IPv4 / IPv6

Notes

Cloudflare 1.1.1.1

US/global

1.1.1.1, 1.0.0.1 / 2606:4700:4

700::1111, ::1001 Privacy-focused; DoH / DoT; 1.1.1.2 (mal), 1.1.1.3 (mal+adult).

Google Public DNS

US/global

8.8.8.8, 8.8.4.4 / 2001:4860:4

860::8888, ::8844 DoH / DoT.

Quad9

CH/global

9.9.9.9 (filter), 9.9.9.10 (no

filter), 149.112.112.112 / 2620:fe::fe Threat-blocking; based in Switzerland; Quad9 Foundation.

OpenDNS / Umbrella

Cisco

208.67.222.222, 208.67.220.220

/ 2620:119:35::35, ::53 Family / Umbrella enterprise.

AdGuard DNS

CY/global

94.140.14.14, 94.140.15.15

Ad-block + family + non-filtering tiers.

NextDNS

US/global

Per-account DoH endpoints

Per-account customisable filtering.

Comodo Secure DNS

US

8.26.56.26, 8.20.247.20

Threat-blocking.

DNS.SB

Various

185.222.222.222, 45.11.45.11

No-logs.

Mullvad DNS

SE

194.242.2.2, 194.242.2.3

Ad-block + tracker-block; no-logs.

CleanBrowsing

US

185.228.168.168 (family); .169

(adult); .9 (security) Family / adult-block / security.

Yandex.DNS

RU

77.88.8.8, 77.88.8.1

Basic / safe / family.

NIC.cz Free DNS

CZ

193.17.47.1, 185.43.135.1

OARC.

DeNIC / Dyn Standard

DE/global

n/a

Operator-specific.

ControlD

CA

Per-config endpoints

Per-policy resolver.

LibreDNS

GR

116.202.176.26

Greek community.

Verisign Public DNS

US

64.6.64.6, 64.6.65.6

Verisign.

Encrypted DNS endpoints#

Provider

DoH / DoT / DoQ endpoints

Cloudflare

https://cloudflare-dns.com/dns-query (DoH); tls://1.1.1.1 (DoT); quic://1.1.1.1 (DoQ).

Google

https://dns.google/dns-query (DoH); tls://dns.google.

Quad9

https://dns.quad9.net/dns-query (DoH); tls://dns.quad9.net.

NextDNS

https://dns.nextdns.io/<configID>.

AdGuard

https://dns.adguard-dns.com/dns-query.

Mullvad

https://doh.mullvad.net/dns-query (DoH); tls://dns.mullvad.net.

DNS.SB

https://doh.dns.sb/dns-query.

Authoritative / managed DNS#

Provider

Org

Notes

Cloudflare DNS

Cloudflare

Anycast; free + enterprise; DNSSEC.

Route 53

AWS

Anycast; alias records; route53 = 53rd AWS service.

Cloud DNS

Google

Managed DNS on GCP.

Azure DNS

Microsoft

Public + private zones.

NS1

IBM

Traffic management; bought 2024.

Dyn

Oracle

Acquired 2016.

DNSimple

DNSimple

Developer-focused.

DigitalOcean DNS

DO

Free with droplet.

Linode DNS

Akamai

Free.

Hurricane Electric

HE

Free DNS hosting (he.net).

Constellix

Tiggee

Performance-focused.

Akamai Edge DNS

Akamai

Anycast.

UltraDNS

Vercara

Enterprise.

Verisign Managed DNS

Verisign

Enterprise.

Bluecat

Bluecat

DDI (DNS / DHCP / IPAM).

Infoblox

Infoblox

Enterprise DDI.

EfficientIP

EfficientIP

Enterprise DDI.

PowerDNS

PowerDNS

OSS PowerDNS server.

NSD / Knot DNS

NLnet / CZ.NIC

OSS authoritative.

BIND 9

ISC

The reference DNS implementation.

Unbound

NLnet

Recursive resolver (OSS).

DNS-layer security#

Service

Vendor

Notes

Cisco Umbrella

Cisco

Cloud DNS + secure web; OpenDNS-derived.

Cloudflare Gateway

Cloudflare

DNS + secure web; Zero Trust.

Zscaler Internet Acce ss

Zscaler

Cloud secure web; DNS filtering.

Palo Alto Prisma Acce ss

Palo Alto

SASE.

Netskope

Netskope

SASE.

ForcePoint Cloud

ForcePoint

Web gateway.

DNSFilter

DNSFilter

SMB-friendly.

Webroot DNS

Webroot

DNS protection.

WatchGuard DNSWatch

WatchGuard

Firebox DNS.

Akamai Secure Internet Access

Akamai

ETP.

SafeDNS

SafeDNS

DNS filter.

Surfshark CleanWeb 2.

0 Surfshark

VPN with DNS-block.

DNS protocols#

Protocol

Notes

DNS / 53 / UDP+TCP

Plaintext; the historical default.

DoT (RFC 7858)

DNS over TLS; port 853.

DoH (RFC 8484)

DNS over HTTPS; port 443.

DoQ (RFC 9250)

DNS over QUIC; port 853 + QUIC.

ODoH (Oblivious DoH)

IETF; client → relay → resolver; relay sees src IP, resolver sees query; oblivious to both.

DNSCrypt

Open / Frank Denis; v1 + v2; pre-DoH protocol.

DNSSEC

Authentication of records; RRSIG / DS / DNSKEY; not encryption.

DNS Cookies (RFC 7873

) Mitigation of off-path forgery.

EDNS0

Extension framework; DNSSEC + cookies + ECS depend on it.

ECS (RFC 7871)

Client subnet hint; controversial for privacy.

ANAME / ALIAS / CNAME flat

Various proprietary; flatten apex aliases.

Operator notes#

  • Default to encrypted DNS, DoT for system resolvers, DoH for browsers; legacy clear-text DNS leaks every hostname.

  • Quad9 + Cloudflare 1.1.1.2 are the easy-mode threat-blocking choices for personal / family use.

  • Don’t trust ECS, many resolvers strip / spoof client subnet; CDNs may misroute as a result.

  • DNSSEC adoption is patchy, ~85% of TLDs but only ~40% of resolvers validate; check with dnssec-name.org.

  • DoH on port 443 bypasses host-firewalls easily, which is great for users and a problem for enterprises, ECH + DoH together hide more.

  • Authoritative DNS provider redundancy, run two providers (e.g. Route 53 + NS1) to survive a Dyn-style outage.

  • NXNSAttack / Slipstream, legacy resolver attacks, patched widely; check vendor.

  • Subdomain takeover, dangling CNAMEs to deprovisioned cloud resources; scan with takeover or subjack.

  • Logs, recursive resolvers see every domain a host resolves; this is rich detection telemetry but also a privacy choke-point.

References#