DNS Providers#
Reference of public recursive DNS resolvers, authoritative DNS providers, and DNS-layer security services. Useful for egress hardening, censorship circumvention, ad-blocking, domain hosting, and threat blocking.
For broader networking, see Network Protocols. For DNS-based intel sources, see OSINT Sources. For CDN-bundled DNS, see CDNs & Edge.
Public recursive resolvers#
Operator |
Country |
IPv4 / IPv6 |
Notes |
|---|---|---|---|
Cloudflare 1.1.1.1 |
US/global |
1.1.1.1, 1.0.0.1 / 2606:4700:4 |
700::1111, ::1001 Privacy-focused; DoH / DoT; 1.1.1.2 (mal), 1.1.1.3 (mal+adult). |
Google Public DNS |
US/global |
8.8.8.8, 8.8.4.4 / 2001:4860:4 |
860::8888, ::8844 DoH / DoT. |
Quad9 |
CH/global |
9.9.9.9 (filter), 9.9.9.10 (no |
filter), 149.112.112.112 / 2620:fe::fe Threat-blocking; based in Switzerland; Quad9 Foundation. |
OpenDNS / Umbrella |
Cisco |
208.67.222.222, 208.67.220.220 |
/ 2620:119:35::35, ::53 Family / Umbrella enterprise. |
AdGuard DNS |
CY/global |
94.140.14.14, 94.140.15.15 |
Ad-block + family + non-filtering tiers. |
NextDNS |
US/global |
Per-account DoH endpoints |
Per-account customisable filtering. |
Comodo Secure DNS |
US |
8.26.56.26, 8.20.247.20 |
Threat-blocking. |
DNS.SB |
Various |
185.222.222.222, 45.11.45.11 |
No-logs. |
Mullvad DNS |
SE |
194.242.2.2, 194.242.2.3 |
Ad-block + tracker-block; no-logs. |
CleanBrowsing |
US |
185.228.168.168 (family); .169 |
(adult); .9 (security) Family / adult-block / security. |
Yandex.DNS |
RU |
77.88.8.8, 77.88.8.1 |
Basic / safe / family. |
NIC.cz Free DNS |
CZ |
193.17.47.1, 185.43.135.1 |
OARC. |
DeNIC / Dyn Standard |
DE/global |
n/a |
Operator-specific. |
ControlD |
CA |
Per-config endpoints |
Per-policy resolver. |
LibreDNS |
GR |
116.202.176.26 |
Greek community. |
Verisign Public DNS |
US |
64.6.64.6, 64.6.65.6 |
Verisign. |
Encrypted DNS endpoints#
Provider |
DoH / DoT / DoQ endpoints |
|---|---|
Cloudflare |
https://cloudflare-dns.com/dns-query (DoH); tls://1.1.1.1 (DoT); quic://1.1.1.1 (DoQ). |
https://dns.google/dns-query (DoH); tls://dns.google. |
|
Quad9 |
https://dns.quad9.net/dns-query (DoH); tls://dns.quad9.net. |
NextDNS |
https://dns.nextdns.io/<configID>. |
AdGuard |
|
Mullvad |
https://doh.mullvad.net/dns-query (DoH); tls://dns.mullvad.net. |
DNS.SB |
DNS-layer security#
Service |
Vendor |
Notes |
|---|---|---|
Cisco Umbrella |
Cisco |
Cloud DNS + secure web; OpenDNS-derived. |
Cloudflare Gateway |
Cloudflare |
DNS + secure web; Zero Trust. |
Zscaler Internet Acce ss |
Zscaler |
Cloud secure web; DNS filtering. |
Palo Alto Prisma Acce ss |
Palo Alto |
SASE. |
Netskope |
Netskope |
SASE. |
ForcePoint Cloud |
ForcePoint |
Web gateway. |
DNSFilter |
DNSFilter |
SMB-friendly. |
Webroot DNS |
Webroot |
DNS protection. |
WatchGuard DNSWatch |
WatchGuard |
Firebox DNS. |
Akamai Secure Internet Access |
Akamai |
ETP. |
SafeDNS |
SafeDNS |
DNS filter. |
Surfshark CleanWeb 2. |
0 Surfshark |
VPN with DNS-block. |
DNS protocols#
Protocol |
Notes |
|---|---|
DNS / 53 / UDP+TCP |
Plaintext; the historical default. |
DoT (RFC 7858) |
DNS over TLS; port 853. |
DoH (RFC 8484) |
DNS over HTTPS; port 443. |
DoQ (RFC 9250) |
DNS over QUIC; port 853 + QUIC. |
ODoH (Oblivious DoH) |
IETF; client → relay → resolver; relay sees src IP, resolver sees query; oblivious to both. |
DNSCrypt |
Open / Frank Denis; v1 + v2; pre-DoH protocol. |
DNSSEC |
Authentication of records; RRSIG / DS / DNSKEY; not encryption. |
DNS Cookies (RFC 7873 |
) Mitigation of off-path forgery. |
EDNS0 |
Extension framework; DNSSEC + cookies + ECS depend on it. |
ECS (RFC 7871) |
Client subnet hint; controversial for privacy. |
ANAME / ALIAS / CNAME flat |
Various proprietary; flatten apex aliases. |
Operator notes#
Default to encrypted DNS, DoT for system resolvers, DoH for browsers; legacy clear-text DNS leaks every hostname.
Quad9 + Cloudflare 1.1.1.2 are the easy-mode threat-blocking choices for personal / family use.
Don’t trust ECS, many resolvers strip / spoof client subnet; CDNs may misroute as a result.
DNSSEC adoption is patchy, ~85% of TLDs but only ~40% of resolvers validate; check with dnssec-name.org.
DoH on port 443 bypasses host-firewalls easily, which is great for users and a problem for enterprises, ECH + DoH together hide more.
Authoritative DNS provider redundancy, run two providers (e.g. Route 53 + NS1) to survive a Dyn-style outage.
NXNSAttack / Slipstream, legacy resolver attacks, patched widely; check vendor.
Subdomain takeover, dangling CNAMEs to deprovisioned cloud resources; scan with takeover or subjack.
Logs, recursive resolvers see every domain a host resolves; this is rich detection telemetry but also a privacy choke-point.
References#
dnstool / dig / drill / kdig