Public recursive name server explained

A public recursive name server (also called public DNS resolver) is a name server service that networked computers may use to query the Domain Name System (DNS), the decentralized Internet naming system, in place of (or in addition to) name servers operated by the local Internet service provider (ISP) to which the devices are connected. Reasons for using these services include:

• speed, compared to using ISP DNS services^[1]
• filtering (security, ad-blocking, porn-blocking, etc.)^[2]
• reporting^[3]
• avoiding censorship^[4]
• redundancy (smart caching)^[5]
• access to unofficial alternative top level domains not found in the official DNS root zone
• temporary unavailability of the ISP's name server

Public DNS resolver operators often cite increased privacy as an advantage of their services; critics of public DNS services have cited the possibility of mass data collection targeted at the public resolvers as a potential risk of using these services. Most services now support secure DNS lookup transport services such as DNS over TLS (DoT), DNS over HTTPS (DoH) and DNS over QUIC (DoQ).

Public DNS resolvers are operated either by commercial companies, offering their service for free use to the public, or by private enthusiasts to help spread new technologies and support non-profit communities.

Notable public DNS service operators

Provider	Privacy policy	DNS over UDP/TCP (Do53)	DNSSEC	DNS over TLS (DoT)	DNS over HTTPS (DoH)	DNS over QUIC (DoQ)	EDNS Padding	DNSCrypt	Hostname	IPv4 addresses	IPv6 addresses	Filters	Remarks
AdGuard			[6]	[7]	dns.adguard-dns.com			Default: ads and trackers[8]
	family.adguard-dns.com			Family: ads, trackers, and adult content
	unfiltered.adguard-dns.com			None
Alibaba	?		?				?		dns.alidns.com	223.5.5.5223.6.6.6	2400:3200::12400:3200:baba::1		Chinese regulations
CleanBrowsing		[9]		[10]	family-filter-dns.cleanbrowsing.org			Family	Designed to be used on devices of kids under 13.
	adult-filter-dns.cleanbrowsing.org			Adult
	security-filter-dns.cleanbrowsing.org			Security
Cloudflare		[11]	[12]		one.one.one.one[13] 1dot1dot1dot1.cloudflare-dns.com			None
	security.cloudflare-dns.com			Malware, Phishing
	family.cloudflare-dns.com			Malware, Phishing, Adult content
	dns64.cloudflare-dns.com			None	Intended to be IPv6-only.[14] See NAT64 and DNS64.
	Dyn	[15]								resolver1.dyndnsinternetguide.com resolver2.dyndnsinternetguide.com				Planned shutdown on May 31, 2023.
Google					dns.google[16]			None
	dns64.dns.google			None	Intended for networks with NAT64 gateway.[17]
	Gcore	! [18]	!	!	!	!	!	!	!				None
Mullvad		dns.mullvad.net[19]			None	Can be used without its VPN service
	adblock.dns.mullvad.net				Ads, and trackers
	base.dns.mullvad.net				Ads, trackers, and malware
	extended.dns.mullvad.net				Ads, trackers, malware, and social media
	all.dns.mullvad.net				Ads, trackers, malware, social media, gambling and adult content
Vercara (formerly Neustar Security Services)					?	64.6.64.6 64.6.65.6	2620:74:1b::1:1 2620:74:1c::2:2	None	Verisign transferred its public DNS to Neustar.[20]
			Malware, ransomware, spyware, phishing
			Low security + gambling, pornography, violence, hate
			Medium security + gaming, adult, drugs, alcohol, anonymous proxies
			None	Will not redirect non-existent domains to a landing page.
OpenDNS				[21]	dns.opendns.com			Basic Security filtering + user defined policies
	familyshield.opendns.com			FamilyShield: adult content
	sandbox.opendns.com			None	Sandbox addresses that provide no filtering.
Quad9		[22]	[23]		dns.quad9.net			Phishing, malware, and exploit kit domains
		dns11.quad9.net				Phishing, malware, and exploit kit domains	Passes EDNS Client Subnet.
	[24]	dns10.quad9.net				None
	Wikimedia	[25]	[26]	[27]	[28]	[29]		[30]		wikimedia-dns.org[31]			None[32]
Yandex					dns.yandex.ru secondary.dns.yandex.ru			None
	safe.dns.yandex.ru secondary.safe.dns.yandex.ru			Safe: fraudulent / infected / bot sites
	family.dns.yandex.ru secondary.family.dns.yandex.ru			Family: fraudulent / infected / bot / adult sites

External links

• Home page of the DNSCrypt project: Public DNS servers

Notes and References

1. News: How to Change Your Default DNS to Google DNS for Fast Internet Speeds. 2016-08-20. TechWorm. en-US. 2016-10-22.
2. News: A simple way to get around Rogers' DNS re-directing. IT Business. 2016-10-22.
3. Web site: OpenDNS Adds Centralized Reporting, IP-Layer Enforcement to Umbrella. mspmentor.net. 2016-10-22. https://web.archive.org/web/20161022224758/http://mspmentor.net/managed-services/110415/opendns-adds-centralized-reporting-ip-layer-enforcement-umbrella. 2016-10-22. dead.
4. News: Austrian Pirate Bay Blockade Censors Slovak Internet - TorrentFreak. 2015-12-03. TorrentFreak. en-US. 2016-10-22.
5. Web site: DNS devastation: Top websites whacked offline as Dyn dies again. Security. Iana. The Register. 2016-10-22.
6. https://adguard.com/en/blog/dns-over-quic.html AdGuard DNS-over-QUIC
7. https://adguard.com/en/blog/adguard-dns-now-supports-dnscrypt.html Adguard DNS now supports DNSCrypt
8. https://adguard-dns.io/en/public-dns.html AdGuard DNS Setup guide
9. Web site: Parental Control with DNS over TLS Support.
10. Web site: NOC.org / dcid . Parental Control with DNSCrypt Support . Cleanbrowsing.org . 2019-01-04.
11. Web site: Cloudflare Inc . DNS over TLS - Cloudflare Resolver . Developers.cloudflare.com . 2018-03-31 . 2019-01-04.
12. Web site: DNS over QUIC (DoQ). Cloudflare Community. 2022-09-12.
13. Web site: Test DNS owner one.one.one.one. 2018-08-21.
14. Web site: Supporting IPv6-only Networks . 2019-01-20 . 2020-12-09 . https://web.archive.org/web/20201209005501/https://developers.cloudflare.com/1.1.1.1/support-nat64 . dead .
15. Web site: Oracle's Privacy Policy. dyn.com. en-US. 2018-12-31.
16. Web site: Get Started | Public DNS.
17. https://developers.google.com/speed/public-dns/docs/dns64 Google Public DNS64
18. https://gcore.com/legal?tab=privacy_policy
19. Web site: 2023-08-08 . DNS over HTTPS and DNS over TLS - Guides . 2023-08-23 . Mullvad . en.
20. Web site: Verisign Public DNS Offers DNS Stability And Security – Verisign. 2020-12-05. www.verisign.com. en-US. 2021-03-31. https://web.archive.org/web/20210331041511/https://www.verisign.com/en_US/security-services/public-dns/index.xhtml. dead.
21. https://support.opendns.com/hc/en-us/articles/227989147 OpenDNS: OpenDNS and DNSCrypt
22. https://www.quad9.net/support/faq/#dnssec Quad9 FAQ: Does Quad9 implement DNSSEC?
23. https://www.quad9.net/support/faq/#doh Quad9 FAQ: Does Quad9 support DNS over HTTPS (DoH)?
24. https://www.quad9.net/support/faq/#services Quad9 FAQ: Is there a service that Quad9 offers that does not have the blocklist or other security?
25. https://meta.wikimedia.org/wiki/Wikimedia_DNS#Privacy_policy Wikimedia DNS: Privacy Policy
26. https://wikitech.wikimedia.org/wiki/Wikimedia_DNS#Encrypted_DNS Wikimedia DNS: Encrypted DNS"
27. https://wikitech.wikimedia.org/wiki/Wikimedia_DNS#DNSSEC Wikitech: Wikimedia DNS: DNSSEC
28. https://wikitech.wikimedia.org/wiki/Wikimedia_DNS Wikitech: Wikimedia DNS
29. https://wikitech.wikimedia.org/wiki/Wikimedia_DNS Wikitech: Wikimedia DNS
30. https://wikitech.wikimedia.org/wiki/Wikimedia_DNS#EDNS.280.29_Padding Wikitech: Wikimedia DNS: EDNS.280.29 Padding
31. https://meta.wikimedia.org/wiki/Wikimedia_DNS/Instructions Wikimedia DNS: Instructions
32. https://meta.wikimedia.org/wiki/Wikimedia_DNS Wikimedia DNS