Choosing a Public DNS Resolver

Infrastructure
Privacy
Security
Networking
Open Source

The post is a buyer’s guide for public DNS resolvers. It compares 29 services across features people actually shop for now, including DNS over HTTPS and TLS, logging claims, filtering options, and the legal regime each operator sits under. That framing landed well, but the useful conclusion was narrower than the catalog suggests. Picking a resolver is not really about finding “the best DNS.” It is about choosing who gets to see your queries, whether you want filtering, whether you need to dodge ISP or state DNS tampering, and whether you are willing to trade some CDN locality for privacy.

A lot of technically experienced readers said the obvious answer for them is to run their own recursive resolver with Unbound, dnsdist, dnsmasq, or AdGuard Home. That avoids outsourcing trust, gives you local policy control, and works well in practice for many home setups. The catch is that self-hosting does not hide your queries from your ISP unless you tunnel them to a remote resolver with DoH, DoT, or DoQ, and recursive resolution still leaks some metadata further upstream because authoritative DNS is not universally encrypted. So the trust question never disappears. You are deciding whether to trust your ISP, a public DNS operator, or your own remote infrastructure. The strongest technical theme was that resolver choice can change application performance in ways the usual “faster ping to the resolver” metric misses. Several comments pointed to EDNS Client Subnet and CDN steering. Some public resolvers, notably Cloudflare, do not forward client subnet hints for privacy reasons. That can send users to worse cache nodes for services like YouTube, Akamai, or ISP-integrated caches. In the best-connected networks this is often irrelevant. In markets with poor peering or aggressive ISP routing policies, it can be very noticeable. That pushed the conversation away from blanket recommendations. A privacy-focused resolver may be slower for streaming and downloads, while an ISP resolver may be fastest but more logged, more filtered, or easier for governments and courts to coerce. Privacy claims also got a reality check. Moving away from plaintext port 53 to DoH or DoT absolutely reduces what your ISP can see about your DNS traffic. That is already useful. But it does not make browsing private end to end, because SNI still leaks destination names on many connections and ECH deployment remains incomplete. Several readers thought “DNS privacy is pointless until ECH is universal” was too cynical. The practical view that emerged is simpler: encrypted DNS is worth using today, just do not confuse it with total traffic privacy. People were also skeptical of polished marketing labels like “maximum privacy.” Bus factor, independent auditing, data protection oversight, and operator incentives matter more than a checkbox list. A one-person resolver may be fragile. A large company may be reliable but still subject to corporate data use or government access. Comments singled out independent privacy audits and clear legal accountability as more meaningful signals than branding. That same skepticism showed up around filtered resolvers. Malware and ad blocking at the DNS layer can improve browsing and mobile app experience, but false positives are common enough that many prefer either an unfiltered resolver or one they control with a whitelist. The practical mood was not anti-public-DNS so much as anti-handwaving. Managed services like NextDNS got straightforward praise from people tired of maintaining Pi-hole style setups. Quad9 got support, but also reports of blocklist mistakes and outages. Cloudflare was seen as fast and polished, but its privacy positioning and ECS choice drew scrutiny. The post’s author quickly added a DoH speed test after people asked for region-specific benchmarking, which fit the consensus nicely: you cannot choose well from a generic list alone. You have to test from your own network and optimize for your own threat model.

Treat public DNS as a trust and networking decision, not a simple speed tweak. If you care about privacy, censorship resistance, or filtering, test resolvers from your own network and decide whether a managed service like NextDNS or a self-hosted resolver gives you the control you actually need.

June 28, 2026
evilbit.de
Discuss on HN

Discussion mood

Engaged and pragmatic. People liked having a structured resolver comparison, but the dominant mood was skeptical of one-size-fits-all recommendations and especially of simplistic privacy claims. The comments kept dragging the topic back to first principles: who you trust, whether you should self-host, how much CDN performance you are willing to give up, and whether filtering will break things you care about.

Key insights

Audits matter more than headcount

A resolver run by one person has bus-factor risk, but a resolver run by many employees is not automatically safer. Corporate abuse usually happens through normal management channels, not because a rogue operator went off script. The better signal is whether anyone has subjected the service to outside scrutiny or legal accountability. Cloudflare’s published privacy audit and EU-based services that fall under GDPR oversight were cited as stronger evidence than vague claims about being privacy friendly.

When you evaluate a resolver, look for independent audits, privacy policies with specifics, and a regulator that can actually compel answers. Treat anonymous ownership and hand-wavy trust language as risk, even if the service is popular.

Attribution:

JdeBP #1 #2
duskwuff #1

CDN locality depends on resolver behavior

The fastest resolver is not the one with the lowest query latency. It is the one that helps large content networks send you to a good cache node. Services like Akamai, Netflix, YouTube, and some ISP caches still depend on DNS-based steering, and Cloudflare’s choice not to send EDNS Client Subnet can produce noticeably worse paths in some networks. Anycast on its own does not remove this issue, because the recursive resolver still reaches authoritative servers from its own infrastructure and those answers can be geotargeted differently.

Benchmark streaming, downloads, and app behavior, not just DNS lookup time. If your users depend on CDN-heavy traffic, test at least one privacy-focused resolver and one ISP-friendly or ECS-capable resolver from the same connection.

Attribution:

ratorx #1
vimda #1
adithyassekhar #1
amaccuish #1
progval #1
zinekeller #1

Encrypted DNS helps before ECH arrives

The useful correction on privacy was that DoH and DoT already hide DNS lookups from passive observation by your ISP, even if they do not solve everything. SNI still leaks destination names on many connections, and ECH deployment is real but not yet broad enough to erase that gap. Calling encrypted DNS worthless until ECH is universal misses the immediate benefit. It narrows exposure today, especially where ISPs are not doing full-scale deep packet inspection.

Turn on DoH or DoT if your platform supports it, but do not sell it internally as full browsing privacy. If destination confidentiality matters, track ECH support in your browsers, CDNs, and reverse proxies as a separate rollout question.

Attribution:

tredre3 #1
marginalia_nu #1
llm_nerd #1
miniBill #1
ekr____ #1

Self-hosting changes who you trust

Running your own recursive resolver gives you control over policy, logging, blocklists, and reliability. It does not magically make DNS private. Direct recursive lookups still traverse your ISP unless you tunnel them to a remote endpoint you control or to a third party. That leaves you with a more honest framing: self-hosting is mostly about control and independence, while privacy still depends on what network path you choose upstream.

If you self-host, decide separately whether you want local recursion, an encrypted upstream, or your own remote public resolver. Write that choice down as an explicit trust decision instead of assuming self-hosting solved privacy by itself.

Attribution:

exiguus #1 #2 #3

Filtered resolvers fail in annoying ways

The appeal of malware and ad blocking at the resolver layer is obvious, but false positives and opaque failures are common enough to shape provider choice. Quad9 was praised, then immediately hit with examples of blacklist mistakes and confusion over endpoint features. Cloudflare’s normal resolver was defended as unfiltered, yet people still reported real-world failures and archive.today oddities that are indistinguishable from censorship when you are the end user. Reliability is not just uptime. It is also whether the resolver surprises you with policy.

Use filtered DNS only if you can switch profiles easily or maintain a whitelist. For businesses and less technical households, an unfiltered default plus optional filtering is usually easier to support than blanket blocking.

Attribution:

mzajc #1
johnhtodd #1
Scroll_Swe #1 #2
jaychandra68 #1
degenerate #1
chopin #1

Against the grain

ISP DNS can be the right performance choice

Using your ISP’s resolver was defended on network engineering grounds, not brand loyalty. In some regions the ISP resolver gives the shortest path to ISP-hosted caches and better CDN placement than generic public DNS. The same comment paired that with local filtering on a router like UniFi, which keeps ad blocking on-net while preserving the ISP’s topology advantages upstream.

If your priority is video, downloads, or app-store performance on a specific ISP, do not assume public DNS is better. Try local filtering with the ISP resolver as upstream before you accept a permanent performance penalty.

Attribution:

aetherspawn #1 #2 #3

Public resolver shopping misses the local-first option

One commenter rejected the whole premise of comparing public resolvers as if that were the main privacy decision. Their setup keeps bulk DNS data locally and avoids remote lookups during ordinary web access, which makes resolver choice mostly irrelevant for them. That is an edge case, but it usefully punctures the assumption that everyone should optimize around a third-party recursive service.

If DNS is mission-critical in your environment, consider whether local data, forward proxies, or other architecture changes can remove dependency on public recursive DNS altogether. Resolver comparison sites are most useful when you accept the premise of remote DNS in the first place.

Attribution:

1vuio0pswjnm7 #1 #2

In plain english

AdGuard Home ↩

A self-hosted network-wide DNS filtering and blocking service for ads, trackers, and malicious domains.

anycast ↩

A routing technique where many servers share the same IP address and the network sends users to a nearby instance.

CDN ↩

Content Delivery Network, a distributed system of servers that delivers content from locations closer to users for speed and reliability.

DNS ↩

Domain Name System, the internet service that turns domain names like example.com into IP addresses computers use to connect.

dnsdist ↩

A DNS load balancer and traffic management tool often paired with recursive or authoritative DNS servers.

dnsmasq ↩

A lightweight DNS forwarder and DHCP server often used on routers and small networks.

DoH ↩

DNS over HTTPS, a way to send DNS requests inside encrypted web traffic so they are harder for networks in the middle to read or tamper with.

DoQ ↩

DNS over QUIC, a newer encrypted DNS transport that uses the QUIC network protocol.

DoT ↩

DNS over TLS, a way to send DNS requests over an encrypted Transport Layer Security connection.

ECH ↩

Encrypted Client Hello, a TLS feature designed to hide information like SNI so observers cannot easily see the destination hostname.

ECS ↩

EDNS Client Subnet, the DNS extension used to expose part of the client’s network location for traffic steering.

EDNS Client Subnet ↩

An extension to DNS that lets a recursive resolver send part of the user’s network location to authoritative servers so they can return a nearby CDN endpoint.

GDPR ↩

General Data Protection Regulation, the European Union’s main privacy law governing how personal data can be collected and used.

Pi-hole ↩

A popular self-hosted DNS filtering tool commonly used to block ads and trackers on home networks.

SNI ↩

Server Name Indication, a field sent during many TLS connections that can reveal which hostname a user is connecting to.

Unbound ↩

An open source recursive DNS resolver often used for self-hosted local DNS caching and validation.

Reference links

Resolver privacy and policy documents

Cloudflare 1.1.1.1 public DNS resolver privacy examination
Cited as one of the few concrete examples of outside privacy review for a public resolver.
DNS4EU Public DNS Resolver policy 2025
Referenced as an example of an EU resolver operating under specific data-protection rules.
AdGuard DNS privacy policy
Used to discuss where personal data is handled and under which regulator.
DNS.SB privacy policy
Referenced for its claim that it stores no personal data.
Cloudflare 1.1.1.1 privacy examination 2026
Cited by the post author to justify Cloudflare’s privacy positioning in the guide.

Regulators and oversight bodies

Czech Data Protection Authority
Named as the regulator that could oversee DNS4EU and some other Czech services under GDPR.
German Federal Commissioner for Data Protection and Freedom of Information
Referenced as a privacy oversight body relevant to German-based resolver operators.
Hesse Data Protection Authority
Mentioned because Frankfurt-hosted services could fall under its jurisdiction.
Danish Data Protection Agency
Named as the oversight authority for a Denmark-based one-person resolver.

Benchmarks and tooling

cleanbrowsing dnsperftest
Suggested as a way to benchmark resolver performance from your own network.
GRC DNS Benchmark
Referenced as a model for region-specific DNS performance ranking.
dnscrypt-proxy public resolvers list
Offered as a broader catalog of public resolvers and their features.

Protocol references and technical background

TLS ECH deployment tracker
Shared in the context of enabling Encrypted Client Hello on a self-hosted DNS setup.
RFC 9849 Encrypted Client Hello
Linked as the formal specification behind ECH when discussing SNI privacy limits.
Research paper on SNI exposure and censorship
Used as evidence that SNI-based censorship and surveillance has been a known issue for over a decade.
Cloudflare 1.1.1.1 ECS FAQ
Cited to confirm that Cloudflare does not send EDNS Client Subnet headers.

CDN routing and DNS steering

DNS is the new BGP
Suggested reading on why DNS answers increasingly determine where traffic ends up.
How LinkedIn used PoPs and RUM to make dynamic content download 25% faster
Shared as a concrete case study in latency and content-routing optimization.
Wikimedia CDN geo maps
Referenced as an example of how large sites map users to delivery locations.

Resolver services and setup references

CIRA Canadian Shield DNS resolver addresses
Pointed out as a public resolver option for Canadian users.
LVV DoH profile generator
Suggested for configuring DNS over HTTPS profiles on macOS and iOS.
Quad9 DNSSEC on all service endpoints
Used to correct an outdated claim about Quad9’s feature support.