Public DNS (Recursive) Resolver

Important Update: Enhanced Security

To enhance security and combat abuse, plain DNS (port 53, both TCP and UDP) has been disabled on sz-dns.com. The vast majority of queries on this port are spam, potential DNS amplification attacks, or automated scans. Blocking plain DNS significantly reduces risk to the service.

Overview

sz-dns.com offers DNS over TLS (DoT), DNS over HTTPS (DoH), and DNS over QUIC (DoQ) through multiple AdGuard Home instances. These instances are configured with DNSSEC validation, ECS support, and content filtering for a safer and more efficient browsing experience. While the primary server locations are in the US (with other countries in beta), coverage is being actively expanded.

Specification

Instances powered by: AdGuard Home
Service Address: doh.sz-dns.com, dot.sz-dns.com, doq.sz-dns.com
Protocols: DoT/DoQ (853), DoH (443)
Features:
– DNSSEC-enabled
– ECS-enabled
– DNS Filtering-enabled
– IP Anonymized (Aggregate Log)
Upstream DNS Providers:
– AdGuard DNS (v2)
– NextDNS (custom)
– ControlD
Upstream Type: Parallel Requests
DNS-over-HTTPS: Currently supports up to HTTP/3 on both IPv4 and IPv6.
Certificates: DoH, DoT, and DoQ use the Let’s Encrypt ECC chain.

Filters

  1. OISD Full: https://abp.oisd.nl/
  2. Self-maintained Public Resolver Blocklist: https://raw.githubusercontent.com/szhu25/BrowserScripts/main/PublicResolverBlocklist.txt
  3. Pi-Hole Community Allowlist: https://raw.githubusercontent.com/szhu25/BrowserScripts/main/PiHoleWhitelist.txt

Network

Data center locations: All Frantech BuyVM Locations (Las Vegas, New York, Luxembourg, Miami), Oracle Virginia (US-East-1), ClawCloud Hong Kong. All instances are dual stack (IPv4 + IPv6).
Server Selection: Instance IP and availability may change. To determine the server you are connected to, look up the TXT record for host.sz-dns.com.

Usage

DNS Stamps: If your device supports the sdns:// protocol, you can use these links:
– DNS over TLS: sdns://AwMAAAAAAAAAAAAOZG90LnN6LWRucy5jb20
– DNS over HTTPS: sdns://AgMAAAAAAAAAAAAOZG9oLnN6LWRucy5jb20KL2Rucy1xdWVyeQ
– DNS over QUIC: sdns://BAMAAAAAAAAAAAAOZG9xLnN6LWRucy5jb20
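
A stamp can be decoded before it is imported, to confirm which protocol, hostname and flags it carries. The Python below is an added example, not part of this service's own tooling; it follows the public DNS Stamps layout for DoH, DoT and DoQ, and the names parse_stamp and _field are hypothetical helpers chosen here.

```python
import base64
import struct

# Protocol byte and "props" bit meanings from the DNS Stamps specification.
PROTOCOLS = {0x02: "DoH", 0x03: "DoT", 0x04: "DoQ"}
PROPS = {0x01: "dnssec", 0x02: "no_logs", 0x04: "no_filter"}


def _field(buf, pos, mask=0xFF):
    """Read one length-prefixed field; return (value, next position)."""
    if pos >= len(buf):
        raise ValueError("stamp truncated")
    end = pos + 1 + (buf[pos] & mask)
    if end > len(buf):
        raise ValueError("field runs past end of stamp")
    return buf[pos + 1:end], end


def parse_stamp(stamp):
    """Decode a DoH/DoT/DoQ stamp (hypothetical helper, not a library API)."""
    if not stamp.startswith("sdns://"):
        raise ValueError("not an sdns:// stamp")
    body = stamp[len("sdns://"):]
    raw = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
    if len(raw) < 9 or raw[0] not in PROTOCOLS:
        raise ValueError("unsupported or truncated stamp")
    (props,) = struct.unpack_from("<Q", raw, 1)  # 64-bit little-endian flags
    addr, pos = _field(raw, 9)                   # optional pinned IP[:port]
    hashes, more = [], True
    while more:  # certificate-hash list: high length bit means "more follow"
        more = pos < len(raw) and bool(raw[pos] & 0x80)
        digest, pos = _field(raw, pos, 0x7F)
        if digest:
            hashes.append(digest.hex())
    host, pos = _field(raw, pos)
    path = _field(raw, pos)[0].decode() if raw[0] == 0x02 else None
    return {"protocol": PROTOCOLS[raw[0]], "addr": addr.decode(),
            "props": sorted(n for bit, n in PROPS.items() if props & bit),
            "hashes": hashes, "hostname": host.decode(), "path": path}


if __name__ == "__main__":
    # The three stamps listed above.
    for s in ("sdns://AwMAAAAAAAAAAAAOZG90LnN6LWRucy5jb20",
              "sdns://AgMAAAAAAAAAAAAOZG9oLnN6LWRucy5jb20KL2Rucy1xdWVyeQ",
              "sdns://BAMAAAAAAAAAAAAOZG9xLnN6LWRucy5jb20"):
        print(parse_stamp(s))
```

The props flags are claims the operator encoded into the stamp; decoding shows what is asserted, not whether it holds.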

Manual Configuration:
– DNS over TLS: tls://dot.sz-dns.com
– DNS over HTTPS: https://doh.sz-dns.com/dns-query
– DNS over QUIC: quic://doq.sz-dns.com
– Android Private DNS: doh.sz-dns.com
– Apple: signed MobileConfig with DoT and DoH

Notice

This resolver is public-facing and provided free of charge, “AS-IS” without an uptime guarantee. If you need higher reliability, consider hosting your own server using AdGuard Home, Pi-hole, or another solution.
All PTR lookups to private IP addresses are blocked.

Upcoming Updates

SNI Blocking: The service will soon block clients that do not support SNI for DoH.
Status Page: A simple status page will be provided to indicate server outages.
Newsletter: There might be a contact form that allows you to sign up for a newsletter in the future.

Alternatives

Here are some public and customizable DNS providers:

AdGuard DNS (Public): https://adguard-dns.io/en/public-dns.html
AdGuard DNS (v2, customizable): https://adguard-dns.io/en/license.html
Cloudflare Public DNS (Public): https://developers.cloudflare.com/1.1.1.1/setup/
Cloudflare Zero Trust Gateway (Customizable): https://developers.cloudflare.com/cloudflare-one/tutorials/secure-dns-network/
Google Public DNS (Public): https://developers.google.com/speed/public-dns/docs/using
NextDNS (Customizable): https://nextdns.io/pricing
Quad9 (Public): https://www.quad9.net/service/service-addresses-and-features/

Most customizable providers offer a free tier sufficient for personal or home use.

AdGuard also has a comprehensive list of DNS Providers: https://adguard-dns.io/kb/general/dns-providers/
