Important Update: Enhanced Security
To enhance security and combat abuse, plain DNS (port 53, both TCP and UDP) has been disabled on sz-dns.com. The vast majority of queries on this port are spam, potential DNS amplification attacks, or automated scans. Blocking plain DNS significantly reduces risk to the service.
Overview
sz-dns.com offers DNS over TLS (DoT), DNS over HTTPS (DoH), and DNS over QUIC (DoQ) through multiple AdGuard Home instances. These instances are configured with DNSSEC validation, ECS support, and content filtering for a safer and more efficient browsing experience. While the primary server locations are in the US (with other countries in beta), coverage is being actively expanded.
Specification
Instances powered by: AdGuard Home
Service Address: doh.sz-dns.com, dot.sz-dns.com, doq.sz-dns.com
Protocols: DoT/DoQ (853), DoH (443)
Features:
– DNSSEC-enabled
– ECS-enabled
– DNS Filtering-enabled
– IP Anonymized (Aggregate Log)
Upstream DNS Providers:
– AdGuard DNS (v2)
– NextDNS (custom)
– ControlD
Upstream Type: Parallel Requests
DNS-over-HTTPS: Currently supports up to HTTP/3 on both IPv4 and IPv6.
Certificates: DoH, DoT, and DoQ use the Let’s Encrypt ECC chain.
Filters
- OISD Full: https://abp.oisd.nl/
- Self-maintained Public Resolver Blocklist: https://raw.githubusercontent.com/szhu25/BrowserScripts/main/PublicResolverBlocklist.txt
- Pi-Hole Community Allowlist: https://raw.githubusercontent.com/szhu25/BrowserScripts/main/PiHoleWhitelist.txt
Network
Data center locations: All Frantech BuyVM Locations (Las Vegas, New York, Luxembourg, Miami), Oracle Virginia (US-East-1), ClawCloud Hong Kong. All instances are dual stack (IPv4 + IPv6).
Server Selection: Instance IP and availability may change. To determine the server you are connected to, look up the TXT record for host.sz-dns.com.
Usage
DNS Stamps: If your device supports the sdns:// protocol, you can use these links:
– DNS over TLS: sdns://AwMAAAAAAAAAAAAOZG90LnN6LWRucy5jb20
– DNS over HTTPS: sdns://AgMAAAAAAAAAAAAOZG9oLnN6LWRucy5jb20KL2Rucy1xdWVyeQ
– DNS over QUIC: sdns://BAMAAAAAAAAAAAAOZG9xLnN6LWRucy5jb20
Manual Configuration:
– DNS over TLS: tls://dot.sz-dns.com
– DNS over HTTPS: https://doh.sz-dns.com/dns-query
– DNS over QUIC: quic://doq.sz-dns.com
– Android Private DNS: doh.sz-dns.com
– Apple: signed MobileConfig with DoT and DoH
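A DNS stamp is an opaque base64 string, so it is worth decoding one before importing it to confirm which hostname, path and pinned address it actually carries. The decoder below is an added example, not code from this page or its operator; it follows the public DNS Stamps layout for DoH, DoT and DoQ, and its function names are this example's own.

```python
import base64
import struct

PROTOCOLS = {0x02: "DoH", 0x03: "DoT", 0x04: "DoQ"}   # first byte of the stamp
PROPS = {1: "dnssec", 2: "no_logs", 4: "no_filter"}   # bits of the 64-bit props field

def _read(buf, pos, mask=0xFF):
    """Read one length-prefixed field; return (data, next position)."""
    if pos >= len(buf):
        raise ValueError("truncated stamp")
    end = pos + 1 + (buf[pos] & mask)
    if end > len(buf):
        raise ValueError("truncated stamp")
    return buf[pos + 1:end], end

def _read_set(buf, pos):
    """Read a field list; a set high bit on a length byte means more follow."""
    items = []
    while True:
        more = pos < len(buf) and buf[pos] & 0x80
        item, pos = _read(buf, pos, 0x7F)
        if item:
            items.append(item)
        if not more:
            return items, pos

def decode_stamp(stamp):
    """Decode a DoH/DoT/DoQ stamp into its fields (bootstrap IPs are ignored)."""
    if not stamp.startswith("sdns://"):
        raise ValueError("not a DNS stamp")
    b64 = stamp[len("sdns://"):]
    buf = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    if len(buf) < 9 or buf[0] not in PROTOCOLS:
        raise ValueError("unsupported or truncated stamp")
    (bits,) = struct.unpack_from("<Q", buf, 1)   # little-endian property flags
    addr, pos = _read(buf, 9)                    # optional pinned IP[:port]
    hashes, pos = _read_set(buf, pos)            # optional certificate hashes
    host, pos = _read(buf, pos)
    path = _read(buf, pos)[0] if buf[0] == 0x02 else b""  # only DoH has a path
    return {
        "protocol": PROTOCOLS[buf[0]],
        "props": [name for bit, name in PROPS.items() if bits & bit],
        "address": addr.decode("ascii"),
        "cert_hashes": [h.hex() for h in hashes],
        "host": host.decode("ascii"),
        "path": path.decode("ascii"),
    }
```

Calling `decode_stamp` on each of the three stamps above should return the matching service address with an empty `address` and no certificate hashes; the `props` flags are claims made by whoever built the stamp and are not verified by the client.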
Notice
This resolver is public-facing and provided free of charge, “AS-IS” without an uptime guarantee. If you need higher reliability, consider hosting your own server using AdGuard Home, Pi-hole, or another solution.
All PTR lookups to private IP addresses are blocked.
Upcoming Updates
SNI Blocking: The service will soon block clients that do not support SNI for DoH.
Status Page: A simple status page will be provided to indicate server outages.
Newsletter: There might be a contact form that allows you to sign up for a newsletter in the future.
Alternatives
Here are some public and customizable DNS providers:
AdGuard DNS (Public): https://adguard-dns.io/en/public-dns.html
AdGuard DNS (v2, customizable): https://adguard-dns.io/en/license.html
Cloudflare Public DNS (Public): https://developers.cloudflare.com/1.1.1.1/setup/
Cloudflare Zero Trust Gateway (Customizable): https://developers.cloudflare.com/cloudflare-one/tutorials/secure-dns-network/
Google Public DNS (Public): https://developers.google.com/speed/public-dns/docs/using
NextDNS (Customizable): https://nextdns.io/pricing
Quad9 (Public): https://www.quad9.net/service/service-addresses-and-features/
Most customizable providers offer a free tier sufficient for personal or home use.
AdGuard also has a comprehensive list of DNS Providers: https://adguard-dns.io/kb/general/dns-providers/