Public DNS (Recursive) Resolver

Important Update!!!

Due to the potential risk of DNS amplification attack, the fact that I failed to obtain the domain I wanted to operate this service on, and the fact that most queries on Plain DNS port are spam (or potential DNS Amplification attacker, or stupid SEO bots, or security scanners), I’ve decided to block Plain DNS Port (Port 53, TCP & UDP) for good.


I spawned some instances of AdGuard Home and opened it for public use at The instances support plain DNS, DoT, DoH and DoQ.
Please note that the AdGuard Home instances validate DNSSEC by default, support ECS and also have some filter lists deployed.
All instances locations are in U.S. (with other countries in beta) so the experience might not be the best for other regions.


Instances powered by AdGuard Home.
Service Address:
Protocols: DoT/DoQ (853), DoH (443), Regular DNS (53).
Features: DNSSEC-enabled, ECS-enabled, DNS Filtering-enabled, IP Anonymized (Aggregate Log).
Upstream DNS Providers: Local IP (Unbound), AdGuard DNS (v2), NextDNS (custom), ControlD, Google, CloudFlare ZeroTrust Gateway and Quad9.
Upstream Type: Parallel Requests
DNS-over-HTTPS currently supports up to HTTP/2 on both IPv4 and IPv6, HTTP/3 will be supported whenever Nginx completes their release.


  1. OISD Full
  2. CHN: anti-AD No longer individually included. Merged with OISD Full.
  3. The Big List of Hacked Malware Web Sites No longer individually included. Merged with OISD Full.
  4. Self-maintained Public Resolver Blocklist
  5. Pi-Hole Community Allowlist


Data center locations: Las Vegas, Virginia (US-East-1), Texas and New York City. All instances are dual stack (IPv4 + IPv6)
I will try to keep the current IP sets as long as possible. Since instance IP and availability might change at anytime, a stable “definitive” list of IP will not be provided.
Unsure which server you connected to? Simply lookup‘s TXT record!


If your device support sdns:// protocol(DNS Stamps), you can use following links:
DNS over TLS
DNS over TLS: tls://
DNS over QUIC: quic://
Regular/Plain DNS:
Android Private DNS:
Apple: Signed MobileConfig with DoT and DoH


Since the resolver are public-facing and provided free of charge, the service is provided “AS-IS” without uptime guarantee.
If you are not happy with this fact, you are welcome to host your own servers with AdGuard Home or PiHole or anything else that works for you.

In addition, All PTR lookups to private facing IP address will be blocked. I have no interest in the network infrastructure of your place.

Upcoming Updates

Soon, a status page would be provided to help you understand whether there’s an outage for the servers. I don’t want to write my own code so it would be a simple test to see whether the Nginx server respond.
I was thinking of making a Newsletter subscribe list, but I then realized only my immediate family members and some of my friends are using the server, so it’s simple enough to let them know. All other queries are spam/trash.
For : I’ll soon serve a default site with no content on each IP I used in order to block clients that do not support SNI for DoH, so if you attempt to scan the sites with no valid SNI.. You know what’ll happen.


There’s a list of known DNS Providers on AdGuard website, and it can be useful: AdGuard DNS – Known DNS Providers
In Short, Few I trust:
AdGuard DNS (Public):
AdGuard DNS (v2, customizable):
Cloudflare Public DNS (Public):
Cloudflare ZeroTrust Gateway (Customizable: limited options):
Google Public DNS (Public):
NextDNS (Customizable): | Affiliate Link (By clicking on the link, I can earn 30% of your subscription fee for the first 12 months)
Quad9 (Public):

Public means it’s likely free. Most “customizable” ones have a free version that allows you to use, should be enough for personal or home usage.

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Scroll to Top