Public DNS (Recursive) Resolver

Important Update!!!

Due to the potential risk of DNS amplification attacks, the fact that I failed to obtain the domain I wanted to operate this service on, and the fact that most queries on the plain DNS port are spam (or potential DNS amplification attackers, or stupid SEO bots, or security scanners), I’ve decided to block the plain DNS port (port 53, TCP & UDP) for good.

Overview

I spawned some instances of AdGuard Home and opened them for public use at dns.stevenz.net. The instances support plain DNS, DoT, DoH and DoQ.
Please note that the AdGuard Home instances validate DNSSEC by default, support ECS and also have some filter lists deployed.
All instance locations are in the U.S. (with other countries in beta), so the experience might not be the best for other regions.

Specification

Instances powered by AdGuard Home.
Service Address: dns.stevenz.net
Protocols: DoT/DoQ (853), DoH (443), Regular DNS (53).
Features: DNSSEC-enabled, ECS-enabled, DNS Filtering-enabled, IP Anonymized (Aggregate Log).
Upstream DNS Providers: Local IP (Unbound), AdGuard DNS (v2), NextDNS (custom), ControlD, Google, CloudFlare ZeroTrust Gateway and Quad9.
Upstream Type: Parallel Requests
DNS-over-HTTPS currently supports up to HTTP/2 on both IPv4 and IPv6; HTTP/3 will be supported whenever Nginx completes their release.

Filters

  1. OISD Full: https://abp.oisd.nl/
  2. CHN: anti-AD: https://anti-ad.net/easylist.txt (no longer individually included; merged with OISD Full)
  3. The Big List of Hacked Malware Web Sites: https://raw.githubusercontent.com/mitchellkrogza/The-Big-List-of-Hacked-Malware-Web-Sites/master/hosts (no longer individually included; merged with OISD Full)
  4. Self-maintained Public Resolver Blocklist: https://raw.githubusercontent.com/stevenzhu25/BrowserScripts/main/PublicResolverBlocklist.txt
  5. Pi-Hole Community Allowlist: https://raw.githubusercontent.com/stevenzhu25/BrowserScripts/main/PiHoleWhitelist.txt

Network

Data center locations: Las Vegas, Virginia (US-East-1), Texas and New York City. All instances are dual stack (IPv4 + IPv6).
I will try to keep the current IP sets as long as possible. Since instance IPs and availability might change at any time, a stable “definitive” list of IPs will not be provided.
Unsure which server you connected to? Simply look up the TXT record of server.dns.stevenz.net!

Usage

If your device supports the sdns:// protocol (DNS Stamps), you can use the following links:
DNS over TLS
DNS over HTTPS
DNS over QUIC
Otherwise:
DNS over TLS: tls://dns.stevenz.net
DNS over HTTPS: https://dns.stevenz.net/dns-query
DNS over QUIC: quic://dns.stevenz.net
Regular/Plain DNS: dns.stevenz.net
Android Private DNS: dns.stevenz.net
Apple: Signed MobileConfig with DoT and DoH
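
To show what a client actually sends to the DoH endpoint above, here is an added example (not code from this service or from AdGuard Home) that builds the RFC 8484 GET URL for the server.dns.stevenz.net TXT lookup and parses TXT answers from a reply. The function names and the sample reply bytes are constructed for illustration.

```python
import base64
import struct

DOH_URL = "https://dns.stevenz.net/dns-query"  # DoH endpoint listed on this page
NAME = "server.dns.stevenz.net"                # TXT name the page says to look up

def encode_name(name):
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".")]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def build_txt_query(name):
    # ID 0 keeps GET URLs cacheable (RFC 8484); 0x0100 = recursion desired; 1 question.
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 16, 1)  # type TXT, class IN

def doh_get_url(name):
    # RFC 8484 GET: base64url of the wire-format query, padding stripped.
    b64 = base64.urlsafe_b64encode(build_txt_query(name)).rstrip(b"=")
    return DOH_URL + "?dns=" + b64.decode("ascii")

def skip_name(msg, pos):
    while msg[pos] and msg[pos] & 0xC0 != 0xC0:
        pos += 1 + msg[pos]
    return pos + (2 if msg[pos] else 1)  # compression pointer is 2 bytes, root label is 1

def parse_txt_answers(msg):
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError("resolver returned rcode %d" % (flags & 0x000F))
    pos = 12
    for _ in range(qd):
        pos = skip_name(msg, pos) + 4  # skip QTYPE and QCLASS
    texts = []
    for _ in range(an):
        pos = skip_name(msg, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        rdata = msg[pos + 10:pos + 10 + rdlen]
        pos += 10 + rdlen
        if rtype == 16:  # TXT rdata is a run of length-prefixed strings
            i, parts = 0, []
            while i < len(rdata):
                parts.append(rdata[i + 1:i + 1 + rdata[i]])
                i += 1 + rdata[i]
            texts.append(b"".join(parts).decode("utf-8", "replace"))
    return texts

# Constructed sample reply (not captured from the service): one TXT answer "node-test".
SAMPLE_REPLY = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0) + build_txt_query(NAME)[12:]
                + b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 60, 10) + b"\x09node-test")
```

Fetch the URL from `doh_get_url(NAME)` with the header `Accept: application/dns-message` and pass the response body to `parse_txt_answers`.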

Notice

Since the resolvers are public-facing and provided free of charge, the service is provided “AS-IS” without uptime guarantee.
If you are not happy with this fact, you are welcome to host your own servers with AdGuard Home or PiHole or anything else that works for you.

In addition, all PTR lookups for private IP addresses will be blocked. I have no interest in the network infrastructure of your place.
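
The PTR rule above comes down to mapping a reverse-lookup name back to its address and testing whether that address is private. A sketch of that check, added here as an example and not the configuration or code this service runs; the function names and sample names are hypothetical.

```python
import ipaddress

HEX = set("0123456789abcdef")

def reverse_name_to_ip(qname):
    """Map a full PTR query name to its IP address; None if it is not one."""
    labels = qname.rstrip(".").lower().split(".")
    try:
        if labels[-2:] == ["in-addr", "arpa"] and len(labels) == 6:
            # IPv4: four decimal octets, least significant first.
            return ipaddress.IPv4Address(".".join(reversed(labels[:4])))
        if labels[-2:] == ["ip6", "arpa"] and len(labels) == 34:
            # IPv6: 32 single hex nibbles, least significant first.
            nibbles = labels[:32]
            if any(n not in HEX for n in nibbles):
                return None
            return ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16))
    except ValueError:
        return None  # malformed octets such as "999" or "01"
    # Zone-level names like "168.192.in-addr.arpa" are not full addresses.
    return None

def should_block_ptr(qname):
    """True when the PTR name points at a private, loopback or link-local address."""
    ip = reverse_name_to_ip(qname)
    if ip is None:
        return False
    return ip.is_private or ip.is_loopback or ip.is_link_local

# Constructed sample query names (not taken from the service's logs).
SAMPLE_QUERIES = [
    "1.0.168.192.in-addr.arpa.",                        # 192.168.0.1
    "8.8.8.8.in-addr.arpa.",                            # public resolver address
    ipaddress.ip_address("fd00::1").reverse_pointer,    # IPv6 unique local address
]

def classify_samples():
    return {name: should_block_ptr(name) for name in SAMPLE_QUERIES}
```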

Upcoming Updates

Soon, a status page will be provided to help you understand whether there’s an outage for the servers. I don’t want to write my own code, so it will be a simple test to see whether the Nginx server responds.
I was thinking of making a Newsletter subscribe list, but I then realized only my immediate family members and some of my friends are using the server, so it’s simple enough to let them know. All other queries are spam/trash.
For : I’ll soon serve a default site with no content on each IP I used in order to block clients that do not support SNI for DoH, so if you attempt to scan the sites with no valid SNI.. You know what’ll happen.

Alternatives

There’s a list of known DNS providers on the AdGuard website, and it can be useful: AdGuard DNS – Known DNS Providers
In short, a few I trust:
AdGuard DNS (Public): https://adguard-dns.io/en/public-dns.html
AdGuard DNS (v2, customizable): https://adguard-dns.io/en/license.html
Cloudflare Public DNS (Public): https://developers.cloudflare.com/1.1.1.1/setup/
Cloudflare ZeroTrust Gateway (Customizable: limited options): https://developers.cloudflare.com/cloudflare-one/tutorials/secure-dns-network/
Google Public DNS (Public): https://developers.google.com/speed/public-dns/docs/using
NextDNS (Customizable): https://nextdns.io/pricing | Affiliate Link (By clicking on the link, I can earn 30% of your subscription fee for the first 12 months)
Quad9 (Public): https://www.quad9.net/service/service-addresses-and-features/

Public means it’s likely free. Most “customizable” ones have a free version that you can use, which should be enough for personal or home usage.
