Choosing a Public DNS Resolver

253 points | 106 comments | 19 hours ago
1vuio0pswjnm7

Why only 29?

Is the author suggesting this represents the actual number of open resolvers on today's internet?

How can any consideration of "privacy" or "security" of DNS not also consider SNI?

SNI allows third parties to see when the user tries to connect to an address published for a domain name. It can allow third parties to interfere with such connections

DNS only allows third parties to see when a user looks up an address published for a domain name. To associate non-DNS traffic with these queries requires assumptions about the software that is sending them

Hence it is not surprising the advertising companies that control the popular web browsers want users to choose DoH _within the browser_ or corporate mobile OS, deceptively labeled as "private DNS"^1, so these third parties can more effectively link these queries to non-DNS traffic from browsers or software running on corporate mobile OS

1. Perhaps these companies will be sued for these deceptive claims. For example, users have successfully sued for deceptive claims about "private browsing"

JdeBP

Every time that this comes up, be it a general list like this or someone announcing a new service, my reaction, and that that I see of surprisingly many other people on Hacker News, is fairly unmoved. I've run my own proxy DNS service for about a quarter of a century at this point, using three different sets of software on six different operating systems, and every single point on the filter tab is something that I can (and do) just do for myself.

The list is not so much interesting for the options that it presents, as far as I am concerned, but for the things that it reveals. Every single entry that is explicitly marked 'China' also has 'operates under Chinese regulations'; which is, in 2026, something that is of concern for more than just the Chinese entries on the list, to people on my continent for starters.

'Run by one individual in Denmark.' is an interesting statement of bus factor, but I don't think that all of the other entries should be assumed to be better just because they are mute on the point. There's far less information about who is behind DNS.Watch than there is about Thomas Steen Rasmussen. And it appears that DNS.Watch went off the air at least once in recent years, so it is a legitimate concern.

Then there are all sorts of things not on this list that might matter to people, such as Quad101 looking like it has geographic restrictions on whom it is available to and Gcore being an AI company.

aetherspawn

Use your ISP's official DNS so that you get the shortest path possible from the ISP's handoff location to the CDN (and overseas trunks), not a generic DNS that doesn't know about your ISP's layout.

ISP: 1ms to Cloudflare

Cloudflare: 10ms to Cloudflare

Thank you for your attention to this matter.

Edit: to clarify, this advice applies to countries with good privacy laws and no national surveillance, i.e. not the USA

asploder

For my fellow Canadians, CIRA operates public resolvers over IPv4/IPv6/DoH/DoT.

https://www.cira.ca/en/canadian-shield/configure/summary-cir...

itake

Does anyone have advice on how to use public wifi alongside a DNS resolver?

Many public wifi networks need you to use their DNS, so they can redirect you to a gated "accept ToS" screen (and may even require re-approval every 30-60 minutes).

Resolving the issue is so frustrating:

1. Realize the internet stopped working.
2. ping google.com, wait for timeouts to show up.
3. Try to guess if it's an ISP issue, but then realize the wifi probably timed out.
4. Switch the DNS. Flush DNS.
5. Try to access a non-TLS domain.
6. Approve the gate.
7. Switch the DNS back.

There has to be something that manages this

sevg

Happy NextDNS user. Lots of configurability, including which filterlists to enable, configurable logging etc.

Plus it’s reliable and fast from basically anywhere (which is harder to achieve if I ran my own resolvers in the cloud, and anyway I don’t want to have to maintain that).

Bender

I use Unbound locally as a DoH server. The Alpine Linux Unbound package is compiled with libnghttp2, required for the built in DoH listener. That's more than enough to enable ECH [1].

I pre-cache all the domains I use hourly via cron. My ISP is not going to dork with my DNS requests and their employees are bigger deviants than I. If I ever started browsing the web from a phone I would just set up my own public DoH server. It only takes a few minutes and gives me my own query logs for debugging weird issues.

[1] - https://tls-ech.dev/

Shitty-kitty

DNScryptProxy maintains an extensive list of public DNS servers. It also lists if they do DNSSEC, filtering, logging.

https://download.dnscrypt.info/dnscrypt-resolvers/v3/public-...

exiguus

Most important and super privacy/security related topic: DNS. Instead of choosing a public one, host your own infrastructure. You don't need public instances. Just run ADGUARD or unbound/dnsmasq/dnsdist in recursive mode on your router or machine. And you can set limits and block-lists to your needs.

kingo55

It would be nice if a site like this could offer a basic speed comparison test to your local network.

Imagine seeing response times at P90 for a series of random lookups and comparing the median response times.

rswail

What would be the additional load if everyone ran a local caching recursive resolver like unbound?

It would need to be built into iOS/Android/Linux/Windows/MacOS but what would be the disadvantages?

I can see greater load on root servers but caching is specifically designed to reduce that.

I can see potential problems for CDNs and equivalent geo-based resolvers.

But are they really that bad?

_def

Quad9 seems fine. Glad there are a bunch of alternatives though. We should never stop practicing decentralization in the net.

xorcist

Without a purpose for why you should use a public resolver it is an impossible choice to make.

If it is this hard to choose a resolver, imagine how hard it is to choose a web browser, which is a choice that actually matters.

The nearest resolver is

  $ sudo apt-get install unbound
and now your own host is your resolver. The complexity of this is roughly a millionth of a percent of that of your web browser.

kev009

I always just set up root recursors at my home and other locations. I've never noticed any downside.

nativeforks

I've been using 1.1.1.1 for performance rather than privacy. Maybe I should revisit that decision after reading this.

adithyassekhar

Should add one more filter: EDNS client subnets.

Some, like Cloudflare, don't support that in the name of privacy.

EDNS lets the DNS server of the site you are visiting know from where you are connecting and can give you the closest server. 1.1.1.1 does not do that. This breaks all sorts of ISP cache and peering arrangements.

Here's an example: My ISP's Google Global Cache is broken every time I use Cloudflare. With Google DNS, OpenDNS, or my ISP's own DNS I get my ISP's own IP address for the domain "googlevideo.com", which is where YouTube videos load from. With Cloudflare DNS I get an IP address of an actual Google server which may or may not be in my country. Result: my downloads from Google Drive/YouTube/Play Store are all faster with a DNS server with proper EDNS support.

Now imagine this on a global scale for smaller websites, your request might go to a different continent.

I understand the product decision for Cloudflare and I don't want them to change, but this is something people should know about. There are numerous reports on their forums which are always locked with no activity.

I am not saying it's a conspiracy, but this doesn't affect sites on Cloudflare btw due to their global anycast routing/infra setup, which I don't know enough to explain.
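
An added example (my own code, not from the thread or from any resolver's implementation) showing the EDNS Client Subnet wire format the post above is about: it builds the A query a recursive resolver that supports ECS would send upstream, with the client's address cut to a /24, beside a parser that reads the source and scope prefix back out of a message. It assumes IPv4 only and uses the constructed address 203.0.113.77.

```python
import struct
ECS_OPTION_CODE = 8  # EDNS Client Subnet option code (RFC 7871)

def encode_name(name: str) -> bytes:  # length-prefixed labels ending in the root label
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def ecs_option(addr: str, source_prefix: int) -> bytes:
    """ECS option: FAMILY=1 (IPv4), SOURCE PREFIX-LENGTH, SCOPE=0 in queries, address cut to the prefix."""
    ip = int.from_bytes(bytes(int(o) for o in addr.split(".")), "big")
    ip &= (0xFFFFFFFF << (32 - source_prefix)) & 0xFFFFFFFF  # RFC 7871: bits past the prefix must be zero
    data = struct.pack(">HBB", 1, source_prefix, 0) + ip.to_bytes(4, "big")[: (source_prefix + 7) // 8]
    return struct.pack(">HH", ECS_OPTION_CODE, len(data)) + data

def build_query(name: str, ecs=None, txid: int = 0x1234) -> bytes:
    """A-record query with RD set and one OPT pseudo-RR; ecs=(addr, prefix) attaches the ECS option."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # QDCOUNT=1, ARCOUNT=1 (the OPT RR)
    question = encode_name(name) + struct.pack(">HH", 1, 1)    # QTYPE=A, QCLASS=IN
    rdata = ecs_option(*ecs) if ecs else b""
    opt = b"\x00" + struct.pack(">HHIH", 41, 1232, 0, len(rdata)) + rdata  # root name, TYPE=OPT, UDP size 1232
    return header + question + opt

def _skip_name(msg: bytes, off: int) -> int:  # advance past a (possibly compressed) name
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # a two-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def parse_ecs(msg: bytes):
    """Return (source_prefix, scope_prefix, address) from the first IPv4 ECS option, or None if absent."""
    qd, an, ns, ar = struct.unpack(">HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype != 41:  # only the OPT pseudo-RR carries EDNS options
            continue
        pos = 0
        while pos + 4 <= len(rdata):  # OPT RDATA is a sequence of (code, length, data) options
            code, olen = struct.unpack(">HH", rdata[pos:pos + 4])
            body, pos = rdata[pos + 4:pos + 4 + olen], pos + 4 + olen
            if code == ECS_OPTION_CODE and body[:2] == b"\x00\x01":
                addr = ".".join(str(b) for b in (body[4:] + b"\x00" * 4)[:4])
                return body[2], body[3], addr  # in an answer, non-zero scope = reply tailored to that prefix
    return None
```

The same parser run over a real answer shows whether the authority honoured the hint (scope prefix non-zero) or ignored it (scope 0), which is the difference the post describes between resolvers with and without ECS.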

flyingzucchini

Interesting puzzle on the top-level URL… what's that all about?

opengears

Take a look at AdGuard Home, dnsmasq or unbound. The best is to run your own infra.

amaccuish

Shame there is no client subnet filter. I've had issues in the past with various websites when using resolvers that don't add that hint.

import

Why is Cloudflare listed under maximum privacy?

degenerate

9.9.9.9 with 1.1.1.1 as secondary

vzaliva

Unfortunately many DNS resolvers are integrated with CDNs. I do want the privacy of an independent non-tracking DNS, but I also want my video streaming to work fast. :(

EbNar

ControlD is pretty cool.

ValentineC

Random, but I don't understand why anyone would choose a "block ads and trackers" DNS server as a default.

Even if it's configuring something for boomer family, that sounds like a recipe for "why is this website not working"?

denkmoon

9.9.9.9 is all you need

w4yai

jabberwocky !

whalesalad

OK, now add benchmarking à la https://www.grc.com/dns/benchmark.htm to rank them on performance for your specific region etc.

Note on privacy: if you are using port 53 you are cooked, so make sure you are using DNS-over-TLS or DNS-over-HTTPS.
