Choosing a Public DNS Resolver
This comprehensive guide demystifies the complex world of public DNS resolvers, offering an interactive tool to select the best option based on individual privacy, security, and performance needs. It's a technical deep dive that appeals to Hacker News's penchant for detailed analyses of internet infrastructure and security. The piece meticulously breaks down features like encrypted transports, logging policies, and jurisdiction, empowering users to make informed choices.
The Lowdown
This extensive guide serves as a definitive resource for individuals and organizations seeking to choose a public DNS resolver tailored to their specific requirements. It provides a structured approach to understanding the critical factors involved, moving beyond simple speed tests to encompass privacy, security, and technical capabilities.
- Interactive Selection Tool: The guide features an interactive finder that allows users to filter through 29 global public resolvers based on priorities such as maximum privacy, malware/ad blocking, parental controls, top-tier speed, non-commercial operation, and support for encrypted DNS protocols (DoH, DoT, DoQ, DNSCrypt). It also considers DNSSEC validation, IPv6 support, and operator jurisdiction.
- Detailed Resolver Comparison: A full comparison table outlines key details for each of the 29 resolvers, including their IPv4 and IPv6 addresses, specific filtering variants (e.g., malware, family), logging policies, EDNS Client Subnet (ECS) behavior, and support for various encrypted DNS transports.
- Research-Backed Decision Notes: A dedicated section, "How to decide: what the research says," synthesizes findings from 12 peer-reviewed studies. This part explains crucial trade-offs and considerations:
  - Speed vs. Encryption: Encrypted DNS (DoH, DoT, DoQ) adds minimal performance overhead, with DoQ often being the fastest.
  - Tamper Resistance: Encrypted DNS primarily resists tampering and snooping in transit, not by the resolver itself.
  - Privacy Limitations: Encryption hides queries from the network, but the resolver still sees everything; Oblivious DNS-over-HTTPS (ODoH) is highlighted for true privacy.
  - DNSSEC Importance: Essential for preventing forged answers and ensuring integrity.
  - ECS Trade-offs: Balances speed (better geo-routing) against privacy concerns.
  - Jurisdiction & Centralization: Emphasizes the legal and control implications of a resolver's operating country and the growing centralization of DNS traffic.
  - DNSCrypt: Discusses the oldest encrypted option, its unique features, and the challenges of measuring it.
  - Traffic Analysis: Even encrypted DNS can still be vulnerable to traffic analysis that identifies visited domains.
  - Resolver Behavior: A recent study shows significant disagreement in error reporting among major resolvers, indicating varying implementation quality.
- Additional Resources: Mentions smaller, community-run resolvers and lists legacy or discontinued services to avoid, ensuring users have the most current information.
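Several of the decision notes above (DNSSEC validation, ECS behavior, encrypted transports, and how resolvers report errors) come down to a few fields in the DNS wire format. The following example, added here and not taken from the guide or its interactive tool, builds a DNS query with an EDNS0 OPT record, wraps it in the RFC 8484 DNS-over-HTTPS GET form, and parses a response to read the AD bit (did the resolver validate DNSSEC?), the RCODE (how did it report an error?), and any EDNS Client Subnet option it returned. The endpoint URL `https://doh.example/dns-query` and the 192.0.2.x addresses are placeholders, and the two response messages are constructed inline so the code runs without any network access.

```python
"""Added example: DNS wire-format query builder, DoH GET wrapper, and a response
parser for the flags a resolver comparison cares about. Constructed data only."""
import base64
import struct

DO_BIT = 0x8000          # EDNS0 "DNSSEC OK" flag, lives in the OPT record's TTL field
EDNS_OPTION_ECS = 8      # EDNS Client Subnet option code (RFC 7871)
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name: str) -> bytes:
    """Encode a domain name as length-prefixed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, dnssec_ok: bool = True, ecs=None) -> bytes:
    """Build a query with an OPT record. ID is 0 as RFC 8484 recommends for DoH.
    `ecs` is an optional (ipv4_str, prefix_len) pair to send a client subnet."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 1)  # RD set, 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    rdata = b""
    if ecs is not None:
        addr, prefix = ecs
        octets = bytes(int(o) for o in addr.split("."))[: (prefix + 7) // 8]
        body = struct.pack("!HBB", 1, prefix, 0) + octets   # family 1 = IPv4, scope 0
        rdata = struct.pack("!HH", EDNS_OPTION_ECS, len(body)) + body
    ttl = DO_BIT if dnssec_ok else 0
    # OPT: empty name, TYPE 41, CLASS = UDP payload size, TTL carries the DO flag
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, ttl, len(rdata)) + rdata
    return header + question + opt


def doh_get_url(query: bytes, endpoint: str = "https://doh.example/dns-query") -> str:
    """RFC 8484 GET form: base64url-encoded message, padding stripped, in `dns=`."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={b64}"


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_ecs(rdata: bytes):
    """Walk OPT options and return the ECS subnet/scope if present."""
    off = 0
    while off + 4 <= len(rdata):
        code, length = struct.unpack("!HH", rdata[off:off + 4])
        body = rdata[off + 4:off + 4 + length]
        off += 4 + length
        if code == EDNS_OPTION_ECS and len(body) >= 4:
            family, source, scope = struct.unpack("!HBB", body[:4])
            if family == 1:
                addr = body[4:] + b"\x00" * (4 - len(body[4:]))
                return {"subnet": ".".join(str(b) for b in addr) + f"/{source}", "scope": scope}
    return None


def parse_response(msg: bytes) -> dict:
    """Extract RCODE, AD (DNSSEC validated), TC, answer count and ECS from a message."""
    _ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    result = {
        "rcode": RCODE_NAMES.get(flags & 0x000F, str(flags & 0x000F)),
        "ad": bool(flags & 0x0020),      # Authentic Data: resolver validated DNSSEC
        "tc": bool(flags & 0x0200),
        "answers": an,
        "ecs": None,
    }
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4    # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 41:                  # OPT pseudo-record
            result["ecs"] = parse_ecs(rdata)
    return result


def sample_validated_response() -> bytes:
    """Constructed: NOERROR, AD set, one A record, resolver echoes ECS scope /24."""
    header = struct.pack("!HHHHHH", 0, 0x81A0, 1, 1, 0, 1)   # QR|RD|RA|AD
    question = encode_name("example.com") + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    ecs_body = struct.pack("!HBB", 1, 24, 24) + bytes([192, 0, 2])
    rdata = struct.pack("!HH", EDNS_OPTION_ECS, len(ecs_body)) + ecs_body
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0, len(rdata)) + rdata
    return header + question + answer + opt


def sample_servfail_response() -> bytes:
    """Constructed: SERVFAIL with no OPT record, as a failed validation might look."""
    header = struct.pack("!HHHHHH", 0, 0x8182, 1, 0, 0, 0)   # QR|RD|RA, RCODE 2
    return header + encode_name("example.com") + struct.pack("!HH", 1, 1)


if __name__ == "__main__":
    q = build_query("example.com", ecs=("192.0.2.0", 24))
    print(doh_get_url(q))
    print(parse_response(sample_validated_response()))
    print(parse_response(sample_servfail_response()))
```

Sending `doh_get_url(q)` to a real resolver with any HTTPS client (content type `application/dns-message`) and feeding the body to `parse_response` is how one would check, per resolver, whether AD comes back set for a signed zone, whether a deliberately broken signature yields SERVFAIL, and whether the ECS scope returned shows the resolver forwarded client-subnet data; comparing those three values across the 29 resolvers is the practical counterpart of the table in the guide.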
By combining an interactive tool with a rigorous, research-backed explanation of the underlying technologies and trade-offs, the guide empowers users to make highly informed decisions about their DNS infrastructure, ensuring choices align with their personal privacy, security, and performance needs.