Quick Start
Pick whichever fits your device:
| Protocol | Endpoint |
|---|---|
| DoH | https://public-rdns.com/dns-query |
| DoT | public-rdns.com on TCP 853 |
| Plain DNS | public-rdns.com on UDP/TCP 53 |
For Android 9+: paste public-rdns.com into Settings → Network & internet → Private DNS. For Apple devices, install the configuration profile.
Privacy
We do not log DNS queries. No query data is stored, sold, or shared with third parties.
- No query logging — DNS queries are never written to disk.
- Encrypted storage — all data at rest is protected with ZFS native encryption.
- No shell history — operator sessions leave no command history on the server.
- Headless server — no local console or keyboard is attached; management happens only over the network.
- QNAME minimisation — upstream authoritative servers only see the minimum necessary part of each query (RFC 9156), limiting exposure to third parties.
- No analytics or trackers — this website serves static HTML and sets no cookies.
- Hidden version and identity — version.bind and id.server CHAOS-class probes are refused.
Endpoints
| Item | Value |
|---|---|
| Hostname | public-rdns.com |
| IPv4 | 37.27.71.154, 95.216.30.96 |
| IPv6 | 2a01:4f9:3070:1218::1, 2a01:4f9:fff1:63::2 |
| DoH URL | https://public-rdns.com/dns-query |
| DoT | TCP 853 |
| Plain DNS | UDP/TCP 53 |
| HTTP versions for DoH | HTTP/2 and HTTP/3 (QUIC) |
| DDR (Discovery of Designated Resolvers) | SVCB records published under _dns.resolver.arpa (RFC 9462) |
How to Use
DNS over HTTPS (DoH)
Encrypts DNS traffic over HTTPS. Supported by most modern browsers, operating systems, and DNS clients.
| Setting | Value |
|---|---|
| URL | https://public-rdns.com/dns-query |
Test with curl (RFC 8484 GET form):
curl -s -H 'accept: application/dns-message' \
  "https://public-rdns.com/dns-query?dns=q80BAAABAAAAAAAAB2V4YW1wbGUDY29tAAABAAE" | xxd
Test with kdig (knot-dnsutils):
kdig @public-rdns.com +https example.com
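The opaque dns= value in the curl command above is nothing more than the wire-format DNS query, base64url-encoded with the "=" padding stripped (RFC 8484 section 6). The following is an added example, not code from this page or from the resolver's own tooling: it builds that value from scratch, reproduces the RFC 8484 sample query used above (example.com, ID 0xabcd), and decodes such a value back into the question it asks. The function names and the QTYPES table are this example's own.

```python
"""Build and decode RFC 8484 DoH GET parameters (added example, not from public-rdns.com)."""
import base64
import struct

DOH_URL = "https://public-rdns.com/dns-query"
QTYPES = {"A": 1, "CNAME": 5, "TXT": 16, "AAAA": 28}


def encode_name(name: str) -> bytes:
    """RFC 1035 wire form of a domain name: length-prefixed labels, root terminator."""
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").split(".") if l) + b"\x00"


def build_query(qname: str, qtype: str = "A", txid: int = 0, edns: bool = False) -> bytes:
    """Wire-format query with RD set; optionally an OPT RR with the DO bit (asks for RRSIGs).

    RFC 8484 section 4.1 says DoH clients SHOULD use ID 0 so identical queries
    yield identical URLs that HTTP caches can serve; the curl example on the
    page uses the RFC's own 0xabcd sample ID instead.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    question = encode_name(qname) + struct.pack("!HH", QTYPES[qtype], 1)
    opt = b""
    if edns:
        # OPT pseudo-RR: root name, type 41, UDP size 1232, DO bit set, no options
        opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0x00008000, 0)
    return header + question + opt


def doh_get_url(wire: bytes, base: str = DOH_URL) -> str:
    """GET form: base64url without '=' padding, as RFC 8484 section 6 requires."""
    return f"{base}?dns={base64.urlsafe_b64encode(wire).rstrip(b'=').decode('ascii')}"


def decode_dns_param(value: str) -> bytes:
    """Reverse of doh_get_url: restore the padding, then base64url-decode."""
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))


def question_of(wire: bytes):
    """(txid, qname, qtype) of a query; queries carry no compression pointers."""
    txid = struct.unpack("!H", wire[:2])[0]
    labels, off = [], 12
    while wire[off]:
        n = wire[off]
        labels.append(wire[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return txid, ".".join(labels), struct.unpack("!H", wire[off + 1:off + 3])[0]


if __name__ == "__main__":
    url = doh_get_url(build_query("example.com", "A", txid=0xABCD))
    print(url)  # same dns= value as the curl command above
    print(question_of(decode_dns_param(url.split("dns=")[1])))
```

For the POST form the same bytes go in the request body with a content-type of application/dns-message (curl: --data-binary @query.bin). Building the query with edns=True sets the DO bit, so the answer also carries RRSIGs, which is what +dnssec does in dig.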
DNS over TLS (DoT)
Encrypts DNS traffic over TLS on TCP 853. Supported by Android 9+, systemd-resolved, and many DNS clients.
| Setting | Value |
|---|---|
| Hostname | public-rdns.com |
| Port | 853 |
Test with kdig:
kdig @public-rdns.com +tls example.com
Plain DNS (UDP/TCP)
Standard unencrypted DNS on port 53. Use only on trusted networks; prefer DoH or DoT when possible.
| Setting | Value |
|---|---|
| Hostname | public-rdns.com |
| Port | 53 |
Test with dig:
dig @public-rdns.com example.com
Android
Android 9 and later support DNS over TLS natively via the Private DNS setting — no app required.
- Open Settings → Network & internet → Private DNS (on older Android versions it sits under Advanced).
- Select Private DNS provider hostname.
- Enter public-rdns.com and tap Save.
All DNS queries will now be encrypted over TLS on port 853 system-wide. To disable, return to the same screen and select Automatic.
For DoH inside a browser, set the custom DoH URL to https://public-rdns.com/dns-query in your browser's privacy or security settings.
Apple (iOS / iPadOS / macOS)
Apple devices support DNS over TLS via a signed configuration profile. Download the profile and follow the steps below to install it.
Download DNS Profile (.mobileconfig)
iOS / iPadOS
- Tap the link above on your iPhone or iPad — Safari will prompt you to allow the download.
- Open Settings → General → VPN & Device Management.
- Tap the downloaded profile and then tap Install. Enter your passcode if prompted.
- Tap Install again to confirm. The profile is now active.
macOS
- Click the link above — the profile will be downloaded and opened automatically.
- Open System Settings → Privacy & Security → Profiles (or System Preferences → Profiles on older macOS).
- Double-click the profile and click Install. Enter your administrator password if prompted.
Once installed, all DNS queries on the device will use public-rdns.com over TLS automatically. The profile can be removed at any time from the same Profiles screen.
Browsers
Most browsers support DoH natively. Set the custom DoH URL to https://public-rdns.com/dns-query:
- Firefox — Settings → Privacy & Security → DNS over HTTPS → Max Protection → Custom, then paste the URL.
- Chrome / Edge — Settings → Privacy and security → Security → Use secure DNS → With: Custom, then paste the URL.
- Brave — Settings → Privacy and security → Security → Use secure DNS.
Browser-level DoH only protects the browser. For system-wide protection, configure the OS instead.
systemd-resolved (Linux)
Edit /etc/systemd/resolved.conf:
[Resolve]
DNS=37.27.71.154#public-rdns.com 2a01:4f9:3070:1218::1#public-rdns.com
FallbackDNS=95.216.30.96#public-rdns.com 2a01:4f9:fff1:63::2#public-rdns.com
DNSOverTLS=yes
DNSSEC=allow-downgrade
Then:
sudo systemctl restart systemd-resolved
resolvectl status
resolvectl query example.com
Unbound or dnscrypt-proxy as a forwarder
If you run a local resolver, point its forwarders at public-rdns.com over DoT or DoH. Note that Unbound only verifies the upstream certificate against the #public-rdns.com authentication name when it has a CA store to check it with; without tls-cert-bundle (or tls-system-cert) in the server section the connection is encrypted but not authenticated. Example unbound.conf snippet:
server:
    # CA store used to validate the upstream certificate; this is the
    # Debian/Ubuntu bundle path, adjust for your OS
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt

forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 37.27.71.154@853#public-rdns.com
    forward-addr: 95.216.30.96@853#public-rdns.com
    forward-addr: 2a01:4f9:3070:1218::1@853#public-rdns.com
    forward-addr: 2a01:4f9:fff1:63::2@853#public-rdns.com
Windows 11
Windows 11 supports DoH natively per-adapter:
- Open Settings → Network & internet and select your active connection.
- Click Edit next to DNS server assignment and choose Manual.
- Enable IPv4 and enter 37.27.71.154; set DNS over HTTPS to On (manual template) with https://public-rdns.com/dns-query.
- Optionally repeat for IPv6 with 2a01:4f9:3070:1218::1.
Windows 10 does not have a built-in DoH UI; use a client like dnscrypt-proxy or YogaDNS, or configure DoH at the router.
Routers
Most consumer routers accept plain DNS only. Set:
Primary DNS: 37.27.71.154
Secondary DNS: 95.216.30.96
IPv6 Primary: 2a01:4f9:3070:1218::1
IPv6 Secondary: 2a01:4f9:fff1:63::2
OpenWrt, pfSense, and OPNsense can forward over DoT — point their resolver at public-rdns.com:853.
Blocking
Blocked names are answered with a CNAME to sinkhole.public-rdns.com, which resolves to 0.0.0.0 (A) and :: (AAAA). This is implemented as Unbound RPZ zones loaded from upstream feeds.
Active blocklists (Hagezi RPZ)
- Ultimate — broad ad/tracker/malware coverage
- Threat Intelligence Feeds (TIF) — known malicious infrastructure
- Pop-up Ads
- Fake — fraudulent / phishing / scam domains
- DynDNS — dynamic DNS providers commonly abused by malware
- DoH / VPN / Proxy bypass — services used to circumvent filtering
- Spam TLDs (aggressive)
- Hosters — bulk hosters frequently used to host abuse
- URL Shorteners
- Anti-piracy
- Gambling
- NSFW
- Native trackers — Amazon, Apple, Huawei, Microsoft / Windows / Office, Samsung, TikTok (extended), LG webOS, Roku, Vivo, Oppo / Realme, Xiaomi
Lists are pulled directly from the Hagezi project; full credit to its maintainers.
Test that blocking works
dig @public-rdns.com doubleclick.net
# Expect a CNAME to sinkhole.public-rdns.com followed by 0.0.0.0 (or :: for an AAAA query)
False positives
If a legitimate domain is blocked, the issue is almost always upstream in the Hagezi list. Please report it to the Hagezi project; once fixed there, the change will flow into this resolver on the next refresh.
Features
- Full DNSSEC validation with hardened algorithm checks (no downgrade)
- Aggressive use of NSEC for negative answers (RFC 8198)
- QNAME minimisation
- EDNS Extended DNS Errors (EDE) returned to clients, including for serve-expired
- Serve-expired with up to 24 h grace, so transient upstream outages don't break browsing
- DNS Cookies enabled to mitigate spoofing
- ANY queries refused (anti-amplification)
- HTTP/2 and HTTP/3 (QUIC) support for DoH
- IPv4 and IPv6, with two addresses in each family for redundancy
- Per-source IP rate limiting
- DDR (Discovery of Designated Resolvers, RFC 9462) advertised on _dns.resolver.arpa
Infrastructure
- OS: FreeBSD
- Resolver: Unbound
- HTTPS frontend: nginx, terminating TLS for DoH on /dns-query and forwarding to Unbound
- Filesystem: ZFS with native encryption
- Cache: 1 GiB message cache, 16 GiB rrset cache, 4 GiB key cache
- TTL bounds: minimum and maximum cache TTLs are both set to 24 h, so every record is cached for a day regardless of its published TTL. This reduces upstream traffic, but changes to short-TTL records (failover, CDN steering) can take up to 24 h to become visible through this resolver.
- Rate limiting: 100 queries per second per source IP
Operator does not retain shell history, and the system has no remote console exposed to the public internet beyond the services listed above.
Troubleshooting
Some DNSSEC-signed names fail to resolve
This resolver enforces DNSSEC. Domains with broken signatures return SERVFAIL. That is the correct behaviour; the domain owner needs to fix their DNSSEC. Check with dig +dnssec +cd @public-rdns.com name: if the +cd (checking disabled) query returns an answer but the normal query returns SERVFAIL, the domain is bogus. Recent versions of dig also print the EDE code and reason carried in the SERVFAIL response (in the OPT PSEUDOSECTION), which tells you which part of the chain failed.
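Both checks, the sinkhole CNAME from "Test that blocking works" above and the SERVFAIL-with-EDE case here, can be made mechanical instead of eyeballing dig output. The following is an added example, not code from public-rdns.com or Unbound: a small decoder for a wire-format reply (what the DoH endpoint returns, and what dig renders) that classifies an answer as RPZ-sinkholed, bogus with its EDE reason, or clean. It handles RFC 1035 name compression, extracts the EDNS-extended RCODE, and reads EDE options (RFC 8914). The two sample messages are constructed inline; bogus.example is a made-up name and the EDE text is illustrative, not the resolver's actual wording.

```python
import ipaddress
import struct

SINKHOLE = "sinkhole.public-rdns.com"   # CNAME target documented under Blocking
TYPE_A, TYPE_CNAME, TYPE_AAAA, TYPE_OPT = 1, 5, 28, 41
EDE_OPTION = 15                          # EDNS option code for Extended DNS Errors (RFC 8914)
EDE_NAMES = {3: "Stale Answer", 6: "DNSSEC Bogus", 7: "Signature Expired", 10: "RRSIGs Missing"}

def encode_name(name: str) -> bytes:     # RFC 1035 wire form, no compression
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").split(".") if l) + b"\x00"

def read_name(msg: bytes, off: int):
    """Return (name, offset just past it); follows RFC 1035 compression pointers."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:        # two-byte pointer to an earlier name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:                # refuse pointer loops in hostile input
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)

def parse_message(msg: bytes) -> dict:
    """Extract the EDNS-extended rcode, answer-section RRs and any EDE options."""
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode, off = flags & 0xF, 12
    for _ in range(qd):                  # skip the question section
        _, off = read_name(msg, off)
        off += 4
    answers, ede = [], []
    for i in range(an + ns + ar):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == TYPE_OPT:
            rcode |= (ttl >> 24) << 4    # high byte of the OPT "TTL" extends the RCODE
            o = 0
            while o + 4 <= len(rdata):
                code, olen = struct.unpack("!HH", rdata[o:o + 4])
                body = rdata[o + 4:o + 4 + olen]
                if code == EDE_OPTION and len(body) >= 2:
                    ede.append((struct.unpack("!H", body[:2])[0], body[2:].decode("utf-8", "replace")))
                o += 4 + olen
        elif i < an:                     # only answer-section RRs are classified
            if rtype == TYPE_CNAME:
                value = read_name(msg, off)[0]
            elif rtype in (TYPE_A, TYPE_AAAA):
                value = str(ipaddress.ip_address(rdata))
            else:
                value = rdata.hex()
            answers.append((name, rtype, value))
        off += rdlen
    return {"rcode": rcode, "answers": answers, "ede": ede}

def is_sinkholed(parsed: dict) -> bool:  # the RPZ rewrite described under Blocking
    return any((t == TYPE_CNAME and v == SINKHOLE)
               or (t in (TYPE_A, TYPE_AAAA) and v in ("0.0.0.0", "::"))
               for _, t, v in parsed["answers"])

def describe(parsed: dict) -> str:       # one-line verdict for a troubleshooting script
    if is_sinkholed(parsed):
        return "blocked by RPZ (sinkhole)"
    if parsed["rcode"] == 2:
        reasons = [f"EDE {c} {EDE_NAMES.get(c, 'unlisted code')}: {t}" for c, t in parsed["ede"]]
        return "SERVFAIL " + ("; ".join(reasons) if reasons else "(no EDE)")
    return "NOERROR" if parsed["rcode"] == 0 else f"rcode {parsed['rcode']}"

# Constructed sample messages (built here, not captured from the resolver).
def sample_blocked() -> bytes:           # doubleclick.net rewritten to the sinkhole
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)
    question = encode_name("doubleclick.net") + struct.pack("!HH", TYPE_A, 1)
    target = encode_name(SINKHOLE)
    cname = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_CNAME, 1, 300, len(target)) + target
    a_rr = target + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes(4)   # 0.0.0.0
    return hdr + question + cname + a_rr

def sample_servfail(ede_code: int, text: str) -> bytes:   # made-up name bogus.example
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 1)
    question = encode_name("bogus.example") + struct.pack("!HH", TYPE_A, 1)
    body = struct.pack("!H", ede_code) + text.encode("utf-8")
    opt_rdata = struct.pack("!HH", EDE_OPTION, len(body)) + body
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, 0, len(opt_rdata)) + opt_rdata
    return hdr + question + opt
```

Feed parse_message the raw body of a DoH response (or the bytes behind a DoT/plain-DNS reply, minus the two-byte TCP length prefix) and describe gives the verdict. A serve-expired answer from this resolver shows up the same way: NOERROR with an EDE 3 (Stale Answer) option alongside the records.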
Android Private DNS shows "Couldn't connect"
Confirm the device can reach the internet (try 1.1.1.1 in a browser). Captive-portal Wi-Fi often blocks port 853 until you sign in — connect to the portal first, then enable Private DNS.
Browser DoH not used
Browser DoH may be silently disabled when an enterprise policy or parental-control profile is detected, or when the OS already specifies a system DNS provider it considers protective. Check the browser's secure-DNS status page.
DoT TLS errors
The TLS certificate is issued for public-rdns.com. If your client connects by IP address, set the SNI / authentication hostname explicitly to public-rdns.com (the #public-rdns.com suffix in the systemd-resolved and Unbound examples above does exactly this); otherwise validation fails. If the certificate looks valid but is rejected as not yet valid or expired, your system clock is wrong; pair this resolver with an authenticated time source such as public-utc.com. Mind the bootstrap order: a machine whose time source is reached by hostname needs working DNS before it can fix its clock, so give the time source an IP address or allow a plain-DNS fallback at boot.
Rate limited
If you query at more than ~100 qps from a single source, packets will be dropped. That is far above any normal client. If you need that volume, run a local Unbound and forward to public-rdns.com over DoT.
A site I want is blocked
See Blocking above. Report false positives to the upstream Hagezi list.
FAQ
Is this really free?
Yes. There is no charge, no signup, no API key. Donations via Bitcoin are appreciated but not required — see the Contact section.
Do you log my queries?
No. DNS query traffic is not written to disk. Operational logs cover the daemon's own state and RPZ hits (used to count blocks), not client identities.
What's the difference between DoH and DoT?
Both encrypt DNS. DoH wraps queries in HTTPS and looks like ordinary web traffic; it is easy to deploy in browsers and hard to selectively block. DoT runs on its own port (853) and is a clean fit for OS-level configuration. Use whichever your client supports best.
Is DNSSEC enforced?
Yes. Bogus answers are refused with SERVFAIL plus an EDE explaining why. If you publish your own zones and want them DNSSEC-signed automatically, see public-adns.com.
What about ECH / ECS?
EDNS Client Subnet (ECS) is not forwarded to upstream authoritatives — this protects client privacy at a small cost in CDN locality.
Can I use this for production?
Yes, but always configure multiple resolvers from independent operators so a single one going offline does not take you with it. public-rdns.com exposes two IPv4 and two IPv6 addresses; pair it with another provider for true redundancy.
Why is some content blocked?
The resolver applies the Hagezi RPZ blocklists listed under Blocking. They are tuned for ad/tracker/malware/scam suppression. If you want unfiltered recursion, use a different resolver — there is no opt-out endpoint here.
What's the SLA?
Best-effort. The service is operated as a public good, not a paid product. If high availability is critical, configure several independent resolvers and let your client pick a healthy one.
Acceptable Use
- Use sane query rates. Normal client behaviour is fine; tens of thousands of qps from one source is not.
- Do not hardcode public-rdns.com in shipping consumer products or appliances without contacting us first.
- Do not use the service to amplify or proxy traffic to third parties. ANY queries are refused.
- Abusive sources may be rate limited or blocked without notice.
Other Projects
public-common.com Management node
public-adns.com Public authoritative DNS service
public-rdns.com Public recursive DNS service
public-blank.com Public static / parking service
public-repo.com Public mirror service
public-utc.com Public NTP / NTS time service