Quick Start
Configure your device or resolver to use the Full tier. See Lite for lighter oisd protection or Open for no blocking.
Android 9+ (Private DNS)
Settings → Network & internet → Private DNS → Private DNS provider hostname:
full.public-rdns.com
All queries are encrypted system-wide over DoT (port 853).
iOS / iPadOS / macOS (profiles)
Download and install a configuration profile from Settings → General → VPN & Device Management (iOS) or System Settings → Privacy & Security → Profiles (macOS). DoT is recommended.
Firefox (DoH)
Settings → Privacy & Security → DNS over HTTPS → Max Protection → Custom:
https://full.public-rdns.com/dns-query
Chrome / Edge / Brave (DoH)
Settings → Privacy and security → Security → Use secure DNS → With: Custom:
https://full.public-rdns.com/dns-query
Browser DoH only protects the browser. For system-wide protection, configure the OS instead.
systemd-resolved (Linux)
Edit /etc/systemd/resolved.conf:
[Resolve]
DNS=37.27.125.218#full.public-rdns.com 2a01:4f9:3070:2feb::218#full.public-rdns.com
DNSOverTLS=yes
DNSSEC=allow-downgrade
Then:
sudo systemctl restart systemd-resolved
resolvectl status
Unbound forwarder (Linux / BSD)
Add to unbound.conf (inside server: section):
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 37.27.125.218@853#full.public-rdns.com
    forward-addr: 2a01:4f9:3070:2feb::218@853#full.public-rdns.com
Windows 11 (DoH)
Settings → Network & internet → Adapter → Edit DNS. Set DNS server assignment to Manual:
IPv4: 37.27.125.218
DoH: https://full.public-rdns.com/dns-query
IPv6: 2a01:4f9:3070:2feb::218
DoH: https://full.public-rdns.com/dns-query
Windows 10 has no native DoH UI; use dnscrypt-proxy, YogaDNS, or configure DoH at the router.
Routers (plain / DoT)
Consumer routers — plain DNS only:
Primary: 37.27.125.218
IPv6: 2a01:4f9:3070:2feb::218
OpenWrt / pfSense / OPNsense — forward over DoT to full.public-rdns.com:853.
Command line (dig, kdig, curl)
dig @full.public-rdns.com example.com
kdig @full.public-rdns.com +tls example.com
kdig @full.public-rdns.com +https example.com
curl -s -H 'accept: application/dns-message' \
  "https://full.public-rdns.com/dns-query?dns=q80BAAABAAAAAAAAB2V4YW1wbGUDY29tAAABAAE" | xxd
Endpoints
| Transport | Address |
|---|---|
| DoH | https://full.public-rdns.com/dns-query |
| DoT | full.public-rdns.com:853 |
| Plain DNS | full.public-rdns.com |
| IPv4 | 37.27.125.218 |
| IPv6 | 2a01:4f9:3070:2feb::218 |
This resolver publishes _dns.resolver.arpa SVCB records for DDR auto-discovery.
Android
Android 9 and later support DNS over TLS natively via Private DNS — no app required.
- Open Settings → Network & internet → Advanced → Private DNS.
- Select Private DNS provider hostname.
- Enter full.public-rdns.com and tap Save.
All DNS queries are then encrypted over TLS on port 853 system-wide.
Apple (iOS, iPadOS, macOS)
Apple devices support encrypted DNS via configuration profiles (iOS 14+ / macOS Big Sur+). Download a profile from the Quick Start section above (DoT recommended).
iOS / iPadOS
- Tap the profile link — Safari will prompt you to allow the download.
- Open Settings → General → VPN & Device Management.
- Tap the downloaded profile and Install. Enter your passcode if prompted.
macOS
- Click the profile link — it will be downloaded and opened automatically.
- Open System Settings → Privacy & Security → Profiles.
- Double-click the profile and click Install.
Browsers
Set the custom DoH URL to:
https://full.public-rdns.com/dns-query
- Firefox — Settings → Privacy & Security → DNS over HTTPS → Max Protection → Custom
- Chrome / Edge — Settings → Privacy and security → Security → Use secure DNS → With: Custom
- Brave — Settings → Privacy and security → Security → Use secure DNS
systemd-resolved and Unbound
systemd-resolved (Linux)
[Resolve]
DNS=37.27.125.218#full.public-rdns.com 2a01:4f9:3070:2feb::218#full.public-rdns.com
DNSOverTLS=yes
DNSSEC=allow-downgrade
sudo systemctl restart systemd-resolved
resolvectl status
resolvectl query example.com
Unbound or dnscrypt-proxy as a forwarder
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 37.27.125.218@853#full.public-rdns.com
    forward-addr: 2a01:4f9:3070:2feb::218@853#full.public-rdns.com
Windows
Windows 11 supports DoH natively per-adapter:
- Open Settings → Network & internet and select your active connection.
- Click Edit next to DNS server assignment and choose Manual.
- Enable IPv4 and enter 37.27.125.218; set DNS over HTTPS to On (manual template) with URL https://full.public-rdns.com/dns-query.
- Optionally repeat for IPv6 using the addresses in Endpoints.
Windows 10 does not have a built-in DoH UI; use dnscrypt-proxy or YogaDNS, or configure DoH at the router.
Routers
Most consumer routers accept plain DNS only:
Primary: 37.27.125.218
IPv6: 2a01:4f9:3070:2feb::218
OpenWrt, pfSense, and OPNsense can forward over DoT to full.public-rdns.com:853.
Transports
DNS over HTTPS (DoH)
curl -s -H 'accept: application/dns-message' \
  "https://full.public-rdns.com/dns-query?dns=q80BAAABAAAAAAAAB2V4YW1wbGUDY29tAAABAAE" | xxd
kdig @full.public-rdns.com +https example.com
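How the dns= value in the curl command is formed, as an added example that is not part of the original page: the parameter is the raw DNS query message, base64url-encoded with padding removed (RFC 8484). Function names are illustrative; the page's value carries message ID 0xABCD, while RFC 8484 recommends ID 0 so that HTTP caches can reuse responses.

```python
import base64
import struct

def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS wire labels: length byte + label, root = 0x00."""
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".") if l]
    if any(len(l) > 63 for l in labels):
        raise ValueError("DNS label longer than 63 bytes")
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def build_query(name: str, qtype: int = 1, msg_id: int = 0) -> bytes:
    """Build a one-question query: RD flag set, class IN, default type A."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def doh_get_param(wire: bytes) -> str:
    """RFC 8484 GET encoding: base64url with the '=' padding stripped."""
    return base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")

def decode_doh_param(param: str) -> dict:
    """Reverse the encoding to inspect a dns= value before sending it."""
    wire = base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))
    msg_id, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", wire[:12])
    labels, pos = [], 12
    while wire[pos]:                       # stop at the root label (0x00)
        length = wire[pos]
        labels.append(wire[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    qtype, qclass = struct.unpack("!HH", wire[pos + 1:pos + 5])
    return {"id": msg_id, "rd": bool(flags & 0x0100),
            "qname": ".".join(labels), "qtype": qtype, "qclass": qclass}

# Value copied from the curl command on this page.
PAGE_PARAM = "q80BAAABAAAAAAAAB2V4YW1wbGUDY29tAAABAAE"

if __name__ == "__main__":
    print(decode_doh_param(PAGE_PARAM))
    # Rebuilding the same query reproduces the page's parameter exactly.
    print(doh_get_param(build_query("example.com", msg_id=0xABCD)))
    # AAAA (type 28) query with the cache-friendly ID 0.
    print(doh_get_param(build_query("example.com", qtype=28)))
```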
DNS over TLS (DoT)
kdig @full.public-rdns.com +tls example.com
Plain DNS
dig @full.public-rdns.com example.com
Blocking
The Full tier is a family-safe resolver: ads, malware, trackers, NSFW, and gambling are sunk at the DNS layer via Hagezi RPZ feeds. Blocked names are answered with a CNAME to sinkhole.public-rdns.com (0.0.0.0 / ::).
Active blocklists on Full (Hagezi RPZ)
Most coverage is provided by Hagezi Ultimate, with additional specialized feeds:
- Ultimate — broad ad/tracker/malware coverage
- Threat Intelligence Feeds (TIF) — known malicious infrastructure
- Fake — fraudulent / phishing / scam domains
- DynDNS — dynamic DNS providers commonly abused by malware
- DoH / VPN / Proxy bypass — services used to circumvent filtering
- Spam TLDs (aggressive)
- Hosters — bulk hosters frequently used to host abuse
- URL Shorteners
- Anti-piracy
- Gambling
- NSFW
- Native trackers — Amazon, Apple, Huawei, Microsoft, Samsung, TikTok, and others
Lists are pulled from the Hagezi project. Refreshed several times per day.
Test that blocking works
dig @full.public-rdns.com doubleclick.net
# Expect a CNAME to sinkhole.public-rdns.com → 0.0.0.0 / ::
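The same check done on raw response bytes, as an added example that is not part of the original page: it walks the answer section of a DNS message and reports whether any CNAME points at the sinkhole name given above. The two sample responses are constructed inline, not captured from the resolver, and all function names are illustrative.

```python
import struct

SINKHOLE = "sinkhole.public-rdns.com"  # sinkhole name stated on this page

def read_name(msg: bytes, pos: int):
    """Read a (possibly compressed) name; return (name, offset just past it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:                      # compression pointer
            end = pos + 2 if end is None else end
            pos = ((length & 0x3F) << 8) | msg[pos + 1]
            hops += 1
            if hops > 32:                              # malformed or hostile message
                raise ValueError("compression pointer loop")
        elif length == 0:
            return ".".join(labels), (pos + 1 if end is None else end)
        else:
            labels.append(msg[pos + 1:pos + 1 + length].decode("ascii").lower())
            pos += 1 + length

def is_sinkholed(msg: bytes) -> bool:
    """True if any answer record is a CNAME pointing at SINKHOLE."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    pos = 12
    for _ in range(qdcount):                           # skip the question section
        _, pos = read_name(msg, pos)
        pos += 4                                       # QTYPE + QCLASS
    for _ in range(ancount):
        _, pos = read_name(msg, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 5 and read_name(msg, pos)[0] == SINKHOLE:
            return True
        pos += rdlen
    return False

# --- constructed sample responses (not captured from the resolver) ---
def _name(n: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode() for l in n.split(".")) + b"\x00"
def _rr(rtype: int, rdata: bytes, owner: bytes = b"\xc0\x0c") -> bytes:
    return owner + struct.pack("!HHIH", rtype, 1, 60, len(rdata)) + rdata
def _response(qname: str, answers: list) -> bytes:
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, len(answers), 0, 0)
    return header + _name(qname) + struct.pack("!HH", 1, 1) + b"".join(answers)

BLOCKED = _response("doubleclick.net", [_rr(5, _name(SINKHOLE)),
                                        _rr(1, bytes(4), owner=_name(SINKHOLE))])
CLEAN = _response("example.com", [_rr(1, bytes([192, 0, 2, 1]))])
```

To check a live answer, pass the body returned by the DoH curl command (before the xxd pipe) to is_sinkholed.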
False positives
Report false positives to the Hagezi project; changes flow into the Full resolver on the next refresh.
Comparison
Quick reference against other popular resolvers:
| | Public RDNS Full | Cloudflare 1.1.1.1 | Quad9 | NextDNS | AdGuard |
|---|---|---|---|---|---|
| Logs queries? | No | Yes (24h+) | No | Configurable | Yes |
| DNSSEC enforced | Yes (hard fail) | Yes | Yes | Yes | Yes |
| Family-safe blocking | Strong (Hagezi RPZ) | Malware only | Malware + some | Configurable | Strong |
| NSFW / Gambling blocks | Yes | No | Limited | Paid tiers | Paid tiers |
| Native tracker blocking | Extensive | No | No | Paid | Paid |
| QNAME minimisation | Yes | Yes | Yes | Yes | Yes |
| ECS (client IP leak) | Disabled | Enabled | Disabled | Optional | Optional |
| Cost | $0 | $0 | $0 | Free tier limited | Free tier limited |
| Transparent operator | Yes (this page) | US corp | Non-profit | For-profit | For-profit |