Tiers
Choose the filtering level that fits your network. Each tier runs on dedicated hardware with the same privacy and DNSSEC guarantees.
| Tier | Blocking | Best for | Configure |
|---|---|---|---|
| Full | Strong Hagezi RPZ — ads, malware, trackers, NSFW, gambling, scam/phishing | Families, schools, households | full.html |
| Lite | oisd Big — ads, malware, phishing, tracking (no NSFW/gambling) | Work networks, lighter protection | lite.html |
| Open | None — unfiltered recursive DNS | Maximum compatibility, development | open.html |
Mission
Public RDNS provides three free public DNS resolvers — Full, Lite and Open — with no signup, no logging, and no paywall. Every tier runs validating recursive DNS with DNSSEC enforced, QNAME minimisation, and support for DoH, DoT and plain DNS over IPv4 and IPv6. The Full tier uses Hagezi RPZ feeds for strong family-safe blocking of ads, malware, trackers, NSFW and gambling. Lite offers lighter protection via oisd Big. Open is completely unfiltered for maximum compatibility.
The resolver is operated as a public good: hardware, bandwidth, and time are donated, the configuration is boring on purpose, and the privacy guarantees are structural rather than promised. Everything on this page — the endpoints, the policy, and the operational stack — is documented so anyone can reproduce, audit, or take over the setup if they need to.
Privacy
We do not log DNS queries. No query data is stored, sold, or shared with third parties.
- No query logging — DNS queries are never written to disk.
- Encrypted storage — all data at rest is protected with ZFS native encryption.
- No shell history — operator sessions leave no command history on the server.
- Headless server — eliminating physical access vectors.
- QNAME minimisation — upstream authoritative servers only see the minimum necessary part of each query (RFC 9156).
- No EDNS Client Subnet — ECS is not forwarded upstream; client IPs do not leak to authoritatives.
- No analytics or trackers — this site is static HTML and sets no cookies.
- Hidden version and identity — version.bind and id.server probes are refused.
Features
| Category | Detail |
|---|---|
| Query logging | Disabled |
| Data at rest | ZFS encrypted |
| QNAME minimisation | RFC 9156 |
| EDNS Client Subnet | Not forwarded |
| DNSSEC | Enforced (hard fail) |
| Aggressive NSEC | RFC 8198 |
| DNS Cookies | Enabled |
| Serve-expired | 24 h grace |
| EDE errors | Returned on validation failure |
| ANY queries | Refused |
| DDR | RFC 9462 (_dns.resolver.arpa SVCB) |
| Protocols | DoH, DoT, Do53 |
| HTTP versions | HTTP/2 |
| Stacks | IPv4 and IPv6 |
| Rate limit | ~100 qps per source IP |
| Cost | $0 |
Infrastructure
| Component | Detail |
|---|---|
| Operating system | FreeBSD |
| Resolver | Unbound — DNSSEC, QNAME minimisation, RPZ, native DoH |
| HTTP versions | HTTP/2 |
| Filesystem | ZFS — native encryption, snapshots |
| Cache | 1 GiB message, 16 GiB rrset, 4 GiB key |
| TTL bounds | min/max normalised to 24 h to reduce upstream traffic |
| Rate limiting | 100 queries/sec per source IP |
| Operator session | No shell history retained |
The system has no remote console exposed to the public internet beyond the services listed above.
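As an added, worked example (not the operator's own configuration file, which this page does not publish), the script below renders an unbound.conf per tier from the settings in the Privacy, Features and Infrastructure tables above: validation with hard fail and EDE, QNAME minimisation, no subnetcache module (so ECS is never sent upstream), hidden identity and version, cookies, ANY refused, the stated cache sizes and 24 h TTL bounds, serve-expired, the DDR SVCB records, and an RPZ block for Full and Lite only. Every path, listening address, certificate file, RPZ feed URL and zone name in it is a placeholder; the option names are standard Unbound options (ede needs Unbound 1.16 or later, answer-cookie 1.19 or later), and the two local-data lines assume Unbound's SVCB record syntax.

```shell
#!/bin/sh
# Added example: render a per-tier unbound.conf that encodes the settings from
# the Public RDNS feature and infrastructure tables. Not the operator's file;
# all paths, addresses, feed URLs and zone names are placeholders.
# Usage: sh gen-unbound.sh full|lite|open > unbound.conf && unbound-checkconf unbound.conf

CONF_DIR="/usr/local/etc/unbound"     # placeholder: package location on FreeBSD
TLS_KEY="$CONF_DIR/tls/privkey.pem"   # placeholder: wildcard cert key
TLS_PEM="$CONF_DIR/tls/fullchain.pem" # placeholder: wildcard cert chain
RPZ_DIR="/var/unbound/rpz"            # placeholder: where feeds are stored

# RPZ block per tier: Full and Lite differ only in the feed, Open has none.
rpz_block() {
  case "$1" in
    full) cat <<EOF
rpz:
  name: "hagezi.rpz.placeholder"
  url: "https://FEED-URL-PLACEHOLDER/hagezi.rpz"
  zonefile: "$RPZ_DIR/hagezi.zone"
  rpz-log: no                      # blocked names are not logged either
EOF
    ;;
    lite) cat <<EOF
rpz:
  name: "oisd-big.rpz.placeholder"
  url: "https://FEED-URL-PLACEHOLDER/oisd-big.rpz"
  zonefile: "$RPZ_DIR/oisd-big.zone"
  rpz-log: no
EOF
    ;;
    open) ;;                         # unfiltered: no rpz block at all
  esac
}

render_unbound_conf() {
  tier="$1"
  case "$tier" in full|lite|open) ;; *) echo "unknown tier: $tier" >&2; return 1 ;; esac
  # RPZ needs the respip module; Open leaves it out. No subnetcache anywhere,
  # so EDNS Client Subnet is never forwarded upstream.
  if [ "$tier" = open ]; then modules="validator iterator"; else modules="respip validator iterator"; fi
  cat <<EOF
server:
  module-config: "$modules"
  # Listeners: Do53, DoT (853) and DoH (443) on both stacks; addresses are placeholders.
  interface: 0.0.0.0
  interface: ::0
  interface: 0.0.0.0@853
  interface: ::0@853
  interface: 0.0.0.0@443
  interface: ::0@443
  tls-port: 853
  https-port: 443
  http-endpoint: "/dns-query"
  tls-service-key: "$TLS_KEY"
  tls-service-pem: "$TLS_PEM"
  access-control: 0.0.0.0/0 allow
  access-control: ::0/0 allow
  # Privacy: nothing about queries on disk, no identity leaks, minimal upstream exposure.
  verbosity: 1
  log-queries: no
  log-replies: no
  hide-identity: yes               # id.server refused
  hide-version: yes                # version.bind refused
  qname-minimisation: yes          # RFC 9156
  # DNSSEC: hard fail, with an Extended DNS Error explaining bogus data.
  auto-trust-anchor-file: "$CONF_DIR/root.key"
  val-permissive-mode: no
  harden-dnssec-stripped: yes
  harden-below-nxdomain: yes
  aggressive-nsec: yes             # RFC 8198
  ede: yes
  # Abuse controls.
  deny-any: yes                    # ANY queries refused
  ip-ratelimit: 100                # ~100 qps per source IP
  answer-cookie: yes               # DNS cookies; secret is generated at startup if unset
  # Cache sizing and TTL normalisation from the Infrastructure table.
  msg-cache-size: 1g
  rrset-cache-size: 16g
  key-cache-size: 4g
  cache-min-ttl: 86400
  cache-max-ttl: 86400
  serve-expired: yes
  serve-expired-ttl: 86400         # 24 h grace
  # DDR (RFC 9462): advertise this tier's encrypted endpoints.
  local-data: "_dns.resolver.arpa. 3600 IN SVCB 1 $tier.public-rdns.com. alpn=h2 port=443 dohpath=/dns-query{?dns}"
  local-data: "_dns.resolver.arpa. 3600 IN SVCB 2 $tier.public-rdns.com. alpn=dot port=853"
EOF
  rpz_block "$tier"
}

if [ $# -gt 0 ]; then render_unbound_conf "$1"; fi
```

Run it through unbound-checkconf before deploying; the placeholders for certificate files and the trust anchor must exist on disk or the check fails, which is the intended safety net.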
Troubleshooting
Some DNSSEC-signed names fail to resolve
This resolver enforces DNSSEC. Domains with broken signatures will return SERVFAIL. Check with dig +dnssec +cd @your-tier.public-rdns.com name; if +cd (checking disabled) returns an answer but the normal query does not, the domain is bogus.
Android Private DNS shows "Couldn't connect"
Confirm the device can reach the internet. Captive-portal Wi-Fi often blocks port 853 until you sign in — connect to the portal first, then enable Private DNS.
Browser DoH not used
Browser DoH may be silently disabled when an enterprise policy or parental-control profile is detected, or when the OS already specifies a system DNS provider it considers protective. Check the browser's secure-DNS status page.
DoT TLS errors
The TLS certificate is issued for public-rdns.com (wildcard, covers *.public-rdns.com). If your client connects by IP, set the SNI / hostname explicitly to the tier you use (e.g. full.public-rdns.com). If the certificate is rejected as not yet valid or expired, your system clock is wrong — pair this resolver with public-utc.com.
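The two checks described above (the +cd comparison for DNSSEC failures, and connecting to port 853 by IP with the tier hostname as SNI), as an added shell example that is not part of the original page. It assumes dig and openssl are installed; the tier hostnames are the ones documented here, the resolver IP is a placeholder taken from your tier page, and the function and script names are hypothetical. The classify function is a pure decision table so the logic can be exercised without network access.

```shell
#!/bin/sh
# Added example (not from the Public RDNS page): helpers for the DNSSEC and
# DoT troubleshooting steps. Requires dig and openssl.

# rcode_of SERVER NAME [dig options]: print the RCODE from dig's header line,
# or NONE when there was no reply at all (timeout, blocked port, dropped packet).
rcode_of() {
  _server="$1"; _name="$2"; shift 2
  _rc=$(dig +dnssec +time=3 +tries=1 "$@" "@$_server" "$_name" 2>/dev/null \
        | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
  printf '%s\n' "${_rc:-NONE}"
}

# classify NORMAL_RCODE CD_RCODE: decision table for the +cd comparison.
classify() {
  case "$1/$2" in
    NONE/*|*/NONE)                      echo no-reply ;;          # network, port or rate limit
    SERVFAIL/NOERROR|SERVFAIL/NXDOMAIN) echo bogus ;;             # data exists, validation fails
    SERVFAIL/SERVFAIL)                  echo upstream-failure ;;  # fails even unvalidated
    NOERROR/*|NXDOMAIN/*)               echo ok ;;                # validated or unsigned
    *)                                  echo unexpected ;;        # e.g. REFUSED
  esac
}

# check_name SERVER NAME: run the normal and the +cd query and explain the result.
check_name() {
  _n=$(rcode_of "$1" "$2")
  _c=$(rcode_of "$1" "$2" +cd)
  printf '%s via %s: normal=%s cd=%s -> %s\n' "$2" "$1" "$_n" "$_c" "$(classify "$_n" "$_c")"
}

# dot_cert_check IP HOST: connect to port 853 by IP but present HOST as SNI and
# verify the certificate against it, then show the validity window next to the
# local clock so "not yet valid" / "expired" can be compared with the system time.
dot_cert_check() {
  printf 'local clock: %s\n' "$(date -u '+%Y-%m-%d %H:%M:%S UTC')"
  _out=$(openssl s_client -connect "$1:853" -servername "$2" -verify_hostname "$2" \
           </dev/null 2>/dev/null)
  printf '%s\n' "$_out" | grep 'Verify return code'
  printf '%s\n' "$_out" | openssl x509 -noout -subject -dates
}

# Usage: sh rdns-check.sh dnssec full.public-rdns.com example.com
#        sh rdns-check.sh dot RESOLVER-IP-PLACEHOLDER full.public-rdns.com
case "${1:-}" in
  dnssec) check_name "$2" "$3" ;;
  dot)    dot_cert_check "$2" "$3" ;;
esac
```

A "bogus" verdict means the data is reachable but fails validation at the resolver, which is the domain owner's problem to fix; "upstream-failure" means even the unvalidated query fails, so DNSSEC is not the cause.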
Rate limited
If you query at more than ~100 qps from a single source, packets will be dropped. If you need that volume, run a local Unbound and forward to your chosen tier over DoT.
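For the rate-limit case, an added example (not a configuration shipped by the project) of the local validating Unbound suggested above: it answers a host or LAN from its own cache and forwards only cache misses to one tier over DoT. The resolver IP, the CA bundle path and the trust-anchor path are placeholders; the tier hostname is the one this page gives, and it is pinned as the upstream's authentication name so the TLS certificate is verified against it rather than against the bare IP.

```shell
#!/bin/sh
# Added example, not project code: render a local forwarding unbound.conf that
# sends all cache misses to one Public RDNS tier over DoT (port 853).
# Usage: sh gen-forwarder.sh full.public-rdns.com RESOLVER-IP-PLACEHOLDER > unbound.conf

render_forwarder_conf() {
  host="$1"; ip="$2"
  case "$host" in
    full.public-rdns.com|lite.public-rdns.com|open.public-rdns.com) ;;
    *) echo "unknown tier hostname: $host" >&2; return 1 ;;
  esac
  cat <<EOF
server:
  interface: 127.0.0.1
  interface: ::1
  access-control: 127.0.0.0/8 allow
  access-control: ::1/128 allow
  # Validate locally as well: an AD bit from a forwarder is only as trustworthy
  # as the channel it came over, so keep a trust anchor here too.
  auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"   # placeholder path
  # CA bundle used to verify the upstream certificate against the pinned name.
  tls-cert-bundle: "/usr/local/share/certs/ca-root-nss.crt"   # placeholder path
  prefetch: yes                  # refresh popular names before they expire
  msg-cache-size: 64m
  rrset-cache-size: 128m

forward-zone:
  name: "."
  forward-tls-upstream: yes
  # IP@port#authname: the certificate must match $host, not the bare IP.
  forward-addr: $ip@853#$host
EOF
}

if [ $# -eq 2 ]; then render_forwarder_conf "$1" "$2"; fi
```

Add your LAN prefix to access-control if other hosts should use it; the cache is what keeps the upstream query rate well under the ~100 qps limit.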
FAQ
Is this really free?
Yes. There is no charge, no sign-up, no API key. Donations via Bitcoin are appreciated but not required — see Contact.
Do you log my queries?
No. We do not log DNS queries.
What's the difference between DoH and DoT?
Both encrypt DNS. DoH wraps queries in HTTPS and looks like ordinary web traffic; DoT runs on its own port (853) and is a clean fit for OS-level configuration. Use whichever your client supports best.
Is DNSSEC enforced?
Yes. Bogus answers are refused with SERVFAIL plus an EDE explaining why. If you publish your own zones and want them DNSSEC-signed automatically, see public-adns.com.
What about EDNS Client Subnet (ECS)?
ECS is not forwarded to upstream authoritatives. This protects client privacy at a small cost in CDN locality.
Can I use this for production?
Yes. Each tier runs on dedicated hardware. Use the hostname (e.g. full.public-rdns.com) for DoT/DoH; plain DNS uses the IPv4/IPv6 listed on each tier page.
Is this a family-safe DNS?
The Full tier is. It blocks NSFW, gambling, ads, malware, trackers, and scam/phishing domains via Hagezi RPZ feeds. Lite uses oisd Big (ads and malware/phishing, no NSFW/gambling). Open has none.
Why is some content blocked?
Full applies Hagezi RPZ blocklists. Lite uses oisd Big. Open applies none. There is no opt-out on Full.
What's the SLA?
Best-effort. The service is operated as a public good, not a paid product.
Acceptable Use
- Use sane query rates. Normal client behaviour is fine; tens of thousands of qps from one source is not.
- Do not hardcode public-rdns.com in shipping consumer products or appliances without contacting us first.
- Do not use the service to amplify or proxy traffic to third parties. ANY queries are refused.
- Abusive sources may be rate limited or blocked without notice.
Managed Services
Beyond the public resolver, we offer managed private resolvers and DNS infrastructure for organizations that need their own controlled instance — regulated environments, ISPs, schools, enterprises, and anyone who wants the same operational model we run here.
Typical engagements include:
- Dedicated Unbound resolvers (native DoH) with custom RPZ policy.
- Anycast / multi-region recursive DNS for latency-sensitive deployments.
- Logging-on-demand resolvers for environments that legally require query retention.
- Hardened resolver appliances built on FreeBSD + ZFS + Unbound.
- Bare-metal management — provisioning, OS hardening, monitoring, patching, and on-call response.
- Migration from existing setups (Pi-hole, AdGuard Home, BIND, dnsmasq) to a leaner, validating, RPZ-driven design.
For pricing and scoping, see Contact.
Sponsors
Public RDNS is operated as a public good and runs on volunteer time, donated bandwidth, and out-of-pocket hardware. Sponsorships keep it that way — no ads, no tracking, no paywalled tiers.
Sponsors receive a logo and link on this page for the duration of the sponsorship, with no influence over editorial or operational decisions. If you need operational support, SLAs, or a dedicated resolver, see Managed Services instead.
Any contribution helps — there are no fixed amounts and no tiers. Sponsorships can be invoiced (EUR, SEPA / SWIFT) or paid in BTC. To set one up, see Contact.
No sponsors yet.
Legal
Trademarks
All project names, logos, and marks referenced on this site — including Hagezi, Unbound, nginx, FreeBSD, ZFS, Android, iOS, iPadOS, macOS, Windows, Firefox, Chrome, Edge, Brave, OpenWrt, pfSense, OPNsense — are the property of their respective owners. Public RDNS is an independent resolver operator and is not affiliated with, endorsed by, or sponsored by any of these projects unless explicitly stated.
Content
Public RDNS performs DNS recursion and applies RPZ feeds maintained by third parties. Block decisions reflect those upstream feeds; we add nothing, remove nothing, and re-sign nothing.
Warranty disclaimer
This service is provided "as is" and "as available", without warranty of any kind, express or implied. Use of this resolver is at your own risk.
Limitation of liability
To the maximum extent permitted by applicable law, the operators of Public RDNS shall not be liable for any damages arising from the use of, or inability to use, this service.
Abuse and takedowns
To report abusive use or submit a good-faith takedown request, contact us via Contact with the name(s) and the basis for the request.
Privacy
We do not log individual queries, set cookies, or run analytics. See Privacy for details.
Other Projects
| Site | Service |
|---|---|
| public-consortium.com | Project home and operations |
| public-adns.com | Public authoritative DNS service |
| public-rdns.com | Public recursive DNS service (this site) |
| public-blank.com | Public static / parking service |
| public-repo.com | Public mirror service |
| public-utc.com | Public NTP / NTS time service |