Public RDNS Lite

Quick Start

Configure your device to use the Lite tier. See Full for strong family-safe blocking or Open for none.

lite.public-rdns.com

https://lite.public-rdns.com/dns-query

[Resolve]
DNS=37.27.125.217#lite.public-rdns.com 2a01:4f9:3070:2feb::217#lite.public-rdns.com
DNSOverTLS=yes
DNSSEC=allow-downgrade

sudo systemctl restart systemd-resolved
resolvectl status

forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 37.27.125.217@853#lite.public-rdns.com
    forward-addr: 2a01:4f9:3070:2feb::217@853#lite.public-rdns.com

IPv4: 37.27.125.217     DoH: https://lite.public-rdns.com/dns-query
IPv6: 2a01:4f9:3070:2feb::217   DoH: https://lite.public-rdns.com/dns-query

Primary: 37.27.125.217     IPv6: 2a01:4f9:3070:2feb::217

dig @lite.public-rdns.com example.com
kdig @lite.public-rdns.com +tls example.com
kdig @lite.public-rdns.com +https example.com

Endpoints

This resolver publishes _dns.resolver.arpa SVCB records for DDR auto-discovery.

Android

Settings → Network & internet → Advanced → Private DNS → Private DNS provider hostname:

lite.public-rdns.com

Apple (iOS, iPadOS, macOS)

Download a profile from Quick Start (DoT recommended) and install via Settings → General → VPN & Device Management (iOS) or System Settings → Privacy & Security → Profiles (macOS).

Browsers

https://lite.public-rdns.com/dns-query

Browser DoH only protects the browser. For system-wide protection, configure the OS instead.

systemd-resolved and Unbound

[Resolve]
DNS=37.27.125.217#lite.public-rdns.com 2a01:4f9:3070:2feb::217#lite.public-rdns.com
DNSOverTLS=yes
DNSSEC=allow-downgrade

forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 37.27.125.217@853#lite.public-rdns.com
    forward-addr: 2a01:4f9:3070:2feb::217@853#lite.public-rdns.com

Windows

Windows 11: Settings → Network & internet → Edit DNS → Manual. IPv4: 37.27.125.217, DoH URL: https://lite.public-rdns.com/dns-query.

Routers

Primary: 37.27.125.217     IPv6: 2a01:4f9:3070:2feb::217

OpenWrt, pfSense, and OPNsense can forward over DoT to lite.public-rdns.com:853.

Transports

curl -s -H 'accept: application/dns-message' \
  "https://lite.public-rdns.com/dns-query?dns=q80BAAABAAAAAAAAB2V4YW1wbGUDY29tAAABAAE" | xxd
kdig @lite.public-rdns.com +tls example.com
dig @lite.public-rdns.com example.com

Blocking

The Lite tier uses the oisd Big list for lighter ad, malware, phishing and tracking protection (no NSFW or gambling blocks). Blocked names are answered with a CNAME to sinkhole.public-rdns.com.

The Lite tier uses the oisd Big RPZ feed from big.oisd.nl. It targets ads, malware, phishing, ransomware, spyware, cryptojacking, and non-essential telemetry — while deliberately avoiding breakage in NSFW, gambling, torrents, shopping, social media, and similar categories.

Test that blocking works

dig @lite.public-rdns.com doubleclick.net
# Expect a CNAME to sinkhole.public-rdns.com → 0.0.0.0 / ::

False positives

Report false positives via oisd.nl. For stronger blocking see Full; for none see Open.

Comparison