This text is based on CC BY-NC-SA 4.0 and modified from Sukka's 《如何选择适合的公共 DNS? [2020] 》.
Some of the public DNS evaluation content has been removed, and only the recommended public DNS has been retained, while some DNS information has been improved.
What to consider when choosing a public DNS#
There are many public DNS services available, built by large companies, non-profit organizations, and individuals, which can be overwhelming. When choosing a DNS that is important for our internet access, we need to consider many aspects in order to find the DNS that suits our needs. When choosing a DNS that is important for our internet access, we need to consider the following aspects:
- SLA service uptime. DNS is a crucial part of internet access, and the reliability of DNS directly affects the internet experience. If the DNS goes down, a large number of websites will become inaccessible.
- Response speed. When accessing a new website, the response speed of the DNS to this website directly affects the perceived loading speed of the current website.
- Accuracy. The accuracy of DNS results for website access is very important, even without considering DNS pollution and poisoning.
- EDNS. In short, EDNS (the correct abbreviation should be ECS) helps you obtain the most accurate CDN resolution results.
- Other features. Some personally built DNS servers provide ad-blocking or patriotic internet access functions.
- DNS exit. In general, the entry and exit of public DNS are different. You can use dig to check your DNS exit IP:
$ dig whoami.akamai.net
DNS exit is very important for CDN. Public DNS essentially forwards your query requests to upstream DNS servers. Without EDNS, the authoritative DNS servers of CDNs will determine your ISP and location based on the request IP used by the public DNS (i.e., the DNS exit), and return the IP of the nearest node to you. Therefore, theoretically, the DNS assigned to you by your ISP should be the fastest and CDN-friendly. The CDN optimization and CDN friendliness mentioned in this article also refer to whether the IP of the DNS exit can allow you to access the fastest CDN node.
Recommended public DNS services for mainland China#
Tencent DNSPod#
- Anycast: Shenzhen, Shanghai, Tianjin, Hong Kong, and North America
- DNS exit: 84 routes
- TCP queries: Not supported
- DoT, DoH: Supported. Domain names dns.pub and doh.pub support both DoH and DoT.
- ECS: Partial support
| Protocol | Primary | Secondary |
|---|---|---|
| IPv4 | 119.29.29.29 | 119.28.28.28 |
| IPv6 | 2402:4e00:: | 2402:4e00:1:: |
| DoH | https://doh.pub/dns-query | https://dot.pub/dns-query |
| DoH (IP) | https://1.12.12.12/dns-query | https://1.12.12.12/dns-query |
| DoH (SM2) | https://sm2.doh.pub/dns-query | |
| DoT | dot.pub | doh.pub |
| DoT (IP) | 1.12.12.12 | 1.12.12.12 |
This is a public DNS established by DNSPod, which is now operated by Tencent Cloud after being acquired by Tencent. Tencent DNSPod's public DNS is configured with Anycast and includes nodes from all available regions of Tencent Cloud (including overseas), so the speed is good. In addition to supporting ECS, it also has some optimizations for DNS exit selection, so the CDN resolution results are relatively accurate. However, its SLA is not excellent— it has experienced frequent DDoS attacks that caused resolution failures. In addition, due to its relative fame and large number of users, it is a target for ISP hijacking.
It is worth mentioning that DNSPod's public DNS provides free HTTPDNS. You can see a demo here.
Note that DNSPod's public DNS does not support cookie queries. If you are using the latest version of the built-in dig tool in Bind and querying with @119.29.29.29, you need to add the additional parameter +nocookie.
Alibaba Cloud Public DNS#
- Anycast: Nationwide + United States, Singapore, Germany, Australia, Japan, United Kingdom, India, Indonesia
- DNS exit: Chengdu, Shenzhen, Hangzhou
- TCP queries: Not supported
- DoT, DoH: Both supported. Can be used directly with IP or the domain name dns.alidns.com.
- ECS: Partial support (DNS JSON API supports edns_client_subnet)
| Protocol | Primary | Secondary |
|---|---|---|
| IPv4 | 223.5.5.5 | 223.6.6.6 |
| IPv6 | 2400:3200::1 | 2400:3200:baba::1 |
| DoH | https://dns.alidns.com/dns-query | |
| DoH (IP) | https://223.5.5.5/dns-query | https://223.6.6.6/dns-query |
| DoT | dns.alidns.com | |
| DoT (IP) | 223.5.5.5 | 223.6.6.6 |
Alibaba's public DNS is built by Alibaba and is also hosted on their own cloud service, Alibaba Cloud. Alibaba's public DNS does not support ECS but has optimizations for DNS exit. There have been no reports of frequent downtime or unavailability related to Alibaba's public DNS.
Recommended public DNS services for overseas regions#
OpenDNS#
- Anycast: OpenDNS's 32 data centers
- DNS exit: Not tested
- TCP queries: Supported
- DoT, DoH: Supported
- ECS: Supported
| Protocol | Primary | Secondary |
|---|---|---|
| IPv4 | 208.67.222.222 | 208.67.220.220 |
| IPv6 | 2620:119:35::35 | 2620:119:53::53 |
| DoH | https://doh.opendns.com/dns-query | https://doh.familyshield.opendns.com/dns-query |
| DoT | dns.opendns.com |
OpenDNS, which was acquired by Cisco, was once the fastest public DNS in the world. OpenDNS has more than 30 nodes worldwide and is well-configured with Anycast. It supports ECS and has an SLA of 100. OpenDNS also opens up non-standard port 5353 queries and TCP queries, making it less susceptible to pollution and hijacking even when directly requested from China. If you are using tools like ChinaDNS and do not have a dedicated encrypted tunnel prepared for it, connecting directly to OpenDNS's 5353 is a good alternative.
Cloudflare DNS#
- Anycast: Cloudflare's 160+ data centers
- DNS exit: Cloudflare's 160+ data centers
- TCP queries: Supported
- DoT, DoH: Both supported, can be used with the domain name one.one.one.one or directly with IP
- ECS: Not supported (contradicts Cloudflare DNS's privacy protection)
| Protocol | Primary | Secondary |
|---|---|---|
| IPv4 | 1.0.0.1 | 1.1.1.1 |
| IPv6 | 2606:4700:4700::1111 | 2606:4700:4700::1001 |
| DoH | https://cloudflare-dns.com/dns-query | |
| DoH (IP) | https://1.0.0.1/dns-query | https://1.1.1.1/dns-query |
| DoT | 1dot1dot1dot1.cloudflare-dns.com | one.one.one.one |
| DoT (IP) | 1.1.1.1 | 1.0.0.1 |
After Cloudflare took over the IP ranges 1.0.0.0/24 and 1.1.1.0/24 from APNIC and deployed public DNS, it became the fastest public DNS in the world, surpassing OpenDNS, thanks to its extensive global network infrastructure (Cloudflare has 185+ data centers, but its public DNS is not deployed on Baidu Cloud Acceleration nodes), BGP Anycast, and technologies like Cloudflare Argo. It supports DoT, DoH, and other common encrypted resolution solutions. Due to its privacy policy, Cloudflare's public DNS does not record user IP addresses, which means it cannot use ECS and other technologies. However, relying on its large number of nodes and global coverage of DNS exits, it is also suitable as the main DNS.
Google Public DNS#
- Anycast: Google's 36 data centers (excluding Google Global Cache)
- DNS exit: Google's global edge network
- TCP queries: Supported
- DoT, DoH: Both supported. Can be used directly with IP or the domain name dns.google
- ECS: Supported (DNS JSON API supports edns_client_subnet)
| Protocol | Primary | Secondary |
|---|---|---|
| IPv4 | 8.8.8.8 | 8.8.4.4 |
| IPv6 | 2001:4860:4860::8888 | 2001:4860:4860::8844 |
| DoH | https://dns.google/dns-query | |
| DoT | dns.google |
Google Public DNS is the most famous public DNS (even in China). Thanks to Google's extensive global network infrastructure (although Google Public DNS does not use Google Global Cache and does not have nodes in Africa and Oceania), the speed is not the fastest but at least not slow. It supports ECS, DoH, DoT, and has an SLA that is close to 100 (Google Search's SLA is 99.9999%). Overseas CDNs are optimized for Google DNS, so it is strongly recommended for resolving overseas websites.
Recommended public DNS services for overseas servers#
DNS.sb#
- Anycast: Yes
- DNS exit: Upstream IP of SB Network
- TCP queries: Supported
- DoT, DoH: Supported, can be used with IP or the domain name
- ECS: Not supported
| Protocol | Primary | Secondary |
|---|---|---|
| IPv4 | 185.222.222.222 | 45.11.45.11 |
| IPv6 | 2a09:: | 2a11:: |
| DoH | https://doh.dns.sb/dns-query | https://doh.sb/dns-query |
| DoH (IP) | https://45.11.45.11/dns-query | https://185.222.222.222/dns-query |
| DoT | dot.sb | |
| DoT (IP) | 185.222.222.222 | 45.11.45.11 |
Like Cloudflare, it supports mainstream DoT, DoH, and other encrypted DNS resolutions. It has Anycast enabled and may not have as many nodes as Cloudflare, but it still covers most regions. In addition, if you have a VPS, you can try tracing 185.222.222.222. You may find that your VPS and dns.sb are in the same internal network.
Best practices for public DNS#
In summary, if you need to choose a public DNS and want to obtain CDN resolution results that are as friendly as possible:
For resolving domestic websites, it is recommended to use Alibaba DNS and Tencent DNSPod.
For resolving overseas websites, it is recommended to use Cloudflare DNS or OpenDNS as the primary DNS, with Google Public DNS as the backup.