Updated 24-Apr-2026
There are several places to put in DNS resolvers and Secure DNS servers to use, and variations of those services. The following are for Quad9.
DNS resolvers
Resolvers resolve DNS names to IP addresses. These are usually one or two IPv4 and/or IPv6 addresses. These can be set at your home router, so that all DHCP leases have them. For Quad9 (my current resolver of choice) these are:
IPv4 Resolver
9.9.9.9
149.112.112.112
IPv6 Resolver
2620:fe::fe
2620:fe::9
Private DNS Resolver
Private DNS uses a secure connection (prevents snooping). In Android, go to:
- > Settings > Connections > More connection settings > Private DNS
dns.quad9.net
Note that for some odd reason the highly useful archive.is cannot be reached using the Quad9 private DNS resolver though it can be through the standard Quad9 IPv4 resolver.
Therefore until this is sorted, use ControlD instead.
p0.freedns.controld.com
It is possible to run one's own resolver, and even secure Private DNS, though it takes a bit of configuring and resolvers are seen as an attack vector for various bad actors. Best to outsource these things (for free).
DNS Services (hosting)
There are several DNS services to choose from. Dyn and related companies is the worst. Free DNS services can be quite laggy and otherwise disappointing. However, there are a few cloud companies with decent free-tier DNS services. I prefer Gcore.
As with resolvers, basic DNS services can be run on one's own server, not including the Registrar functionality of placing the nameservers in the root domain servers of the Internet. Again, it takes a bit of configuring so that one has functionality, privacy, security, and is not seen as a target. Works, fine and they also have a free-tier CDN and other services.
DNS Records
NS Records
There are several records to worry about. The first are nameservers, which are put into the registrar database. This can be as few as two or as many as six (possibly more).
A Records
Depending on the DNS Server, these can have wildcards or not. Generally there are at least three A records to have:
Root domainwww subdomain* wildcard
For certain services, it is required to have a www. and also people mistype this, so it is best to have it as a domain, to have it on the SSL certificate, and to have a reroute from www. to the root domain.
CNAME Records
Usually only Bing Webmaster Tools requires a CNAME record. Otherwise these are generally worthless.
MX Records
These are for the mailserver. Usually a few are needed, one plus two backups. Gsuite has five records, but that is overkill. The top three make the most sense. Also, there are priority numbers, e.g, 1, 5, 10 to govern the round robbin-style resolving.
- 1, aspmx.l.google.com.
- 5, alt1.aspmx.l.google.com.
- 5, alt2.aspmx.l.google.com.
TXT Records
TXT records are the go to place for every third party to put their info. Several examples of TXT Records include:
- Yandex Webmaster Tools validation
- Google Webmaster Tools/Analytics/GSuite/etc. validation
- _acme-challenge records for DNS-based authentication for LetsEncrypt
PTR Records
PTR records are essentially a reverse so that an IP address is associated with a host.domain.tld. This is key for sending email.
DKIM, SPF, DMARC
These are all records for email security, at various levels. DKIM and DMARC are TXT records, and SPF can be TXT or specific SPF records, depending on the DNS service provider.
- Setting up Gsuite DKIM, SPF, DMARC
- Google on DMARC records
- Test SPF and DKIM
- Google on SPF
- DKIM on Gsuite
- Google: About DKIM
SPF Records
SPF looks like:
host.domain.com / "v=spf1 include:_spf.google.com ~all"
SPF are one of the earliest and easiest email records to set up for security, and specifically states which hosts can send email for the domain.
CAA Records
These records help tell SSL Cert providers which of those providers can generate a cert for the domain records. Each host needs two records:
- Name (host), Type: iodef, Value: "mailto:address@domain.com"
- Name (host), Type: issue, Value: "letsencrypt.org"