Ozy-666
DNS Infrastructure · Independent
Public specification — rev. 2026.06
A personal project · open to everyone

I run a public DNS resolver that keeps you private.

Hi, I'm Ozy-666. Building and running DNSDOH.ART is a personal project — an encrypted DNS resolver that blocks ads & trackers and keeps your lookups private from your internet provider. It costs nothing, the code is open, and there's no company or catch behind it. I'm not selling anything — I just think this should exist.

What is this?
§1

What it actually does

Every time you open a website, your device looks up its address — like a phone book for the internet. DNSDOH.ART does that lookup for you, but privately and cleanly. Here's what it does:

Blocks ads & trackers

Ads, trackers, and known malicious sites are stopped before they ever load — in every app on your device, not just your web browser.

Private by default

Your lookups are encrypted, so your internet provider (or the café Wi-Fi) can't see which websites you visit or sell that history.

Often faster

With less junk to download and answers served in a fraction of a millisecond, pages frequently feel snappier — not slower.

No cost, no logs

No account, no app on most devices, no cost — and nothing about your activity is recorded or stored. It runs entirely in memory.

How do I use it? Pick your device, copy one address into its DNS / "Private DNS" setting, and you're protected everywhere. The guides cover phones, laptops, and routers step by step.

Built to be reliable
§2

Measurements — small, but steady under load

It runs on a single, carefully-tuned server — and stays steady even under heavy traffic, while keeping CPU and memory use low. The numbers below come from synthetic stress testing, well past everyday use.

Lookups per second: 8,000 (sustained · ≈600× normal load)
Answered correctly: 100% (zero dropped under that load)
Logs kept: 0 (memory-only, nothing saved)

The resolver
§3

DNSDOH.ART

This is the resolver itself: public, no-logs, and open-source. It works with every modern connection type, and you don't need any technical knowledge to point your device at it.

Cost: None (no account · no app needed)
Logs kept: 0 (nothing recorded, ever)
Transports: DoH · DoT · DoQ · H3 (phone · laptop · router)

Under the hood
§4

The engine — I built it too

You don't need to read any of this to use the service — but if you're technical, here's the open-source work behind it. I rewrote the core DNS software to be faster and leaner, and every change is proven with real benchmarks (not guesses) before it ships.

4.1 AdGuardHome-edge
24.6 MB · −10 MB bloat

The brain of the service. I stripped ~13k lines of anything that leaks data or wastes time (DHCP, cloud lookups, client-subnet), rebuilt the request pipeline to allocate nothing, and made the hot paths lock-free so it holds up under flood. A built-in front cache means most repeat lookups never travel further than this box.

0-alloc pipeline · lock-free serve path · front-cache +60% · −13k LOC
github.com/Ozy-666/AdGuardHome-edge-spec →
4.2 dnsproxy
+101% throughput

How requests travel in and out. I rebuilt the UDP and TCP paths to allocate nothing, made upstream timing lock-free, and pooled connections instead of reopening one per query — then spread the listener across every CPU core. It also caps QUIC streams and DoH request sizes so a single client can't exhaust it.

0 allocs/op · lock-free RTT map · SO_REUSEPORT · flood caps
github.com/Ozy-666/dnsproxy →
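
An added example, not code from the dnsproxy fork: one way a DoH front end can cap request sizes as described in 4.2, written in Go against net/http. The function name readDoHQuery, the 4096-byte cap and the resolver.example URL are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"net/http"
)

const maxQuery, minQuery = 4096, 12 // assumed example cap (not the project's); DNS header size

// readDoHQuery returns the DNS query in an RFC 8484 request, or the status to refuse it with.
func readDoHQuery(r *http.Request) (msg []byte, status int, err error) {
	switch r.Method {
	case http.MethodPost:
		if r.Header.Get("Content-Type") != "application/dns-message" {
			return nil, http.StatusUnsupportedMediaType, errors.New("wrong content type")
		}
		if r.ContentLength > maxQuery { // refuse on the declared length, before reading
			return nil, http.StatusRequestEntityTooLarge, errors.New("declared body too large")
		}
		msg, err = io.ReadAll(io.LimitReader(r.Body, maxQuery+1)) // no declared length: read cap+1 at most
	case http.MethodGet:
		q := r.URL.Query().Get("dns")
		if base64.RawURLEncoding.DecodedLen(len(q)) > maxQuery { // size check before decoding
			return nil, http.StatusRequestURITooLong, errors.New("dns parameter too large")
		}
		msg, err = base64.RawURLEncoding.DecodeString(q)
	default:
		return nil, http.StatusMethodNotAllowed, errors.New("method not allowed")
	}
	switch {
	case err != nil:
		return nil, http.StatusBadRequest, err
	case len(msg) > maxQuery:
		return nil, http.StatusRequestEntityTooLarge, errors.New("body too large")
	case len(msg) < minQuery:
		return nil, http.StatusBadRequest, errors.New("shorter than a DNS header")
	}
	return msg, http.StatusOK, nil
}

func main() { // constructed request: a 5000-byte POST body, over the assumed cap
	r, _ := http.NewRequest(http.MethodPost, "https://resolver.example/dns-query", bytes.NewReader(make([]byte, 5000)))
	r.Header.Set("Content-Type", "application/dns-message")
	fmt.Println(readDoHQuery(r))
}
```
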
4.3 dnscrypt-proxy
0 vulnerabilities

The part that encrypts your DNS on its way out to the wider internet. I rebuilt its busy paths to allocate nothing, made server-selection lock-free, and stripped everything that phones home — the web UI, auto-updates, and remote list downloads. Then I had it security-audited; it now rejects forged upstream replies too.

0 allocs/op · lock-free WP2 · −455 KB · audited
github.com/Ozy-666/dnscrypt-proxy →
4.4 urlfilter
248× faster

The list-matcher that decides what's an ad or tracker. I changed how it indexes its trickiest rules (regular expressions) so they're found instantly instead of scanned one by one — closing a path attackers could use to slow it down with floods of fake subdomains. The lookup allocates nothing, and I verified the rebuilt engine returns identical results to the original across 39,983 real domains plus 130,000 fuzz runs.

O(1) regex matching · 0 allocs · 0 divergences verified
github.com/Ozy-666/urlfilter →
4.5 Unbound + BoringSSL
−26% latency · +9.6%

The resolver that finds each address and proves it's genuine. Checking those security signatures was eating nearly half the server's effort, so I rebuilt Unbound on Google's faster, formally-verified math library (BoringSSL) — keeping a one-command undo ready in case anything misbehaved.

Statically-linked BoringSSL · full DNSSEC validation
AdGuardHome-edge-spec · §6.6 Unbound×BoringSSL →
The journey of a request
§5

Encrypted from start to finish

When you look up a website, your request stays protected the whole way — each step has one job, and your data never travels in the open.

Your device: asks privately
Secure door: decrypts safely
Filter: blocks the junk
Verify: checks it's genuine
Encrypt out: private to the web

Being honest
§6

How this compares to the big resolvers

Cloudflare's 1.1.1.1 and Quad9 are the public resolvers most people know. They're genuinely excellent — and I'm not pretending to match them. Here's the honest difference.

The big public resolvers

They run on global anycast networks — hundreds of locations worldwide, so a server is always physically close to you. That reach is their real strength, and it's not something one person can replicate.

This one

DNSDOH.ART is one carefully-tuned server. The goal was never to out-scale them — it was to make a single node that's genuinely stable and reliable, with zero tolerance for DDoS and abuse: strict rate-limiting, a hardened firewall, and an engine that stays fast under pressure. And unlike a big company, every line of how it works is open to read.

How I work
§7

The way I build things

7.1 Verify on real CPUs

Every speed claim is measured on real production hardware with proper tools — never guessed, never tested on a laptop.

7.2 Honest about results

When an idea doesn't actually help, I write that down too. The wins and the dead-ends are both documented in the open.

7.3 Privacy first

Anything that could leak what you do is removed by default. No telemetry, no tracking, nothing kept on disk.

7.4 Always reversible

Every change can be switched off in one step. If something ever acts up in production, it's undone instantly — no drama.