DNSBUNKER is a hardened, privacy-first DNS resolver located in Germany. Designed to block ads, malware, and surveillance — with zero logs, zero compromise.
Apple Device Setup
Deploy mobile configuration for iOS/macOS securely:
Deploy Config ProfileScan to Configure:
Server Specs
| IPv4 | 87.106.108.91 | 87.106.32.13 |
|---|---|---|
| IPv6 | 2a01:239:295:e800::1 | 2a01:239:290:e700::1 |
| Location | Berlin, Germany | |
| Uptime | 99.9% (Redundant Infrastructure) |
Encrypted Protocols
| DoH & DoH3 | https://dnsbunker.org/dns-query |
|---|---|
| DoT & QUIC | dnsbunker.org |
Filter Intelligence
https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/whitelist-referral-native.txt
https://raw.githubusercontent.com/hagezi/dns-blocklists/refs/heads/main/adblock/pro.plus.txt
https://raw.githubusercontent.com/hagezi/dns-blocklists/refs/heads/main/adblock/tif.txt
https://raw.githubusercontent.com/hagezi/dns-blocklists/main/domains/native.amazon.txt
https://raw.githubusercontent.com/hagezi/dns-blocklists/main/domains/native.apple.txt
https://raw.githubusercontent.com/hagezi/dns-blocklists/main/domains/native.huawei.txt
https://raw.githubusercontent.com/hagezi/dns-blocklists/main/domains/native.winoffice.txt
https://raw.githubusercontent.com/hagezi/dns-blocklists/main/domains/native.samsung.txt
https://raw.githubusercontent.com/hagezi/dns-blocklists/main/domains/native.tiktok.txt
https://raw.githubusercontent.com/hagezi/dns-blocklists/main/domains/native.lgwebos.txt
https://raw.githubusercontent.com/hagezi/dns-blocklists/main/domains/native.roku.txt
https://raw.githubusercontent.com/hagezi/dns-blocklists/main/domains/native.vivo.txt
https://raw.githubusercontent.com/hagezi/dns-blocklists/main/domains/native.oppo-realme.txt
https://raw.githubusercontent.com/hagezi/dns-blocklists/main/domains/native.xiaomi.txt
https://raw.githubusercontent.com/xRuffKez/NRD/refs/heads/main/lists/30-day_dga/adblock/nrd-30day-dga_adblock_part1.txt
https://raw.githubusercontent.com/xRuffKez/NRD/refs/heads/main/lists/30-day_dga/adblock/nrd-30day-dga_adblock_part2.txt
https://raw.githubusercontent.com/xRuffKez/NRD/refs/heads/main/lists/30-day_phishing/adblock/nrd-phishing-30day_adblock.txt
Technical Configuration
| ECS (EDNS Client Subnet) | Disabled |
|---|---|
| DNSSEC Validation | Enabled |
Security Brief
| No Censorship | Only Ads, Trackers & Malware are blocked |
|---|---|
| DNS Rebinding Protection | Private/reserved networks rejected |
| No Logging | Compliant with GDPR & privacy laws |
| Location | Berlin, Germany |
| Redundancy | High Availability with failover nodes |
About Me and DNSBunker.org
Hi, I'm xRuffKez – a privacy advocate and someone who works mostly behind the scenes on the Hagezi Blocklist Project. With DNSBunker.org, my goal is to offer a free and privacy-respecting public DNS service that blocks ads, tracking, malware, scam sites, and fake shops – all powered by Hagezi's blocklists and additional lists I maintain.
I contribute to the community by creating and maintaining NRD (Newly Registered Domains) and NRD DGA (Domain Generation Algorithm) blocklists. These are designed to block malicious domains right from their creation – a critical step in stopping malware and phishing campaigns early.
I believe that online ads have evolved into a real threat to users. They are not only annoying, but often used as vectors for malware (malvertising) and invasive tracking. The internet should be a place where users are safe and in control – not constantly monitored and targeted.
My project does not censor the internet like some ISPs or institutions do – for example, via lists like the German CUII list. I strongly oppose such forms of censorship as they can violate the fundamental right to freedom of expression. DNSBunker.org is about protection – not suppression.
This project is completely non-commercial and run out of passion for helping others. I don't track users, I don’t sell data – I just want to provide a simple, fast, and secure DNS experience for everyone.
Thank you for trusting DNSBunker.org.
Privacy Policy
DNSBunker operates this public DNS resolver with a strong commitment to privacy and security. Below is a clear explanation of how DNS query data is handled.
1. No Logging of Personal Data
DNSBunker does not log any personally identifiable information (PII), including:
IP addresses of clients
Specific queries
Resolved domains
User agents or device data
DNSBunker does not use logs to track users or profile their behavior.
2. Temporary Logging on Abuse or Malfunction
Logging may be temporarily and selectively enabled in the following cases:
Detection of abuse (e.g., DNS amplification attacks, excessive query rates)
Debugging serious malfunctions or service degradation
These logs are strictly limited in scope and duration, and are only used to mitigate issues or maintain service integrity. Once the issue is resolved, any retained data is purged.
3. Anonymous Statistics
DNSBunker collects aggregated and anonymized statistics for operational and performance monitoring. This includes:
Number of queries
Query types (A, AAAA, MX, etc.)
Cache hit/miss ratios
Protocols used (DNS, DoT, DoH)
These statistics cannot be used to identify individual clients or endpoints.
4. DNSSEC Validation
DNSBunker performs full DNSSEC validation to ensure data integrity and authenticity of DNS responses.
5. Query Filtering and Security
To protect users and the internet at large, DNSBunker implements strict filtering and protection measures:
Blocks zone transfers (AXFR/IXFR)
Drops ANY type queries to prevent abuse and amplification
Rejects queries or responses involving private or reserved IP ranges (e.g., RFC1918)
Enforces per-client rate limiting
6. Contact
For questions or concerns, please contact: xruffkez@dnsbunker.org