ISP DNS Servers

We Analysed 109,644 DNS Resolvers. Your ISP’s Is Probably Doing Something Shady.

By PublicDNS.info Team · Updated March 2026

Your ISP gave you a DNS server when you signed up for internet. You never asked for it, you never configured it, and you’ve probably never questioned it. It came with the package, like the cheap router they shipped you, and it’s been silently handling every domain lookup your household makes ever since.

Here’s the problem: that server might be lying to you.

We run PublicDNS.info, a DNS testing infrastructure that probes 109,644 resolvers every 72 hours. Each probe checks whether the server answers correctly, whether it hijacks failed queries, whether it validates DNSSEC, and whether it's actually online. We've been doing this continuously, and the 2026 ISP DNS Report summarises what we found.

The short version: a lot of ISP DNS servers are not doing what you’d expect a DNS server to do.

The NXDOMAIN Hijacking Problem

This is the big one, and it’s worth explaining because it reveals a lot about how ISPs think about DNS.

When you type a name that doesn't exist, say, a misspelled domain that nobody has registered, the DNS system is supposed to come back with an NXDOMAIN response (RCODE 3, defined in RFC 1035 back in 1987). "This domain doesn't exist." Your browser shows an error page. That's the correct behaviour, and software has relied on it for decades.

But a significant chunk of ISP resolvers do something different. They intercept the NXDOMAIN response, throw it away, and instead return the IP address of a search page filled with sponsored ads. You type gooogle.com, and instead of an error, you get a Yahoo-style search page owned by or licensed to your ISP, covered in advertising. Your typo just generated ad revenue for your internet provider.

You might think: so what? I get search results instead of an error. But it’s worse than it looks.

Mail servers look up the recipient's domain before accepting or relaying a message; a synthesised answer makes a non-existent domain look deliverable, so the message is accepted and bounces later instead of being rejected up front. Browsers have had to build defences against this because it's so common: Chrome, for example, resolves a few random hostnames at startup and treats a consistent answer for all of them as a sign that the resolver is rewriting NXDOMAIN. Security tooling that watches for bursts of NXDOMAIN responses, a classic signature of malware cycling through algorithmically generated domains, is blinded when every lookup "succeeds". Any application that expects a standards-compliant answer gets fed an address it never asked for. Your ISP is fundamentally breaking the protocol for a few fractions of a cent in ad revenue.

You can check right now whether your ISP does this: run the DNS Privacy Check on PublicDNS.info. One of the tests specifically sends queries for domains that shouldn’t exist and checks if the response is a proper NXDOMAIN or a hijacked redirect. If your ISP is hijacking, the tool will show it.

Reliability Is Not What You’d Expect

ISP DNS servers are, on average, less reliable than public alternatives. This shouldn’t be surprising when you think about the economics: DNS is a cost centre for ISPs. They don’t make money from running it (NXDOMAIN hijacking aside). It’s just infrastructure they have to maintain, and it competes for budget with everything else.

Compare that to Cloudflare or Google, where DNS is a core product. They invest heavily in global infrastructure, redundancy, and monitoring because their reputation depends on it. The result is a measurable gap: major public DNS providers maintain near-perfect uptime, while ISP resolvers show noticeably higher timeout rates and inconsistent response times.

This is the real reason behind those random “internet isn’t working” moments that fix themselves after a minute. Your connection was fine. Your ISP’s DNS was having a moment.

DNSSEC: The Security Feature Most ISPs Ignore

DNSSEC is an extension to DNS in which zone operators cryptographically sign their records so a resolver can verify they haven't been tampered with in transit. It has been standardised since 2005 (RFC 4033 through 4035) and it's the primary defence against DNS cache poisoning and spoofing attacks.

Every major public DNS provider, Cloudflare, Google, Quad9, OpenDNS, validates DNSSEC. Many ISP resolvers don't. This means that if a response for a signed domain has been forged (say, by an on-path attacker redirecting your bank's domain to a phishing server), a validating resolver rejects it and returns SERVFAIL, while a non-validating ISP resolver happily passes the forged answer through because it never checks the signatures. Two caveats are worth knowing. First, DNSSEC only protects domains whose operators have signed them; many banks still haven't, and no resolver can validate a zone that publishes no signatures. Second, validation at the resolver only covers the path between the resolver and the authoritative servers. The answer still travels from the resolver to your device as plaintext UDP, and that last hop is what encrypted DNS (DoT or DoH) or a validator on your own machine covers.

Is this a daily threat for most people? No. But it’s a completely unnecessary vulnerability when the fix is switching to a resolver that does validate DNSSEC. Which, again, takes two minutes.
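The two tests described above, NXDOMAIN hijacking and DNSSEC validation, are simple enough to reproduce by hand. What follows is an added example written for this article, not PublicDNS.info's own probe code. It builds and parses DNS messages with the standard library only (RFC 1035 wire format plus an EDNS0 OPT record carrying the DO bit, RFC 6891), classifies the replies, and includes constructed sample replies so the classification logic can be exercised offline. The probe names are assumptions: a random label under the signed zone example.com should produce NXDOMAIN, and dnssec-failed.org is a publicly documented, deliberately broken zone that a validating resolver must reject.

```python
"""Probe a recursive resolver for NXDOMAIN hijacking and DNSSEC validation.

Added example for this article (not PublicDNS.info's test harness). Standard
library only; messages are built and parsed per RFC 1035 / RFC 6891.
"""
import secrets
import socket
import struct

RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN = 0, 2, 3
TYPE_A, TYPE_OPT = 1, 41
FLAG_AD = 0x0020  # "authenticated data" bit in the header flags


def encode_name(name: str) -> bytes:
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, txid: int, dnssec_ok: bool = True) -> bytes:
    """Recursive A query; with dnssec_ok an OPT RR with DO=1 is appended."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if dnssec_ok else 0)
    question = encode_name(name) + struct.pack("!HH", TYPE_A, 1)
    # OPT: root name, type 41, UDP size 1232, ext-rcode 0, version 0, DO flag, rdlen 0
    opt = (b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, 1232, 0, 0, 0x8000, 0)) if dnssec_ok else b""
    return header + question + opt


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_response(msg: bytes) -> dict:
    """Return transaction id, RCODE, AD bit and any A records in the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_A and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return {"id": txid, "rcode": flags & 0xF, "ad": bool(flags & FLAG_AD), "answers": addrs}


def classify_nxdomain(resp: dict) -> str:
    """A name that does not exist must come back as RCODE 3 with no answers."""
    if resp["rcode"] == RCODE_NXDOMAIN and not resp["answers"]:
        return "honest"
    if resp["rcode"] == RCODE_NOERROR and resp["answers"]:
        return "hijacked"                        # synthesised A record for a nonexistent name
    return "inconclusive"                        # SERVFAIL, REFUSED, empty NOERROR, ...


def classify_dnssec(signed: dict, bogus: dict) -> str:
    """signed = reply for a correctly signed name, bogus = reply for a badly signed one."""
    if signed["rcode"] == RCODE_NOERROR and signed["ad"] and bogus["rcode"] == RCODE_SERVFAIL:
        return "validating"
    if signed["rcode"] == RCODE_NOERROR and not signed["ad"] and bogus["rcode"] == RCODE_NOERROR:
        return "not validating"                  # passes the bogus answer through untouched
    return "inconclusive"


def probe(server: str, name: str, timeout: float = 3.0) -> dict:
    """Send one UDP query and parse the reply, checking the transaction id."""
    txid = secrets.randbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, 53))
        data, _ = s.recvfrom(4096)
    resp = parse_response(data)
    if resp["id"] != txid:
        raise ValueError("transaction id mismatch, reply ignored")
    return resp


def sample_response(flags: int, answers=()) -> bytes:
    """Constructed wire-format reply for offline testing (not captured from any resolver)."""
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), 0, 0)
    question = encode_name("nothere.example.com") + struct.pack("!HH", TYPE_A, 1)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 60, 4) + socket.inet_aton(ip)
                   for ip in answers)
    return header + question + rrs


if __name__ == "__main__":
    import sys
    server = sys.argv[1] if len(sys.argv) > 1 else "1.1.1.1"
    nx = probe(server, secrets.token_hex(6) + ".example.com")   # random label: should not exist
    print("NXDOMAIN:", classify_nxdomain(nx), nx)
    print("DNSSEC:  ", classify_dnssec(probe(server, "example.com"), probe(server, "dnssec-failed.org")))
```

Run it as `python3 probe.py <resolver-ip>` against the address your router hands out and then against a public resolver to compare. The transaction id check matters: without it a stray or spoofed reply would be accepted. A resolver that answers "hijacked" for a random name, or "not validating" for the signed/bogus pair, is showing exactly the behaviour the two sections above describe.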

The Privacy Angle

Beyond the technical issues, there’s the privacy dimension. Your ISP DNS server sees and logs every domain every device in your household visits. In many jurisdictions, ISPs are legally required to retain these logs:

— In the UK, the Investigatory Powers Act requires 12 months of “internet connection records.”

— In Australia, the Telecommunications (Interception and Access) Act, as amended in 2015, requires two years of metadata retention.

— In the US, there’s no federal requirement, but ISPs are free to log and sell DNS data (and they do).

— In the EU, various member states keep their own retention requirements even though the Court of Justice struck down the Data Retention Directive in 2014.

Even where there’s no legal requirement, ISPs often log voluntarily for “network management” purposes, which sometimes includes selling anonymised (or not-so-anonymised) data to advertising networks and data brokers.

If you’re curious what your current DNS setup reveals about you, What Is My DNS shows which resolver you’re using. The WHOIS Lookup tool lets you check who owns any IP address, which is handy for figuring out whether a resolver belongs to your ISP or someone else. And the DNS Dig Lookup lets you query specific resolvers to compare their responses.

What To Do About All This

Switch. That’s really the answer. The entire process:

  1. Pick a provider. The Best DNS 2026 list on PublicDNS.info ranks them by tested reliability. If privacy is your main concern, the Best Private DNS list focuses on logging policies and jurisdiction. For gaming, Best for Gaming. You get the idea.
  2. Change DNS on your router. This covers every device on your network in one step. Log into the admin panel, find the DNS fields (usually under WAN or DHCP settings), enter the new addresses, save, reboot.
  3. Enable encrypted DNS if your devices support it. Without it, queries still leave your device as plaintext on port 53, where your ISP can read them and where some ISPs transparently redirect them to their own resolver regardless of the address you configured. DoT or DoH closes that gap after you've switched resolvers. The DoH vs DoT guide explains the protocols, and the encrypted DNS setup guide has the step-by-step.
  4. Verify everything. What Is My DNS confirms your resolver. The DNS Privacy Check confirms encryption and catches any leaks back to your ISP.
  5. Benchmark your speed. The DNS Speed Test measures actual latency from your network so you know you’ve picked something faster than what your ISP was giving you.
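For steps 3 and 4 on a Linux machine that uses systemd-resolved, this is the configuration that turns on DNS over TLS in strict mode plus local DNSSEC validation. It is an added example, not a snippet from PublicDNS.info's setup guide; the two upstreams (Cloudflare and Quad9, with the hostnames they publish for their TLS certificates) are a choice made for the example, not a recommendation from the article.

```ini
# /etc/systemd/resolved.conf  (added example, not taken from the article)
[Resolve]
# Upstream resolvers, each with the name expected in its TLS certificate
DNS=1.1.1.1#cloudflare-dns.com 9.9.9.9#dns.quad9.net
# No plaintext fallback: if TLS to the servers above fails, resolution fails
FallbackDNS=
DNSOverTLS=yes
# Validate signatures on this machine rather than trusting the upstream's AD bit
DNSSEC=yes
```

After `sudo systemctl restart systemd-resolved`, `resolvectl status` should show the two servers and `+DNSOverTLS` with DNSSEC enabled. One caveat: resolvers learned from DHCP (usually the router) are configured per network link and take precedence for that link, so if `resolvectl status` still lists the router's address on your main interface, set the servers there as well (`resolvectl dns <interface> 1.1.1.1 9.9.9.9`, or in the per-connection settings of your network manager). Then `resolvectl query dnssec-failed.org` should fail with a validation error, and a query for a random, unregistered name should return NXDOMAIN rather than an address.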

The whole thing takes maybe ten minutes. And once it’s done, your DNS is faster, more reliable, more private, and not run by a company whose incentives are misaligned with your interests.

For the Technically Curious

If you want to go deeper, PublicDNS.info publishes more detailed resources:

— The full 2026 ISP DNS Report with country-level hijacking breakdowns

— The DNS Issues page with live problem tracking across resolvers

— ISP DNS servers by country with individual test results

— Guides for running your own recursive resolver with Unbound or setting up Pi-hole for network-wide filtering

The point of all of this isn’t to scare anyone. ISP DNS works most of the time for most people. But “works most of the time” is a low bar when the alternative is “works all of the time, faster, more securely, and without logging your browsing history.” It’s a free upgrade, and there’s no reason not to take it.
