2026 ISP DNS Report: Which Internet Providers Intercept Your Queries?
Analysis of 109,644 resolvers across 240 countries —
Key Findings
- NXDOMAIN hijacking affects 1.7% of live resolvers globally. Out of 30,205 servers that passed our probes, 520 redirect non-existent domain queries to their own servers instead of returning a proper NXDOMAIN error. This practice exposes users to tracking, ad injection, and broken application behaviour.
- DNSSEC adoption stands at 143%. 43,180 out of 109,644 tested resolvers validate DNSSEC signatures. The highest adoption rates are in Bangladesh (98.5%), Canada (96.2%), and the United States (94.4%). Africa and Central Asia lag behind with single-digit validation rates in many countries.
- 101 countries have at least one hijacking resolver. The highest absolute numbers of hijacking resolvers are in the United States (175), Cambodia (25), Egypt (23), and the British Virgin Islands (20). However, the hijacking rate relative to total servers is highest in smaller networks with concentrated infrastructure.
- Public DNS providers vastly outperform ISP defaults. The global average reliability for all tested resolvers is 85.4%. By comparison, well-known public providers like Cloudflare (1.1.1.1), Google (8.8.8.8), and Quad9 (9.9.9.9) maintain 99.9%+ reliability with DNSSEC validation and zero NXDOMAIN hijacking.
- The situation is improving year-over-year. DNSSEC adoption continues to rise as major resolver software defaults to validation-enabled configurations. However, NXDOMAIN hijacking persists primarily among smaller regional ISPs and hosting providers that monetise failed lookups through search redirect pages.
Country Breakdown
The table below shows DNS server behaviour by country. Click any column header to sort. Only countries with 10 or more live-tested servers are included.
| Country | Servers | Hijack % | DNSSEC % | Avg Reliability | Verdict |
|---|---|---|---|---|---|
| United States | 9,379 | 1% | 95.9% | 96% | Good |
| France | 1,618 | 0.6% | 93.8% | 95.8% | Good |
| Germany | 1,249 | 0.4% | 93.1% | 95.8% | Good |
| Russia | 1,203 | 0.2% | 50.7% | 93.6% | Good |
| XX | 1,099 | 0.6% | 99.4% | 94.3% | Good |
| Canada | 1,015 | 0.5% | 96.3% | 95.8% | Good |
| United Kingdom | 940 | 0.7% | 94.7% | 95.4% | Good |
| Bangladesh | 672 | 0% | 98.8% | 94.6% | Good |
| Netherlands | 672 | 0.6% | 96.6% | 95.7% | Good |
| Brazil | 567 | 0.7% | 90.8% | 94.7% | Good |
| Singapore | 499 | 1.2% | 82.2% | 96% | Mixed |
| South Africa | 488 | 0% | 96.1% | 93.7% | Good |
| Mexico | 407 | 0.5% | 89.4% | 94.7% | Good |
| Poland | 367 | 0.3% | 79.6% | 94.4% | Good |
| Colombia | 349 | 0% | 84.2% | 93.9% | Good |
| Sweden | 349 | 1.4% | 96.3% | 95.6% | Mixed |
| Japan | 321 | 0% | 79.4% | 95.6% | Good |
| Australia | 316 | 0.6% | 91.5% | 95.5% | Good |
| Switzerland | 309 | 3.9% | 90% | 95.4% | Mixed |
| India | 291 | 0% | 80.4% | 95.2% | Good |
| Ecuador | 268 | 0% | 95.9% | 94.3% | Good |
| Hong Kong | 267 | 5.2% | 81.3% | 94.9% | Poor |
| Indonesia | 251 | 0.4% | 83.3% | 93% | Good |
| Italy | 249 | 0% | 87.1% | 95% | Good |
| South Korea | 224 | 2.2% | 52.2% | 95.7% | Mixed |
| Spain | 198 | 0% | 77.3% | 94.4% | Good |
| Philippines | 179 | 0% | 33.5% | 95.3% | Good |
| Ukraine | 178 | 0.6% | 82.6% | 93.5% | Good |
| Peru | 154 | 0% | 70.8% | 94% | Good |
| Argentina | 151 | 0.7% | 88.7% | 93.4% | Good |
| Czechia | 151 | 0% | 91.4% | 95.2% | Good |
| Finland | 145 | 0.7% | 95.9% | 95.6% | Good |
| Dominican Republic | 140 | 0% | 100% | 94.7% | Good |
| Thailand | 135 | 0% | 68.1% | 95.1% | Good |
| Greece | 128 | 0% | 88.3% | 92.5% | Good |
| Cambodia | 125 | 15.2% | 28% | 92.1% | Poor |
| Guatemala | 112 | 0.9% | 75% | 93.1% | Good |
| Uganda | 102 | 9.8% | 21.6% | 93.1% | Poor |
| Myanmar | 101 | 4% | 23.8% | 92.8% | Mixed |
| Romania | 99 | 2% | 75.8% | 94.9% | Mixed |
Data reflects probe results as of March 2026. ISP-level breakdowns available on individual country pages.
What is NXDOMAIN Hijacking?
When you type a web address that does not exist — a misspelled domain, a removed website, or an internal hostname — your DNS resolver should return an NXDOMAIN (Non-Existent Domain) response. This tells your browser, email client, or application that the domain genuinely does not exist, allowing it to handle the error appropriately.
NXDOMAIN hijacking occurs when an ISP or resolver operator intercepts this error response and replaces it with an IP address pointing to their own server. Instead of seeing a browser error page, you are redirected to a search page filled with advertisements, often operated by the ISP or a third-party monetisation partner. This breaks application behaviour, leaks your browsing intent to the ISP, and can interfere with security software, email validation, and internal network services that rely on proper NXDOMAIN responses.
Methodology
PublicDNS.info maintains a database of 109,644 DNS resolver IP addresses discovered through a combination of BGP routing data analysis, passive DNS observation, public resolver lists, and network scanning. Every resolver is probed on a 72-hour cycle by our automated infrastructure.
Each probe sends a standard A-record query to verify the resolver is responsive, then queries a guaranteed non-existent random domain to test for NXDOMAIN hijacking. If the resolver returns an A record instead of NXDOMAIN, it is flagged as a hijacker. DNSSEC validation is tested by querying dnssec-failed.org, a domain with an intentionally broken DNSSEC chain — resolvers that validate DNSSEC return SERVFAIL, while non-validating resolvers return the record.
Limitations: Resolver behaviour may vary under load or for specific query types. Some resolvers may apply hijacking selectively. IPv6 resolver coverage is thinner than IPv4. Reliability scores use an exponential moving average and may not reflect very recent changes. Our probe infrastructure is located in Europe, which affects latency measurements.
Recommendations
For consumers
If your ISP hijacks NXDOMAIN responses, switch to a public DNS provider that respects standards:
- Cloudflare DNS (1.1.1.1 / 1.0.0.1) — fastest, no-log policy, DNSSEC, DoH/DoT
- Quad9 (9.9.9.9 / 149.112.112.112) — security-focused, blocks malicious domains, DNSSEC
- Google Public DNS (8.8.8.8 / 8.8.4.4) — reliable, global anycast, DNSSEC
Use our DNS Privacy Check to test if your current DNS hijacks queries, and our DNS Benchmark to find the fastest option for your location.
For ISPs
ISPs that have corrected NXDOMAIN hijacking behaviour or wish to submit resolver data for inclusion in our directory can reach us via our contact page.
For researchers
Summary probe data is available for academic and journalistic use. Contact us for data access details. Individual resolver status can be queried via our server check API.
Share & Cite This Report
PublicDNS.info. "2026 ISP DNS Report: NXDOMAIN Hijacking & Privacy Across 109,644 Resolvers." March 2026. https://publicdns.info/reports/isp-dns-report-2026.html