DNS Resolver

A private, application-specific DNS resolver integrated into your mobile app. Standard DoH, DoT, and DoQ. Resolves and caches entirely inside Cambodia.


The CNX DNS Resolver is a private DNS resolver dedicated to a single mobile or web application. It is provisioned per customer, tuned to that application's own domains and dependencies, and answers over standard encrypted DNS transports: DoH (RFC 8484), DoT (RFC 7858), and DoQ (RFC 9250). Integration is a standard resolver client pointed at the assigned endpoint, and every answer comes from inside Cambodia.

What problem it solves

When a carrier or ISP loses its connection to the outside world — a cut submarine cable, a congested international gateway, a peering dispute — any application whose DNS resolution depends on an overseas resolver goes down with it, even though the app's own servers and authoritative DNS never left Cambodia. The domain simply stops resolving. This is a resilience problem first: DNS is one of the quietest ways a domestic service ends up depending on infrastructure outside the country, because nobody chose it deliberately. Field testing across Cambodian public WiFi networks found that most access points hand out a resolver that answers from outside Cambodia — Google's 8.8.8.8 is common, resolving from Vietnam, Singapore, or Hong Kong — and several networks silently forward all DNS traffic overseas regardless of which resolver a device actually requests.

That silent dependency is also a sovereignty problem. A guarantee that traffic stays inside Cambodia is only as strong as its weakest link, and DNS resolution is very often the one link nobody audited. The CNX DNS Resolver removes the ambiguity: every query the app makes is answered inside Cambodia, by infrastructure under Cambodian jurisdiction — not a best effort, a guarantee.

Keeping resolution in-country is also dramatically faster — a cold DNS lookup drops from as much as 300 ms to single-digit milliseconds:

ScenarioMeasured latency
Resolver overseas, authoritative in-country200–340 ms
Both resolver and authoritative overseas~70 ms
Both resolver and authoritative in-country5–15 ms
How to integrate it

The app points a standard resolver client at its assigned CNX endpoint, using whichever of the three transports fits its stack:

Encrypting DNS protects the application from network-level DNS hijacking and manipulation of DNS records — an on-path attacker cannot read, spoof, or redirect a query it cannot see inside. The CNX resolver service only offers secure DNS access: plain DNS over UDP or TCP (RFC 1035) is not offered.

What the service delivers
Measured performance (in-country resolver + authoritative)
NetworkTotal DNS timeBreakdown
WiFi3–15 msDNS ~1 ms · Radio 3–15 ms
Mobile (4G/5G)35–55 msDNS ~1 ms · Radio 30–40 ms
Capacity and SLA

The instance is sized to the application's concurrent query volume at launch, and scales as usage grows — tell us what you need today and what you expect at peak, and capacity is provisioned accordingly.

AllocationA dedicated instance and cache, sized to your application's query volume
Platform ceiling500,000+ QPS recursive capacity available on the platform
RedundancyAcross Phnom Penh PoPs — no single point of failure
Standards

The resolver answers DNS over HTTPS per RFC 8484, DNS over TLS per RFC 7858, and DNS over QUIC per RFC 9250 — no other transport is offered. All three are served from the same dedicated instance; there is no separate product tier per transport.