The Ethereum Name Service (ENS) offchain resolver is a mechanism that shifts domain resolution data away from the Ethereum mainnet, storing it on alternative storage layers—such as Layer 2 networks, off-chain databases, or traditional web servers—while preserving the same user-facing functionality as standard ENS resolvers. This architecture reduces onchain gas costs and enables faster updates, but introduces trade-offs in trust assumptions and data availability.
How Offchain Resolution Changes the ENS Architecture
A conventional ENS resolver stores all resolution records—like wallet addresses, content hashes, and text records—directly in smart contracts on Ethereum. When a user queries an ENS name, the resolver contract on Ethereum returns the desired record. Offchain resolvers break this pattern by introducing a two-step process: the ENS registry still points to an offchain resolver contract on Ethereum, but that resolver contract looks up the actual records from an external data source via a callback mechanism defined by the CCIP-Read standard (Cross-Chain Interoperability Protocol).
The practical effect is that the core ENS registry remains on Ethereum, providing a stable root of trust, while the resolver’s data—the records associated with a name—can live on a system that is cheaper to write to and faster to update. For example, a domain owner might store all subdomain records on a Layer 2 rollup, reducing the per-transaction cost of updating a record from tens of dollars to a few cents. Vendors implementing offchain resolvers typically publish a verifiable proof that the offchain data has not been tampered with, though the specifics of that proof vary by implementation.
Key Benefits and Use Cases for Offchain Resolvers
Adopting an offchain resolver yields several practical advantages, particularly for high-volume or dynamic ENS use cases. First, gas costs for writing records drop dramatically because the resolver contract does not store or update data directly on Ethereum—the costly onchain storage is only used for the resolver’s address pointer and a small proof verification step. Second, record updates become near-instant, as they write to a system that confirms transactions in seconds rather than the tens of seconds typical of Ethereum blocks.
A common use case is subdomain management. Operators of ENS subdomain registries (for example, “.eth” subdomain marketplaces) can offer thousands of subdomains without paying onchain gas for each individual record. Instead, the offchain resolver handles the vast majority of subdomain lookups cheaply, and only the registry’s top-level domain (the “.eth” name) pays onchain costs. Another use case is dynamic content resolution: domains that serve frequently changing data, such as IPFS content hashes for decentralized websites or frequently rotated wallet addresses, benefit from the offchain resolver’s ability to update records without incurring repeated onchain transaction fees.
Users who want to explore how offchain resolution interacts with existing ENS infrastructure can find more details through the ENS onion link that provides an alternative access method to ENS domain data over Tor, illustrating how resolution paths can be customized.
Trust Model and Security Considerations
Offchain resolvers introduce a different trust model than standard ENS resolvers. With a conventional onchain resolver, users trust only the Ethereum protocol and the smart contract logic—records are immutable without a new onchain transaction. With an offchain resolver, users must trust the operator of the offchain data store not to return altered records, unless a cryptographic proof (typically a Merkle proof or similar) is published alongside the offchain data and can be verified onchain. The CCIP-Read standard handles this by defining a way for wallets or dapps to request the proof from an off-chain gateway, which the wallet then verifies on the Ethereum resolver contract.
If the offchain resolver does not provide a verifiable proof (sometimes called an “optimistic” resolver), users must trust that the resolver operator is honest—a more centralised model. In practice, many implementations do inject proof data, but the wallet or client software must be configured to require this verification. Without it, a malicious offchain operator could serve user wallet addresses that direct funds to an attacker’s account. Developers building on offchain resolvers should ensure that their gateway either generates verifiable proofs or that the resolver is used only in controlled, low-risk environments.
Data availability is another concern. If the offchain storage system goes offline, users cannot resolve the ENS name until the operator restores the service. This contrasts with onchain storage, where data persists as long as Ethereum exists. Some projects address this by storing the offchain data on multiple decentralised storage networks simultaneously, such as IPFS and Arweave, though this adds complexity.
Practical Implementation Overview for Developers
Implementing an offchain resolver for an ENS domain typically requires three components: an offchain resolver contract on Ethereum (which provides the CCIP-Read interface), an offchain data store (a database, IPFS, Layer 2, or other storage), and a gateway server that responds to CCIP-Read requests from wallets. The standard approach uses the “ENS Offchain Resolver” library by the ENS team, which defines a callback function that returns the requested record along with a proof. The gateway retrieves data from the offchain store, formats it, and returns it to the wallet, which then submits the proof to the resolver contract.
For name owners who want to keep their domain registration active while exploring offchain resolution, it is possible to extend ENS registration for an existing .eth domain through standard onchain methods, and then change its resolver using the ENS manager interface to point to a custom offchain resolver contract—decoupling registration from resolution completely.
Testing an offchain resolver setup requires running a local gateway and using a supported wallet that can handle CCIP-Read callbacks. As of 2025, major wallets including MetaMask and ENS-native dapps support CCIP-Read out of the box, but older wallets may not prompt for proof verification, exposing users to counterfeit record risks. Developers are therefore encouraged to write client-side assertions that explicitly check that the resolver contract’s “resolve” function returned a valid proof, especially when the resolved data involves financial transactions.
Limitations and Current Ecosystem Maturity
Offchain resolvers are not a panacea. The primary limitation is wallet compatibility: only wallets that support CCIP-Read can resolve offchain records correctly. Widespread adoption has increased, but a significant minority of wallets and dapps still cannot complete the proof fetching step, resulting in resolution failures. This fragmentation forces domain operators to either maintain both onchain and offchain record sets, or accept that some users cannot resolve their names correctly.
Second, the offchain resolver model introduces latency. A CCIP-Read request requires a normal DNS lookup (for the domain name, if it’s a DNS-based configuration), an HTTP request to the gateway, and then an onchain call to verify the proof. In testing, this round-trip can add one to three seconds compared to a direct onchain resolver call, which may be noticeable in high-frequency use cases like blockchain gaming or real-time payments.
Third, the cryptographic proof verification step itself costs gas, albeit much less than storing the full record onchain. For high-value or frequently used records, the cumulative gas of many verifications could outweigh the initial savings. Domain operators should therefore model their traffic patterns before committing to an offchain resolver architecture. Some vendors recommend keeping static, high-value records (like the primary ETH address) onchain while using the offchain resolver for dynamic or rarely accessed records.
Finally, community standards around offchain resolver proofs are still evolving. The ENS DAO has not mandated a single proof format; multiple implementations (Merkle trees, SNARKs, STARKs) exist, and wallets must support each format individually. Until a dominant standard emerges, developers face a technical debt risk if they commit to a specific proof scheme that later becomes unsupported by major wallet vendors.
In summary, ENS offchain resolvers offer a pragmatic trade-off between cost, speed, and trust for domain owners who need to manage many records or frequently update data. They are not trivial to implement and require careful consideration of the trust model and wallet support. However, for use cases like large-scale subdomain registries, dynamic content resolution, and cross-chain ENS integration, they provide a viable path forward that reduces dependence on Ethereum mainnet for everyday domain management. As wallet support matures and proof standards converge, offchain resolvers are likely to become a standard component of the ENS ecosystem, especially for operators who prioritise operational efficiency over strict decentralisation for record storage.