diff --git a/lib/dns/adb.c b/lib/dns/adb.c
index 8fe368445f..70bf9ef037 100644
--- a/lib/dns/adb.c
+++ b/lib/dns/adb.c
@@ -392,20 +392,38 @@ static bool
 adbentry_overquota(dns_adbentry_t *entry);
 
 /*
- * MUST NOT overlap DNS_ADBFIND_* flags!
+ * Private flag(s) for adbfind objects. These are used internally and
+ * are not meant to be seen or used by the caller; however, we use the
+ * same flags field as for DNS_ADBFIND_xxx flags, so we must be careful
+ * that there is no overlap between these values and those. To make it
+ * easier, we will number these starting from the most significant bit
+ * instead of the least significant.
  */
-#define FIND_EVENT_SENT	  0x40000000
+enum {
+	FIND_EVENT_SENT = 1 << 31,
+};
 #define FIND_EVENTSENT(h) (((h)->flags & FIND_EVENT_SENT) != 0)
 
-#define NAME_IS_DEAD	 0x40000000
-#define NAME_STARTATZONE DNS_ADBFIND_STARTATZONE
-#define NAME_DEAD(n)	 (((n)->flags & NAME_IS_DEAD) != 0)
+/*
+ * Private flag(s) for adbname objects.
+ */
+enum {
+	NAME_IS_DEAD = 1 << 31,
+};
+#define NAME_DEAD(n) (((n)->flags & NAME_IS_DEAD) != 0)
 
 /*
- * Private flag(s) for entries.
- * MUST NOT overlap FCTX_ADDRINFO_xxx and DNS_FETCHOPT_NOEDNS0.
+ * Private flag(s) for adbentry objects.  Note that these will also
+ * be used for addrinfo flags, and in resolver.c we'll use the same
+ * field for FCTX_ADDRINFO_xxx flags to store information about remote
+ * servers, so we must be careful that there is no overlap between
+ * these values and those. To make it easier, we will number these
+ * starting from the most significant bit instead of the least
+ * significant.
  */
-#define ENTRY_IS_DEAD 0x00400000
+enum {
+	ENTRY_IS_DEAD = 1 << 31,
+};
 #define ENTRY_DEAD(e) (((e)->flags & ENTRY_IS_DEAD) != 0)
 
 /*
@@ -449,8 +467,9 @@ adbentry_overquota(dns_adbentry_t *entry);
  * glue, and compare this to the appropriate bits set in o, to see if
  * this is ok.
  */
-#define STARTATZONE_MATCHES(nf, o) \
-	(((nf)->flags & NAME_STARTATZONE) == ((o)&DNS_ADBFIND_STARTATZONE))
+#define STARTATZONE_MATCHES(nf, o)                  \
+	(((nf)->flags & DNS_ADBFIND_STARTATZONE) == \
+	 ((o)&DNS_ADBFIND_STARTATZONE))
 
 #define ENTER_LEVEL  ISC_LOG_DEBUG(50)
 #define CLEAN_LEVEL  ISC_LOG_DEBUG(100)
@@ -1007,7 +1026,7 @@ new_adbname(dns_adb_t *adb, const dns_name_t *dnsname, bool start_at_zone) {
 
 	name->key.size = dnsname->length + sizeof(bool);
 	if (start_at_zone) {
-		name->flags |= NAME_STARTATZONE;
+		name->flags |= DNS_ADBFIND_STARTATZONE;
 		name->key.start_at_zone = true;
 	}
 
@@ -2786,14 +2805,14 @@ dbfind_name(dns_adbname_t *adbname, isc_stdtime_t now, dns_rdatatype_t rdtype) {
 	 * We need to specify whether to search static-stub zones (if
 	 * configured) depending on whether this is a "start at zone" lookup,
 	 * i.e., whether it's a "bailiwick" glue.  If it's bailiwick (in which
-	 * case NAME_STARTATZONE is set) we need to stop the search at any
-	 * matching static-stub zone without looking into the cache to honor
+	 * case DNS_ADBFIND_STARTATZONE is set) we need to stop the search at
+	 * any matching static-stub zone without looking into the cache to honor
 	 * the configuration on which server we should send queries to.
 	 */
-	result = dns_view_find(adb->view, &adbname->name, rdtype, now,
-			       DNS_DBFIND_GLUEOK, true,
-			       ((adbname->flags & NAME_STARTATZONE) != 0), NULL,
-			       NULL, fname, &rdataset, NULL);
+	result = dns_view_find(
+		adb->view, &adbname->name, rdtype, now, DNS_DBFIND_GLUEOK, true,
+		((adbname->flags & DNS_ADBFIND_STARTATZONE) != 0), NULL, NULL,
+		fname, &rdataset, NULL);
 
 	switch (result) {
 	case DNS_R_GLUE:
@@ -3596,7 +3615,7 @@ dns_adb_flushname(dns_adb_t *adb, const dns_name_t *name) {
 	RWLOCK(&adb->names_lock, isc_rwlocktype_write);
 again:
 	/*
-	 * Delete both entries - without and with NAME_STARTATZONE set.
+	 * Delete both entries - without and with DNS_ADBFIND_STARTATZONE set.
 	 */
 	key.start_at_zone = start_at_zone;
 	memmove(&key.name, name->ndata, name->length);
diff --git a/lib/dns/include/dns/resolver.h b/lib/dns/include/dns/resolver.h
index d094f58d84..5faa165e02 100644
--- a/lib/dns/include/dns/resolver.h
+++ b/lib/dns/include/dns/resolver.h
@@ -105,41 +105,38 @@ typedef enum { dns_quotatype_zone = 0, dns_quotatype_server } dns_quotatype_t;
 /*
  * Options that modify how a 'fetch' is done.
  */
-#define DNS_FETCHOPT_TCP	 0x00000001 /*%< Use TCP. */
-#define DNS_FETCHOPT_UNSHARED	 0x00000002 /*%< See below. */
-#define DNS_FETCHOPT_RECURSIVE	 0x00000004 /*%< Set RD? */
-#define DNS_FETCHOPT_NOEDNS0	 0x00000008 /*%< Do not use EDNS. */
-#define DNS_FETCHOPT_FORWARDONLY 0x00000010 /*%< Only use forwarders. */
-#define DNS_FETCHOPT_NOVALIDATE	 0x00000020 /*%< Disable validation. */
-#define DNS_FETCHOPT_OBSOLETE1	 0x00000040 /*%< Obsolete */
-#define DNS_FETCHOPT_WANTNSID	 0x00000080 /*%< Request NSID */
-#define DNS_FETCHOPT_PREFETCH	 0x00000100 /*%< Do prefetch */
-#define DNS_FETCHOPT_NOCDFLAG	 0x00000200 /*%< Don't set CD flag. */
-#define DNS_FETCHOPT_NONTA	 0x00000400 /*%< Ignore NTA table. */
-/* RESERVED ECS				0x00000000 */
-/* RESERVED ECS				0x00001000 */
-/* RESERVED ECS				0x00002000 */
-/* RESERVED TCPCLIENT			0x00004000 */
-#define DNS_FETCHOPT_NOCACHED  0x00008000 /*%< Force cache update. */
-#define DNS_FETCHOPT_QMINIMIZE 0x00010000 /*%< Use qname minimization. */
-#define DNS_FETCHOPT_NOFOLLOW                                                  \
-	0x00020000 /*%< Don't retrieve the NS RRset from the child zone when a \
-		    *   delegation is returned in response to a NS query. */
-#define DNS_FETCHOPT_QMIN_STRICT                                         \
-	0x00040000 /*%< Do not work around servers that return errors on \
-		    *   non-empty terminals. */
-#define DNS_FETCHOPT_QMIN_SKIP_IP6A                                        \
-	0x00080000 /*%< Skip some labels when doing qname  minimization on \
-		    *   ip6.arpa. */
-#define DNS_FETCHOPT_NOFORWARD \
-	0x00100000 /*%< Do not use forwarders if possible. */
+enum {
+	DNS_FETCHOPT_TCP = 1 << 0,	       /*%< Use TCP. */
+	DNS_FETCHOPT_UNSHARED = 1 << 1,	       /*%< See below. */
+	DNS_FETCHOPT_RECURSIVE = 1 << 2,       /*%< Set RD? */
+	DNS_FETCHOPT_NOEDNS0 = 1 << 3,	       /*%< Do not use EDNS. */
+	DNS_FETCHOPT_FORWARDONLY = 1 << 4,     /*%< Only use forwarders. */
+	DNS_FETCHOPT_NOVALIDATE = 1 << 5,      /*%< Disable validation. */
+	DNS_FETCHOPT_WANTNSID = 1 << 6,	       /*%< Request NSID */
+	DNS_FETCHOPT_PREFETCH = 1 << 7,	       /*%< Do prefetch */
+	DNS_FETCHOPT_NOCDFLAG = 1 << 8,	       /*%< Don't set CD flag. */
+	DNS_FETCHOPT_NONTA = 1 << 9,	       /*%< Ignore NTA table. */
+	DNS_FETCHOPT_NOCACHED = 1 << 10,       /*%< Force cache update. */
+	DNS_FETCHOPT_QMINIMIZE = 1 << 11,      /*%< Use qname minimization. */
+	DNS_FETCHOPT_NOFOLLOW = 1 << 12,       /*%< Don't retrieve the NS RRset
+						* from the child zone when a
+						* delegation is returned in
+						* response to a NS query. */
+	DNS_FETCHOPT_QMIN_STRICT = 1 << 13,    /*%< Do not work around servers
+						* that return errors on
+						* non-empty terminals. */
+	DNS_FETCHOPT_QMIN_SKIP_IP6A = 1 << 14, /*%< Skip some labels when
+						* doing qname minimization
+						* on ip6.arpa. */
+	DNS_FETCHOPT_NOFORWARD = 1 << 15,      /*%< Do not use forwarders if
+						* possible. */
+	DNS_FETCHOPT_TRYSTALE_ONTIMEOUT = 1 << 16,
 
-/* UNUSED			0x00200000 */
-/* Reserved in use by adb.c		0x00400000 */
-#define DNS_FETCHOPT_EDNSVERSIONSET	0x00800000
-#define DNS_FETCHOPT_EDNSVERSIONMASK	0xff000000
-#define DNS_FETCHOPT_EDNSVERSIONSHIFT	24
-#define DNS_FETCHOPT_TRYSTALE_ONTIMEOUT 0x01000000
+	/*% EDNS version bits: */
+	DNS_FETCHOPT_EDNSVERSIONSET = 1 << 23,
+	DNS_FETCHOPT_EDNSVERSIONSHIFT = 24,
+	DNS_FETCHOPT_EDNSVERSIONMASK = 0xff000000,
+};
 
 /*
  * Upper bounds of class of query RTT (ms).  Corresponds to
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 477f6b9519..17bc362601 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -602,15 +602,17 @@ struct dns_resolver {
 #define VALID_RESOLVER(res) ISC_MAGIC_VALID(res, RES_MAGIC)
 
 /*%
- * Private addrinfo flags.  These must not conflict with DNS_FETCHOPT_NOEDNS0
- * (0x008) which we also use as an addrinfo flag.
+ * Private addrinfo flags.
  */
-#define FCTX_ADDRINFO_MARK	0x00001
-#define FCTX_ADDRINFO_FORWARDER 0x01000
-#define FCTX_ADDRINFO_EDNSOK	0x04000
-#define FCTX_ADDRINFO_NOCOOKIE	0x08000
-#define FCTX_ADDRINFO_BADCOOKIE 0x10000
-#define FCTX_ADDRINFO_DUALSTACK 0x20000
+enum {
+	FCTX_ADDRINFO_MARK = 1 << 0,
+	FCTX_ADDRINFO_FORWARDER = 1 << 1,
+	FCTX_ADDRINFO_EDNSOK = 1 << 2,
+	FCTX_ADDRINFO_NOCOOKIE = 1 << 3,
+	FCTX_ADDRINFO_BADCOOKIE = 1 << 4,
+	FCTX_ADDRINFO_DUALSTACK = 1 << 5,
+	FCTX_ADDRINFO_NOEDNS0 = 1 << 6,
+};
 
 #define UNMARKED(a)    (((a)->flags & FCTX_ADDRINFO_MARK) == 0)
 #define ISFORWARDER(a) (((a)->flags & FCTX_ADDRINFO_FORWARDER) != 0)
@@ -2419,18 +2421,19 @@ resquery_send(resquery_t *query) {
 	 * The ADB does not know about servers with "edns no".  Check
 	 * this, and then inform the ADB for future use.
 	 */
-	if ((query->addrinfo->flags & DNS_FETCHOPT_NOEDNS0) == 0 &&
+	if ((query->addrinfo->flags & FCTX_ADDRINFO_NOEDNS0) == 0 &&
 	    peer != NULL &&
 	    dns_peer_getsupportedns(peer, &useedns) == ISC_R_SUCCESS &&
 	    !useedns)
 	{
 		query->options |= DNS_FETCHOPT_NOEDNS0;
 		dns_adb_changeflags(fctx->adb, query->addrinfo,
-				    DNS_FETCHOPT_NOEDNS0, DNS_FETCHOPT_NOEDNS0);
+				    FCTX_ADDRINFO_NOEDNS0,
+				    FCTX_ADDRINFO_NOEDNS0);
 	}
 
 	/* Sync NOEDNS0 flag in addrinfo->flags and options now. */
-	if ((query->addrinfo->flags & DNS_FETCHOPT_NOEDNS0) != 0) {
+	if ((query->addrinfo->flags & FCTX_ADDRINFO_NOEDNS0) != 0) {
 		query->options |= DNS_FETCHOPT_NOEDNS0;
 	}
 
@@ -2472,7 +2475,7 @@ resquery_send(resquery_t *query) {
 	 * the remote server doesn't like it.
 	 */
 	if ((query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
-		if ((query->addrinfo->flags & DNS_FETCHOPT_NOEDNS0) == 0) {
+		if ((query->addrinfo->flags & FCTX_ADDRINFO_NOEDNS0) == 0) {
 			uint16_t peerudpsize = 0;
 			unsigned int version = DNS_EDNS_VERSION;
 			unsigned int flags = query->addrinfo->flags;
@@ -8054,7 +8057,8 @@ rctx_edns(respctx_t *rctx) {
 			&query->addrinfo->sockaddr, DNS_LOGCATEGORY_RESOLVER,
 			DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3), fctx->mctx);
 		dns_adb_changeflags(fctx->adb, query->addrinfo,
-				    DNS_FETCHOPT_NOEDNS0, DNS_FETCHOPT_NOEDNS0);
+				    FCTX_ADDRINFO_NOEDNS0,
+				    FCTX_ADDRINFO_NOEDNS0);
 	} else if (rctx->opt == NULL &&
 		   (query->rmessage->flags & DNS_MESSAGEFLAG_TC) == 0 &&
 		   !EDNSOK(query->addrinfo) &&
@@ -8079,7 +8083,8 @@ rctx_edns(respctx_t *rctx) {
 			&query->addrinfo->sockaddr, DNS_LOGCATEGORY_RESOLVER,
 			DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3), fctx->mctx);
 		dns_adb_changeflags(fctx->adb, query->addrinfo,
-				    DNS_FETCHOPT_NOEDNS0, DNS_FETCHOPT_NOEDNS0);
+				    FCTX_ADDRINFO_NOEDNS0,
+				    FCTX_ADDRINFO_NOEDNS0);
 	}
 
 	/*