diff --git a/lib/dns/adb.c b/lib/dns/adb.c
index 9f553a1003..449fe34ed3 100644
--- a/lib/dns/adb.c
+++ b/lib/dns/adb.c
@@ -375,28 +375,44 @@ static void
 log_quota(dns_adbentry_t *entry, const char *fmt, ...) ISC_FORMAT_PRINTF(2, 3);
 
 /*
- * MUST NOT overlap DNS_ADBFIND_* flags!
+ * Private flag(s) for adbfind objects. These are used internally and
+ * are not meant to be seen or used by the caller; however, we use the
+ * same flags field as for DNS_ADBFIND_xxx flags, so we must be careful
+ * that there is no overlap between these values and those. To make it
+ * easier, we will number these starting from the most significant bit
+ * instead of the least significant.
  */
-#define FIND_EVENT_SENT	   0x40000000
-#define FIND_EVENT_FREED   0x80000000
+enum {
+	FIND_EVENT_SENT = 1 << 31,
+	FIND_EVENT_FREED = 1 << 30,
+};
 #define FIND_EVENTSENT(h)  (((h)->flags & FIND_EVENT_SENT) != 0)
 #define FIND_EVENTFREED(h) (((h)->flags & FIND_EVENT_FREED) != 0)
 
-#define NAME_NEEDS_POKE	  0x80000000
-#define NAME_IS_DEAD	  0x40000000
-#define NAME_HINT_OK	  DNS_ADBFIND_HINTOK
-#define NAME_GLUE_OK	  DNS_ADBFIND_GLUEOK
-#define NAME_STARTATZONE  DNS_ADBFIND_STARTATZONE
+/*
+ * Private flag(s) for adbname objects.
+ */
+enum {
+	NAME_IS_DEAD = 1 << 31,
+	NAME_NEEDS_POKE = 1 << 30,
+};
 #define NAME_DEAD(n)	  (((n)->flags & NAME_IS_DEAD) != 0)
 #define NAME_NEEDSPOKE(n) (((n)->flags & NAME_NEEDS_POKE) != 0)
-#define NAME_GLUEOK(n)	  (((n)->flags & NAME_GLUE_OK) != 0)
-#define NAME_HINTOK(n)	  (((n)->flags & NAME_HINT_OK) != 0)
+#define NAME_GLUEOK(n)	  (((n)->flags & DNS_ADBFIND_GLUEOK) != 0)
+#define NAME_HINTOK(n)	  (((n)->flags & DNS_ADBFIND_HINTOK) != 0)
 
 /*
- * Private flag(s) for entries.
- * MUST NOT overlap FCTX_ADDRINFO_xxx and DNS_FETCHOPT_NOEDNS0.
+ * Private flag(s) for adbentry objects.  Note that these will also
+ * be used for addrinfo flags, and in resolver.c we'll use the same
+ * field for FCTX_ADDRINFO_xxx flags to store information about remote
+ * servers, so we must be careful that there is no overlap between
+ * these values and those. To make it easier, we will number these
+ * starting from the most significant bit instead of the least
+ * significant.
  */
-#define ENTRY_IS_DEAD 0x00400000
+enum {
+	ENTRY_IS_DEAD = 1 << 31,
+};
 
 /*
  * To the name, address classes are all that really exist.  If it has a
@@ -445,8 +461,9 @@ log_quota(dns_adbentry_t *entry, const char *fmt, ...) ISC_FORMAT_PRINTF(2, 3);
 #define GLUE_OK(nf, o)	   (!NAME_GLUEOK(nf) || (((o)&DNS_ADBFIND_GLUEOK) != 0))
 #define HINT_OK(nf, o)	   (!NAME_HINTOK(nf) || (((o)&DNS_ADBFIND_HINTOK) != 0))
 #define GLUEHINT_OK(nf, o) (GLUE_OK(nf, o) || HINT_OK(nf, o))
-#define STARTATZONE_MATCHES(nf, o) \
-	(((nf)->flags & NAME_STARTATZONE) == ((o)&DNS_ADBFIND_STARTATZONE))
+#define STARTATZONE_MATCHES(nf, o)                  \
+	(((nf)->flags & DNS_ADBFIND_STARTATZONE) == \
+	 ((o)&DNS_ADBFIND_STARTATZONE))
 
 #define ENTER_LEVEL  ISC_LOG_DEBUG(50)
 #define EXIT_LEVEL   ENTER_LEVEL
@@ -2989,13 +3006,13 @@ dns_adb_createfind(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
 		adbname = new_adbname(adb, name);
 		link_name(adb, bucket, adbname);
 		if (FIND_HINTOK(find)) {
-			adbname->flags |= NAME_HINT_OK;
+			adbname->flags |= DNS_ADBFIND_HINTOK;
 		}
 		if (FIND_GLUEOK(find)) {
-			adbname->flags |= NAME_GLUE_OK;
+			adbname->flags |= DNS_ADBFIND_GLUEOK;
 		}
 		if (FIND_STARTATZONE(find)) {
-			adbname->flags |= NAME_STARTATZONE;
+			adbname->flags |= DNS_ADBFIND_STARTATZONE;
 		}
 	} else {
 		/* Move this name forward in the LRU list */
@@ -3711,15 +3728,16 @@ dbfind_name(dns_adbname_t *adbname, isc_stdtime_t now, dns_rdatatype_t rdtype) {
 	 * We need to specify whether to search static-stub zones (if
 	 * configured) depending on whether this is a "start at zone" lookup,
 	 * i.e., whether it's a "bailiwick" glue.  If it's bailiwick (in which
-	 * case NAME_STARTATZONE is set) we need to stop the search at any
-	 * matching static-stub zone without looking into the cache to honor
+	 * case DNS_ADBFIND_STARTATZONE is set) we need to stop the search at
+	 * any matching static-stub zone without looking into the cache to honor
 	 * the configuration on which server we should send queries to.
 	 */
-	result = dns_view_find(adb->view, &adbname->name, rdtype, now,
-			       NAME_GLUEOK(adbname) ? DNS_DBFIND_GLUEOK : 0,
-			       NAME_HINTOK(adbname),
-			       ((adbname->flags & NAME_STARTATZONE) != 0), NULL,
-			       NULL, fname, &rdataset, NULL);
+	result =
+		dns_view_find(adb->view, &adbname->name, rdtype, now,
+			      NAME_GLUEOK(adbname) ? DNS_DBFIND_GLUEOK : 0,
+			      NAME_HINTOK(adbname),
+			      ((adbname->flags & DNS_ADBFIND_STARTATZONE) != 0),
+			      NULL, NULL, fname, &rdataset, NULL);
 
 	/* XXXVIX this switch statement is too sparse to gen a jump table. */
 	switch (result) {
diff --git a/lib/dns/include/dns/resolver.h b/lib/dns/include/dns/resolver.h
index 8e55f30789..4de314c90d 100644
--- a/lib/dns/include/dns/resolver.h
+++ b/lib/dns/include/dns/resolver.h
@@ -90,41 +90,38 @@ typedef enum { dns_quotatype_zone = 0, dns_quotatype_server } dns_quotatype_t;
 /*
  * Options that modify how a 'fetch' is done.
  */
-#define DNS_FETCHOPT_TCP	 0x00000001 /*%< Use TCP. */
-#define DNS_FETCHOPT_UNSHARED	 0x00000002 /*%< See below. */
-#define DNS_FETCHOPT_RECURSIVE	 0x00000004 /*%< Set RD? */
-#define DNS_FETCHOPT_NOEDNS0	 0x00000008 /*%< Do not use EDNS. */
-#define DNS_FETCHOPT_FORWARDONLY 0x00000010 /*%< Only use forwarders. */
-#define DNS_FETCHOPT_NOVALIDATE	 0x00000020 /*%< Disable validation. */
-#define DNS_FETCHOPT_OBSOLETE1	 0x00000040 /*%< Obsolete */
-#define DNS_FETCHOPT_WANTNSID	 0x00000080 /*%< Request NSID */
-#define DNS_FETCHOPT_PREFETCH	 0x00000100 /*%< Do prefetch */
-#define DNS_FETCHOPT_NOCDFLAG	 0x00000200 /*%< Don't set CD flag. */
-#define DNS_FETCHOPT_NONTA	 0x00000400 /*%< Ignore NTA table. */
-/* RESERVED ECS				0x00000000 */
-/* RESERVED ECS				0x00001000 */
-/* RESERVED ECS				0x00002000 */
-/* RESERVED TCPCLIENT			0x00004000 */
-#define DNS_FETCHOPT_NOCACHED  0x00008000 /*%< Force cache update. */
-#define DNS_FETCHOPT_QMINIMIZE 0x00010000 /*%< Use qname minimization. */
-#define DNS_FETCHOPT_NOFOLLOW                                                  \
-	0x00020000 /*%< Don't retrieve the NS RRset from the child zone when a \
-		    *   delegation is returned in response to a NS query. */
-#define DNS_FETCHOPT_QMIN_STRICT                                         \
-	0x00040000 /*%< Do not work around servers that return errors on \
-		    *   non-empty terminals. */
-#define DNS_FETCHOPT_QMIN_SKIP_IP6A                                        \
-	0x00080000 /*%< Skip some labels when doing qname  minimization on \
-		    *   ip6.arpa. */
-#define DNS_FETCHOPT_NOFORWARD \
-	0x00100000 /*%< Do not use forwarders if possible. */
+enum {
+	DNS_FETCHOPT_TCP = 1 << 0,	       /*%< Use TCP. */
+	DNS_FETCHOPT_UNSHARED = 1 << 1,	       /*%< See below. */
+	DNS_FETCHOPT_RECURSIVE = 1 << 2,       /*%< Set RD? */
+	DNS_FETCHOPT_NOEDNS0 = 1 << 3,	       /*%< Do not use EDNS. */
+	DNS_FETCHOPT_FORWARDONLY = 1 << 4,     /*%< Only use forwarders. */
+	DNS_FETCHOPT_NOVALIDATE = 1 << 5,      /*%< Disable validation. */
+	DNS_FETCHOPT_WANTNSID = 1 << 6,	       /*%< Request NSID */
+	DNS_FETCHOPT_PREFETCH = 1 << 7,	       /*%< Do prefetch */
+	DNS_FETCHOPT_NOCDFLAG = 1 << 8,	       /*%< Don't set CD flag. */
+	DNS_FETCHOPT_NONTA = 1 << 9,	       /*%< Ignore NTA table. */
+	DNS_FETCHOPT_NOCACHED = 1 << 10,       /*%< Force cache update. */
+	DNS_FETCHOPT_QMINIMIZE = 1 << 11,      /*%< Use qname minimization. */
+	DNS_FETCHOPT_NOFOLLOW = 1 << 12,       /*%< Don't retrieve the NS RRset
+						* from the child zone when a
+						* delegation is returned in
+						* response to a NS query. */
+	DNS_FETCHOPT_QMIN_STRICT = 1 << 13,    /*%< Do not work around servers
+						* that return errors on
+						* non-empty terminals. */
+	DNS_FETCHOPT_QMIN_SKIP_IP6A = 1 << 14, /*%< Skip some labels when
+						* doing qname minimization
+						* on ip6.arpa. */
+	DNS_FETCHOPT_NOFORWARD = 1 << 15,      /*%< Do not use forwarders if
+						* possible. */
+	DNS_FETCHOPT_TRYSTALE_ONTIMEOUT = 1 << 16,
 
-/* UNUSED			0x00200000 */
-/* Reserved in use by adb.c		0x00400000 */
-#define DNS_FETCHOPT_EDNSVERSIONSET	0x00800000
-#define DNS_FETCHOPT_EDNSVERSIONMASK	0xff000000
-#define DNS_FETCHOPT_EDNSVERSIONSHIFT	24
-#define DNS_FETCHOPT_TRYSTALE_ONTIMEOUT 0x01000000
+	/*% EDNS version bits: */
+	DNS_FETCHOPT_EDNSVERSIONSET = 1 << 23,
+	DNS_FETCHOPT_EDNSVERSIONSHIFT = 24,
+	DNS_FETCHOPT_EDNSVERSIONMASK = 0xff000000,
+};
 
 /*
  * Upper bounds of class of query RTT (ms).  Corresponds to
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 25e402408e..66bb1ac78d 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -610,15 +610,17 @@ struct dns_resolver {
 #define VALID_RESOLVER(res) ISC_MAGIC_VALID(res, RES_MAGIC)
 
 /*%
- * Private addrinfo flags.  These must not conflict with DNS_FETCHOPT_NOEDNS0
- * (0x008) which we also use as an addrinfo flag.
+ * Private addrinfo flags.
  */
-#define FCTX_ADDRINFO_MARK	0x00001
-#define FCTX_ADDRINFO_FORWARDER 0x01000
-#define FCTX_ADDRINFO_EDNSOK	0x04000
-#define FCTX_ADDRINFO_NOCOOKIE	0x08000
-#define FCTX_ADDRINFO_BADCOOKIE 0x10000
-#define FCTX_ADDRINFO_DUALSTACK 0x20000
+enum {
+	FCTX_ADDRINFO_MARK = 1 << 0,
+	FCTX_ADDRINFO_FORWARDER = 1 << 1,
+	FCTX_ADDRINFO_EDNSOK = 1 << 2,
+	FCTX_ADDRINFO_NOCOOKIE = 1 << 3,
+	FCTX_ADDRINFO_BADCOOKIE = 1 << 4,
+	FCTX_ADDRINFO_DUALSTACK = 1 << 5,
+	FCTX_ADDRINFO_NOEDNS0 = 1 << 6,
+};
 
 #define UNMARKED(a)    (((a)->flags & FCTX_ADDRINFO_MARK) == 0)
 #define ISFORWARDER(a) (((a)->flags & FCTX_ADDRINFO_FORWARDER) != 0)
@@ -2573,18 +2575,19 @@ resquery_send(resquery_t *query) {
 	 * The ADB does not know about servers with "edns no".  Check
 	 * this, and then inform the ADB for future use.
 	 */
-	if ((query->addrinfo->flags & DNS_FETCHOPT_NOEDNS0) == 0 &&
+	if ((query->addrinfo->flags & FCTX_ADDRINFO_NOEDNS0) == 0 &&
 	    peer != NULL &&
 	    dns_peer_getsupportedns(peer, &useedns) == ISC_R_SUCCESS &&
 	    !useedns)
 	{
 		query->options |= DNS_FETCHOPT_NOEDNS0;
 		dns_adb_changeflags(fctx->adb, query->addrinfo,
-				    DNS_FETCHOPT_NOEDNS0, DNS_FETCHOPT_NOEDNS0);
+				    FCTX_ADDRINFO_NOEDNS0,
+				    FCTX_ADDRINFO_NOEDNS0);
 	}
 
 	/* Sync NOEDNS0 flag in addrinfo->flags and options now. */
-	if ((query->addrinfo->flags & DNS_FETCHOPT_NOEDNS0) != 0) {
+	if ((query->addrinfo->flags & FCTX_ADDRINFO_NOEDNS0) != 0) {
 		query->options |= DNS_FETCHOPT_NOEDNS0;
 	}
 
@@ -2626,7 +2629,7 @@ resquery_send(resquery_t *query) {
 	 * the remote server doesn't like it.
 	 */
 	if ((query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
-		if ((query->addrinfo->flags & DNS_FETCHOPT_NOEDNS0) == 0) {
+		if ((query->addrinfo->flags & FCTX_ADDRINFO_NOEDNS0) == 0) {
 			uint16_t peerudpsize = 0;
 			unsigned int version = DNS_EDNS_VERSION;
 			unsigned int flags = query->addrinfo->flags;
@@ -8427,7 +8430,8 @@ rctx_edns(respctx_t *rctx) {
 			DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3),
 			fctx->res->mctx);
 		dns_adb_changeflags(fctx->adb, query->addrinfo,
-				    DNS_FETCHOPT_NOEDNS0, DNS_FETCHOPT_NOEDNS0);
+				    FCTX_ADDRINFO_NOEDNS0,
+				    FCTX_ADDRINFO_NOEDNS0);
 	} else if (rctx->opt == NULL &&
 		   (query->rmessage->flags & DNS_MESSAGEFLAG_TC) == 0 &&
 		   !EDNSOK(query->addrinfo) &&
@@ -8453,7 +8457,8 @@ rctx_edns(respctx_t *rctx) {
 			DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3),
 			fctx->res->mctx);
 		dns_adb_changeflags(fctx->adb, query->addrinfo,
-				    DNS_FETCHOPT_NOEDNS0, DNS_FETCHOPT_NOEDNS0);
+				    FCTX_ADDRINFO_NOEDNS0,
+				    FCTX_ADDRINFO_NOEDNS0);
 	}
 
 	/*