Public Resolvers: Several large organizations operate DNS Privacy Servers - see DNS Privacy Public Resolvers
DoH servers are also currently listed on that page.
See our Live Monitoring Dashboard for real time service status.
DoH servers are currently listed on the DNS Privacy Public Resolvers page and also on the list maintained on the curl wiki. For any servers below with the note ‘also does DoH’, check these pages or the website of the service for the DoH endpoint.
The following servers are experimental DNS-over-TLS servers.
Note that they are experimental offerings (mainly by individuals/small organisations) with no guarantees on the lifetime of the service or the service level provided. The level of logging may also vary (see the individual websites where available) - the information here about logging has not been verified. Also note that the single SPKI pins published here for many of these servers are subject to change (e.g. on certificate renewal) and should be used with care!
A YAML configuration file for Stubby containing the main public DNS privacy resolvers and also details of a subset of these test servers is provided with Stubby and can be found here. This file enables only the server operated by the stubby/getdns developers by default; users SHOULD actively choose additional or alternate servers for robustness. Enable any of the other servers by uncommenting the relevant section in the config file.
The dnsovertls*.sinodun.com servers are no longer present in the Stubby config file as of release 0.4.1 and were decommissioned on 9th Sept 2022.
Hosted by | IP addresses | TLS Ports | Hostname for TLS authentication | Base 64 encoded form of SPKI pin(s) for TLS authentication (RFC7858) | TLSA record published | Logging | Software | Notes |
---|---|---|---|---|---|---|---|---|
getdnsapi.net | 185.49.141.38 2a04:b900:0:100::37 | 853 | getdnsapi.net | foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q= | Y | Traffic volume only | Unbound | NOTE: This service listens on port 853 and the authentication name `getdnsapi.net` resolves to these addresses |
getdnsapi.net | 185.49.141.37 2a04:b900:0:100::38 | 443 | getdnsapi.net | foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q= | Y | Traffic volume only | Unbound | NOTE: This service listens on port 443 and uses DIFFERENT IP addresses to the service listening on port 443 |

Hosted by | IP addresses | TLS Ports | Hostname for TLS authentication | Base 64 encoded form of SPKI pin(s) for TLS authentication (RFC7858) | TLSA record published | Logging | Software | Notes |
---|---|---|---|---|---|---|---|---|
UncensoredDNS | 89.233.43.71 2a01:3a0:53:53::0 | 853 | unicast.censurfridns.dk | wikE3jYAA6jQmXYTr/rbHeEPmC78dQwZbQp6WdrseEs= (also see this file for a full set of pins) | Y | Traffic volume only | | See https://blog.uncensoreddns.org/ |
Fondation RESTENA | 158.64.1.29 | 853 | dnspub.restena.lu | aC/vKm0neSr3uDucVsYO62RPZ4ETWjoI0Gw8uWjGdLg= | | Traffic volume only | dnsdist/Unbound | DETAILS UPDATED March 2024. Configured with qname-minimisation, use-caps-for-id, aggressive-nsec, prefetch, harden-below-nxdomain and the newest auth-zone for local root zone caching. |
dns.neutopia.org | 89.234.186.112 2a00:5884:8209::2 | 853 443 | dns.neutopia.org | wTeXHM8aczvhRSi0cv2qOXkXInoDU+2C+M8MpRyT3OI= | | No logging | Knot resolver | |
Foundation for Applied Privacy | 146.255.56.98 2a01:4f8:c0c:83ed::1 | 853 | dot1.applied-privacy.net | | Y | Only aggregated logging, no PII | unbound | DETAILS UPDATED 14th Sep 2020 https://appliedprivacy.net/services/dns/ NOTE: Also does DoH and has an .onion endpoint |
French Data Network | 80.67.169.12 and 80.67.169.40 2001:910:800::12 and 2001:910:800::40 | 853 | dot1.ns0.fdn.fr and ns1.fdn.fr | | | | | French ISP - https://www.fdn.fr/actions/dns/ |
keweonDNS | 84.16.252.137 or 84.16.252.147 | 853 | dns.keweon.center | | | No logging | | Aviontex website. See keweonDNS - info, facts and what is keweon actually for details of privacy, logging and filtering policies. NOTE: Also does DoH. |
BlahDNS | 108.61.201.119 2001:19f0:7001:1ded:5400:01ff:fe90:945b | 853 | dot-jp.blahdns.com | | | No logging | | https://blahdns.com/ NOTE1: Located in Japan. Also does DoH. NOTE2: Note that port 443 REQUIRES an authentication name |
BlahDNS | 159.69.198.101 2a01:4f8:1c1c:6b4b::1 | 853 | dot-de.blahdns.com | | | No logging | | https://blahdns.com/ NOTE1: Located in Frankfurt. Also does DoH. NOTE2: Note that port 443 REQUIRES an authentication name |
ibksturm.synology.me | 213.196.191.96 | 853 | ibksturm.synology.me | | | No logging | nginx + Knot Resolver | https://ibksturm.synology.me NOTE: Also does DoH, DoQ and dnscrypt; no filters, opennic root copy |
dismail.de | 159.69.114.157 | 853 | fdns2.dismail.de | yJYDim2Wb6tbxUB3yA5ElU/FsRZZhyMXye8sXhKEd1w= | | No logging | | https://dismail.de/info.html#dns |
dismail.de | 80.241.218.68 2a02:c205:3001:4558::1 | 853 | fdns1.dismail.de | MMi3E2HZr5A5GL+badqe3tzEPCB00+OmApZqJakbqUU= | | No logging | | https://dismail.de/info.html#dns |
NIC Chile | 200.1.123.46 2001:1398:1:0:200:1:123:46 | 853 | dnsotls.lab.nic.cl | pUd9cZpbm9H8ws0tB55m9BXW4TrD4GZfBAB0ppCziBg= | Y | Yes, for research purposes | Unbound | |

This is a list of other servers we have been made aware of that users may want to investigate. Most are monitored here: Live Monitoring Dashboard - Other