Test servers

Public resolvers

Public Resolvers: Several large organisations opereate DNS Privacy Servers - see DNS Privacy Public Resolvers

DOH servers are also currently listed on that page

Experimental DNS Privacy Recursive Servers

Live Monitoring Dashboard
Live Traffic Graphs
Map of server locations

DoH servers

These are currently listed on the DNS Privacy Public Resolvers page and also the list maintained on the curl wiki. For any servers below with the note ‘also does DoH’ check these pages or the website of the service for the DoH endpoint.

DoT servers

The following servers are experimental DNS-over-TLS servers.

Note that they are experimental offerings (mainly by individuals/small organisations) with no guarantees on the lifetime of the service, service level provided. The level of logging may also vary (see the individual websites where available) - the information here about logging has not been verified. Also note that the single SPKI pins published here for many of these servers are subject to change (e.g on Certificate renewal) and should be used with care!!

Stubby configuration

A YAML configuration file for Stubby containing a the details of these servers is provided with Stubby and can be found here. This file enables only the subset of servers operated by the stubby/getdns developers by default, users can choose to enable any of the other servers by uncommenting the relevant section (occasionally the file lags this page).

Servers run by the Stubby developers

Hosted by IP addresses TLS Ports Hostname for TLS
authentication
Base 64 encoded form of SPKI pin(s) for TLS
authentication (RFC7858)
TLSA record published Logging Software Notes
1) The following are currently enabled in the default Stubby config file because they are run by the stubby/getdns developers and have no known issues.
Sinodun/Surfnet 145.100.185.152001:610:1:40ba:145:100:185:15 853443 dnsovertls.sinodun.com 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4= Y Traffic volume only HAProxy + BIND 9.12 See https://www.sinodun.com/recursive-operator-privacy-statement-rps/
Sinodun1/Surfnet 145.100.185.162001:610:1:40ba:145:100:185:16 853443 dnsovertls1.sinodun.com cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA= Y Traffic volume only Nginx + BIND 9.12 See https://www.sinodun.com/recursive-operator-privacy-statement-rps/
getdnsapi.net 185.49.141.37
2a04:b900:0:100::37
853 getdnsapi.net foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q=

Y Traffic volume only Unbound

Other servers with a ‘no logging’ policy

Hosted by IP addresses TLS Ports Hostname for TLS
authentication
Base 64 encoded form of SPKI pin(s) for TLS
authentication (RFC7858)
TLSA record published Logging Software Notes
UncensoredDNS 89.233.43.71 
2a01:3a0:53:53::0
853 unicast.censurfridns.dk wikE3jYAA6jQmXYTr/rbHeEPmC78dQwZbQp6WdrseEs=(also see this file for a full set of pins) Y Traffic volume only
See https://blog.uncensoreddns.org/

Fondation RESTENA
(NREN for Luxemburg)

158.64.1.29
2001:a18:1::29

853 kaitain.restena.lu 7ftvIkA+UeN/ktVkovd/7rPZ6mbkhVI7/8HnFJIiLa4=
Traffic volume only Unbound Configured with qname-minimisation, use-caps-for-id, aggressive-nsec,

prefetch, harden-below-nxdomain and the newest auth-zone for local root
zone caching.

Sinodun3/Surfnet 145.100.185.182001:610:1:40ba:145:100:185:18 853 dnsovertls3.sinodun.com 5SpFz7JEPzF71hditH1v2dBhSErPUMcLPJx1uk2svT8= Y Traffic volume only HAProxy + BIND 9.12 See https://www.sinodun.com/recursive-operator-privacy-statement-rps/
Sinodun4/Surfnet 145.100.185.172001:610:1:40ba:145:100:185:17 853 dnsovertls2.sinodun.com NAXBESvpjZMnPWQcrxa2KFIkHV/pDEIjRkA3hLWogSg= Y Traffic volume only Knot Resolver See https://www.sinodun.com/recursive-operator-privacy-statement-rps/
dkg 199.58.81.218
2001:470:1c:76d::53
853 443 dns.cmrg.net 3IOHSS48KOc/zlkKGtI46a9TY9PPKDVGhE3W2ZS4JZo=
5zFN3smRPuHIlM/8L+hANt99LW26T97RFHqHv90awjo=

None Knot Resolver See https://dns.cmrg.net/ Note that on port 443 this server can serve both HTTP 1.1 traffic (to securely access the nameserver credentials) on TLS connections and DNS-over-TLS on separate TLS connections due to some nifty, experimental demultiplexing of traffic, described here.Has some issues with DNSSEC responses - this is under investigation.
Lorraine Data Network 80.67.188.1882001:913::8 853
443

WaG0kHUS5N/ny0labz85HZg+v+f0b/UQ73IZjFep0nM=
Traffic volume only stunnel 4 + BIND UPDATED OCT 2021: These servers are being decommissioned and will be removed from the stubby config in the next release. . See https://ldn-fai.net/serveur-dns-recursif-ouvert/ (note, logging of IP address at stunnel no longer performed).
A self-signed certificate is used, so SPKI pinning is must be used.
dns.neutopia.org 89.234.186.1122a00:5884:8209::2 853
443
dns.neutopia.org wTeXHM8aczvhRSi0cv2qOXkXInoDU+2C+M8MpRyT3OI=
No logging Knot resolver
BlahDNS 108.61.201.119
2001:19f0:7001:1ded:5400:01ff:fe90:945b

853
443

dot-jp.blahdns.com

No logging

https://blahdns.com/

NOTE1: Located in Japan. Also does DoH.
NOTE2: Note that port 443 REQUIRES an authentication name

UPDATED 22nd JAN 2018: note the authentication name has changed

BlahDNS 159.69.198.101
2a01:4f8:1c1c:6b4b::1

853
443

dot-de.blahdns.com

No logging

https://blahdns.com/

NOTE1: Located in Frankfurt. Also does DoH.NOTE2: Note that port 443 REQUIRES an authentication name

Go6Lab 2001:67c:27e4::35 853 privacydns.go6lab.si g5lqtwHia/plKqWU/Fe2Woh4+7MO3d0JYqYJpj/iYAw=
No logging Unbound
Secure DNS Project by PumpleX 51.38.83.1412001:41d0:801:2000::d64 853 dns.oszx.co P/Auj1pm8MiUpeIxGcrEuMJOQV+pgPY0MR4awpclvT4=
No logging
https://dns.oszx.co
NOTE1: Also does DoH and dnscrypt
NOTE2: Performs ad blocking
Foundation for Applied Privacy 146.255.56.98
2a01:4f8:c0c:83ed::1

853
443

dot1.applied-privacy.net
Y Only aggregated logging, no PII unbound

DETAILS UPDATED 14th Sep 2020

https://appliedprivacy.net/services/dns/

NOTE: Also does DoH and has an .onion endpoint

ibksturm.synology.me

178.82.102.190

853 ibksturm.synology.me

No logging nginx + unbound

https://github.com/ibksturm/dnscrypt-switzerland

NOTE: Also does DoH and dnscrypt
no filters, opennic root copy

dismail.de

159.69.114.1572a01:4f8:c17:739a::2 

853 fdns2.dismail.de yJYDim2Wb6tbxUB3yA5ElU/FsRZZhyMXye8sXhKEd1w=
No logging
https://dismail.de/info.html#dns
dismail.de 80.241.218.682a02:c205:3001:4558::1 853 fdns1.dismail.de MMi3E2HZr5A5GL+badqe3tzEPCB00+OmApZqJakbqUU=
No logging
https://dismail.de/info.html#dns

Servers with minimal logging/limitations

These servers use some logging, self-signed certs or no support for Strict mode.

Hosted by IP addresses TLS Ports Hostname for TLS
authentication
Base 64 encoded form of SPKI pin(s) for TLS
authentication (RFC7858)
TLSA record published Logging Software Notes
NIC Chile

200.1.123.46
2001:1398:1:0:200:1:123:46
853 dnsotls.lab.nic.cl  pUd9cZpbm9H8ws0tB55m9BXW4TrD4GZfBAB0ppCziBg= Y Yes, for research purposes Unbound Details updated 18th Sept - now uses Let's encrypt cert