Test servers

Public resolvers

Public Resolvers: Several large organizations operate DNS Privacy Servers - see DNS Privacy Public Resolvers

DOH servers are also currently listed on that page

Experimental DNS Privacy Recursive Servers

Live Monitoring Dashboard

DoH servers

These are currently listed on the DNS Privacy Public Resolvers page and also the list maintained on the curl wiki. For any servers below with the note ‘also does DoH’ check these pages or the website of the service for the DoH endpoint.

DoT servers

The following servers are experimental DNS-over-TLS servers.

Note that they are experimental offerings (mainly by individuals/small organisations) with no guarantees on the lifetime of the service, service level provided. The level of logging may also vary (see the individual websites where available) - the information here about logging has not been verified. Also note that the single SPKI pins published here for many of these servers are subject to change (e.g on Certificate renewal) and should be used with care!!

Stubby configuration

A YAML configuration file for Stubby containing the main public DNS privacy resolvers and also details of a subset of these test servers is provided with Stubby and can be found here. This file enables only the server operated by the stubby/getdns developers by default, users SHOULD actively choose additional or alternate servers for robustness. Enable any of the other servers by uncommenting the relevant section in the config file.

Servers run by the Stubby developers

The dnsovertls*.sinodun.com servers are no longer present in the Stubby config file as of release 0.4.1 and were decommissioned on 9th Sept 2022.

Hosted by IP addresses TLS Ports Hostname for TLS
authentication
Base 64 encoded form of SPKI pin(s) for TLS
authentication (RFC7858)
TLSA record published Logging Software Notes
getdnsapi.net 185.49.141.38
2a04:b900:0:100::37
853 getdnsapi.net foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q=

Y Traffic volume only Unbound NOTE: This service listens on port 853 and the authentication name `getdnsapi.net` resolves to these addresses
getdnsapi.net 185.49.141.37
2a04:b900:0:100::38
443 getdnsapi.net foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q=

Y Traffic volume only Unbound NOTE: This service listens on port 443 and uses DIFFERENT IP addresses to the service listening on port 443

Other servers

Hosted by IP addresses TLS Ports Hostname for TLS
authentication
Base 64 encoded form of SPKI pin(s) for TLS
authentication (RFC7858)
TLSA record published Logging Software Notes
UncensoredDNS 89.233.43.71 
2a01:3a0:53:53::0
853 unicast.censurfridns.dk wikE3jYAA6jQmXYTr/rbHeEPmC78dQwZbQp6WdrseEs=(also see this file for a full set of pins) Y Traffic volume only
See https://blog.uncensoreddns.org/

Fondation RESTENA
(NREN for Luxemburg)

158.64.1.29
2001:a18:1::29

853 kaitain.restena.lu 7ftvIkA+UeN/ktVkovd/7rPZ6mbkhVI7/8HnFJIiLa4=
Traffic volume only Unbound Configured with qname-minimisation, use-caps-for-id, aggressive-nsec, prefetch, harden-below-nxdomain and the newest auth-zone for local root
zone caching.
dns.neutopia.org 89.234.186.112
2a00:5884:8209::2
853
443
dns.neutopia.org wTeXHM8aczvhRSi0cv2qOXkXInoDU+2C+M8MpRyT3OI=
No logging Knot resolver
Foundation for Applied Privacy 146.255.56.98
2a01:4f8:c0c:83ed::1

853
443

dot1.applied-privacy.net
Y Only aggregated logging, no PII unbound DETAILS UPDATED 14th Sep 2020
https://appliedprivacy.net/services/dns/
NOTE: Also does DoH and has an .onion endpoint
BlahDNS 108.61.201.119
2001:19f0:7001:1ded:5400:01ff:fe90:945b

853
443

dot-jp.blahdns.com

No logging
https://blahdns.com/
NOTE1: Located in Japan. Also does DoH.
NOTE2: Note that port 443 REQUIRES an authentication name
BlahDNS 159.69.198.101
2a01:4f8:1c1c:6b4b::1

853
443

dot-de.blahdns.com

No logging
https://blahdns.com/
NOTE1: Located in Frankfurt. Also does DoH.
NOTE2: Note that port 443 REQUIRES an authentication name/td>
ibksturm.synology.me

178.82.102.190

853 ibksturm.synology.me

No logging nginx + unbound https://github.com/ibksturm/dnscrypt-switzerland NOTE: Also does DoH and dnscrypt no filters, opennic root copy
dismail.de

159.69.114.157
2a01:4f8:c17:739a::2 

853 fdns2.dismail.de yJYDim2Wb6tbxUB3yA5ElU/FsRZZhyMXye8sXhKEd1w=
No logging
https://dismail.de/info.html#dns
dismail.de 80.241.218.68
2a02:c205:3001:4558::1
853 fdns1.dismail.de MMi3E2HZr5A5GL+badqe3tzEPCB00+OmApZqJakbqUU=
No logging
https://dismail.de/info.html#dns
NIC Chile

200.1.123.46
2001:1398:1:0:200:1:123:46
853 dnsotls.lab.nic.cl  pUd9cZpbm9H8ws0tB55m9BXW4TrD4GZfBAB0ppCziBg= Y Yes, for research purposes Unbound

Other servers

This is a list of other servers we have been made aware that users may want to investigate. Most are monitored here: Live Monitoring Dashboard - Other

  • dns.digitale-gesellschaft.ch
  • dns.switch.ch
  • dot.ffmuc.net
  • https://dns.sb/dot/
  • OpenNIC DNS non-profit and volunteer network, with additionally alternative no-ICANN domains. At the moment the network is made up of just over twenty independent servers, three of which provide DoT. https://servers.opennicproject.org/
    • ns29.de.dns.opennic.glue
    • ns4.fi.dns.opennic.glue
    • ns4.ru.dns.opennic.glue
  • Tenta. A service of the antivirus company Avast. It supports ICANN and also OpenNIC. https://tenta.com/dns-setup-guides