Experimental DNS Privacy Recursive Servers



The following servers are configured to support TLS on port 853 for testing purposes.

Note that they are experimental offerings with no guarantees on the lifetime of the service, service level provided. The level of logging may also vary (see the individual websites where available) - the information here about logging has not been verified.

Also note that the single SPKI pins published here for many of these servers are subject to change (e.g on Certificate renewal) and should be used with care!!

ANYCAST SERVICES:

  • Quad9 (9.9.9.9) and Cloudflare (1.1.1.1) offer DNS-over-TLS on port 853 - details below

A YAML configuration file for Stubby containing a the details of these servers is provided with Stubby and can be found here. This file enables only the subset of servers operated by the stubby/getdns developers by default, users can choose to enable any of the other servers by uncommenting the relevant section (occasionally the file lags this page).

**Note that the Yeti servers use a different root key for DNSSEC! See the Yeti project for more details

Hosted byIP addressesTLS PortsHostname for TLS
authentication
Base 64 encoded form of SPKI pin(s) for TLS
authentication (RFC7858)
TLSA record publishedLoggingSoftwareNotes
1) The following are currently enabled in the default Stubby config file because they are run by the stubby/getdns developers and have no known issues.
Surfnet

145.100.185.15
2001:610:1:40ba:145:100:185:15

853
443

dnsovertls.sinodun.com

62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=

YTraffic volume onlyHAProxy + BIND 9.12


Surfnet

145.100.185.16
2001:610:1:40ba:145:100:185:16

853
443

dnsovertls1.sinodun.com

cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA=

YTraffic volume onlyNginx + BIND 9.12


getdnsapi.net

185.49.141.37
2a04:b900:0:100::37

853getdnsapi.net

foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9S=

YTraffic volume onlyUnbound
2) Anycast services (with no/minimal logging)
Quad9 'secure'

9.9.9.9
2620:fe::fe

853dns.quad9.netQuad9 do NOT publish or recommend use of SPKI pins with their servers.
See https://quad9.net and their FAQ for details of privacy, logging and filtering policies on the main and alternative addresses(1). UDP and TCP service are also available on these addresses.

Quad9 'insecure'

9.9.9.10
2620:fe::10

853dns.quad9.net
Cloudflare

1.1.1.1 or 1.0.0.1
2606:4700:4700::1111 or 2606:4700:4007::1001

853cloudflare-dns.comCloudflare do NOT publish or recommend use of SPKI pins with their servers.

https://blog.cloudflare.com/announcing-1111/
https://blog.cloudflare.com/dns-resolver-1-1-1-1/
PRIVACY POLICY: https://developers.cloudflare.com/1.1.1.1/commitment-to-privacy/privacy-policy/privacy-policy/

And also see https://labs.apnic.net/?p=1127 for details of the APNIC/Cloudflare agreement as mentioned on the Register.

UDP and TCP service are also available on these addresses. DNS-over-HTTPS is also available!

NOTE: To use this service by name only (i.e resolve the IP from the name) use 1dot1dot1dot1.cloudflare-dns.com.

3) Other servers with no/minimal logging
UncensoredDNS

89.233.43.71 
2a01:3a0:53:53::0

853

unicast.censurfridns.dk

wikE3jYAA6jQmXYTr/rbHeEPmC78dQwZbQp6WdrseEs=YTraffic volume only
See https://blog.uncensoreddns.org/
Surfnet145.100.185.18
2001:610:1:40ba:145:100:185:18
853dnsovertls3.sinodun.com

5SpFz7JEPzF71hditH1v2dBhSErPUMcLPJx1uk2svT8=

YTraffic volume onlyHAProxy + BIND 9.12Supports TLS 1.3 and TLS 1.2. We think our stability problems are solved... see here for details. NOTE: This is using OpenSSL master branch, commit 3e524bf. This is using TLS 1.3 draft-23 revision - you may experience interop problems if your client is using an earlier draft implementation.
Surfnet

145.100.185.17
2001:610:1:40ba:145:100:185:17

853dnsovertls2.sinodun.comNAXBESvpjZMnPWQcrxa2KFIkHV/pDEIjRkA3hLWogSg=YTraffic volume onlyKnot ResolverHas some issues with DNSSEC responses - this is under investigation.
dkg

199.58.81.218
2001:470:1c:76d::53

853 443

53053

dns.cmrg.net

3IOHSS48KOc/zlkKGtI46a9TY9PPKDVGhE3W2ZS4JZo=
5zFN3smRPuHIlM/8L+hANt99LW26T97RFHqHv90awjo=


NoneKnot Resolver

See https://dns.cmrg.net/ Note that on port 443 this server can serve both HTTP 1.1 traffic (to securely access the nameserver credentials) on TLS connections and DNS-over-TLS on separate TLS connections due to some nifty, experimental demultiplexing of traffic, described here.

Has some issues with DNSSEC responses - this is under investigation.

dns.larsdebruin.net (Previously dns1.darkmoon.is)

51.15.70.167853

UPDATED on 30 Jan 2018
dns.larsdebruin.net

UPDATED on 30 Jan 2018 AAT+rHoKx5wQkWhxlfrIybFocBu3RBrPD2/ySwIwmvA=


Traffic volume onlyUnbound
securedns.eu

146.185.167.43
2a03:b0c0:0:1010::e9a:3001

853securedns.eu

UPDATED on 2nd Nov 2017
2EfbwDyk2zSnAbBJSpCSWZKKGUD+a6p/yg2bxdC+x2A=


NoneHaProxy + Bind

NOTE: SecureDNS has support for additional TLDs of OpenNIC, Emercoin, and Namecoin

dns-tls.bitwiseshift.net

81.187.221.24
2001:8b0:24:24::24

853dns-tls.bitwiseshift.netYmcYWZU5dd2EoblZHNf1jTUPVS+uK3280YYCdz4l4wo=
NoneUnbound


ns1.dnsprivacy.at94.130.110.185
2a01:4f8:c0c:3c03::2
853ns1.dnsprivacy.atvqVQ9TcoR9RDY3TpO0MTXw1YQLjF44zdN3/4PkLwtEY=
NoneUnbound

See https://dnsprivacy.at/

ns2.dnsprivacy.at94.130.110.178
2a01:4f8:c0c:3bfc::2
853ns2.dnsprivacy.ats5Em89o0kigwfBF1gcXWd8zlATSWVXsJ6ecZfmBDTKg=
NoneUnbound


dns.bitgeek.in (India)139.59.51.46853dns.bitgeek.inFndaG4ezEBQs4k0Ya3xt3z4BjFEyQHd7B75nRyP1nTs=
Traffic volume onlyNginx + BIND
Lorraine Data Network

80.67.188.188
2001:913::8

853
443


WaG0kHUS5N/ny0labz85HZg+v+f0b/UQ73IZjFep0nM=


Traffic volume onlystunnel 4 + BIND

See https://ldn-fai.net/serveur-dns-recursif-ouvert/ (note, logging of IP address at stunnel no longer performed).
A self-signed certificate is used, so SPKI pinning is must be used.

dns.neutopia.org

89.234.186.112
2a00:5884:8209::2

853
443
dns.neutopia.orgwTeXHM8aczvhRSi0cv2qOXkXInoDU+2C+M8MpRyT3OI=
No loggingKnot resolver

4) Servers with some logging, self-signed certs or no support for Strict mode

Go6Lab2001:67c:27e4::35853privacydns.go6lab.sig5lqtwHia/plKqWU/Fe2Woh4+7MO3d0JYqYJpj/iYAw=
UnknownUnbound

NIC Chile
dnsotls.lab.nic.cl

200.1.123.46
2001:1398:1:0:200:1:123:46

853


sG6kj+XJToXwt1M6+9BeCz1SOj/1/mdZn56OZvCyZZc=

Y

Yes, for research purposes

Unbound

Self-signed certificate, use SPKI pinning.

Yeti

2001:4b98:dc2:43:216:3eff:fea9:41a

853

dns-resolver.yeti.eu.org

UPDATED on 26th Jun 2017
YxtXAorQNSo+333ko1ctuXcnpMcplPaOI/GCM+YeMQk=


Yes, see Yeti websiteUnboundSee https://dns-resolver.yeti.eu.org/
OARC

184.105.193.78
2620:ff:c000:0:1::64:25

853

tls-dns-u.odvr.dns-oarc.net

pOXrpUt9kgPgbWxBFFcBTbRH2heo2wHwXp1fd4AEVXI=


Yes, see OARC websiteUnbound

See OARC website NOTE: As of June 2017 this server does not support Strict Mode because it does not offer the correct cipher suites to match RFC7525 recommendations.

(1) More details of the service are available in various blogs e.g. see Stephane Bortzmeyer's blog. Note that Quad9 have not announced a SPKI pinset. 


  • No labels

32 Comments

  1. Anonymous

    Lorraine Data Network servers are also available on port 443, and they provide a certificate on the linked webpage from which you can derive the SPKI pin.

  2. Anonymous

    1. Not all entries have the same color, can the styles be reseted?
    2. Is it possible to update the example stubby.yml file with the new servers?
    3. Should we create an more experimental list at the end and put the OARC DNS Privacy Server in there because no strict privacy supported?
  3. Anonymous

    Lorraine Data Network server is not enabled in monitoring

  4. Anonymous

    Wow, great! The following links should be corrected or removed. The JSON-Variant of the config should be updated or removed.

    A configuration file for Stubby containing a subset of these servers which can all be validated can be found here.

    A JSON file with the details of the same subset of servers can be downloaded here.

  5. Anonymous

    Still one death link: "The following are currently in the default Stubby config file mainly because they have been around longest and are the most stable."

    All adressed: You can now remove the last 4 comment from me

    1. Thanks for all the suggestions! I plan to add a yml and JSON file with the full set of servers to this page too. 

      LDN server was just added to the monitoring too. 

  6. Anonymous

    All entrys for IPv4 servers, except the logging ones, for use in the yml config file (110317): https://pastebin.com/Wd45uhXu

  7. Thanks - we already have a PR https://github.com/getdnsapi/stubby/pull/41 to add the servers to the .yml file so users can choose which ones to enable. Should be in the next release of Stubby.

  8. Anonymous

    Wow thanks for all fixes...

    Some small cosmetic bugs:

    • the order of the list on the Wiki is not the same than the yaml file
    • the UncensoredDNS server is not enabled in the yaml
  9. Anonymous

    The recently released knot-resolver 1.5.1 fixes some stability issues, please update and check if the issue still exist

    1. It doesn't fix them all unfortunately. We are working with the developers to get this fixed.

  10. Anonymous

    Getting "Server Not Found" for some domains in Firefox when using Stubby. Same domains work fine when using Google or OpenDNS servers.

    Do any of the test servers have issue trackers?

  11. It is more likely a problem with Stubby - do you have any logs from stubby? If so please open an issue here for us to help you debug:

    https://github.com/getdnsapi/stubby/issues

    Please let us know what OS you are using too. 

  12. Anonymous

    No. I'll enable logging and create an issue when I have the problem again.

  13. Hi Sara,

    It appears quad9 has officially announced support for DNS over TLS.

    https://www.quad9.net/faq/#Does_Quad9_support_DNS_over_TLS


  14. Hello -

    It appears Cloudflare has officially announced a DNS resolver service. Interestingly enough, they support both DNS-Over-TLS and DNS-Over-HTTPS. For DNS-Over-TLS they specifically state they support TLS 1.2 and 1.3.


    From some tests I have performed, it appears to be pretty quick.


    https://1.1.1.1/

    https://developers.cloudflare.com/1.1.1.1/dns-over-https/

    https://developers.cloudflare.com/1.1.1.1/dns-over-tls/

    1. how to add on stubby.yaml i try something like this but fail ?

      here1

      here2


      edited: just delete the pinset and change transport from TLS to TCP and just work

      1. You should be able to use the transport TLS. I have something like this in my config:

        #Cloudflare
          - address_data: 1.1.1.1
            tls_auth_name: "cloudflare-dns.com"


        I think their doc might need a slight bit of clarification - they mention "dns.cloudflare.com" but if you check the example output they use "tls-host=cloudflare-dns.com"


        1. yes the problem is on their cloudflare doc I just replace dns.cloudflare.com to cloudflare-dns.com work with pinset and TLS transport

          1. DOES NOT WORK ON MY END

            #Cloudflare

              - address_data: 1.1.1.1
                tls_auth_name: "cloudflare-dns.com"
                tls_pubkey_pinset:
                  - digest: "sha256"
                    value: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=

            STUBBY: Read config from file stubby.yml

            STUBBY: Starting DAEMON....

            Could not schedule query: The context has internal deficiencies

            STUBBY: 1.1.1.1 : Conn opened : TLS - Strict Profile

            STUBBY: 1.1.1.1 : Verify failed : Transport=TLS - *Failure* -  (20) "unable to get local issuer certificate"

            STUBBY: 1.1.1.1 : Conn closed : Transport=TLS - *Failure*

            STUBBY: *FAILURE* no valid transports or upstreams available!

            STUBBY: 1.1.1.1 : Conn closed : TLS - Resps=0, Timeouts=0, Curr_auth=Failed, Keepalive(ms)=0

            STUBBY: 1.1.1.1 : Upstream : TLS - Resps=0, Timeouts=0, Best_auth=Failed

            STUBBY: 1.1.1.1 : Upstream : TLS - Conns=0, Conn_fails=0, Conn_shuts=0, Backoffs=0

            1. try config david more with no pinset

              1. REMOVING PINSET MAKES NO DIFFERENCE


                #Cloudflare
                  - address_data: 1.1.1.1
                    tls_auth_name: "cloudflare-dns.com"


                STUBBY: *FAILURE* no valid transports or upstreams available!

                Could not schedule query: None of the configured upstreams could be used to send queries on the specified transports


                P.S.
                Other TLS resolvers such as unicast.censurfridns.dk work fine.
                Also, Cloudlflare’s DoH server works, so there are no issues with connectivity per se.

                1. I dont know what your problem but my config just something like

                  config

                  log

                  and just work


                  1. Tried your settings, but it does not work on my end.

                    I put stubby.exe and stubby.yml into archive for you to examine, could you try it?

                    1. look like your config is broke

                      try to reinstall stuby

                      this my config from my raspbian I dont have ipv6 network so I leave ipv6 server resolver

                      if you want use my config that only need is just edit listen address then replace default stubby config

                      reference to edit

                      https://github.com/getdnsapi/stubby/blob/develop/stubby.yml.example


                      You need to be careful around whitespaces in yaml file, it's sensitive to it


                      edited wrong upload : https://transfer.sh/N5TkP/stubby.yml

                      1. After trimming #commented parts and changing listen address, our configs appear to be identical, even whitespaces match. Alas, your config doesn’t work either. Hmm, perhaps Stubby’s for Raspberry works somehow differently than Stubby 0.0.2 for Windows 7 does…

                        Also, be aware that your config specifies port 5053 on a separate line which goes against the reference (I quote: “Use <IP_address>@<port> to specify a different port”).


                        1. that strange my stubby windows runing fine

                          stubbywindows

                          this my config stubby windows

                          https://transfer.sh/v8av8/stubby.yml

                          just paste my config to folder stubby and change dns on dhcp windows to 127.0.1.1

                          1. Thanks for your diligent efforts, but it still does not work (downloaded the very YML and changed DHCP exactly to 127.0.1.1), log contains the same errors as before, Apprarently, I am not alone, check Github!

                            1. maybe Sara Dickinson can help or correct me if I wrong

  15. I would add CleanBrowsing Anycast DNS here as well. They support DNSCrypt, DoH and DNS over TLS on port 853.

    https://cleanbrowsing.org/dnsoverhttps

    IPv4 address: 185.228.168.168 and 185.228.168.169

    IPv6 address: 2a0d:2a00:1:: and 2a0d:2a00:2::