DNS Privacy Project


Experimental DNS Privacy Recursive Servers

The following servers are configured to support TLS on port 853 for testing purposes.

Note that these are experimental offerings, with no guarantees on the lifetime of the service or the service level provided. The level of logging may also vary (see the individual websites where available).

Also note that the single SPKI pins published here for many of these servers are subject to change (e.g. on certificate renewal) and should be used with care!

NEW!! Live monitoring of these servers can be found on the Test Server Monitoring page.

A configuration file for stubby containing a subset of these servers which can all be validated can be found here.

A JSON file with the details of the same subset of servers can be downloaded here.

Note that the Yeti servers use a different root key for DNSSEC! See the Yeti project for more details.

| ID | Hosted by | IP addresses | Ports | Hostname for TLS authentication | Base 64 encoded form of SPKI pin(s) for TLS authentication (RFC7858) | Logging | Software | Notes |
|---|---|---|---|---|---|---|---|---|
| 1 | getdnsapi.net (UPDATED on 13th April 2017!) | 185.49.141.37, 2a04:b900:0:100::37 | 853 | getdnsapi.net | foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9S= | Traffic volume only. | Unbound | |
| 2 | Surfnet | 145.100.185.15, 2001:610:1:40ba:145:100:185:15 | 853 | dnsovertls.sinodun.com | 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4= | Traffic volume only. | HAProxy + BIND | Only listening on TLS on port 853 (no UDP or TCP on port 53) |
| 3 | Surfnet | 145.100.185.16, 2001:610:1:40ba:145:100:185:16 | 853 | dnsovertls1.sinodun.com | cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA= | Traffic volume only. | Nginx + BIND | Only listening on TLS on port 853 (no UDP or TCP on port 53) |
| 4 | dkg | 199.58.81.218, 2001:470:1c:76d::53 | 853, 443, 53053 | dns.cmrg.net | 3IOHSS48KOc/zlkKGtI46a9TY9PPKDVGhE3W2ZS4JZo=, 5zFN3smRPuHIlM/8L+hANt99LW26T97RFHqHv90awjo= | None. | Knot Resolver | https://dns.cmrg.net/ Note that on port 443 this server can serve both HTTP 1.1 traffic (to securely access the nameserver credentials) on TLS connections and DNS-over-TLS on separate TLS connections due to some nifty, experimental demultiplexing of traffic, described here. So if port 853 may be blocked then this is a good option. |
| 5 | UncensoredDNS | 89.233.43.71, 2a01:3a0:53:53:: | 853 | unicast.censurfridns.dk | | Traffic volume only. | | See https://blog.uncensoreddns.org/ |
| 6 | securedns.eu | 146.185.167.43, 2a03:b0c0:0:1010::e9a:3001 | 853 | securedns.eu | sduWN2+EK2c5T/ATd6jqNuc/cdiHAxULzjtPu6CqJR0= | None. | Unbound | Only listening on TLS on port 853 (no UDP or TCP on port 53) |
| 7 | Allnetwork (at KINX, South Korea) | 2402:9e80:19::853 (preferred), 103.214.68.144 | 853 | dns-tls.allnetwork.kr | MCMNJ5B/uWd3TOyhQbGOe+PnqYINML29X2bNiTZC9VY= | Traffic volume only | Unbound | UPDATED: As of 1st Oct 2017 this server will no longer be available! Only listening on TLS on port 853 (no UDP or TCP on port 53) |
| 8 | dns-tls.bitwiseshift.net | 81.187.221.24, 2001:8b0:24:24::24 | 853 | dns-tls.bitwiseshift.net | YmcYWZU5dd2EoblZHNf1jTUPVS+uK3280YYCdz4l4wo= | No logging | Unbound | Only listening on TLS on port 853 (no UDP or TCP on port 53) |
| 9 | Yeti | 2001:4b98:dc2:43:216:3eff:fea9:41a | 853 | dns-resolver.yeti.eu.org | YxtXAorQNSo+333ko1ctuXcnpMcplPaOI/GCM+YeMQk= (UPDATED on 26th Jun 2017) | Yes - see https://dns-resolver.yeti.eu.org/ | Unbound | See https://dns-resolver.yeti.eu.org/ |
| 10 | Lorraine Data Network | 80.67.188.188, 2001:913::8 | 853 | | | Logging at stunnel | stunnel 4 + BIND | https://ldn-fai.net/serveur-dns-recursif-ouvert/ Uses a self-signed certificate, no key published |
| 11 | OARC | 184.105.193.78, 2620:ff:c000:0:1::64:25 | 853 | tls-dns-u.odvr.dns-oarc.net | pOXrpUt9kgPgbWxBFFcBTbRH2heo2wHwXp1fd4AEVXI= | Yes - See OARC website | Unbound | NOTE: As of June 2017 this server does not support Strict Mode because it does not offer the correct cipher suites to match RFC7525 recommendations. See OARC website |
| 12 | Go6Lab | 2001:67c:27e4::35 | 853 | privacydns.go6lab.si | g5lqtwHia/plKqWU/Fe2Woh4+7MO3d0JYqYJpj/iYAw= | | Unbound | Only listening on TLS on port 853 (no UDP or TCP on port 53) |

(1) Since the nameserver is behind a proxy, the client IP is not logged inside the nameserver.

