Versions Compared

Old Version 111

changes.mady.by.user Sara Dickinson

Saved on

compared with

New Version 112

changes.mady.by.user Sara Dickinson

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Hosted byIP addressesTLS PortsHostname for TLS
authentication		Base 64 encoded form of SPKI pin(s) for TLS
authentication (RFC7858)		LoggingSoftwareNotes
1) The following are currently enabled in the default Stubby config file because they are run by the stubby/getdns developers and have no known issues.
Surfnet

145.100.185.15
2001:610:1:40ba:145:100:185:15

853
443

dnsovertls.sinodun.com

62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=

Traffic volume onlyHAProxy + BIND


Surfnet

145.100.185.16
2001:610:1:40ba:145:100:185:16

853
443

dnsovertls1.sinodun.com

cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA=

Traffic volume onlyNginx + BIND


getdnsapi.net

185.49.141.37
2a04:b900:0:100::37

853getdnsapi.net

foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9S=

Traffic volume onlyUnbound
2) Other servers with no/minimal logging
Quad99.9.9.9853dns.quad9.net


See https://quad9.net for details of privacy and filtering policies and alternative addresses(1). UDP and TCP service are also available on this address.
UncensoredDNS

89.233.43.71 
2a01:3a0:53:53::0

853

unicast.censurfridns.dk

wikE3jYAA6jQmXYTr/rbHeEPmC78dQwZbQp6WdrseEs=Traffic volume only
See https://blog.uncensoreddns.org/
Surfnet145.100.185.18
2001:610:1:40ba:145:100:185:18		853dnsovertls3.sinodun.com

5SpFz7JEPzF71hditH1v2dBhSErPUMcLPJx1uk2svT8=

Traffic volume onlyHAProxy + BINDSupports TLS 1.3 and TLS 1.2. We think our stability problems are solved... see here for details. NOTE: This is using OpenSSL master branch, commit 3e524bf. Currently this This is using TLS 1.3 draft-23 revision - you may experience interop problems if your client is using an earlier draft implementation.
Surfnet

145.100.185.17
2001:610:1:40ba:145:100:185:17

853dnsovertls2.sinodun.comNAXBESvpjZMnPWQcrxa2KFIkHV/pDEIjRkA3hLWogSg=Traffic volume onlyKnot ResolverHas some issues with DNSSEC responses - this is under investigation. Temporarily turned on verbose logs to debug. (Also - stability issues noted with Knot)
dkg

199.58.81.218
2001:470:1c:76d::53

853 443

53053

dns.cmrg.net

3IOHSS48KOc/zlkKGtI46a9TY9PPKDVGhE3W2ZS4JZo=
5zFN3smRPuHIlM/8L+hANt99LW26T97RFHqHv90awjo=

NoneKnot Resolver

See https://dns.cmrg.net/ Note that on port 443 this server can serve both HTTP 1.1 traffic (to securely access the nameserver credentials) on TLS connections and DNS-over-TLS on separate TLS connections due to some nifty, experimental demultiplexing of traffic, described here.

Has some issues with DNSSEC responses - this is under investigation. (Also - stability issues noted with Knot)

dns1.darkmoon.is51.15.70.167853dns1.darkmoon.is8sx8niFUiJvMM3C1qLE9cH79TuQQztzMVDtbKjpD/IQ=Traffic volume onlyUnbound
securedns.eu

146.185.167.43
2a03:b0c0:0:1010::e9a:3001

853securedns.eu

UPDATED on 2nd Nov 2017

2EfbwDyk2zSnAbBJSpCSWZKKGUD+a6p/yg2bxdC+x2A=

NoneUnbound


dns-tls.bitwiseshift.net

81.187.221.24
2001:8b0:24:24::24

853dns-tls.bitwiseshift.netYmcYWZU5dd2EoblZHNf1jTUPVS+uK3280YYCdz4l4wo=NoneUnbound


ns1.dnsprivacy.at94.130.110.185
2a01:4f8:c0c:3c03::2		853ns1.dnsprivacy.atvqVQ9TcoR9RDY3TpO0MTXw1YQLjF44zdN3/4PkLwtEY=NoneUnbound

See https://dnsprivacy.at/

ns2.dnsprivacy.at94.130.110.178
2a01:4f8:c0c:3bfc::2		853ns2.dnsprivacy.ats5Em89o0kigwfBF1gcXWd8zlATSWVXsJ6ecZfmBDTKg=NoneUnbound


dns.bitgeek.in (India)139.59.51.46853dns.bitgeek.inFndaG4ezEBQs4k0Ya3xt3z4BjFEyQHd7B75nRyP1nTs=Traffic volume onlyNginx + BIND
Lorraine Data Network

80.67.188.188
2001:913::8

853
443


WaG0kHUS5N/ny0labz85HZg+v+f0b/UQ73IZjFep0nM=

Traffic volume onlystunnel 4 + BIND

See https://ldn-fai.net/serveur-dns-recursif-ouvert/ (note, logging of IP address at stunnel no longer performed).
The host name is ns0.ldn-fai.net however a self-signed certificate with common name of the IP address is used, so SPKI pinning is recommended.

3) Servers with some logging, self-signed certs or no support for Strict mode

Go6Lab2001:67c:27e4::35853privacydns.go6lab.sig5lqtwHia/plKqWU/Fe2Woh4+7MO3d0JYqYJpj/iYAw=UnknownUnbound

NIC Chile

200.1.123.46
2001:1398:1:0:200:1:123:46

853

dnsotls.lab.nic.cl

sG6kj+XJToXwt1M6+9BeCz1SOj/1/mdZn56OZvCyZZc=

Yes, for research purposes

Unbound

Self-signed certificate, please use SPKI pinning.

Yeti

2001:4b98:dc2:43:216:3eff:fea9:41a

853

dns-resolver.yeti.eu.org

UPDATED on 26th Jun 2017
YxtXAorQNSo+333ko1ctuXcnpMcplPaOI/GCM+YeMQk=

Yes, see Yeti websiteUnboundSee https://dns-resolver.yeti.eu.org/
OARC

184.105.193.78
2620:ff:c000:0:1::64:25

853

tls-dns-u.odvr.dns-oarc.net

pOXrpUt9kgPgbWxBFFcBTbRH2heo2wHwXp1fd4AEVXI=

Yes, see OARC websiteUnbound

See OARC website NOTE: As of June 2017 this server does not support Strict Mode because it does not offer the correct cipher suites to match RFC7525 recommendations.

...