The following servers are configured to support TLS on port 853 and STARTTLS on port 53 for testing purposes.
Public Test resolver
Hosted by the getdns API implementation project at getdnsapi.net (Unbound 1.5.6):
- IP address: 18.104.22.168 and 2a04:b900:0:100::38
- Note this server does not support UDP without DNS Cookies (RFC7873)
- Also note the server does not yet support EDNS0 TCP Keepalive (RFC7828) or out-of-order response processing (RFC7766)
Authoritative test server hosted by Verisign Labs:
- Verisign Labs are kindly hosting a test zone on a server (running a patched version of NSD):
  - The zone is named dns-over-tls.verisignlabs.com and it has A, AAAA, and TXT records for names from 'L001' to 'L100'.
  - The IP address of the server is currently 22.214.171.124.
  - Server key file is available to download here: nsd.key
  - The zone is signed.
- This server also supports:
  - TCP fast open
  - concurrent processing of TCP queries (RFC7766)
|Server type||Hosted by||IP addresses||Server key||Hostname for TLS authentication||SPKI pin for TLS authentication (RFC7858)|
|Public Test Resolver||getdnsapi.net|
starttls.verisignlabs.com [Note that this is a self-signed certificate so does not pass authentication by default.]
How to Decode TLS packets in Wireshark