Versions Compared

Old Version 115

changes.mady.by.user Sara Dickinson

Saved on

compared with

New Version Current

changes.mady.by.user Sara Dickinson

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Table of Contents

Public resolvers

Tip
Public Resolvers: Several large organisations have announce DNS Privacy

...

Servers

...

The following servers are configured to support TLS on port 853 for testing purposes.

...

- see DNS Privacy Public Resolvers
  • Quad9 (9.9.9.9) and Cloudflare (1.1.1.1) offer DNS-over-TLS on port 853
  • DOH servers are also currently listed on that page

Experimental DNS Privacy Recursive Servers

Button
TitleLive Monitoring Dashboard
URLhttps://dnsprivacy.org/jenkins/job/dnsprivacy-monitoring/
 Button
TitleLive Traffic Graphs
URLhttps://dnsprivacy.org/wiki/display/DP/Live+Traffic+Levels
 Button
TitleMap of server locations
URLhttps://dnsprivacy.org/wiki/display/DP/Map+of+test+server+locations
DoH servers
These are currently listed on the DNS Privacy Public Resolvers page and also the list maintained on the curl wiki. For any servers below with the note 'also does DoH' check these pages or the website of the service for the DoH endpoint.
DoT servers
The following servers are experimental DNS-over-TLS servers.
info
 Warning
Note that they are experimental offerings (mainly by individuals/small organisations) with no guarantees on the lifetime of the service, service level provided. The level of logging may also vary (see the individual websites where available) - the information here about logging has not been verified.  Also note that the single SPKI pins published here for many of these servers are subject to change (e.g on Certificate renewal) and should be used with care!!

Oct 2020: The list below has been updated to retain only those servers that appear to still be actively maintained
Stubby
A YAML configuration file for Stubby containing a the details of these servers is provided with Stubby 
...
and can be found here. This file enables only the subset of servers operated by the stubby/getdns developers by default, users can choose to enable any of the other servers by uncommenting the relevant section (occasionally the file lags this page).
Note that the Yeti servers use a different root key for DNSSEC! See the Yeti project for more details
 Tip
Quad9
It is also known that Quad9 provide service on port 853 for DNS-over-TLS however this is not officially mentioned on their website.
Servers run by the Stubby developers
Hosted byIP addressesTLS PortsHostname for TLS
authentication		Base 64 encoded form of SPKI pin(s) for TLS 
authentication (RFC7858)		TLSA record publishedLoggingSoftwareNotes
1) The following are currently enabled in the default Stubby config file because they are run by the stubby/getdns developers and have no known issues.
Sinodun/Surfnet145.100.185.15
2001:610:1:40ba:145:100:185:15		853
443		dnsovertls.sinodun.com62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=
YTraffic volume onlyHAProxy + BIND 9.12See https://www.sinodun.com/recursive-operator-privacy-statement-rps/
Sinodun1/Surfnet145.100.185.16
2001:610:1:40ba:145:100:185:16		853
443		dnsovertls1.sinodun.comcE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA=
YTraffic volume onlyNginx + BIND 9.12See https://www.sinodun.com/recursive-operator-privacy-statement-rps/
getdnsapi.net185.49.141.37
2a04:b900:0:100::37		853getdnsapi.netfoxZRnIh9gZpWnl+
zEiKa0EJ2rdCGroMWm02gaxSc9S
zEiKa0EJ2rdCGroMWm02gaxSc9Q=

YTraffic volume onlyUnbound
2) 

Other servers with a 'no 
...
 logging
...
' policy
Hosted byIP addressesTLS PortsHostname for TLS
authentication		Base 64 encoded form of SPKI pin(s) for TLS 
authentication (RFC7858)		TLSA record publishedLoggingSoftwareNotes
UncensoredDNS89.233.43.71 
2a01:3a0:53:53::0		853unicast.censurfridns.dkwikE3jYAA6jQmXYTr/rbHeEPmC78dQwZbQp6WdrseEs=
(also see this file for a full set of pins)		YTraffic volume only
See https://blog.uncensoreddns.org/
Fondation RESTENA 
(NREN for Luxemburg)
158.64.1.29
2001:a18:1::29
853kaitain.restena.lu7ftvIkA+UeN/ktVkovd/7rPZ6mbkhVI7/8HnFJIiLa4=
Traffic volume onlyUnboundConfigured with qname-minimisation, use-caps-for-id, aggressive-nsec,
prefetch, harden-below-nxdomain and the newest auth-zone for local root
zone caching.
Sinodun3/Surfnet145.100.185.18
2001:610:1:40ba:145:100:185:18		853dnsovertls3.sinodun.com5SpFz7JEPzF71hditH1v2dBhSErPUMcLPJx1uk2svT8=YTraffic volume onlyHAProxy + BIND 
Supports TLS 1.3 and TLS 1.2. We think our stability problems are solved... see here for details. NOTE: This is using OpenSSL master branch, commit 3e524bf. This is using TLS 1.3 draft-23 revision - you may experience interop problems if your client is using an earlier draft implementation. 
9.12See https://www.sinodun.com/recursive-operator-privacy-statement-rps/
Sinodun4/Surfnet145.100.185.17
2001:610:1:40ba:145:100:185:17		853dnsovertls2.sinodun.comNAXBESvpjZMnPWQcrxa2KFIkHV/pDEIjRkA3hLWogSg=YTraffic volume onlyKnot Resolver
Has some issues with DNSSEC responses - this is under investigation.
See https://www.sinodun.com/recursive-operator-privacy-statement-rps/
dkg199.58.81.218
2001:470:1c:76d::53		853 443
53053
dns.cmrg.net3IOHSS48KOc/zlkKGtI46a9TY9PPKDVGhE3W2ZS4JZo=
5zFN3smRPuHIlM/8L+hANt99LW26T97RFHqHv90awjo=
NoneKnot ResolverSee https://dns.cmrg.net/ Note that on port 443 this server can serve both HTTP 1.1 traffic (to securely access the nameserver credentials) on TLS connections and DNS-over-TLS on separate TLS connections due to some nifty, experimental demultiplexing of traffic, described here.
Has some issues with DNSSEC responses - this is under investigation.
dns.larsdebruin.net (Previously dns1.darkmoon.is)
51.15.70.167853UPDATED on 30 Jan 2018 
dns.larsdebruin.net
UPDATED on 30 Jan 2018 AAT+rHoKx5wQkWhxlfrIybFocBu3RBrPD2/ySwIwmvA=
Traffic volume onlyUnboundsecuredns.eu
146.185.167.43
2a03:b0c0:0:1010::e9a:3001
853securedns.eu
UPDATED on 2nd Nov 2017
2EfbwDyk2zSnAbBJSpCSWZKKGUD+a6p/yg2bxdC+x2A=
NoneUnbounddns-tls.bitwiseshift.net
81.187.221.24
2001:8b0:24:24::24
853dns-tls.bitwiseshift.netYmcYWZU5dd2EoblZHNf1jTUPVS+uK3280YYCdz4l4wo=NoneUnboundns1.dnsprivacy.at94.130.110.185
2a01:4f8:c0c:3c03::2853ns1.dnsprivacy.atvqVQ9TcoR9RDY3TpO0MTXw1YQLjF44zdN3/4PkLwtEY=NoneUnbound
See https://dnsprivacy.at/
ns2.dnsprivacy.at94.130.110.178
2a01:4f8:c0c:3bfc::2853ns2.dnsprivacy.ats5Em89o0kigwfBF1gcXWd8zlATSWVXsJ6ecZfmBDTKg=NoneUnbounddns.bitgeek.in (India)139.59.51.46853dns.bitgeek.inFndaG4ezEBQs4k0Ya3xt3z4BjFEyQHd7B75nRyP1nTs=Traffic volume onlyNginx + BINDLorraine Data Network
80.67.188.188
2001:913::8
853
443
WaG0kHUS5N/ny0labz85HZg+v+f0b/UQ73IZjFep0nM=
Traffic volume onlystunnel 4 + BIND
See https://ldn-fai.net/serveur-dns-recursif-ouvert/ (note, logging of IP address at stunnel no longer performed).
The host name is ns0.ldn-fai.net however a self-signed certificate with common name of the IP address is used, so SPKI pinning is recommended. 
3) Servers with some logging, self-signed certs or no support for Strict mode
Go6Lab2001:67c:27e4::35853privacydns.go6lab.sig5lqtwHia/plKqWU/Fe2Woh4+7MO3d0JYqYJpj/iYAw=UnknownUnbound
NIC Chile
200.1.123.46
2001:1398:1:0:200:1:123:46
853
dnsotls.lab.nic.cl
sG6kj+XJToXwt1M6+9BeCz1SOj/1/mdZn56OZvCyZZc=
Yes, for research purposes
Unbound
Self-signed certificate, please use SPKI pinning.
Yeti
2001:4b98:dc2:43:216:3eff:fea9:41a
853
dns-resolver.yeti.eu.org
UPDATED on 26th Jun 2017
YxtXAorQNSo+333ko1ctuXcnpMcplPaOI/GCM+YeMQk=
Yes, see Yeti websiteUnboundSee https://dns-resolver.yeti.eu.org/OARC
184.105.193.78
2620:ff:c000:0:1::64:25
853
tls-dns-u.odvr.dns-oarc.net
pOXrpUt9kgPgbWxBFFcBTbRH2heo2wHwXp1fd4AEVXI=
Yes, see OARC websiteUnbound
See OARC website NOTE: As of June 2017 this server does not support Strict Mode because it does not offer the correct cipher suites to match RFC7525 recommendations.
...
Lorraine Data Network80.67.188.188
2001:913::8		853
443
WaG0kHUS5N/ny0labz85HZg+v+f0b/UQ73IZjFep0nM=
Traffic volume onlystunnel 4 + BINDSee https://ldn-fai.net/serveur-dns-recursif-ouvert/ (note, logging of IP address at stunnel no longer performed).
A self-signed certificate is used, so SPKI pinning is must be used. 
dns.neutopia.org89.234.186.112
2a00:5884:8209::2		853
443		dns.neutopia.orgwTeXHM8aczvhRSi0cv2qOXkXInoDU+2C+M8MpRyT3OI=
No loggingKnot resolver
BlahDNS108.61.201.119
2001:19f0:7001:1ded:5400:01ff:fe90:945b
853
443
dot-jp.blahdns.com

No logging
https://blahdns.com/
NOTE1: Located in Japan. Also does DoH.
NOTE2: Note that port 443 REQUIRES an authentication name
UPDATED 22nd JAN 2018: note the authentication name has changed
BlahDNS159.69.198.101
2a01:4f8:1c1c:6b4b::1
853
443
dot-de.blahdns.com

No logging
https://blahdns.com/
NOTE1: Located in Frankfurt. Also does DoH.
NOTE2: Note that port 443 REQUIRES an authentication name
Go6Lab2001:67c:27e4::35853privacydns.go6lab.sig5lqtwHia/plKqWU/Fe2Woh4+7MO3d0JYqYJpj/iYAw=
No loggingUnbound
Secure DNS Project by PumpleX51.38.83.141
2001:41d0:801:2000::d64		853dns.oszx.coP/Auj1pm8MiUpeIxGcrEuMJOQV+pgPY0MR4awpclvT4=
No logging
https://dns.oszx.co
NOTE1: Also does DoH and dnscrypt
NOTE2: Performs ad blocking
Foundation for Applied Privacy146.255.56.98
2a01:4f8:c0c:83ed::1
853
443
dot1.applied-privacy.net
YOnly aggregated logging, no PIIunbound
DETAILS UPDATED 14th Sep 2020
https://appliedprivacy.net/services/dns/
NOTE: Also does DoH and has an .onion endpoint
ibksturm.synology.me
178.82.102.190
853ibksturm.synology.me

No loggingnginx + unbound
https://github.com/ibksturm/dnscrypt-switzerland
NOTE: Also does DoH and dnscrypt
no filters, opennic root copy
dismail.de
159.69.114.157
2a01:4f8:c17:739a::2 
853fdns2.dismail.deyJYDim2Wb6tbxUB3yA5ElU/FsRZZhyMXye8sXhKEd1w=
No logging
https://dismail.de/info.html#dns
dismail.de80.241.218.68
2a02:c205:3001:4558::1
853fdns1.dismail.deMMi3E2HZr5A5GL+badqe3tzEPCB00+OmApZqJakbqUU=
No logging
https://dismail.de/info.html#dns
Servers with minimal logging/limitations
These servers use some logging, self-signed certs or no support for Strict mode.
Hosted byIP addressesTLS PortsHostname for TLS
authentication		Base 64 encoded form of SPKI pin(s) for TLS 
authentication (RFC7858)		TLSA record publishedLoggingSoftwareNotes
NIC Chile

200.1.123.46
2001:1398:1:0:200:1:123:46		853dnsotls.lab.nic.cl pUd9cZpbm9H8ws0tB55m9BXW4TrD4GZfBAB0ppCziBg=YYes, for research purposesUnboundDetails updated 18th Sept - now uses Let's encrypt cert