Page History
Table of Contents |
---|
Public resolvers
Tip |
---|
Public Resolvers: Several large organisations have announce DNS Privacy Servers - see DNS Privacy Public Resolvers
|
Experimental DNS Privacy Recursive Servers
Button | ||||
---|---|---|---|---|
| ||||
Button | ||||
---|---|---|---|---|
| ||||
Button |
---|
...
| ||||
DoH servers
These are currently listed on the DNS Privacy Public Resolvers page and also the list maintained on the curl wiki. For any servers below with the note 'also does DoH' check these pages or the website of the service for the DoH endpoint.
DoT servers
The following servers are experimental DNS-over-TLS servers.
Warning |
---|
Note that they are experimental offerings (mainly by individuals/small organisations) with no guarantees on the lifetime of the service, service level provided. The level of logging may also vary (see the individual websites where available) .- the information here about logging has not been verified. Also note that the single SPKI pins published here for many of these servers are subject to change (e.g on Certificate renewal) and should be used with care!! |
Tip |
---|
NEW!! Live monitoring of these servers can be found on the Test Server Monitoring page |
Info |
---|
A configuration file for stubby containing a subset of these servers which can all be validated Oct 2020: The list below has been updated to retain only those servers that appear to still be actively maintained |
Stubby
A YAML configuration file for Stubby containing a the details of these servers is provided with Stubby and can be found here.
...
A JSON file with the details of the same subset of servers can be downloaded here.
...
This file enables only the subset of servers operated by the stubby/getdns developers by default, users can choose to enable any of the other servers by uncommenting the relevant section (occasionally the file lags this page).
Servers run by the Stubby developers
Hosted by | IP addresses | TLS Ports | Hostname for TLS authentication | Base 64 encoded form of SPKI pin(s) for TLS authentication (RFC7858) | TLSA record published | Logging | Software | Notes |
---|
UPDATED on 13th April 2017!
185.49.141.37
2a04:b900:0:100::37
1) The following are currently enabled in the default Stubby config file because they are run by the stubby/getdns developers and have no known issues. | ||||||||
Sinodun/Surfnet | 145.100.185.15 2001:610:1:40ba:145:100:185:15 | 853 443 | dnsovertls.sinodun.com | 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4= | Y | Traffic volume only | HAProxy + BIND 9.12 | See https://www.sinodun.com/recursive-operator-privacy-statement-rps/ |
Sinodun1/Surfnet | 145.100.185. |
16 2001:610:1:40ba:145:100:185: |
16 | 853 |
443 | dnsovertls1.sinodun.com |
cE2ecALeE5B+ |
urJhDrJlVFmf38cJLAvqekONvjvpqUA= | Y | Traffic volume only | Nginx + BIND 9. |
Only listening on TLS on port 853
(no UDP or TCP on port 53)
12 | See https://www.sinodun.com/recursive-operator-privacy-statement-rps/ | |||||||
getdnsapi.net | 185.49.141.37 2a04:b900:0:100::37 | 853 | getdnsapi.net | foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q= | Y | Traffic volume only | Unbound |
Other servers with a 'no logging' policy
Hosted by | IP addresses | TLS Ports | Hostname for TLS authentication | Base 64 encoded form of SPKI pin(s) for TLS authentication (RFC7858) | TLSA record published | Logging | Software | Notes |
UncensoredDNS | 89.233.43.71 2a01:3a0:53:53::0 | 853 | unicast.censurfridns.dk | wikE3jYAA6jQmXYTr/rbHeEPmC78dQwZbQp6WdrseEs= (also see this file for a full set of pins) | Y | Traffic volume only | See https://blog.uncensoreddns.org/ | |
Fondation RESTENA | 158.64.1.29 | 853 | kaitain.restena.lu | 7ftvIkA+UeN/ktVkovd/7rPZ6mbkhVI7/8HnFJIiLa4= | Traffic volume only | Unbound | Configured with qname-minimisation, use-caps-for-id, aggressive-nsec, prefetch, harden-below-nxdomain and the newest auth-zone for local root | |
Sinodun3/Surfnet | 145.100.185. |
18 2001:610:1:40ba:145:100:185: |
18 | 853 |
dnsovertls3.sinodun.com |
5SpFz7JEPzF71hditH1v2dBhSErPUMcLPJx1uk2svT8= | Y | Traffic volume only |
HAProxy + BIND |
Only listening on TLS on port 853
(no UDP or TCP on port 53)
9.12 | See https://www.sinodun.com/recursive-operator-privacy-statement-rps/ | ||||
Sinodun4/Surfnet | 145.100.185.17 2001:610:1:40ba:145:100:185:17 | 853 | dnsovertls2.sinodun.com | NAXBESvpjZMnPWQcrxa2KFIkHV/pDEIjRkA3hLWogSg= | Y |
Traffic volume only | Knot Resolver |
Only listening on TLS on port 853
(no UDP or TCP on port 53)See https://www.sinodun.com/recursive-operator-privacy-statement-rps/ | ||
dkg | 199.58.81.218 2001:470:1c:76d::53 | 853 |
443 |
dns.cmrg.net | 3IOHSS48KOc/zlkKGtI46a9TY9PPKDVGhE3W2ZS4JZo= 5zFN3smRPuHIlM/8L+hANt99LW26T97RFHqHv90awjo= | None |
Knot Resolver | See https://dns.cmrg.net/ |
Note that on port 443 this server can serve both HTTP 1.1 traffic (to securely access the nameserver credentials) on TLS connections and DNS-over-TLS on separate TLS connections due to some nifty, experimental demultiplexing of traffic, described here. |
89.233.43.71
2a01:3a0:53:53::0
unicast.censurfridns.dk
146.185.167.43
2a03:b0c0:0:1010::e9a:3001
Only listening on TLS on port 853
(no UDP or TCP on port 53)
81.187.221.24
2001:8b0:24:24::24
Only listening on TLS on port 853
(no UDP or TCP on port 53)
2001:4b98:dc2:43:216:3eff:fea9:41a
dns-resolver.yeti.eu.org
UPDATED on 26th Jun 2017
YxtXAorQNSo+333ko1ctuXcnpMcplPaOI/GCM+YeMQk=
80.67.188.188
2001:913::8
https://ldn-fai.net/serveur-dns-recursif-ouvert/
Uses a self-signed certificate, no key published
184.105.193.78
2620:ff:c000:0:1::64:25
tls-dns-u.odvr.dns-oarc.net
pOXrpUt9kgPgbWxBFFcBTbRH2heo2wHwXp1fd4AEVXI=
NOTE: As of June 2017 this server does not support Strict Mode because it does not offer the correct cipher suites to match RFC7525 recommendations.
Only listening on TLS on port 853
(no UDP or TCP on port 53)
Has some issues with DNSSEC responses - this is under investigation. | ||||||||
Lorraine Data Network | 80.67.188.188 2001:913::8 | 853 443 | WaG0kHUS5N/ny0labz85HZg+v+f0b/UQ73IZjFep0nM= | Traffic volume only | stunnel 4 + BIND | See https://ldn-fai.net/serveur-dns-recursif-ouvert/ (note, logging of IP address at stunnel no longer performed). A self-signed certificate is used, so SPKI pinning is must be used. | ||
dns.neutopia.org | 89.234.186.112 2a00:5884:8209::2 | 853 443 | dns.neutopia.org | wTeXHM8aczvhRSi0cv2qOXkXInoDU+2C+M8MpRyT3OI= | No logging | Knot resolver | ||
BlahDNS | 108.61.201.119 2001:19f0:7001:1ded:5400:01ff:fe90:945b | 853 | dot-jp.blahdns.com | No logging | NOTE1: Located in Japan. Also does DoH. UPDATED 22nd JAN 2018: note the authentication name has changed | |||
BlahDNS | 159.69.198.101 2a01:4f8:1c1c:6b4b::1 | 853 | dot-de.blahdns.com | No logging | NOTE1: Located in Frankfurt. Also does DoH. | |||
Go6Lab | 2001:67c:27e4::35 | 853 | privacydns.go6lab.si | g5lqtwHia/plKqWU/Fe2Woh4+7MO3d0JYqYJpj/iYAw= | No logging | Unbound | ||
Secure DNS Project by PumpleX | 51.38.83.141 2001:41d0:801:2000::d64 | 853 | dns.oszx.co | P/Auj1pm8MiUpeIxGcrEuMJOQV+pgPY0MR4awpclvT4= | No logging | https://dns.oszx.co NOTE1: Also does DoH and dnscrypt NOTE2: Performs ad blocking | ||
Foundation for Applied Privacy | 146.255.56.98 2a01:4f8:c0c:83ed::1 | 853 | dot1.applied-privacy.net | Y | Only aggregated logging, no PII | unbound | DETAILS UPDATED 14th Sep 2020 https://appliedprivacy.net/services/dns/ NOTE: Also does DoH and has an .onion endpoint | |
ibksturm.synology.me | 178.82.102.190 | 853 | ibksturm.synology.me | No logging | nginx + unbound | https://github.com/ibksturm/dnscrypt-switzerland NOTE: Also does DoH and dnscrypt | ||
dismail.de | 159.69.114.157 | 853 | fdns2.dismail.de | yJYDim2Wb6tbxUB3yA5ElU/FsRZZhyMXye8sXhKEd1w= | No logging | https://dismail.de/info.html#dns | ||
dismail.de | 80.241.218.68 2a02:c205:3001:4558::1 | 853 | fdns1.dismail.de | MMi3E2HZr5A5GL+badqe3tzEPCB00+OmApZqJakbqUU= | No logging | https://dismail.de/info.html#dns |
Servers with minimal logging/limitations
These servers use some logging, self-signed certs or no support for Strict mode.
Hosted by | IP addresses | TLS Ports | Hostname for TLS authentication | Base 64 encoded form of SPKI pin(s) for TLS authentication (RFC7858) | TLSA record published | Logging | Software | Notes |
NIC Chile | 200.1.123.46 2001:1398:1:0:200:1:123:46 | 853 | dnsotls.lab.nic.cl |
pUd9cZpbm9H8ws0tB55m9BXW4TrD4GZfBAB0ppCziBg= | Y | Yes, for research purposes | Unbound |
Only TLS. Self-signed certificate, please use SPKI pinning.
Only listening on TLS on port 853
(no UDP or TCP on port 53)
...
Details updated 18th Sept - now uses Let's encrypt cert |