Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Hosted byIP addressesPortsHostname for TLS
authentication
Base 64 encoded form of SPKI pin(s) for TLS
authentication (RFC7858)
LoggingSoftwareNotes
getdnsapi.net

UPDATED on 13th April 2017!

185.49.141.37

2a04:b900:0:100::37

853getdnsapi.net

foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9S=

Traffic volume only.Unbound
Surfnet

145.100.185.15

2001:610:1:40ba:145:100:185:15

853dnsovertls.sinodun.com

62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=

Traffic volume only.HAProxy + BIND

Only listening on TLS on port 853

(no UDP or TCP on port 53)

Surfnet

145.100.185.16

2001:610:1:40ba:145:100:185:16

853dnsovertls1.sinodun.com

cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA=

Traffic volume only.Nginx + BIND

Only listening on TLS on port 853

(no UDP or TCP on port 53)

Surfnet

145.100.185.17

2001:610:1:40ba:145:100:185:17

853dnsovertls2.sinodun.comNAXBESvpjZMnPWQcrxa2KFIkHV/pDEIjRkA3hLWogSg=NoneKnot Resolver

Only listening on TLS on port 853

(no UDP or TCP on port 53)

dkg

199.58.81.218

2001:470:1c:76d::53

853

443

53053

dns.cmrg.net

3IOHSS48KOc/zlkKGtI46a9TY9PPKDVGhE3W2ZS4JZo=

5zFN3smRPuHIlM/8L+hANt99LW26T97RFHqHv90awjo=

None.Knot Resolver

https://dns.cmrg.net/

Note that on port 443 this server can serve both HTTP 1.1 traffic (to securely access the nameserver credentials) on TLS connections and DNS-over-TLS on separate TLS connections due to some nifty, experimental demultiplexing of traffic, described here. So if port 853 may be blocked then this is a good option.

UncensoredDNS

89.233.43.71 

2a01:3a0:53:53::0

853

unicast.censurfridns.dk


Traffic volume only.
See https://blog.uncensoreddns.org/
securedns.eu

146.185.167.43

2a03:b0c0:0:1010::e9a:3001

853securedns.eusduWN2+EK2c5T/ATd6jqNuc/cdiHAxULzjtPu6CqJR0=None.Unbound

Only listening on TLS on port 853

(no UDP or TCP on port 53)

dns-tls.bitwiseshift.net

81.187.221.24

2001:8b0:24:24::24

853dns-tls.bitwiseshift.netYmcYWZU5dd2EoblZHNf1jTUPVS+uK3280YYCdz4l4wo=No loggingUnbound

Only listening on TLS on port 853

(no UDP or TCP on port 53)

Yeti

2001:4b98:dc2:43:216:3eff:fea9:41a

853

dns-resolver.yeti.eu.org

UPDATED on 26th Jun 2017

YxtXAorQNSo+333ko1ctuXcnpMcplPaOI/GCM+YeMQk=

Yes - see https://dns-resolver.yeti.eu.org/UnboundSee https://dns-resolver.yeti.eu.org/
Lorraine Data Network

80.67.188.188

2001:913::8

853

Logging at stunnelstunnel 4 + BIND

https://ldn-fai.net/serveur-dns-recursif-ouvert/

Uses a self-signed certificate, no key published

OARC

184.105.193.78

2620:ff:c000:0:1::64:25

853

tls-dns-u.odvr.dns-oarc.net

pOXrpUt9kgPgbWxBFFcBTbRH2heo2wHwXp1fd4AEVXI=

Yes - See OARC websiteUnbound

NOTE: As of June 2017 this server does not support Strict Mode because it does not offer the correct cipher suites to match RFC7525 recommendations.

See OARC website

Go6Lab2001:67c:27e4::35853privacydns.go6lab.sig5lqtwHia/plKqWU/Fe2Woh4+7MO3d0JYqYJpj/iYAw=
Unbound

Only listening on TLS on port 853

(no UDP or TCP on port 53)

NIC Chile

200.1.123.46

2001:1398:1:0:200:1:123:46

853

dnsotls.lab.nic.cl

sG6kj+XJToXwt1M6+9BeCz1SOj/1/mdZn56OZvCyZZc=

Yes, for research purposes

Unbound

Only TLS. Self-signed certificate, please use SPKI pinning.

dns1.darkmoon.is51.15.70.167853dns1.darkmoon.is8sx8niFUiJvMM3C1qLE9cH79TuQQztzMVDtbKjpD/IQ=Traffic volume only.Unbound

Only listening on TLS on port 853

(no UDP or TCP on port 53)

ns1.dnsprivacy.at94.130.110.178
2a01:4f8:c0c:3c03::2
853ns1.dnsprivacy.atvqVQ9TcoR9RDY3TpO0MTXw1YQLjF44zdN3/4PkLwtEY=No logging

ns2.dnsprivacy.at94.130.110.185
2a01:4f8:c0c:3bfc::2
853ns2.dnsprivacy.ats5Em89o0kigwfBF1gcXWd8zlATSWVXsJ6ecZfmBDTKg=No logging

(1) Since the nameserver is behind a proxy the client IP is not logged inside the nameserver

...