Info

A configuration file for Stubby containing a subset of these servers which can all be validated can be found here.

A JSON file with the details of the same subset of servers can be downloaded here.

Note that the Yeti servers use a different root key for DNSSEC! See the Yeti project for more details.

Hosted by
IP addresses
TLS Ports
Hostname for TLS authentication
Base 64 encoded form of SPKI pin(s) for TLS authentication (RFC7858)
Logging
Software
Notes

The following are currently in the default Stubby config file mainly because they have been around longest and are the most stable.
getdnsapi.net

UPDATED on 13th April 2017!

185.49.141.37
2a04:b900:0:100::37

853

getdnsapi.net

foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9S=

Traffic volume only.
Unbound
Surfnet

145.100.185.15
2001:610:1:40ba:145:100:185:15

853

dnsovertls.sinodun.com

62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=

Traffic volume only.
HAProxy + BIND
Only listening on TLS on port 853
(no UDP or TCP on port 53)


Surfnet

145.100.185.16
2001:610:1:40ba:145:100:185:16

853

dnsovertls1.sinodun.com

cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA=

Traffic volume only.
Nginx + BIND
Only listening on TLS on port 853
(no UDP or TCP on port 53)


UncensoredDNS

89.233.43.71 
2a01:3a0:53:53::0

853

unicast.censurfridns.dk

wikE3jYAA6jQmXYTr/rbHeEPmC78dQwZbQp6WdrseEs=

Traffic volume only
See https://blog.uncensoreddns.org/
Other servers with no/minimal logging
Surfnet

145.100.185.17
2001:610:1:40ba:145:100:185:17

853

dnsovertls2.sinodun.com

NAXBESvpjZMnPWQcrxa2KFIkHV/pDEIjRkA3hLWogSg=

None
Traffic volume only

Knot Resolver
Only listening on TLS on port 853
(no UDP or TCP on port 53)

dns1.darkmoon.is

51.15.70.167

853

dns1.darkmoon.is

8sx8niFUiJvMM3C1qLE9cH79TuQQztzMVDtbKjpD/IQ=

Traffic volume only

Unbound

dkg

199.58.81.218
2001:470:1c:76d::53

853

443

53053

dns.cmrg.net

3IOHSS48KOc/zlkKGtI46a9TY9PPKDVGhE3W2ZS4JZo=
5zFN3smRPuHIlM/8L+hANt99LW26T97RFHqHv90awjo=

None.
Knot Resolver

See https://dns.cmrg.net/

Note that on port 443 this server can serve both HTTP 1.1 traffic (to securely access the nameserver credentials) on TLS connections and DNS-over-TLS on separate TLS connections due to some nifty, experimental demultiplexing of traffic, described here. So if port 853 may be blocked then this is a good option.

UncensoredDNS

89.233.43.71 
2a01:3a0:53:53::0

853

unicast.censurfridns.dk

Traffic volume only.

See https://blog.uncensoreddns.org/

securedns.eu

146.185.167.43
2a03:b0c0:0:1010::e9a:3001

853

securedns.eu

sduWN2+EK2c5T/ATd6jqNuc/cdiHAxULzjtPu6CqJR0=

None.
Unbound
Only listening on TLS on port 853
(no UDP or TCP on port 53)


dns-tls.bitwiseshift.net

81.187.221.24
2001:8b0:24:24::24

853

dns-tls.bitwiseshift.net

YmcYWZU5dd2EoblZHNf1jTUPVS+uK3280YYCdz4l4wo=

No logging
See https://dns-resolver.yeti.eu.org/
None

Unbound

Only listening on TLS on port 853
(no UDP or TCP on port 53)

Yeti

2001:4b98:dc2:43:216:3eff:fea9:41a

853

dns-resolver.yeti.eu.org

UPDATED on 26th Jun 2017

YxtXAorQNSo+333ko1ctuXcnpMcplPaOI/GCM+YeMQk=

Yes - see https://dns-resolver.yeti.eu.org/

Unbound


ns1.dnsprivacy.at

94.130.110.185
2a01:4f8:c0c:3c03::2

853

ns1.dnsprivacy.at

vqVQ9TcoR9RDY3TpO0MTXw1YQLjF44zdN3/4PkLwtEY=

None

Unbound


ns2.dnsprivacy.at

94.130.110.178
2a01:4f8:c0c:3bfc::2

853

ns2.dnsprivacy.at

s5Em89o0kigwfBF1gcXWd8zlATSWVXsJ6ecZfmBDTKg=

None

Unbound


Servers with some or no logging, self-signed certs or no support for Strict mode
Go6Lab

2001:67c:27e4::35

853

privacydns.go6lab.si

g5lqtwHia/plKqWU/Fe2Woh4+7MO3d0JYqYJpj/iYAw=

Unknown

Unbound

Lorraine Data Network

80.67.188.188
2001:913::8

853
443

853


WaG0kHUS5N/ny0labz85HZg+v+f0b/UQ73IZjFep0nM=

Logging
Yes, logging at stunnel

stunnel 4 + BIND

See https://ldn-fai.net/serveur-dns-recursif-ouvert/
Self-signed certificate, please use SPKI pinning.

OARC

184.105.193.78
2620:ff:c000:0:1::64:25

853

tls-dns-u.odvr.dns-oarc.net

pOXrpUt9kgPgbWxBFFcBTbRH2heo2wHwXp1fd4AEVXI=

Yes - See OARC website

Unbound

NOTE: As of June 2017 this server does not support Strict Mode because it does not offer the correct cipher suites to match RFC7525 recommendations.

See OARC website

Go6Lab

2001:67c:27e4::35

853

privacydns.go6lab.si

g5lqtwHia/plKqWU/Fe2Woh4+7MO3d0JYqYJpj/iYAw=

Unbound

Only listening on TLS on port 853
(no UDP or TCP on port 53)

NIC Chile

200.1.123.46
2001:1398:1:0:200:1:123:46

853

dnsotls.lab.nic.cl

sG6kj+XJToXwt1M6+9BeCz1SOj/1/mdZn56OZvCyZZc=

Yes, for research purposes

Unbound

Only TLS.

Self-signed certificate, please use SPKI pinning.

dns1.darkmoon.is

51.15.70.167

853

dns1.darkmoon.is

8sx8niFUiJvMM3C1qLE9cH79TuQQztzMVDtbKjpD/IQ=

Traffic volume only.

Unbound

Only listening on TLS on port 853

(no UDP or TCP on port 53)

ns1.dnsprivacy.at

94.130.110.185
2a01:4f8:c0c:3c03::2

853

ns1.dnsprivacy.at

vqVQ9TcoR9RDY3TpO0MTXw1YQLjF44zdN3/4PkLwtEY=

No logging

Only listening on TLS on port 853
(no UDP or TCP on port 53)

ns2.dnsprivacy.at

94.130.110.178
2a01:4f8:c0c:3bfc::2

853

ns2.dnsprivacy.at

s5Em89o0kigwfBF1gcXWd8zlATSWVXsJ6ecZfmBDTKg=

No logging

Only listening on TLS on port 853
(no UDP or TCP on port 53)
Yeti

2001:4b98:dc2:43:216:3eff:fea9:41a

853

dns-resolver.yeti.eu.org

UPDATED on 26th Jun 2017
YxtXAorQNSo+333ko1ctuXcnpMcplPaOI/GCM+YeMQk=

Yes, see Yeti website

Unbound

See https://dns-resolver.yeti.eu.org/

OARC

184.105.193.78
2620:ff:c000:0:1::64:25

853

tls-dns-u.odvr.dns-oarc.net

pOXrpUt9kgPgbWxBFFcBTbRH2heo2wHwXp1fd4AEVXI=

Yes, see OARC website

Unbound

See OARC website

NOTE: As of June 2017 this server does not support Strict Mode because it does not offer the correct cipher suites to match RFC7525 recommendations.

(1) Since the nameserver is behind a proxy, the client IP is not logged inside the nameserver.
