Experimental DNS Privacy Recursive Servers
The following servers are configured to support TLS on port 853 for testing purposes.
Note that they are experimental offerings with no guarantees on the lifetime of the service or the service level provided. The level of logging may also vary (see the individual websites where available).
Also note that the single SPKI pins published here for many of these servers are subject to change (e.g. on certificate renewal) and should be used with care!!
NEW!! Live monitoring of these servers can be found on the Test Server Monitoring page.
A configuration file for Stubby containing a subset of these servers which can all be validated can be found here.
A JSON file with the details of the same subset of servers can be downloaded here.
Note that the Yeti servers use a different root key for DNSSEC! See the Yeti project for more details.
Hosted by | IP addresses | TLS Ports | Hostname for TLS authentication | Base 64 encoded form of SPKI pin(s) for TLS authentication (RFC7858) | Logging | Software | Notes |
---|---|---|---|---|---|---|---|
The following are currently in the default Stubby config file mainly because they have been around longest and are the most stable. | | | | | | | |
getdnsapi.net | 185.49.141.37 | 853 | getdnsapi.net | foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9S= | Traffic volume only | Unbound | |
Surfnet | 145.100.185.15 | 853 | dnsovertls.sinodun.com | 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4= | Traffic volume only | HAProxy + BIND | |
Surfnet | 145.100.185.16 | 853 | dnsovertls1.sinodun.com | cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA= | Traffic volume only | Nginx + BIND | |
UncensoredDNS | 89.233.43.71 | 853 | unicast.censurfridns.dk | wikE3jYAA6jQmXYTr/rbHeEPmC78dQwZbQp6WdrseEs= | Traffic volume only | See https://blog.uncensoreddns.org/ | |
Other servers with no/minimal logging | | | | | | | |
Surfnet | 145.100.185.17 | 853 | dnsovertls2.sinodun.com | NAXBESvpjZMnPWQcrxa2KFIkHV/pDEIjRkA3hLWogSg= | Traffic volume only | Knot Resolver | |
dns1.darkmoon.is | 51.15.70.167 | 853 | dns1.darkmoon.is | 8sx8niFUiJvMM3C1qLE9cH79TuQQztzMVDtbKjpD/IQ= | Traffic volume only | Unbound | |
dkg | 199.58.81.218 | 853 443 53053 | dns.cmrg.net | 3IOHSS48KOc/zlkKGtI46a9TY9PPKDVGhE3W2ZS4JZo= | None | Knot Resolver | See https://dns.cmrg.net/ Note that on port 443 this server can serve both HTTP 1.1 traffic (to securely access the nameserver credentials) on TLS connections and DNS-over-TLS on separate TLS connections due to some nifty, experimental demultiplexing of traffic, described here. |
securedns.eu | 146.185.167.43 | 853 | securedns.eu | sduWN2+EK2c5T/ATd6jqNuc/cdiHAxULzjtPu6CqJR0= | None | Unbound | |
dns-tls.bitwiseshift.net | 81.187.221.24 | 853 | dns-tls.bitwiseshift.net | YmcYWZU5dd2EoblZHNf1jTUPVS+uK3280YYCdz4l4wo= | None | Unbound | |
ns1.dnsprivacy.at | 94.130.110.185 2a01:4f8:c0c:3c03::2 | 853 | ns1.dnsprivacy.at | vqVQ9TcoR9RDY3TpO0MTXw1YQLjF44zdN3/4PkLwtEY= | None | Unbound | |
ns2.dnsprivacy.at | 94.130.110.178 2a01:4f8:c0c:3bfc::2 | 853 | ns2.dnsprivacy.at | s5Em89o0kigwfBF1gcXWd8zlATSWVXsJ6ecZfmBDTKg= | None | Unbound | |
Servers with some or no logging, self-signed certs or no support for Strict mode | | | | | | | |
Go6Lab | 2001:67c:27e4::35 | 853 | privacydns.go6lab.si | g5lqtwHia/plKqWU/Fe2Woh4+7MO3d0JYqYJpj/iYAw= | Unknown | Unbound | |
Lorraine Data Network | 80.67.188.188 | 853 | | WaG0kHUS5N/ny0labz85HZg+v+f0b/UQ73IZjFep0nM= | Yes, logging at stunnel | stunnel 4 + BIND | See https://ldn-fai.net/serveur-dns-recursif-ouvert/ |
NIC Chile | 200.1.123.46 | 853 | dnsotls.lab.nic.cl | sG6kj+XJToXwt1M6+9BeCz1SOj/1/mdZn56OZvCyZZc= | Yes, for research purposes | Unbound | Self-signed certificate, please use SPKI pinning. |
Yeti | 2001:4b98:dc2:43:216:3eff:fea9:41a | 853 | dns-resolver.yeti.eu.org | UPDATED on 26th Jun 2017 | Yes, see Yeti website | Unbound | See https://dns-resolver.yeti.eu.org/ |
OARC | 184.105.193.78 | 853 | tls-dns-u.odvr.dns-oarc.net | pOXrpUt9kgPgbWxBFFcBTbRH2heo2wHwXp1fd4AEVXI= | Yes, see OARC website | Unbound | See OARC website NOTE: As of June 2017 this server does not support Strict Mode because it does not offer the correct cipher suites to match RFC7525 recommendations. |
(1) Since the nameserver is behind a proxy the client IP is not logged inside the nameserver