You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 92 Next »

Experimental DNS Privacy Recursive Servers

The following servers are configured to support TLS on port 853 for testing purposes.

Note that they are experimental offerings with no guarantees on the lifetime of the service, service level provided. The level of logging may also vary (see the individual websites where available) - the information here has not been verified.

Also note that the single SPKI pins published here for many of these servers are subject to change (e.g on Certificate renewal) and should be used with care!!

NEW!! Live monitoring of these servers can be found on the Test Server Monitoring page

A configuration file for Stubby containing a subset of these servers which can all be validated can be found here.

Note that the Yeti servers use a different root key for DNSSEC! See the Yeti project for more details

Hosted byIP addressesTLS PortsHostname for TLS
authentication
Base 64 encoded form of SPKI pin(s) for TLS
authentication (RFC7858)
LoggingSoftwareNotes
The following are currently in the default Stubby config file mainly because they have been around longest, perform no logging and are the most stable.
getdnsapi.net

185.49.141.37
2a04:b900:0:100::37

853getdnsapi.net

foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9S=

Traffic volume onlyUnbound
Surfnet

145.100.185.15
2001:610:1:40ba:145:100:185:15

853dnsovertls.sinodun.com

62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=

Traffic volume onlyHAProxy + BIND


Surfnet

145.100.185.16
2001:610:1:40ba:145:100:185:16

853dnsovertls1.sinodun.com

cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA=

Traffic volume onlyNginx + BIND


UncensoredDNS

89.233.43.71 
2a01:3a0:53:53::0

853

unicast.censurfridns.dk

wikE3jYAA6jQmXYTr/rbHeEPmC78dQwZbQp6WdrseEs=Traffic volume only
See https://blog.uncensoreddns.org/
Other servers with no/minimal logging
Surfnet

145.100.185.17
2001:610:1:40ba:145:100:185:17

853dnsovertls2.sinodun.comNAXBESvpjZMnPWQcrxa2KFIkHV/pDEIjRkA3hLWogSg=Traffic volume onlyKnot Resolver
dns1.darkmoon.is51.15.70.167853dns1.darkmoon.is8sx8niFUiJvMM3C1qLE9cH79TuQQztzMVDtbKjpD/IQ=Traffic volume onlyUnbound
dkg

199.58.81.218
2001:470:1c:76d::53

853 443

53053

dns.cmrg.net

3IOHSS48KOc/zlkKGtI46a9TY9PPKDVGhE3W2ZS4JZo=
5zFN3smRPuHIlM/8L+hANt99LW26T97RFHqHv90awjo=

NoneKnot Resolver

See https://dns.cmrg.net/ Note that on port 443 this server can serve both HTTP 1.1 traffic (to securely access the nameserver credentials) on TLS connections and DNS-over-TLS on separate TLS connections due to some nifty, experimental demultiplexing of traffic, described here.

securedns.eu

146.185.167.43
2a03:b0c0:0:1010::e9a:3001

853securedns.eusduWN2+EK2c5T/ATd6jqNuc/cdiHAxULzjtPu6CqJR0=NoneUnbound


dns-tls.bitwiseshift.net

81.187.221.24
2001:8b0:24:24::24

853dns-tls.bitwiseshift.netYmcYWZU5dd2EoblZHNf1jTUPVS+uK3280YYCdz4l4wo=NoneUnbound


ns1.dnsprivacy.at94.130.110.185
2a01:4f8:c0c:3c03::2
853ns1.dnsprivacy.atvqVQ9TcoR9RDY3TpO0MTXw1YQLjF44zdN3/4PkLwtEY=NoneUnbound

See https://dnsprivacy.at/

ns2.dnsprivacy.at94.130.110.178
2a01:4f8:c0c:3bfc::2
853ns2.dnsprivacy.ats5Em89o0kigwfBF1gcXWd8zlATSWVXsJ6ecZfmBDTKg=NoneUnbound


Servers with some logging, self-signed certs or no support for Strict mode

Go6Lab2001:67c:27e4::35853privacydns.go6lab.sig5lqtwHia/plKqWU/Fe2Woh4+7MO3d0JYqYJpj/iYAw=UnknownUnbound
Lorraine Data Network

80.67.188.188
2001:913::8

853
443


WaG0kHUS5N/ny0labz85HZg+v+f0b/UQ73IZjFep0nM=

Yes, logging at stunnelstunnel 4 + BIND

See https://ldn-fai.net/serveur-dns-recursif-ouvert/
The host name is ns0.ldn-fai.net however a self-signed certificate with common name of the IP address is used, so SPKI pinning is recommended.

NIC Chile

200.1.123.46
2001:1398:1:0:200:1:123:46

853

dnsotls.lab.nic.cl

sG6kj+XJToXwt1M6+9BeCz1SOj/1/mdZn56OZvCyZZc=

Yes, for research purposes

Unbound

Self-signed certificate, please use SPKI pinning.

Yeti

2001:4b98:dc2:43:216:3eff:fea9:41a

853

dns-resolver.yeti.eu.org

UPDATED on 26th Jun 2017
YxtXAorQNSo+333ko1ctuXcnpMcplPaOI/GCM+YeMQk=

Yes, see Yeti websiteUnboundSee https://dns-resolver.yeti.eu.org/
OARC

184.105.193.78
2620:ff:c000:0:1::64:25

853

tls-dns-u.odvr.dns-oarc.net

pOXrpUt9kgPgbWxBFFcBTbRH2heo2wHwXp1fd4AEVXI=

Yes, see OARC websiteUnbound

See OARC website NOTE: As of June 2017 this server does not support Strict Mode because it does not offer the correct cipher suites to match RFC7525 recommendations.

(1) Since the nameserver is behind a proxy the client IP is not logged inside the nameserver


  • No labels