The following servers are configured to support TLS on port 853 for testing purposes.
Live monitoring of these servers can be found on the Test Server Monitoring page.
Note that they are experimental offerings with no guarantees on the lifetime of the service, service level provided. The level of logging may also vary (see the individual websites where available) - the information here about logging has not been verified. Also note that the single SPKI pins published here for many of these servers are subject to change (e.g on Certificate renewal) and should be used with care!! |
A YAML configuration file for Stubby containing a the details of these servers is provided with Stubby and can be found here. This file enables only the subset of servers operated by the stubby/getdns developers by default, users can choose to enable any of the other servers by uncommenting the relevant section (occasionally the file lags this page). Note that the Yeti servers use a different root key for DNSSEC! See the Yeti project for more details |
Quad9It is also known that Quad9 provide service on port 853 for DNS-over-TLS however this is not officially mentioned on their website. |
| Hosted by | IP addresses | TLS Ports | Hostname for TLS authentication | Base 64 encoded form of SPKI pin(s) for TLS authentication (RFC7858) | Logging | Software | Notes |
|---|---|---|---|---|---|---|---|
| 1) The following are currently enabled in the default Stubby config file because they are run by the stubby/getdns developers and have no known issues. | |||||||
| Surfnet | 145.100.185.15 | 853 | dnsovertls.sinodun.com | 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4= | Traffic volume only | HAProxy + BIND | |
| Surfnet | 145.100.185.16 | 853 | dnsovertls1.sinodun.com | cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA= | Traffic volume only | Nginx + BIND | |
| getdnsapi.net | 185.49.141.37 | 853 | getdnsapi.net | foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9S= | Traffic volume only | Unbound | |
| 2) Other servers with no/minimal logging | |||||||
| Quad9 'secure' | 9.9.9.9 | 853 | dns.quad9.net | See https://quad9.net and their FAQ for details of privacy, logging and filtering policies on the main and alternative addresses(1). UDP and TCP service are also available on these addresses. | |||
| Quad9 'insecure' | 9.9.9.10 | 853 | dns.quad9.net | ||||
| UncensoredDNS | 89.233.43.71 | 853 | unicast.censurfridns.dk | wikE3jYAA6jQmXYTr/rbHeEPmC78dQwZbQp6WdrseEs= | Traffic volume only | See https://blog.uncensoreddns.org/ | |
| Surfnet | 145.100.185.18 2001:610:1:40ba:145:100:185:18 | 853 | dnsovertls3.sinodun.com | 5SpFz7JEPzF71hditH1v2dBhSErPUMcLPJx1uk2svT8= | Traffic volume only | HAProxy + BIND | Supports TLS 1.3 and TLS 1.2. We think our stability problems are solved... see here for details. NOTE: This is using OpenSSL master branch, commit 3e524bf. This is using TLS 1.3 draft-23 revision - you may experience interop problems if your client is using an earlier draft implementation. |
| Surfnet | 145.100.185.17 | 853 | dnsovertls2.sinodun.com | NAXBESvpjZMnPWQcrxa2KFIkHV/pDEIjRkA3hLWogSg= | Traffic volume only | Knot Resolver | Has some issues with DNSSEC responses - this is under investigation. |
| dkg | 199.58.81.218 | 853 443 53053 | dns.cmrg.net | 3IOHSS48KOc/zlkKGtI46a9TY9PPKDVGhE3W2ZS4JZo= | None | Knot Resolver | See https://dns.cmrg.net/ Note that on port 443 this server can serve both HTTP 1.1 traffic (to securely access the nameserver credentials) on TLS connections and DNS-over-TLS on separate TLS connections due to some nifty, experimental demultiplexing of traffic, described here. Has some issues with DNSSEC responses - this is under investigation. |
dns.larsdebruin.net (Previously dns1.darkmoon.is) | 51.15.70.167 | 853 | UPDATED on 30 Jan 2018 | UPDATED on 30 Jan 2018 AAT+rHoKx5wQkWhxlfrIybFocBu3RBrPD2/ySwIwmvA= | Traffic volume only | Unbound | |
| securedns.eu | 146.185.167.43 | 853 | securedns.eu | UPDATED on 2nd Nov 2017 | None | Unbound | |
| dns-tls.bitwiseshift.net | 81.187.221.24 | 853 | dns-tls.bitwiseshift.net | YmcYWZU5dd2EoblZHNf1jTUPVS+uK3280YYCdz4l4wo= | None | Unbound | |
| ns1.dnsprivacy.at | 94.130.110.185 2a01:4f8:c0c:3c03::2 | 853 | ns1.dnsprivacy.at | vqVQ9TcoR9RDY3TpO0MTXw1YQLjF44zdN3/4PkLwtEY= | None | Unbound | |
| ns2.dnsprivacy.at | 94.130.110.178 2a01:4f8:c0c:3bfc::2 | 853 | ns2.dnsprivacy.at | s5Em89o0kigwfBF1gcXWd8zlATSWVXsJ6ecZfmBDTKg= | None | Unbound | |
| dns.bitgeek.in (India) | 139.59.51.46 | 853 | dns.bitgeek.in | FndaG4ezEBQs4k0Ya3xt3z4BjFEyQHd7B75nRyP1nTs= | Traffic volume only | Nginx + BIND | |
| Lorraine Data Network | 80.67.188.188 | 853 | WaG0kHUS5N/ny0labz85HZg+v+f0b/UQ73IZjFep0nM= | Traffic volume only | stunnel 4 + BIND | See https://ldn-fai.net/serveur-dns-recursif-ouvert/ (note, logging of IP address at stunnel no longer performed). | |
| dns.neutopia.org | 89.234.186.112 | 853 443 | dns.neutopia.org | wTeXHM8aczvhRSi0cv2qOXkXInoDU+2C+M8MpRyT3OI= | No logging | Knot resolver | |
3) Servers with some logging, self-signed certs or no support for Strict mode | |||||||
| Go6Lab | 2001:67c:27e4::35 | 853 | privacydns.go6lab.si | g5lqtwHia/plKqWU/Fe2Woh4+7MO3d0JYqYJpj/iYAw= | Unknown | Unbound | |
NIC Chile | 200.1.123.46 | 853 | dnsotls.lab.nic.cl | sG6kj+XJToXwt1M6+9BeCz1SOj/1/mdZn56OZvCyZZc= | Yes, for research purposes | Unbound | Self-signed certificate, please use SPKI pinning. |
| Yeti | 2001:4b98:dc2:43:216:3eff:fea9:41a | 853 | dns-resolver.yeti.eu.org | UPDATED on 26th Jun 2017 | Yes, see Yeti website | Unbound | See https://dns-resolver.yeti.eu.org/ |
| OARC | 184.105.193.78 | 853 | tls-dns-u.odvr.dns-oarc.net | pOXrpUt9kgPgbWxBFFcBTbRH2heo2wHwXp1fd4AEVXI= | Yes, see OARC website | Unbound | See OARC website NOTE: As of June 2017 this server does not support Strict Mode because it does not offer the correct cipher suites to match RFC7525 recommendations. |
(1) More details of the service are available in various blogs e.g. see Stephane Bortzmeyer's blog. Note that Quad9 have not announced a SPKI pinset.