Skip to content

Instantly share code, notes, and snippets.

@InAnimaTe

InAnimaTe/dns.md Secret

Last active May 29, 2023 16:19
  • Star 3 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
Star You must be signed in to star a gist
Embed
What would you like to do?
Learn more about clone URLs
Download ZIP
Best DNS Servers
Raw
dns.md

Public DNS Resolvers

Breakdown of the top Public DNS Resolvers and their features, especially as it relates to security.

Cloudflare - "Malware Blocking"

Malware blocking, EDNS, DNSoTLS, DNSSEC

  • 1.1.1.2
  • 1.0.0.2

Quad9 - "EDNS Enabled"

Malicious blocking, EDNS, DNSoTLS+DNSCrypt, DNSSEC

  • 9.9.9.11
  • 149.112.112.11

OpenDNS - Main Resolvers

EDNS, DNSCrypt, DNSSEC, SmartCache (last known good)

  • 208.67.222.222 (resolver1.opendns.com)
  • 208.67.220.220 (resolver2.opendns.com)

Google

EDNS, DNSoTLS, DNSSEC

  • 8.8.8.8
  • 8.8.4.4

Family DNS - Blocking Malware + Adult Content

Cloudflare 1.1.1.1 for Families

  • 1.1.1.3
  • 1.0.0.3

DoH - https://family.cloudflare-dns.com/dns-query

OpenDNS FamilyShield

  • 208.67.222.123
  • 208.67.220.123

DoH - https://doh.familyshield.opendns.com/dns-query

Adguard Family Protection

  • 94.140.14.15
  • 94.140.15.16

DoH - https://family.adguard-dns.com/dns-query

Two Encryption Technologies

DNS over TLS

DNSCrypt

For Android

I've recently started using AdGuard on my Android device. It supports DNS over TLS/HTTPS servers with parallelization.

Here's the servers I use via their Custom Server option:

sdns://AQAAAAAAAAAADjIwOC42Ny4yMjAuMjIwILc1EUAgbyJdPivYItf9aR6hwzzI1maNDL4Ev6vKQ_t5GzIuZG5zY3J5cHQtY2VydC5vcGVuZG5zLmNvbQ
tls://1.1.1.2
tls://dns11.quad9.net
tls://dns.google

In order, these are:

  1. OpenDNS w/DNSCrypt (see Adguard Known Servers List)
  2. Cloudflare "Block Malicious" DNS-over-TLS
  3. Quad9 Block Malicious, DNSSEC, EDNS DNS-over-TLS
  4. Google DNS-over-TLS
@InAnimaTe
Copy link
Author

See also, https://techsmix.net/dnscrypt-on-the-edgerouter-lite/

@InAnimaTe
Copy link
Author

See these for information on setting up more secure resolving on Mac:

@InAnimaTe
Copy link
Author

For performance information, see https://www.dnsperf.com/

@StevenACoffman
Copy link

Nice! I always get tangled up trying to pick between dnsmasq, knot-resolver, etc. Any thoughts?

@InAnimaTe
Copy link
Author

I've got pretty deep experience with dnsmasq which has always been incredibly simple and reliable. I've only just recently heard of knot-resolver and hear its the goto when doing DNSoTLS on Mac. I'll share more when I actually get that working but for now I'm just more focused on ensuring I'm using multiple strong resolvers on my gateways (and possibly finding a way to append/tail on Mac just like resolveconf offers on linux).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment