@roge- /dns.md
Last active Aug 19, 2018

Public DNS Servers

DNS.md

A list of reasonably reliable DNS servers that I've personally tested to ensure that they fully support DNSSEC and do not hijack NXDOMAIN responses.

IPv4

| Address | Organization | Location | Service |
| --- | --- | --- | --- |
| 8.8.8.8 | Google | Worldwide (Anycast) | Google Public DNS |
| 8.8.4.4 | Google | Worldwide (Anycast) | Google Public DNS |
| 1.1.1.1 | Cloudflare | Worldwide (Anycast) | 1.1.1.1 Public DNS |
| 1.0.0.1 | Cloudflare | Worldwide (Anycast) | 1.1.1.1 Public DNS |
| 80.80.80.80 | Freenom | Worldwide (Anycast) | Freenom World Public DNS |
| 80.80.81.81 | Freenom | Worldwide (Anycast) | Freenom World Public DNS |
| 9.9.9.10 | Quad9 | Worldwide (Anycast) | Quad9 Unsecure DNS |
| 149.112.112.10 | Quad9 | Worldwide (Anycast) | Quad9 Unsecure DNS |
| 64.6.64.6 | Verisign | United States | Verisign Public DNS |
| 64.6.65.6 | Verisign | United States | Verisign Public DNS |
| 156.154.70.5 | Neustar | United States | Neustar DNS Advantage |
| 156.154.71.5 | Neustar | United States | Neustar DNS Advantage |
| 74.113.60.185 | Lightning Wire Labs | United States | Lightning Wire Labs Public DNS |
| 81.3.27.54 | Lightning Wire Labs | Germany | Lightning Wire Labs Public DNS |
| 194.150.168.168 | Chaos Computer Club | Germany | CCC Public DNS |
| 77.109.148.136 | Xiala | Switzerland | Xiala Public DNS |
| 77.109.148.137 | Xiala | Switzerland | Xiala Public DNS |
| 109.69.8.51 | puntCAT | Spain | puntCAT Public DNS |
| 91.239.100.100 | censurfridns.dk | Europe (Anycast) | UncensoredDNS |
| 89.233.43.71 | censurfridns.dk | Denmark | UncensoredDNS |

IPv6

| Address | Organization | Location | Service |
| --- | --- | --- | --- |
| 2001:4860:4860::8888 | Google | Worldwide (Anycast) | Google Public DNS |
| 2001:4860:4860::8844 | Google | Worldwide (Anycast) | Google Public DNS |
| 2606:4700:4700::1111 | Cloudflare | Worldwide (Anycast) | 1.1.1.1 Public DNS |
| 2606:4700:4700::1001 | Cloudflare | Worldwide (Anycast) | 1.1.1.1 Public DNS |
| 2620:fe::10 | Quad9 | Worldwide (Anycast) | Quad9 Unsecure DNS |
| 2620:74:1b::1:1 | Verisign | United States | Verisign Public DNS |
| 2620:74:1c::2:2 | Verisign | United States | Verisign Public DNS |
| 2610:a1:1018::5 | Neustar | United States | Neustar DNS Advantage |
| 2610:a1:1019::5 | Neustar | United States | Neustar DNS Advantage |
| 2001:470:bbf2:2::1 | Lightning Wire Labs | United States | Lightning Wire Labs Public DNS |
| 2001:1620:2078:137:: | Xiala | Switzerland | Xiala Public DNS |
| 2001:67c:28a4:: | censurfridns.dk | Europe (Anycast) | UncensoredDNS |
| 2a01:3a0:53:53:: | censurfridns.dk | Denmark | UncensoredDNS |

DNS-over-HTTPS

| URI | Organization | Location | Service |
| --- | --- | --- | --- |
| https://dns.google.com/resolve | Google | Worldwide (Load Balanced) | Google Public DNS |
| https://cloudflare-dns.com/dns-query | Cloudflare | Worldwide (Anycast) | 1.1.1.1 Public DNS |

The servers in this list were last tested April 1, 2018. I make no guarantee that they will continue to function in a reliable and compliant manner in the future.

roge- Nov 13, 2017

Got any more DNS resolvers I should test? Leave them here.

roge- Nov 27, 2017

@blackstar257 Quad9's main resolvers will not be added to my list because they are censored. According to their FAQ, Quad9 do offer uncensored DNS servers which I will test and add to the list if they meet my qualifications.

blackstar257 commented Dec 9, 2017

roge- Dec 17, 2017

@blackstar257 All DNS servers in this list have been personally inspected by me and are listed based on what I discover, not on what is advertised. As you can see here, 9.9.9.10 does support DNSSEC.

DiG Screenshot

When I added 9.9.9.10 and 2620:fe::10 to the list I was aware of the claims made on the FAQ page so I emailed Quad9 and I was told that the FAQ page was incorrect.

dol Feb 4, 2018

dns.watch currently has problems. The server has been offline for hours.

philpennock Apr 1, 2018

The Neustar DNS Advantage 156.154.70.1 service does NXDOMAIN interception to put in an error page and so is not clean DNS.
The 156.154.70.5 IP does not tamper with NXDOMAIN.
Docs are at: https://www.security.neustar/dns-services/free-recursive-dns-service

roge- Apr 2, 2018

@philpennock I've removed those servers for now. However, can you figure out the circumstances under which that server will intercept an NXDOMAIN response? I've tried several different queries with and without DNSSEC and could not get a fake response.

I have a feeling this may be similar to the case with Quad9 where the actual documentation is incorrect.
