Skip to content

Instantly share code, notes, and snippets.

@roge

roge/dns.md

Last active August 6, 2023 07:32
Show Gist options
  • Save roge/e7d926a3b3551a0f3769 to your computer and use it in GitHub Desktop.
Save roge/e7d926a3b3551a0f3769 to your computer and use it in GitHub Desktop.
Download ZIP
Public DNS Servers
Raw
dns.md

DNS.md

A list of reasonably reliable DNS servers that I've personally tested to ensure that they fully support DNSSEC and do not hijack NXDOMAIN responses.

IPv4

Address Organization Location Service
8.8.8.8 Google Worldwide (Anycast) Google Public DNS
8.8.4.4 Google Worldwide (Anycast) Google Public DNS
1.1.1.1 Cloudflare Worldwide (Anycast) 1.1.1.1 Public DNS
1.0.0.1 Cloudflare Worldwide (Anycast) 1.1.1.1 Public DNS
80.80.80.80 Freenom Worldwide (Anycast) Freenom World Public DNS
80.80.81.81 Freenom Worldwide (Anycast) Freenom World Public DNS
9.9.9.10 Quad9 Worldwide (Anycast) Quad9 Unsecure DNS
149.112.112.10 Quad9 Worldwide (Anycast) Quad9 Unsecure DNS
64.6.64.6 Verisign United States Verisign Public DNS
64.6.65.6 Verisign United States Verisign Public DNS
156.154.70.5 Neustar United States Neustar DNS Advantage
156.154.71.5 Neustar United States Neustar DNS Advantage
74.113.60.185 Lightning Wire Labs United States Lightning Wire Labs Public DNS
81.3.27.54 Lightning Wire Labs Germany Lightning Wire Labs Public DNS
194.150.168.168 Chaos Computer Club Germany CCC Public DNS
77.109.148.136 Xiala Switzerland Xiala Public DNS
77.109.148.137 Xiala Switzerland Xiala Public DNS
109.69.8.51 puntCAT Spain puntCAT Public DNS
91.239.100.100 censurfridns.dk Europe (Anycast) UncensoredDNS
89.233.43.71 censurfridns.dk Denmark UncensoredDNS

IPv6

Address Organization Location Service
2001:4860:4860::8888 Google Worldwide (Anycast) Google Public DNS
2001:4860:4860::8844 Google Worldwide (Anycast) Google Public DNS
2606:4700:4700::1111 Cloudflare Worldwide (Anycast) 1.1.1.1 Public DNS
2606:4700:4700::1001 Cloudflare Worldwide (Anycast) 1.1.1.1 Public DNS
2620:fe::10 Quad9 Worldwide (Anycast) Quad9 Unsecure DNS
2620:74:1b::1:1 Verisign United States Verisign Public DNS
2620:74:1c::2:2 Verisign United States Verisign Public DNS
2610:a1:1018::5 Neustar United States Neustar DNS Advantage
2610:a1:1019::5 Neustar United States Neustar DNS Advantage
2001:470:bbf2:2::1 Lightning Wire Labs United States Lightning Wire Labs Public DNS
2001:1620:2078:137:: Xiala Switzerland Xiala Public DNS
2001:67c:28a4:: censurfridns.dk Europe (Anycast) UncensoredDNS
2a01:3a0:53:53:: censurfridns.dk Denmark UncensoredDNS

DNS-over-HTTPS

URI Organization Location Service
https://dns.google.com/resolve Google Worldwide (Load Balanced) Google Public DNS
https://cloudflare-dns.com/dns-query Cloudflare Worldwide (Anycast) 1.1.1.1 Public DNS

The servers in this list were last tested April 1, 2018. I make no guarantee that they will continue to function in a reliable and compliant manner in the future.

@roge
Copy link
Author

roge commented Nov 13, 2017

Got any more DNS resolvers I should test? Leave them here.

@roge
Copy link
Author

roge commented Nov 27, 2017

@blackstar257 Quad9's main resolvers will not be added to my list because they are censored. According to their FAQ, Quad9 do offer uncensored DNS servers which I will test and add to the list if they meet my qualifications.

@blackstar257
Copy link

9.9.9.10 doesn't support DNSSEC
Neither does their IPv6 https://quad9.net/#/faq#is-there-ipv6-support-for-quad9
https://quad9.net/#/faq#does-quad9-implement-dnssec

@roge
Copy link
Author

roge commented Dec 17, 2017
edited

@blackstar257 All DNS servers in this list have been personally inspected by me and are listed based on what I discover, not on what is advertised. As you can see here, 9.9.9.10 does support DNSSEC.

DiG Screenshot

When I added 9.9.9.10 and 2620:fe::10 to the list I was aware of the claims made on the FAQ page so I emailed Quad9 and I was told that the FAQ page was incorrect.

@dol
Copy link

dol commented Feb 4, 2018

dns.watch has currently problems. Server offline since hours.

@philpennock
Copy link

The Neustar DNS Advantage 156.154.70.1 service does NXDOMAIN interception to put in an error page and so is not clean DNS.
The 156.154.70.5 IP does not tamper with NXDOMAIN.
Docs are at: https://www.security.neustar/dns-services/free-recursive-dns-service

@roge
Copy link
Author

roge commented Apr 2, 2018

@philpennock I've removed those servers for now. However, can you figure out the circumstances under which that server will intercept an NXDOMAIN response? I've tried several different queries with and without DNSSEC and could not get a fake response.

I have a feeling this may be similar to the case with Quad9 where the actual documentation is incorrect.

@mishamosher
Copy link

There is also a secondary IPv6 server from Quad9, 2620:fe::fe:10

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment