Few more DNS resolvers w/TLS DNSSEC

I stumbled upon some interesting Public DNS services/resolvers:
Not sure what is their affiliation but they seem to run a similar setup.
unbound (resolver) + [haproxy (dns-over-tls)

I figured I should post it here and see if it’s worth to include in the Wiki

  1. Nixnet DNS

-no logs, DNSSEC, DoT, Uncensored or Adblock is optional, QNAME minimisation
-Anycast or choose 3 servers


Another one is

  1. Lelux

Privacy policy

  1. Snopyta

Privacy policy

1 Like

Thank you for this! I can’t elaborate enough just how wonderful it is to utilize DoT cause it’s just so much better than DoH when it comes to security and reliability.

Here’s mine:

  1. Seby [Australian]

Nixnet is also my personal favorite. I have more to list here but I forgot to update my to-go notes about it - will add more later.

Not that sensitive when it comes to Privacy Policies cause my stance is Security > Privacy. While Privacy is important, it’s not something that you can realistically protect up to 100%.

A note for the uninitiated to DoT:
DoT utilizes port 853 and needs to have inputs on BOTH domain name and ip address fields for it to work so if it isn’t working then it’s either of these two things that you should be looking into.


Are any of the Nixnet servers working for you on port 853?
I keep getting error for few weeks, all Nixnet servers cannot be reached on port 853, but working fine on 53.

; WARNING: connection timeout for
;; ERROR: failed to query server

This DNS provider seems independent.
I will try it out.
Dismail DNS

Edit: Works pretty good and under 170ms
Flags: qr rd ra ad;
however I just noticed that Dismail uses Ad Filtering :frowning_face: which is not recommended.
but here is a dig anyways:

kdig @ +dnssec +bufsize=1232 +tls-ca=/etc/ssl/certs/ca-bundle.crt +tls-hostname=fdns2.dismail.de -d
;; DEBUG: Querying for owner(.), class(1), type(2), server(, port(853), protocol(TCP)
;; DEBUG: TLS, imported 138 certificates from ‘/etc/ssl/certs/ca-bundle.crt’
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG: #1, CN=fdns2.dismail.de
;; DEBUG: SHA-256 PIN: ;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted.
;; TLS session (TLS1.2)-(ECDHE-X25519)-(RSA-SHA256)-(CHACHA20-POLY1305)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 11106
;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 14; AUTHORITY: 0; ADDITIONAL: 1

;; Version: 0; flags: do; UDP size: 4096 B; ext-rcode: NOERROR

;; From in 155.6 ms

1 Like

I think I figured out why the Nixnet is not responding to my DoT requests. My IPS is blocking it; Emerging Threats 2500010

Name: ET COMPROMISED Known Compromised or Hostile Host Traffic group 6
Priority: 2
Type: Misc Attack
IP Info: 
SID: 2500010
1 Like