List of DNS Servers

You guys are aware of our list of publicly available DNS servers: https://wiki.ipfire.org/dns/public-servers

It has many visitors even from outside the project. Since we are getting closer to releasing Core Update 141, I updated the list and made a couple of changes:

  • I moved all providers which are unusable to the bottom. We do not need to care about them. They do not understand DNS and do not care about security. So that is that.
  • Then I removed OpenNIC which was very outdated. There seems to be high fluctuation in their DNS servers and I am not sure if we should recommend using them. They are mainly another list of those servers and they are all configured differently without guaranteeing a certain service level. I consider that unusable.
  • I then added the DNS-over-TLS hostnames, because those are needed for using TLS with IPFire. We want to have them at hand. Weirdly there are not many of them.

I would like you to review my changes. We should consider linking any other lists as well, and we should add more independent organisations that run DNS servers (ideally with TLS).

I would also like to ask everyone to remove any screenshots with the “usual suspects” (Google and Cloudflare) configured. I really do not think that we should encourage people to give their data away to those companies. The decision is theirs to make, but too many people use screenshots as an example.

6 Likes

Hi Michael,
regarding DNS-over-TLS, I use the list from DNS Privacy. This is a test-server list, but I have used some of them for more than a year now without problems. The DNS Privacy Public Resolvers point to the old suspects, and I do not use them even though they are stable. I can link the list and/or I can adapt the IPFire DNS list with the ones that have worked for me for several months?

Best,

Erik

1 Like

Hi,

I just did that: I added some of my working DoT-servers…

Hope it helps.

Best,
Matthias

1 Like

I guess if they think they are only for testing we should accept that and not list them as production.

I also do not think that we should copy a full list from somewhere else, because then we would have to keep it updated once a day. We can simply link the list. Other people might prefer other servers and that is fine.

But add what you think makes sense… Just make sure you can keep it up to date as well.

There was OpenNIC listed and I tested some random IP addresses from the list and they wouldn’t respond. Therefore our list needs to be good first of all instead of long.

Hi all,
I have now added some of my stable ones (GetDNS, Kaitan, DNS Switch, Neutopia, Secure DNS). I have seen that Sinodun (under the Surfnet category, 145.100.185.15 and 145.100.185.16) is also listed, which works only from time to time; currently it does not work (connection timeout).

Possibly not a good candidate for the list?

Best,

Erik

1 Like

Hi,

the DNS list from Mike Kuketz can be found here:

Maybe something for the Wiki.

Cheers

Hi,

thanks for updating the wiki.

Thanks @ms too.

Hi all,
I have now deleted

NL   2001:610:1:40ba:145:100:185:15 / 145.100.185.15   dnsovertls.sinodun.com
NL   2001:610:1:40ba:145:100:185:16 / 145.100.185.16   dnsovertls1.sinodun.com

since they are permanently down. Someone said that QNAME minimisation is causing this --> https://www.heise.de/forum/c-t/Kommentare-zu-c-t-Artikeln/Domain-Name-Service-Datenschutz-selbstgebaut/dns-over-TLS-Surfnet-ist-down/posting-31640290/show/, but even without it they do not work.

@ms
should we also include providers which filter ad, tracker and malware domains? There are some of them out there which also support DoT; some of them publish their filter lists, e.g. --> https://dismail.de/info.html#dns, and some of them do not, so they may also not be the best candidates to add to the list? If we include them, I think we would then need another category.

Best,

Erik

No, we simply cannot. They will not properly do DNSSEC.

If they refuse to send a reply, or send a fake reply for a signed zone, then unbound will send SERVFAIL to the client. The filtering will work, sort of, but only because DNSSEC is breaking.

So, even 9.9.9.10 will not be an option, although 9.9.9.9 and probably 9.9.9.10 perform DNSSEC validation on the upstream side.
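As an added example (not from this thread or the IPFire project), a small Python script that checks an upstream the way unbound's DNSSEC handling implies: a correctly signed name should come back with the AD flag set, and a name with a deliberately broken signature should come back as SERVFAIL, while a filtering resolver that fakes an answer fails one of the two. The sample responses are constructed header bytes; the query builder, the UDP helper and the test names are assumptions about how one would run it live, not anything the thread specifies.

```python
import socket
import struct

NOERROR, SERVFAIL = 0, 2
AD_FLAG = 0x0020  # "Authenticated Data" bit in the DNS header flags

def build_query(name, qtype=1, qid=0x1234):
    """DNS query for `name` with EDNS0 and the DO bit set, so that a
    validating upstream returns RRSIGs and may set the AD flag."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD set, 1 question, 1 additional
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
    opt_rr = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0)  # OPT RR, DO bit in TTL field
    return header + qname + struct.pack("!HH", qtype, 1) + opt_rr

def classify_response(msg):
    """Classify a raw DNS response by its header flags alone:
    'validated' (NOERROR + AD), 'unvalidated' (NOERROR, no AD),
    'servfail' (RCODE 2) or 'error' (too short / other RCODE)."""
    if len(msg) < 12:
        return "error"
    _qid, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    if rcode == SERVFAIL:
        return "servfail"
    if rcode != NOERROR:
        return "error"
    return "validated" if flags & AD_FLAG else "unvalidated"

def upstream_is_usable(signed_resp, bogus_resp):
    """An upstream suitable for IPFire's validating unbound answers a correctly
    signed name with AD set and refuses a name with a broken signature with
    SERVFAIL. A resolver that fakes or filters answers fails one of the two."""
    return (classify_response(signed_resp) == "validated"
            and classify_response(bogus_resp) == "servfail")

def query_udp(server, name, timeout=3.0):
    """Hypothetical live check (not exercised offline): send the query to
    `server` on UDP/53 and return the raw response bytes."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return s.recv(4096)

# Constructed sample responses (header only; classify_response reads nothing else).
RESP_VALIDATED = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1)  # QR RD RA AD, NOERROR
RESP_SERVFAIL = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 1)   # QR RD RA, RCODE=2
RESP_FAKE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)       # NOERROR, but no AD
```

A live run would compare `query_udp(server, "<signed-name>")` against `query_udp(server, "<broken-signature-name>")` with names of your own choosing; the placeholders are not real test zones.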

Important point.

EDIT:

In that case I think we have everything in the list except dismail.de.

Somebody added https://dns.cmrg.net.

Why should I trust this organisation? Who is it even?

This was me --> https://wiki.ipfire.org/dns/public-servers?action=diff&a=2020-02-07T22:49:21.942973&b=2020-02-11T17:10:27.966737 because it works, I think since I started with DoT over a year ago, but indeed it is difficult to say who it is. Even though it is widely findable (it can even be found in RFC 8467 https://ietf.org/rfc/rfc8467.html#section-7.1 ), also in a paper on "Empirical DNS padding policy" --> https://dns.cmrg.net/ndss2017-dprive-empirical-DNS-traffic-size.pdf (aclu.org leads to no reference at first glance) or --> https://nlnetlabs.nl/downloads/presentations/trustworthy-privacy-enabling-resolver.pdf#page=9, it is not really clear who it is.

Should we clean such ones out? Or, in other words, how can we trust such organisations?

Best,

Erik

I am not really saying that we should remove it. I am just saying that it was not obvious to me who was behind it.

I have a blog article which I am planning to release next week which tries to give people some guideline on which provider to choose. In summary it says that people should find an organisation that they trust and use their servers. For example, if you trust Google, use their DNS servers. Most people probably won’t so there is a list of others without a marketing department…

1 Like

To be honest, this is the case for me for all of them (cue Cloudflare “terminates services”), except Lightningwirelabs :-).

Great idea. Since the new IPFire features bring a new perspective on the whole DNS topic to the users with the Core 141 release, in my opinion this might be really helpful.

Best,

Erik

nice list, kudos!

These providers are not suitable for use with IPFire because they do not support DNSSEC.

wouldn’t it be better to remove this part then?

A couple of months ago I tested some DNS providers and kicked censurfridns.dk due to bad entropy in port distribution and anti-spoofing safety (Screenshot).

May I ask why you did not add dismail to the list? (Screenshot)

Hi all,

because dismail filters ad, tracker and malware domains, which leads to problems with DNSSEC, as stated above.

Best,

Erik

Did you report this to them?

Is there any tracking on the ipfire.org DNS server? And maybe sort the list: a list for servers that do not track and a second list for servers like Cloudflare and Google (with tracking).

The link to “Please consider carefully” is 404.

/edit: typos fixed

No, our server does not perform any kind of tracking and we do not log anything either.

This post isn’t released yet. Probably will happen this Wednesday.