List of DNS Servers

You guys are aware of our list of publicly available DNS servers: https://wiki.ipfire.org/dns/public-servers

It has many visitors even from outside the project. Since we are getting closer to release Core Update 141, I updated the list and made a couple of changes:

  • I moved all providers which are unusable to the bottom. We do not need to care about them. They do not understand DNS and do not care about security. So that is that.
  • Then I removed OpenNIC which was very outdated. There seems to be high fluctuation in their DNS servers and I am not sure if we should recommend using them. They are mainly another list of those servers and they are all configured differently without guaranteeing a certain service level. I consider that unusable.
  • I then added the DNS-over-TLS hostnames, because those are needed for using TLS with IPFire. We want to have them at hand. Weirdly there are not many of them.

I would like you to review my changes. We should consider to link any other lists as well and we should add more independent organisations that run DNS servers (ideally with TLS).

I would also like to ask everyone to remove any screenshots with the “usual suspects” configured. Google and Cloudflare. I really do not think that we should encourage people to give their data away to those companies. The decision is theirs to make, but too many people use screenshots as an example.

4 Likes

Hi Michael,
according to DNS-over-TLS, i use the list from DNS privacy this is a Test-Server list but i use some of them since more then a year now without problems. The DNS Privacy Public Resolvers points to the old suspects and i do not use them even they are stable. I can link the list or/and i can adapt the IPFire DNS list with that one´s which works for me since several months ?

Best,

Erik

1 Like

Hi,

I just did that: I added some of my working DoT-servers…

Hope it helps.

Best,
Matthias

1 Like

I guess if they think they are only for testing we should accept that and not list them as production.

I also do not think that we should copy a full list from somewhere else, because then we would have to keep it updated once a day. We can simply link the list. Other people might prefer other servers and that is fine.

But add what you think makes sense… Just make sure you can keep it up to date as well.

There was OpenNIC listed and I tested some random IP addresses from the list and they wouldn’t respond. Therefore our list needs to be good first of all instead of long.

Hi all,
have added now some of my stable ones (GetDNS, Kaitan, DNS Switch, Neutopia, Secure DNS). Have seen that Sinodun (under the Surfnet categorie 145.100.185.15 and 145.100.185.16) is also listed which works only from time to time, currently it works not (connection time out).

Possibly not a good candidate for the list ?

Best,

Erik

1 Like

Hi,

there is the DNS list from Mike Kuketz to be found here:

Maybe something for the Wiki.

Cheers

Hi,

thanks for updating the wiki.

Thanks @ms too.

Hi all,
have deleted now

NL 	2001:610:1:40ba:145:100:185:15 / 145.100.185.15 	dnsovertls.sinodun.com
NL 	2001:610:1:40ba:145:100:185:16 / 145.100.185.16     dnsovertls1.sinodun.com

since there are permanently down. Someone said that this are causing QNAME-minimaisation --> https://www.heise.de/forum/c-t/Kommentare-zu-c-t-Artikeln/Domain-Name-Service-Datenschutz-selbstgebaut/dns-over-TLS-Surfnet-ist-down/posting-31640290/show/ but also without they do not work.

@ms
should we also include providers which filters Ad-, Tracker- and Malware domains ? There are some of them out there which supports also DoT, some of them deliver their filter lists e.g. --> https://dismail.de/info.html#dns some of them not so may also not the best candidates to add to the list ? In case of including them, i think we would need then another category.

Best,

Erik

No, we simply cannot. They will not properly do DNSSEC.

If they refuse to send a reply, or send a fake reply for a signed zone, then unbound will send SERVFAIL to the client. The filtering will work, sort of, but because of DNSSEC breaking.

So, even 9.9.9.10 will not be an option, although 9.9.9.9 and probably 9.9.9.10 perform DNSSEC validation on the upstream side.

Important point.

EDIT:

In that case i think we have all in the list except dismail.de

Somebody added https://dns.cmrg.net.

Why should I trust this organisation? Who is it even?

This was me --> https://wiki.ipfire.org/dns/public-servers?action=diff&a=2020-02-07T22:49:21.942973&b=2020-02-11T17:10:27.966737 cause it works, i think since i started with DoT over a year ago, but indeed, difficult to say who it is. Even it is widely findable (can find it even on rfc8467 https://ietf.org/rfc/rfc8467.html#section-7.1 ) also in a paper for "Empirical DNS padding policy --> https://dns.cmrg.net/ndss2017-dprive-empirical-DNS-traffic-size.pdf (aclu.org leads to no reference at the first glance) or --> https://nlnetlabs.nl/downloads/presentations/trustworthy-privacy-enabling-resolver.pdf#page=9 it is not really clear who it is.

Should we clean such out ? Or in other words, how can we trust such organisations ?

Best,

Erik

I am not really saying that we should remove it. I am just saying that it was not obvious to me who was behind it.

I have a blog article which I am planning to release next week which tries to give people some guideline on which provider to choose. In summary it says that people should find an organisation that they trust and use their servers. For example, if you trust Google, use their DNS servers. Most people probably won’t so there is a list of others without a marketing department…

To be honest, this is the case for me for all (cue Cloudflair “terminates services”), except Lightningwirelabs :-).

Great idea, since the new IPFire features brings a new perspective on the whole DNS topic to the users with the Core 141 release in my opinion this might be really helpful.

Best,

Erik

nice list, kudos!

These providers are not suitable for use with IPFire because they do not support DNSSEC.

wouldn’t it be better to remove this part then?

A couple of months ago I’ve tested some DNS providers and kicked censurfridns.dk due bad entropy in port distribution and anti-spoofing safety (Screenshot )

May I ask why you did not add dismail to the list? (Screenshot)?

Hi all,

cause dismail filters Ad-, Tracker- and Malwaredomains which leads to problems, like above stated, with DNSSEC.

Best,

Erik

Did you report this to them?

Is there any Tracking on the ipfire.org DNS Server? And maybe sort the List: A list for servers that do not track and a second list for servers like Cloudfare and Google (with tracking)

The link to Please consider carefully is 404.

/edit: typos fixed

No, our server does not perform any kind of tracking and we do not log anything either.

This post isn’t released yet. Probably will happen this Wednesday.