List of DNS Servers

I added the filtering servers to the Unusable section, but was hesitant to blow away the entries above under servers that support TCP/UDP and DOT, because technically they do (as do many other entries under Unusable).

I’ll leave that for someone else to decide.

I’ll just say, I’m not really happy with the verbiage “Unusable DNS Providers”. They obviously are usable, they just either don’t support DNSSEC at all or break DNSSEC for sites that they block, which depending on the user, may or may not be a deal breaker. I’d prefer something like “Filtering DNS Providers that May Negatively Impact DNSSEC” or something similar.

I use Quad9 because of its privacy policies. And on the surface I think it is a good thing Quad9 helps with malware sites. So to me it is a “Usable DNS Provider”.

Is there such thing as a high privacy, high speed, DNS provider that doesn’t break “bad” DNSSEC? Is this a DNS unicorn?

https://wiki.ipfire.org/dns/public-servers?action=diff&a=2020-05-02T17:36:14.962408&b=2020-05-07T18:30:25.746837

I would still recommend to remove them from the top then, because the point of the table was to recommend something to people. If they are in the bottom table, they are not recommended.

That was the idea of the page.

Removed Quad9 from recommended providers and rephrased Unusable section to “not recommended”.

1 Like

Thank you.

1 Like

@pmueller @ms

While I was reading this thread

I informed myself here

I now ask myself: is this something for our DNS providers that are not recommended?

1 Like

Snopyta (FI) service hasn’t worked in ages. Maybe it should be removed from the list?

censurfridns.dk gives a certificate error for some reason; it’s been like that for days, maybe weeks.

I’ve come across Blah dns service but I’m not sure if it’s good enough for the wiki list since it does filtering. There are servers in Finland, Germany, Singapore, Japan and Switzerland.

A hobby Adblock DNS project with HTTP/3, DoH, DoT, DoQ, DNSCryptv2 support.

1 Like

Just looking through this a bit quick. So much info. I have read the wiki page and its recommendations but at first glance it seems one has to be picky if wanting filtration and dnssec from the same provider.

It appears this DoT server is also dead and has been that way for a long time:

> Comcast / Xfinity (beta) 96.113.151.145 dot.xfinity.com

1 Like

The IPFire wiki is editable by the community users. You can login with your IPFire People credentials and make the changes yourself.

It might be a good idea to contact the censurfri people about that error in case they don’t know of the problem. There are various ways to contact the censurfri admin.
https://blog.uncensoreddns.org/contact/

1 Like

I stumbled upon this public DNS, it might be useful to someone in the Far East countries

Public DNS 119.29.29.29
Public DNS service provided by Tencent Cloud (DNSPod) is free for all users. It supports DoH, DoT, BGP Anycast, and ECS.

Chinese DNS provider. Oh my.

2 Likes

Yes, Chinese provider.
Someone asked for a DNS server in that part of the world.

I’ve been using https://www.dns0.eu for some time without issues.

Added entries also to wiki page.

There are also ZERO (malware filtering etc.) and Kids-friendly servers.

1 Like

This DNS server claims “No DNS record blocking or manipulation”
It seems to be Anycast

Unfiltered Configuration
DNS-over-TLS/DoQ
p0.freedns.controld.com
76.76.2.11

Plain DNS
76.76.2.0 and 76.76.10.0

Privacy Policy

dig www.ipfire.org  @76.76.2.11 +dnssec

; <<>> DiG 9.16.44<<>> www.ipfire.org @76.76.2.11 +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14953
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;www.ipfire.org.                        IN      A

;; ANSWER SECTION:
www.ipfire.org.         6202    IN      CNAME   fw01.ipfire.org.
www.ipfire.org.         6202    IN      RRSIG   CNAME 8 3 21600 20240229000000 20240208000000 6900 ipfire.org. Jht8hS7bGe/hP0Vlm8BbE+KkRzB7nBJISypPQxIwTdXG61NWuEucR75N StElWtt53NVNjoauzdksz1jcvGpghD6iNOikd05jFPeBvH2j+0DDMqcc vPMsLvokL2E8OSbebdxsq0pJGMD1XdIc/aqiD3YpEtp1AnBavneqVtxr bZx64MzN3lwzMNM8EVKlHNBVYrJuIgyVhEwm1lJ5Og0aQox9R7YL9J3A +ftBxfTr0RV9snMATh8Lxdyr+70ql3eZNwhJmfRzACRsDaOY7hUOVgb/ 4plkIVjPDIQUXsIc9EUvsW10ZbzATRuQCvaiF1ewNl/BeLHIiGlx3IEs 0PIUPg==
fw01.ipfire.org.        3092    IN      A       81.3.27.38
fw01.ipfire.org.        3092    IN      RRSIG   A 8 3 21600 20240229000000 20240208000000 6900 ipfire.org. tlxT4DGsV5OVa+5RC1JeDCrjXhnQ80+WXk1ewCbMNzPzLXs/283yA63s NiMcmz7haq+SnLRyO9G6xnFxzsdhnV1dLjKaj1YHx1gvUIhUKXhNP5CQ y40cFKPBcyZJXy1DQAMzfeJGz0wV/gErR3rt8c8ojPZNm+zi9Gx36qBy Tj0vqDCf7dKXt0OOPw9XbqlnH8hFyGYhc7RSz6imyybolFa2YzYB8DoJ ONWYlwdZQjWs6n5yJCHiwTqeudpe2r9FvKqCU6Fx2u0QtlsJl2hQ8zZ2 lqao4uvaPHNbdKOVUFfk4Yfl/Oe5R7CB0fayku+MCo8ltedm+izrHFDu dtDBnQ==

;; Query time: 29 msec
;; SERVER: 76.76.2.11#53(76.76.2.11)
;; WHEN: Sun Feb 18 18:04:11 PST 2024
;; MSG SIZE  rcvd: 674
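One way to read a `dig +dnssec` answer like the one above for the two things this thread cares about: whether the resolver set the `ad` (authenticated data) flag, and whether every answer RRset arrived with a covering RRSIG. This is an added example, not part of the original post; the sample input is constructed in the shape of the output above with shortened signatures, and the function names are illustrative.

```python
import re

# Constructed sample in the shape of the dig output above; signatures shortened.
SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14953
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
www.ipfire.org.   6202 IN CNAME fw01.ipfire.org.
www.ipfire.org.   6202 IN RRSIG CNAME 8 3 21600 20240229000000 20240208000000 6900 ipfire.org. c2FtcGxl
fw01.ipfire.org.  3092 IN A     81.3.27.38
fw01.ipfire.org.  3092 IN RRSIG A 8 3 21600 20240229000000 20240208000000 6900 ipfire.org. c2FtcGxl

;; Query time: 29 msec
"""

def parse_dig(text):
    """Extract status, header flags and answer records from dig's text output."""
    status = re.search(r"status: (\w+)", text)
    flags = re.search(r"^;; flags: ([a-z ]*);", text, re.M)
    records, in_answer = [], False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
        elif in_answer and (not line.strip() or line.startswith(";")):
            in_answer = False  # blank line or next section header ends the answers
        elif in_answer:
            name, _ttl, _cls, rtype, rdata = line.split(None, 4)
            records.append((name.lower(), rtype, rdata))
    return {
        "status": status.group(1) if status else None,
        "flags": flags.group(1).split() if flags else [],
        "records": records,
    }

def dnssec_report(text):
    """Report the AD flag and any answer RRset that has no RRSIG of its type."""
    parsed = parse_dig(text)
    rrsets = {(n, t) for n, t, _ in parsed["records"] if t != "RRSIG"}
    # The first RDATA field of an RRSIG is the record type it covers.
    signed = {(n, r.split()[0]) for n, t, r in parsed["records"] if t == "RRSIG"}
    return {
        "status": parsed["status"],
        "validated_by_resolver": "ad" in parsed["flags"],
        "unsigned_rrsets": sorted(rrsets - signed),
    }
```

The `ad` flag is the resolver's own statement, so it carries weight only over a transport that authenticates the resolver (DoT or DoH) or when the client validates the signatures itself.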

My usage of IPFire follows the goal “get pure IP access to the internet from some ISP, control the traffic by the device owned by me”.
This means no restrictions outside my gateway, neither by my ISP nor by any DNS server.

Filtering malware etc. by means of DNS can be done with the RPZ functionality of unbound and forcing DNS requests to IPFire’s DNS server.
This allows policies controlled by me only. Filtering DNS by external services includes some external storage of my DNS requests, logging and configuring doesn’t function without.

Just my opinion,
Bernhard

5 Likes

I totally agree, @bbitsch
In this thread we share unfiltered DNS servers, that claim not to store or censor any data.

Are you aware of any filtering by above DNS servers?

How do you display or lookup the response from Unbound RPZ when a query gets a NX or other negative response?

I can look at the unbound logs for the negative response:

Or in the message log:

Feb 19 11:39:10 ipfire unbound: [8391:0] info: rpz: applied [sblack] telemetry.malwarebytes.com. rpz-nxdomain 192.168.60.212@60312 telemetry.malwarebytes.com. HTTPS IN
Feb 19 11:39:10 ipfire unbound: [8391:0] info: rpz: applied [sblack] telemetry.malwarebytes.com. rpz-nxdomain 192.168.60.212@54385 telemetry.malwarebytes.com. A IN
Feb 19 11:39:20 ipfire unbound: [8391:0] info: rpz: applied [sblack] telemetry.malwarebytes.com. rpz-nxdomain 192.168.60.20@54243 telemetry.malwarebytes.com. A IN

2 Likes
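The `rpz: applied` lines quoted above can be grouped per client and blocked name to see who is hitting which policy entry. This is an added example, not part of the original post: the first three sample lines are the ones from the post, the fourth is constructed, and the regular expression assumes exactly the syslog layout shown there.

```python
import re
from collections import defaultdict

# Layout assumed from the log lines in the post:
# <ts> <host> unbound: [pid:thread] info: rpz: applied [zone] trigger action client@port qname qtype qclass
RPZ_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ unbound: \[\d+:\d+\] info: rpz: applied "
    r"\[(?P<zone>[^\]]+)\] (?P<trigger>\S+) (?P<action>rpz-\S+) "
    r"(?P<client>[0-9a-fA-F.:]+)@(?P<port>\d+) "
    r"(?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)$"
)

SAMPLE_LOG = """\
Feb 19 11:39:10 ipfire unbound: [8391:0] info: rpz: applied [sblack] telemetry.malwarebytes.com. rpz-nxdomain 192.168.60.212@60312 telemetry.malwarebytes.com. HTTPS IN
Feb 19 11:39:10 ipfire unbound: [8391:0] info: rpz: applied [sblack] telemetry.malwarebytes.com. rpz-nxdomain 192.168.60.212@54385 telemetry.malwarebytes.com. A IN
Feb 19 11:39:20 ipfire unbound: [8391:0] info: rpz: applied [sblack] telemetry.malwarebytes.com. rpz-nxdomain 192.168.60.20@54243 telemetry.malwarebytes.com. A IN
Feb 19 11:39:21 ipfire unbound: [8391:0] info: generate keytag query _ta-4f66. NULL IN
"""  # last line is constructed, to show that non-RPZ messages are skipped

def summarize(lines):
    """Group RPZ hits by (client IP, queried name); other lines are ignored."""
    hits = defaultdict(lambda: {"count": 0, "qtypes": set(), "zones": set(),
                                "actions": set(), "last_seen": None})
    for line in lines:
        m = RPZ_RE.match(line.strip())
        if not m:
            continue
        entry = hits[(m["client"], m["qname"].rstrip(".").lower())]
        entry["count"] += 1
        entry["qtypes"].add(m["qtype"])
        entry["zones"].add(m["zone"])
        entry["actions"].add(m["action"])
        entry["last_seen"] = m["ts"]  # syslog lines arrive in time order
    return dict(hits)

if __name__ == "__main__":
    for (client, name), e in sorted(summarize(SAMPLE_LOG.splitlines()).items()):
        print(f"{client:16} {name:32} x{e['count']} "
              f"{'/'.join(sorted(e['qtypes']))} {','.join(sorted(e['actions']))} "
              f"[{','.join(sorted(e['zones']))}] last {e['last_seen']}")
```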

I see there are a few interesting threads on a different forum discussing this DNS provider

“It’s basically NextDNS but without the control panel.”
https://www.reddit.com/r/nextdns/comments/10w10ce/dns0eu_a_new_dnsservice_by_nextdns_ehm_what/
https://www.reddit.com/r/nextdns/comments/12qnvig/does_nextdns_benefit_from_being_a_partner_with/

Perhaps the above quote is what @bbitsch was hinting at?
And perhaps that’s why NextDNS is not even mentioned on the wiki page?

I would recommend using their ‘open’ resolver

# open.dns0.eu
# The unfiltered version of dns0.eu. Use at your own risk.

[DNS-over-TLS/QUIC]
open.dns0.eu

[DNS-over-HTTPS]
https://open.dns0.eu/

[DNS53]
193.110.81.254
185.253.5.254
2a0f:fc80::ffff
2a0f:fc81::ffff

[Apple Configuration Profile]
https://dns0.eu/open.dns0.eu.mobileconfig

2 Likes

Quad9 filtering was discussed here a long while ago,

Anyone following the Sony vs Quad9 dispute? Basically the court ordered Quad9 to censor DNS queries because a DNS provider is just like YouTube.

This 2023 and 2024 test confirms that Quad9 is filtering DNS queries

Most of the tested DNS providers have few resolvers, mostly the “filtered” ones were tested.

    Google Public DNS - 8.8.8.8 (for reference, unfiltered)
    ControlD Malware - 76.76.2.1 (new in the test)
    Norton ConnectSafe - 199.85.126.10 (new in the test)
    UltraDNS Threat Protection - 156.154.70.2 (new in the test)
    Quad9 - 9.9.9.9
    Cloudflare for Families - 1.1.1.2
    dns0.eu - 193.110.81.0
    dns0.eu ZERO - 193.110.81.9
    CleanBrowsing Security Filter - 185.228.169.9
    Comodo Secure DNS - 8.26.56.26

If anyone wants to test Quad9 “unfiltered”, the address would be 9.9.9.10 (no DNSSEC)*

*Thanks @bonnietwin