wiki.ipfire.org

The community-maintained documentation platform of IPFire

User Tools

Site Tools


en:dns:public-servers

List of Public DNS Servers

During the process of dial-in, your ISP usually passes two to four DNS servers to the router or modem for looking up IP addresses. They will be used if you have not set some other DNS servers.

However, it might be possible that these DNS servers are censored, compromised or don't provide DNSSEC validation which makes DNS replies more secure. In case you don't trust your ISPs DNS servers, feel free to use alternate DNS server from the list below.

Operator Location DNSSEC Address(es)
Alternate DNS US aware 198.101.242.72
US aware 23.253.163.53
Chaos Computer Club (CCC) DE validating 194.150.168.168
DE aware 213.73.91.35
DE aware 85.214.20.141
censurfridns.dk DK validating 89.233.43.71
Anycast validating 91.239.100.100
Comodo Secure DNS US aware 8.26.56.26
US aware 8.20.247.20
DNSReactor US Strips RRSIG 45.55.155.25
US ??? 104.236.210.29
DNS.WATCH DE validating 84.200.69.80
2001:1608:10:25::1c04:b12f
DE validating 84.200.70.40
2001:1608:10:25::9249:d69b
Dyn US aware 216.146.35.35
US aware 216.146.36.36
FDN FR aware 80.67.169.12
2001:910:800::12
FR ??? 80.67.169.40
2001:910:800::40
FreeDNS AT Strips RRSIG 37.235.1.174
AT Strips RRSIG 37.235.1.177
Google Public Free DNS Anycast validating 8.8.8.8
Anycast validating 8.8.4.4
GreenTeamDNS IL Strips RRSIG 81.218.119.11
IL Strips RRSIG 209.88.198.133
Hurricane Electric Anycast Strips RRSIG 74.82.42.42
2001:470:20::2
Lightning Wire Labs DE validating 81.3.27.54
2001:470:7655::54
Dallas, TX, USA validating 74.113.60.185
2001:470:bbf2:2::1
Neustar DNS Advantage US validating 156.154.70.1
US validating 156.154.71.1
New Nations DE aware 5.45.96.220
DE aware 185.82.22.133
Norton DNS US validating 198.153.192.1
US validating 198.153.194.1
OpenDNS (Hosted Blacklists) US Strips RRSIG 208.67.222.222
US Strips RRSIG 208.67.220.220
US Strips RRSIG 208.67.220.222
OpenNIC AU Strips RRSIG 111.67.16.202
AU Strips RRSIG 45.63.25.55
CH aware 31.3.135.232
DE validating 62.113.203.55
DE validating 62.113.203.99
DE aware 5.9.49.12
DE aware 144.76.133.38
DE aware 130.255.73.90
ES aware 109.69.8.34
FR aware 87.98.175.85
FR aware 5.135.183.146
FR validating 188.165.200.156
GB validating 104.238.186.189
NL validating 185.133.72.100
RO aware 89.18.27.34
SI aware 213.161.5.12
UK validating 89.36.220.220
2a01:6e60:10:cdc::1
US aware 96.90.175.167
US validating 23.94.5.133
2001:470:8e08::
US aware 104.238.153.178
2001:19f0:8000:8ac3::feed
puntCAT ES validating 109.69.8.51
SafeDNS RU aware 195.46.39.39
RU aware 195.46.39.40
SkyDNS RU aware 193.58.251.251
SpeakEasy US Strips RRSIG 66.93.87.2
US Strips RRSIG 66.93.87.2
Sprintlink General DNS US aware 204.117.214.10
US aware 199.2.252.10
US aware 204.97.212.10
Verizon (Level 3) Anycast aware 4.2.2.1
Anycast aware 4.2.2.2
Anycast aware 4.2.2.3
Anycast aware 4.2.2.4
Anycast aware 4.2.2.5
Anycast aware 4.2.2.6
Yandex.DNS RU Strips RRSIG 77.88.8.88
RU Strips RRSIG 77.88.8.2

Legend

DNSSEC Explanation
validating The server is able to validate DNS records.
aware The server is able to provide RRSIG, DNSKEY and DS records, but does not validate any records.
not supported or Strips RRSIG The server doesn't know anything about DNSSEC and cannot be used by IPFire at all. If configured, a self-test will skip these servers and IPFire will potentially fall back into recursor mode.

About location and DNSSEC status

The location of the servers has been stated by using GeoIP Tool and the IPFire GeoIP server. However, it might be possible that the location is wrong (or has been changed meanwhile).

The servers that are marked with “Anycast” are using anycasts so that traffic will be routed to the nearest of the many instances that are there on the network. Thereof the exact location of the server(s) cannot be determined.

A name server can be checked with the following command:

/etc/init.d/unbound test-name-server ADDRESS

Security Considerations

A DNS server has a very powerful function in network topology. Please keep in mind that it might log your queries (which is a huge information leak).

Further, not all of the DNS servers below return correct answers in any case. Some of them return failures for harmful or malicious sites. Check the operators website for more information on this topic.

For security reasons, it is recommended to use DNS servers which support DNSSEC (i.e. have a green “validating” in the table below), if possible.

Translations of this page?:
en/dns/public-servers.txt · Last modified: 2016/11/18 19:25 by MichaelTremer