wiki.ipfire.org

The community-maintained documentation platform of IPFire

User Tools

Site Tools


dns:public-servers

List of Public DNS Servers

During the process of dial-in, your ISP usually passes two to four DNS servers to the router or modem for looking up IP addresses. They will be used if you have not set some other DNS servers.

However, it might be possible that these DNS servers are censored, compromised or don't provide DNSSEC validation which makes DNS replies more secure. In case you don't trust your ISPs DNS servers, feel free to use alternate DNS server from the list below.

Operator Location DNSSEC DNS over TLS Address(es)
Alternate DNS US aware 198.101.242.72
US aware 23.253.163.53
AS250 / Chaos Computer Club (CCC) DE validating 194.150.168.168
censurfridns.dk DK validating yes 89.233.43.71
yes 2001:67c:28a4::
Anycast validating 91.239.100.100
2002:d596:2a92:1:71:53::
Comodo Secure DNS US Strips RRSIG 8.26.56.26
US Strips RRSIG 8.20.247.20
Cloudflare Anycast validating yes 1.1.1.1
yes 2606:4700:4700::1111
Anycast validating yes 1.0.0.1
yes 2606:4700:4700::1001
CyberGhost US aware 38.132.106.139
UK aware 194.187.251.67
Digitalcourage DE validating yes 46.182.19.48
yes 2a02:2970:1002:0:5054:8aff:fe12:db49
DNSReactor US Strips RRSIG 45.55.155.25
US Strips RRSIG 104.236.210.29
Dyn US validating 216.146.35.35
US validating 216.146.36.36
French Data Network (FDN) FR aware 80.67.169.12
2001:910:800::12
FR validating 80.67.169.40
2001:910:800::40
FreeDNS AT Strips RRSIG 37.235.1.174
AT Strips RRSIG 37.235.1.177
Freenom World NL validating 80.80.80.80
NL validating 80.80.81.81
Google Public Free DNS Anycast validating 8.8.8.8
Anycast validating 8.8.4.4
GreenTeamDNS IL Strips RRSIG 81.218.119.11
IL Strips RRSIG 209.88.198.133
Hurricane Electric Anycast validating 74.82.42.42
2001:470:20::2
Lightning Wire Labs DE validating yes 81.3.27.54
yes 2001:470:7655::54
Neustar DNS Advantage US validating 156.154.70.1
US validating 156.154.71.1
New Nations DE aware 5.45.96.220
DE aware 185.82.22.133
Nuernberg Internet Exchange (N-IX) DE Strips RRSIG no 194.8.57.12
OpenDNS (Hosted Blacklists) Anycast Strips RRSIG 208.67.222.222
Anycast Strips RRSIG 208.67.220.220
Anycast Strips RRSIG 208.67.220.222
Anycast Strips RRSIG 208.67.222.220
OpenNIC AT aware 5.132.191.104
AU Strips RRSIG 111.67.20.8
AU aware 163.53.248.170
AU aware 103.236.162.119
CA aware 104.37.195.178
CA aware 192.99.85.244
CH aware 31.171.251.118
CZ aware 51.254.25.115
DE validating 82.141.39.32
DE validating 50.3.82.215
DE Strips RRSIG 46.101.70.183
DE aware 94.16.114.254
DE validating 173.212.234.232
DE validating 173.249.7.187
DE validating 130.255.78.223
DE aware 144.76.133.38
DE validating 172.104.136.243
DE validating 94.247.43.254
EC aware 45.71.112.70
FR validating 163.172.185.51
FR aware 87.98.175.85
FR aware 51.255.48.78
FR validating 188.165.200.156
FR aware 92.222.97.145
FR aware 37.59.40.15
GB validating 159.89.249.249
IN validating 139.59.18.213
IT validating 193.183.98.66
JP validating 108.61.201.119
LT validating 212.24.98.54
MD aware 178.17.170.179
NL aware 185.208.208.141
NL aware 82.196.9.45
NL aware 146.185.176.36
NL aware 163.172.215.64
RO validating 188.213.49.35
RO aware 89.35.39.64
RO validating 89.18.27.167
RU aware 91.217.137.37
RU validating 185.117.154.144
RU validating 95.181.211.6
SE validating 176.126.70.119
SG aware 139.99.96.146
UA validating 217.12.210.54
UK validating 185.164.136.225
US validating 66.70.211.246
US aware 96.47.228.108
US validating 128.52.130.209
US aware 172.98.193.42
US aware 162.248.241.94
US validating 107.172.42.186
US validating 66.165.251.19
US validating 103.114.191.33
US validating 103.114.191.44
US Strips RRSIG 73.11.11.6
US validating 198.206.14.241
US validating 18.211.225.60
puntCAT ES validating 109.69.8.51
Quad9 Anycast validating yes 9.9.9.9
Anycast validating yes 9.9.9.10
SafeDNS Anycast aware 195.46.39.39
Anycast aware 195.46.39.40
SkyDNS RU aware 193.58.251.251
Sprintlink General DNS US aware 204.117.214.10
US aware 199.2.252.10
US aware 204.97.212.10
Verisign US validating 64.6.64.6
US validating 64.6.65.6
Verizon (Level 3) Anycast aware 4.2.2.1
Anycast aware 4.2.2.2
Anycast aware 4.2.2.3
Anycast aware 4.2.2.4
Anycast aware 4.2.2.5
Anycast aware 4.2.2.6
Yandex.DNS RU Strips RRSIG 77.88.8.88
RU Strips RRSIG 77.88.8.2

Legend

DNSSEC Explanation
validating The server is able to validate DNS records.
aware The server is able to provide RRSIG, DNSKEY and DS records, but does not validate any records.
not supported or Strips RRSIG The server doesn't know anything about DNSSEC and cannot be used by IPFire at all. If configured, a self-test will skip these servers and IPFire will potentially fall back into recursor mode.

About location and DNSSEC status

The location of the servers has been stated by using GeoIP Tool and the IPFire GeoIP server. However, it might be possible that the location is wrong (or has been changed meanwhile).

The servers that are marked with “Anycast” are using anycasts so that traffic will be routed to the nearest of the many instances that are there on the network. Thereof the exact location of the server(s) cannot be determined. Worse, different configurations of Anycast instances cannot be determined reliable.

A name server can be checked with the following command:

/etc/init.d/unbound test-name-server ADDRESS

Security Considerations

A DNS server has a very powerful function in network topology. Please keep in mind that it might log your queries (which is a huge information leak).

Further, not all of the DNS servers below return correct answers in any case. Some of them return failures for harmful or malicious sites. Check the operators website for more information on this topic.

For security reasons, it is recommended to use DNS servers which support DNSSEC (i.e. have a green “validating” in the table above), if possible. Yellow “aware” servers will also work, leaving the task of validating DNS responses up to your IPFire machine. As mentioned above, “red” servers will not be used by IPFire.

For privacy and availability reasons, avoid using just one providers' DNS servers.

dns/public-servers.txt · Last modified: 2018/12/01 17:51 by Peter Müller