This is a list of publicly available DNS servers suitable for use with IPFire. They are operated by many different organisations in many different countries. Please consider carefully which ones you would like to use.
DNS Servers that support UDP/TCP
| Operator | Address(es) | Hostname |
|---|---|---|
| Anycast | ||
| Cloudflare | 1.1.1.1 | one.one.one.one |
| 1.0.0.1 | ||
| 2606:4700:4700::1111 | ||
| 2606:4700:4700::1001 | ||
| Control D Free Uncensored | 76.76.2.0 | p0.freedns.controld.com |
| 76.76.10.0 | ||
| 2606:1a40:: | ||
| 2606:1a40:1:: | ||
| dns.sb | 185.222.222.222 | dot.sb |
| 45.11.45.11 | ||
| 2a09:: | ||
| 2a11:: | ||
| DNS0.EU Open | 193.110.81.254 | open.dns0.eu |
| 185.253.5.254 | ||
| 2a0f:fc80::ffff | ||
| 2a0f:fc81::ffff | ||
| Google Public Free DNS | 8.8.8.8 | dns.google |
| 8.8.4.4 | ||
| Germany (DE) | ||
| Lightning Wire Labs | 81.3.27.54 | recursor01.dns.ipfire.org |
| 2001:678:b28::54 | ||
| 81.3.27.54 | recursor01.dns.lightningwirelabs.com |
|
| 2001:678:b28::54 | ||
| DNS-GA | 88.99.98.111 | dns1.dns-ga.de |
| 2a01:4f8:221:e54::2 | ||
| 217.160.166.161 | dns2.dns-ga.de |
|
| 2001:8d8:820:3a00::b:c47 | ||
| 138.201.81.119 | dns3.dns-ga.de |
|
| 2a01:4f8:172:1d2a::2 | ||
| 159.69.46.85 | dns7.dns-ga.de |
|
| 2a01:4f8:c0c:e514::1 | ||
| France (FR) | ||
| French Data Network (FDN) | 80.67.169.12 | |
| 80.67.169.40 | ||
| 2001:910:800::12 | ||
| 2001:910:800::40 | ||
| Netherlands (NL) | ||
| Freenom World | 80.80.80.80 | |
| 80.80.81.81 | ||
| United Kingdom (UK) | ||
| DNS-GA | 213.171.203.115 | dns6.dns-ga.net |
| 2a00:da00:f20b:9700::1 | ||
| United States (US) | ||
| Comcast / Xfinity | 75.75.75.75 | |
| 75.75.76.76 | ||
| Verisign | 64.6.64.6 | |
| 64.6.65.6 | ||
| DNS-GA | 5.161.95.21 | dns4.dns-ga.com |
| 2a01:4ff:f0:d66::1 | ||
| 5.78.81.68 | dns5.dns-ga.com |
|
| 2a01:4ff:1f0:e2f6::1 | ||
DNS-over-TLS service
| Operator | Address(es) | DNS over TLS Hostname |
|---|---|---|
| Anycast | ||
| censurfridns.dk | 91.239.100.100 | anycast.uncensoreddns.org |
| 2002:d596:2a92:1:71:53:: | ||
| Cloudflare | 1.1.1.1 | one.one.one.one |
| 1.0.0.1 | ||
| 2606:4700:4700::1111 | ||
| 2606:4700:4700::1001 | ||
| Control D Free Uncensored | 76.76.2.0 | p0.freedns.controld.com |
| 76.76.10.0 | ||
| 2606:1a40:: | ||
| 2606:1a40:1:: | ||
| Freifunk München e.V. | 5.1.66.255 | anycast01.ffmuc.net |
| 2001:678:e68:f000:: | ||
| 5.1.66.255 | dot.ffmuc.net |
|
| 2001:678:e68:f000:: | ||
| dns.sb | 185.222.222.222 | dns.sb |
| 185.184.222.222 | ||
| 2a09:: | ||
| 2a09::1 | ||
| DNS0.EU Open | 193.110.81.254 | open.dns0.eu |
| 185.253.5.254 | ||
| 2a0f:fc80::ffff | ||
| 2a0f:fc81::ffff | ||
| Google Public Free DNS | 8.8.8.8 | dns.google |
| 8.8.4.4 | ||
| Austria (AT) | ||
| Foundation for Applied Privacy | 146.255.56.98 | dot1.applied-privacy.net |
| 2a01:4f8:c0c:83ed::1 | ||
| Canada (CA) | ||
| CMRG DNS | 199.58.83.33 | dns.cmrg.net |
| 2001:470:1c:76d::53 | ||
| Switzerland (CH) | ||
| Digitale Gesellschaft Schweiz | 185.95.218.42 | dns.digitale-gesellschaft.ch |
| 185.95.218.43 | ||
| 2a05:fc84::42 | ||
| 2a05:fc84::43 | ||
| Germany (DE) | ||
| Digitalcourage e.V. | 5.9.164.112 | dns3.digitalcourage.de |
| Lightning Wire Labs | 81.3.27.54 | recursor01.dns.ipfire.org |
| 2001:678:b28::54 | ||
| 81.3.27.54 | recursor01.dns.lightningwirelabs.com |
|
| 2001:678:b28::54 | ||
| DNS-GA | 88.99.98.111 | dot.dns-ga.de |
| 2a01:4f8:221:e54::2 | ||
| 217.160.166.161 | ||
| 2001:8d8:820:3a00::b:c47 | ||
| 138.201.81.119 | ||
| 2a01:4f8:172:1d2a::2 | ||
| 159.69.46.85 | ||
| 2a01:4f8:c0c:e514::1 | ||
| Denmark (DK) | ||
| censurfridns.dk | 89.233.43.71 | unicast.uncensoreddns.org |
| 2a01:3a0:53:53:: | ||
| France (FR) | ||
| Neutopia | 89.234.186.112 | dns.neutopia.org |
| 2a00:5884:8209::2 | ||
| Luxembourg (LU) | ||
| Restena Foundation | 158.64.1.29 | kaitain.restena.lu |
| 2001:a18:1::29 | ||
| Netherlands (NL) | ||
| FlokiNET | 185.246.188.51 | nl.resolv.flokinet.net |
| 2a06:1700:3:11::1 | ||
| GetDNS | 185.49.141.37 | getdnsapi.net |
| 2a04:b900:0:100::37 | ||
| United Kingdom (UK) | ||
| DNS-GA | 213.171.203.115 | dns6.dns-ga.net (dot.dns-ga.net) |
| 2a00:da00:f20b:9700::1 | ||
| Romania (RO) | ||
| FlokiNET | 185.247.225.17 | ro.resolv.flokinet.net |
| 2a06:1700:0:36::1 | ||
| United States (US) | ||
| DNS-GA | 5.161.95.21 | dot.dns-ga.com |
| 2a01:4ff:f0:d66::1 | ||
| 5.78.81.68 | ||
| 2a01:4ff:1f0:e2f6::1 |
DNS providers not recommended for IPFire
These providers are not recommended for use with IPFire because they do not support DNSSEC or tamper with DNS traffic in another way, such as filtering advertisement, malware or porn. While there is a legitimate use-case for the latter, such filtering breaks DNSSEC, being indistinguishable from an adversary from a technical point of view.
| Operator | IP Addresses | Reason |
|---|---|---|
| Adfree.world | 139.99.176.64 | Domain Blacklist1 |
| Cleanbrowsing | 2a0d:2a00:1::2 / 185.228.168.9, 2a0d:2a00:2::2 / 185.228.169.9 | Domain Blacklist2 |
| DNS for Family | 94.130.180.225 / 2a01:4f8:1c0c:40db::1, 78.47.64.161 / 2a01:4f8:1c17:4df8::1, dns-dot.dnsforfamily.com, https://dns-doh.dnsforfamily.com/dns-query | Domain Blacklist3 |
| Comodo Secure DNS | 8.26.56.26, 8.20.247.20 | Domain Blacklist4 |
| dnsforge.de | 176.9.93.198, 176.9.1.117, 2a01:4f8:151:34aa::198, 2a01:4f8:141:316d::117 | Domain Blacklist5 |
| Nuernberg Internet Exchange (N-IX) | 194.8.57.12 | Not resolving6 |
| OpenDNS (Hosted Blacklists) | 208.67.222.222, 208.67.220.220, 208.67.220.222, 208.67.222.220 | Domain Blacklist7 |
| Quad 9 | 9.9.9.9, 149.112.112.112, 9.9.9.10, 149.112.112.10 | Domain Blacklist8 |
| SWITCH | 130.59.31.248 / 2001:620:0:ff::2, 130.59.31.251 / 2001:620:0:ff::3 | Domain Blacklist9 |
| Yandex.DNS | 77.88.8.88, 77.88.8.2 | Domain Blacklist10 |
| SafeDNS | 195.46.39.39, 195.46.39.40 | Questionable regulations11 |
| Level 3 / CentryLink / Verizon | 4.2.2.1, 4.2.2.2, 4.2.2.3, 4.2.2.4, 4.2.2.5, 4.2.2.6 | No Website Information12 |
| SkyDNS | 193.58.251.251 | Not resolving queries13 |
| New Nations | 5.45.96.220 | Not resolving queries14 |
| DNS0.EU | 193.110.81.0, 185.253.5.0, 2a0f:fc80::, 2a0f:fc81:: / TLS Hostname dns0.eu |
Domain Blacklist15 |
| DNS0.EU ZERO | 193.110.81.9, 185.253.5.9, 2a0f:fc80::9, 2a0f:fc81::9 / TLS Hostname zero.dns0.eu |
Domain Blacklist16 |
| DNS0.EU KIDS | 193.110.81.1, 185.253.5.1, 2a0f:fc80::1, 2a0f:fc81::1 / TLS Hostname kids.dns0.eu |
Domain Blacklist17 |
About Server location
The location of the servers has been stated by using the IPFire Location database. However, it might be possible that the location is wrong (or has been changed meanwhile).
The servers that are marked with "Anycast" are using anycasts so that traffic will be routed to the nearest of the many instances that are there on the network. Thereof the exact location of the server(s) cannot be determined. Worse, different configurations of Anycast instances cannot be determined reliable.
Security and Privacy Considerations
A DNS server has a very powerful function in network topology. Please keep in mind that it might log your queries (which is a huge information leak).
Query logs might (not only) include:
- Date, Time (ms)
- IP Address
- Domain requested
- Subdomain requested
- Type of query (A, AAAA, TXT, NS, ...)
Further, not all of the DNS servers listed above return correct answers in any case. Some of them return failures for harmful or malicious sites. Check the operators website for more information on this topic.
For security reasons, it is required to use DNS servers which support DNSSEC. For privacy and availability reasons, avoid using just one providers' DNS servers.
Links
- Anycast DNS: What, Why and How
- What is Anycast DNS? | How Anycast Works With DNS
- Public DNS Server List - Long list of DNS Servers. Some are good and some are not. Due diligence is needed when picking DNS Servers.
- Public DNS Servers by country - Above list sorted by Country
-
Adore.world states "...simple public blacklist to block...". This is an indication of manipulating query responses: https://threadmarkcyber.au/home/?page_id=3 For following explanations note: This is non compliant to RFC 4033 (DNSSEC) which is due to the absence of a cryptographic prove of none existence for the blocked (missing) domains. ↩
-
cleanbrowsing states "...Our security filter...". This implies the use of domain filtering/blacklisting and response manipulation: https://cleanbrowsing.org/help/docs/dnsovertls/ ↩
-
DNS for Family states "...that filter websites for family use...", "...protection from malware and blocking ads...". This implies domain filtering and response manipulation: https://dnsforfamily.com/ ↩
-
Comodo Secure DNS states "...domain filtering feature..." and is therefore capable of modifying query responses: https://securedns.dnsbycomodo.com/ ↩
-
dnsforge.de states "... is a censorship-free, safe and redundant DNS resolver without logging but with advertisement blocking" (translated by a native speaker). This is a reason to assume they modify query responses: https://dnsforge.de/ ↩
-
N-IX fails:
dig dns-ga.de @194.8.57.12returned status REFUSED. This probably means that the server does not answer recursive queries from the internet anymore. Adelv dns-ga.de @194.8.57.12with failed resolution approved of this theory. ↩ -
Cisco states all paid plans and free plans have "built-in protection". See: https://www.opendns.com/home-internet-security/. Even though the mentioned IPs do not block adult content, domain filtering can not be ruled out. Automated data collection, collecting IPs, sharing information with business partners and more makes it a clear case: https://www.opendns.com/privacy-policy/ ↩
-
Quad9 states "Quad9 blocks lookups of malicious host names from an up-to-the-minute list...". Therefore queries are analyzed and in some cases responses are modified. Further more, they provide services with either DNSSEC disabled or malware blocking: https://www.quad9.net/service/service-addresses-and-features ↩
-
Switch states "The DNS resolver service blocks domain names listed...", "Switch DNS Firewall blocks access to infected or malicious websites and redirects users to a landing page". This is not acceptable: https://www.switch.ch/en/switch-public-dns ↩
-
Yandex DNS states "...block adult-only and dangerous websites" (aka self-explanatory) : https://dns.yandex.com/. The mentioned IPs are from the "Safe" section. ↩
-
SafeDNS is full of marketing. The Terms of Service mention an interesting point (11), by which queries must be analyzed automatically and/or modified/filtered: https://www.safedns.com/terms-of-service. "Features" also include AI and web (aka domain) filtering: https://www.safedns.com/features#id-dns-security. ↩
-
Level 3 IP-Addresses are found online, but are not linked to any website that will provide information about logging, etc. Referred to in: https://www.publicdns.xyz/public/level3.html ↩
-
SKYDNS fails:
dig www.dns-ga.de @193.58.251.251timed out anddelv dns-ga.de @193.58.251.251resolution failed: SERVFAIL. ↩ -
New Nations fails:
dig www.google.com @5.45.96.220timed out anddelv dns-ga.de NS @5.45.96.220resolution failed: SERVFAIL. ↩ -
DNS0.EU Seems to work without issues in regular web browsing but YMMV. https://www.dns0.eu states "Integrated protection against millions of malicious domains..." ↩
-
DNS0.EU ZERO states "...hardened security for highly sensitive environments..." Filters malicious content, newly created domains, Top-level domains, DDNS domains ect. ↩
-
DNS0.EU KIDS states "...filtering out content from the Internet that is not suitable for children, you can provide a safe online environment for kids..." Filters adult websites, ads and other content not suitable for children. ↩