Welcome to the IPFire Wiki

This wiki is a community-maintained resource about everything there is to know about IPFire. Join us and help us improving it!

Looking for something?

Use the search and find answers to everything about IPFire. If you cannot find what you are looking for, join our community and talk to fellow IPFire users, developers and everybody else involved in the project.

IPFire Community

Differences in Revisions: List of Public DNS Servers

Older Revision
August 27 at 9:15 pm
»
Make it clearer that DNSSEC is required
# List of Public DNS Servers
 
During the process of dial-in, your ISP usually passes two to four DNS servers to the router or modem
for looking up IP addresses. They will be used if you have not set some other DNS servers.
 
However, it might be possible that these DNS servers are censored, compromised or don't provide DNSSEC validation which makes DNS replies more secure. In case you don't trust your ISPs DNS servers, feel free to use alternate DNS server from the list below.
 
| Operator | Location | DNSSEC | DNS over TLS | Address(es) |
| --- | --- | --- | --- | --- |
| **[Alternate DNS](https://alternate-dns.com/setup.html)** | US | aware | | 198.101.242.72 |
| | US | aware | | 23.253.163.53 |
| **[AS250 / Chaos Computer Club (CCC)](https://www.ccc.de/en/censorship/dns-howto)** | DE | validating | | 194.150.168.168 |
| **[censurfridns.dk](http://censurfridns.dk/)** | DK | validating | yes | 89.233.43.71 |
| | | | yes | 2001:67c:28a4:: |
| | Anycast | validating | | 91.239.100.100 |
| | | | | 2002:d596:2a92:1:71:53:: |
| **[Cleanbrowsing](https://cleanbrowsing.org/guides/dnsovertls)** | Anycast | validating | yes | 185.228.168.9 |
| | | validating | yes | 2a0d:2a00:1::2 |
| | | validating | yes | 185.228.169.9 |
| | | validating | yes | 2a0d:2a00:2::2 |
| **[Cloudflare](https://1.1.1.1/)** | Anycast | validating | yes | 1.1.1.1 |
| | | | yes | 2606:4700:4700::1111 |
| | Anycast | validating | yes | 1.0.0.1 |
| | | | yes | 2606:4700:4700::1001 |
| **[Comodo Secure DNS](https://securedns.dnsbycomodo.com/)** | US | Strips RRSIG | | 8.26.56.26 |
| | US | Strips RRSIG | | 8.20.247.20 |
| **[CyberGhost](https://support.cyberghostvpn.com/hc/en-us/articles/214480265-CyberGhost-name-server-addresses-DNS-)** | US | aware | | 38.132.106.139 |
| | UK | aware | | 194.187.251.67 |
| **[Digitalcourage](https://digitalcourage.de/support/zensurfreier-dns-server)** | DE | validating | yes | 46.182.19.48 |
| **[DNSlytics #1](https://dnslytics.com/ip/216.146.35.35)** | US | validating | | 216.146.35.35 |
| **[DNSlytics #2](https://dnslytics.com/ip/216.146.35.35)** | US | validating | | 216.146.36.36 |
| **[DNSReactor](http://dnsreactor.net/)** | US | Strips RRSIG | | 45.55.155.25 |
| | US | Strips RRSIG | | 104.236.210.29 |
| **[French Data Network (FDN)](https://www.fdn.fr/actions/dns/)** | FR | aware | | 80.67.169.12 |
| | | | | 2001:910:800::12 |
| | FR | validating | | 80.67.169.40 |
| | | | | 2001:910:800::40 |
| **[FreeDNS](https://freedns.zone/en/)** | AT | Strips RRSIG | | 37.235.1.174 |
| | AT | Strips RRSIG | | 37.235.1.177 |
| **[Freenom World](https://www.freenom.world/en/index.html)** | NL | validating | | 80.80.80.80 |
| | NL | validating | | 80.80.81.81 |
| **[Google Public Free DNS](https://developers.google.com/speed/public-dns/)** | Anycast | validating | | 8.8.8.8 |
| | Anycast | validating | | 8.8.4.4 |
| **[GreenTeamDNS](http://www.greenteamdns.com/)** | IL | Strips RRSIG | | 81.218.119.11 |
| | IL | Strips RRSIG | | 209.88.198.133 |
| **Hurricane Electric** | Anycast | validating | | 74.82.42.42 |
| | | | | 2001:470:20::2 |
| **[Lightning Wire Labs](https://dns.lightningwirelabs.com/knowledge-base/specs/name-servers)** | DE | validating | yes | 81.3.27.54 |
| | | | yes | 2001:470:7655::54 |
| **[Neustar DNS Advantage](https://www.neustar.biz/security/dns-services/recursive-dns)** | US | validating | | 156.154.70.1 |
| | US | validating | | 156.154.71.1 |
| **[New Nations](http://www.new-nations.net/en/join/showpage/id/16)** | DE | aware | | 5.45.96.220 |
| | DE | aware | | 185.82.22.133 |
| **[Nuernberg Internet Exchange (N-IX)](http://www.n-ix.net/mehrwertdienste/dns-server/)** | DE | Strips RRSIG | no | 194.8.57.12 |
| **[OpenDNS](https://www.opendns.com/setupguide/)** ([](/dns/dnssec/hosted-blacklists)) | Anycast | Strips RRSIG | | 208.67.222.222 |
| | Anycast | Strips RRSIG | | 208.67.220.220 |
| | Anycast | Strips RRSIG | | 208.67.220.222 |
| | Anycast | Strips RRSIG | | 208.67.222.220 |
| **[OpenNIC](https://servers.opennicproject.org/)** | AT | aware | | 5.132.191.104 |
| | AU | Strips RRSIG | | 111.67.20.8 |
| | AU | aware | | 163.53.248.170 |
| | AU | aware | | 103.236.162.119 |
| | CA | aware | | 104.37.195.178 |
| | CA | aware | | 192.99.85.244 |
| | CH | aware | | 31.171.251.118 |
| | CZ | aware | | 51.254.25.115 |
| | DE | validating | | 82.141.39.32 |
| | DE | validating | | 50.3.82.215 |
| | DE | Strips RRSIG | | 46.101.70.183 |
| | DE | aware | | 94.16.114.254 |
| | DE | validating | | 173.212.234.232 |
| | DE | validating | | 173.249.7.187 |
| | DE | validating | | 130.255.78.223 |
| | DE | aware | | 144.76.133.38 |
| | DE | validating | | 172.104.136.243 |
| | DE | validating | | 94.247.43.254 |
| | EC | aware | | 45.71.112.70 |
| | FR | validating | | 163.172.185.51 |
| | FR | aware | | 87.98.175.85 |
| | FR | aware | | 51.255.48.78 |
| | FR | validating | | 188.165.200.156 |
| | FR | aware | | 92.222.97.145 |
| | FR | aware | | 37.59.40.15 |
| | GB | validating | | 159.89.249.249 |
| | IN | validating | | 139.59.18.213 |
| | IT | validating | | 193.183.98.66 |
| | JP | validating | | 108.61.201.119 |
| | LT | validating | | 212.24.98.54 |
| | MD | aware | | 178.17.170.179 |
| | NL | aware | | 185.208.208.141 |
| | NL | aware | | 82.196.9.45 |
| | NL | aware | | 146.185.176.36 |
| | NL | aware | | 163.172.215.64 |
| | RO | validating | | 188.213.49.35 |
| | RO | aware | | 89.35.39.64 |
| | RO | validating | | 89.18.27.167 |
| | RU | aware | | 91.217.137.37 |
| | RU | validating | | 185.117.154.144 |
| | RU | validating | | 95.181.211.6 |
| | SE | validating | | 176.126.70.119 |
| | SG | aware | | 139.99.96.146 |
| | UA | validating | | 217.12.210.54 |
| | UK | validating | | 185.164.136.225 |
| | US | validating | | 66.70.211.246 |
| | US | aware | | 96.47.228.108 |
| | US | validating | | 128.52.130.209 |
| | US | aware | | 172.98.193.42 |
| | US | aware | | 162.248.241.94 |
| | US | validating | | 107.172.42.186 |
| | US | validating | | 66.165.251.19 |
| | US | validating | | 103.114.191.33 |
| | US | validating | | 103.114.191.44 |
| | US | Strips RRSIG | | 73.11.11.6 |
| | US | validating | | 198.206.14.241 |
| | US | validating | | 18.211.225.60 |
| **[puntCAT](http://servidordenoms.cat/vull-aquest-dns/configuracio-a-windows/windows-7/)** | ES | validating | | 109.69.8.51 |
| **[Quad9](https://www.quad9.net/)** | Anycast | validating | yes | 9.9.9.9 |
| | Anycast | validating | yes | 9.9.9.10 |
| **[SafeDNS](https://www.safedns.com/)** | Anycast | aware | | 195.46.39.39 |
| | Anycast | aware | | 195.46.39.40 |
| **SkyDNS** | RU | aware | | 193.58.251.251 |
| **[Sprintlink General DNS](https://sprint.net/index.php?p=faq_dns)** | US | aware | | 204.117.214.10 |
| | US | aware | | 199.2.252.10 |
| | US | aware | | 204.97.212.10 |
| **[Verisign](https://www.verisign.com/en_US/security-services/public-dns/index.xhtml)** | US | validating | | 64.6.64.6 |
| | US | validating | | 64.6.65.6 |
| **Verizon (Level 3)** | Anycast | aware | | 4.2.2.1 |
| | Anycast | aware | | 4.2.2.2 |
| | Anycast | aware | | 4.2.2.3 |
| | Anycast | aware | | 4.2.2.4 |
| | Anycast | aware | | 4.2.2.5 |
| | Anycast | aware | | 4.2.2.6 |
| **[Yandex.DNS](https://dns.yandex.com/)** | RU | Strips RRSIG | | 77.88.8.88 |
| | RU | Strips RRSIG | | 77.88.8.2 |
 
 
## Legend
| DNSSEC | Explanation |
| --- | --- |
| validating | The server is able to validate DNS records. |
| aware | The server is able to provide RRSIG, DNSKEY and DS records, but does not validate any records. |
| not supported or Strips RRSIG | The server doesn't know anything about DNSSEC and cannot be used by IPFire at all. If configured, a self-test will skip these servers and IPFire will potentially fall back into recursor mode. |
 
 
## About location and DNSSEC status
The location of the servers has been stated by using [GeoIP Tool](https://geoiptool.com/) and the IPFire GeoIP server. [However, it might be possible that the location is wrong (or has been changed meanwhile).](/configuration/firewall/geoip-block)
 
The servers that are marked with "Anycast" are using anycasts so that traffic will be routed to the nearest of the many instances that are there on the network. Thereof the exact location of the server(s) cannot be determined. Worse, different configurations of Anycast instances cannot be determined reliable.
 
A name server can be checked with the following command:
 
`/etc/init.d/unbound test-name-server ADDRESS`
 
 
## Security Considerations
A DNS server has a very powerful function in network topology. Please keep in mind that it might log your queries (which is a huge information leak).
 
Further, not all of the DNS servers below return correct answers in any case. Some of them return failures for harmful or malicious sites. Check the operators website for more information on this topic.
 
For security reasons, it is required to use DNS servers which support DNSSEC. For privacy and availability reasons, avoid using just one providers' DNS servers.
For security reasons, it is recommended to use DNS servers which support DNSSEC (i.e. have a **validating** in the table above), if possible **aware** servers will also work, leaving the task of validating DNS responses up to your IPFire machine. As mentioned above, **not supported** or **Strips RRSIG** servers will **not** be used by IPFire.
 
For privacy and availability reasons, avoid using just one providers' DNS servers.