Warning

Note that these servers are experimental offerings with no guarantees on the lifetime of the service or the service level provided.

Also note that the single SPKI pins published here for many of these servers are subject to change (e.g. on certificate renewal) and should be used with care!


See OARC website
Hosted by | IP addresses | Ports | Hostname for TLS authentication | Base 64 encoded (and hex) form of SPKI pin(s) for TLS authentication (RFC7858) | Notes | Supports RFC7766 fully | Software | Notes
getdnsapi.net

UPDATED on 13th April 2017!

185.49.141.3837

2a04:b900:0:100::3837

853

getdnsapi.net

foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9S=

(7e8c59467221f606695a797ecc488a6b4109dab7421aba0c5a6d3681ac5273d4)



No

Unbound

Surfnet

145.100.185.15

2001:610:1:40ba:145:100:185:15

853

dnsovertls.sinodun.com

oTLTTTTBgXZTN8cLg62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+Npe5Uk3dsFpxGLQ8AoQDPVoMwcBL4=

(A132D34D34C181765337C70B83E3697B9524DDDB05A7118B43C0284033D5A0CC)


No, but does do concurrent
processing of queries.

Supports TFO

HAProxy + BIND

Only listening on TLS on port 853

(no UDP or TCP on port 53)

Surfnet

145.100.185.16

2001:610:1:40ba:145:100:185:16

853

dnsovertls1.sinodun.com

ZZtB6wjcxw7p1iTmIZx27jGVTaFUiwyFGerlIoyyQVAcE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA=

(659B41EB08DCC70EE9D624E6219C76EE31954DA1548B0C8519EAE5228CB24150)


No, but does do concurrent
processing of queries
Nginx + BIND

Only listening on TLS on port 853

(no UDP or TCP on port 53)

dkg

199.58.81.218

2001:470:1c:76d::53

853

443

53053

dns.cmrg.net

3IOHSS48KOc/zlkKGtI46a9TY9PPKDVGhE3W2ZS4JZo=

(DC8387492E3C28E73FCE590A1AD238E9AF5363D3CF283546844DD6D994B8259A)

5zFN3smRPuHIlM/8L+hANt99LW26T97RFHqHv90awjo=


No, but does do concurrent
processing of queries.

Knot Resolver

OARC

The certificate is self-signed, therefore hostname validation is not supported

pOXrpUt9kgPgbWxBFFcBTbRH2heo2wHwXp1fd4AEVXI=
(A4E5EBA54B7D9203E06D6C411457014DB447DA17A8DB01F05E9D5F7780045572)

https://dns.cmrg.net/

Note that on port 443 this server can serve both HTTP 1.1 traffic (to securely access the nameserver credentials) on TLS connections and DNS-over-TLS on separate TLS connections, due to some nifty, experimental demultiplexing of traffic, described here. So if port 853 may be blocked, then this is a good option.

OARC

184.105.193.78

2620:ff:c000:0:1::64:25

853

tls-dns-u.odvr.dns-oarc.net

pOXrpUt9kgPgbWxBFFcBTbRH2heo2wHwXp1fd4AEVXI=


No

Unbound

See OARC website

Yeti

2001:4b98:dc2:43:216:3eff:fea9:41a

853

dns-resolver.yeti.eu.org

 pin-sha256="VftYcSCtgKdaHJI/P2mtcBjOt9rRc8KSjNh+cejCEwU="
(55FB587120AD80A75A1C923F3F69AD7018CEB7DAD173C2928CD87E71E8C21305) 

8jkVGv5GP34E70/tDu+j2vnZ1bikayym2QvF4mkX11g=


No

Unbound

See https://dns-resolver.yeti.eu.org/

Yeti

2a00:e50:f15c:1000::2:53

853

yeti-rr.datev.net


stunnel + Unbound
UncensoredDNS

89.233.43.71 

2a01:3a0:53:53::

853

unicast.censurfridns.dk





See https://blog.uncensoreddns.org/
Lorraine Data Network

80.67.188.188

853




https://ldn-fai.net/serveur-dns-recursif-ouvert/

Uses a self-signed certificate, no key published