
Experimental DNS Privacy Recursive Servers

The following servers are configured to support TLS on port 853 (previously TLS on port 1021 and STARTTLS on port 53) for testing purposes.

Open resolver

Hosted by the getdns API implementation project at getdnsapi.net (Unbound 1.5.6):

Warning

Note that these are experimental offerings with no guarantees on the lifetime of the service or the service level provided.

Also note that the single SPKI pins published here for many of these servers are subject to change (e.g. on certificate renewal) and should be used with care!
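Checking a resolver's certificate against a published pin, as an added example that is not code from this page or from the getdns project: an RFC 7858 SPKI pin is the base64 encoding of the SHA-256 hash of the certificate's DER-encoded SubjectPublicKeyInfo. The code below locates that field with a minimal DER walker (no external libraries), computes the pin, and compares it against a pin set rather than a single pin, which is what lets a client survive the certificate renewals the warning above describes when the operator publishes the current and the next pin together (as dns.cmrg.net does in the table below). The certificate it parses is a constructed dummy built by make_sample_cert, not a real server certificate; the pin table is copied from this page; der_read, der_children, extract_spki, spki_pin and pin_matches are names chosen here.

```python
import base64
import hashlib

# Pins copied from the table on this page. dns.cmrg.net publishes two so that a
# key rollover does not lock out clients that still pin the older key.
PUBLISHED_PINS = {
    "getdnsapi.net": ["foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9S="],
    "dns.cmrg.net": [
        "3IOHSS48KOc/zlkKGtI46a9TY9PPKDVGhE3W2ZS4JZo=",
        "5zFN3smRPuHIlM/8L+hANt99LW26T97RFHqHv90awjo=",
    ],
}


def der_read(buf, pos=0):
    """Return (tag, value, end) for the DER TLV starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(body):
    """Split a constructed DER value's contents into (tag, raw_tlv) children."""
    children, pos = [], 0
    while pos < len(body):
        tag, _, end = der_read(body, pos)
        children.append((tag, body[pos:end]))
        pos = end
    return children


def extract_spki(cert_der):
    """Return the raw DER SubjectPublicKeyInfo of an X.509 certificate.

    Certificate    ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { version [0] OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    _, cert_body, _ = der_read(cert_der)
    tbs_raw = der_children(cert_body)[0][1]
    _, tbs_body, _ = der_read(tbs_raw)
    fields = der_children(tbs_body)
    # The EXPLICIT [0] version is tagged 0xA0 and is absent from v1 certificates.
    spki_index = 6 if fields[0][0] == 0xA0 else 5
    return fields[spki_index][1]


def spki_pin(cert_der):
    """RFC 7858 section 4.2 pin: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    digest = hashlib.sha256(extract_spki(cert_der)).digest()
    return base64.b64encode(digest).decode("ascii")


def pin_matches(cert_der, hostname, pins=PUBLISHED_PINS):
    """Accept the certificate only if its pin is in the set configured for hostname."""
    return spki_pin(cert_der) in pins.get(hostname, [])


# --- constructed sample data: a structurally valid but unsigned dummy certificate ---
def der_tlv(tag, body):
    """Encode one DER TLV, using long-form length where needed."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


RSA_OID = bytes.fromhex("2A864886F70D010101")         # rsaEncryption
SHA256_RSA_OID = bytes.fromhex("2A864886F70D01010B")  # sha256WithRSAEncryption

# SubjectPublicKeyInfo with a dummy 32-byte key bit string (constructed, not a real key).
SAMPLE_SPKI = der_tlv(0x30, der_tlv(0x30, der_tlv(0x06, RSA_OID) + der_tlv(0x05, b""))
                      + der_tlv(0x03, b"\x00" + b"\x42" * 32))


def make_sample_cert(spki=SAMPLE_SPKI, v3=True):
    """Wrap spki in a dummy Certificate SEQUENCE (v3 with version field, or v1 without)."""
    version = der_tlv(0xA0, der_tlv(0x02, b"\x02")) if v3 else b""
    tbs = der_tlv(0x30, version
                  + der_tlv(0x02, b"\x01")                                # serialNumber
                  + der_tlv(0x30, der_tlv(0x06, SHA256_RSA_OID))          # signature algorithm
                  + der_tlv(0x30, b"")                                     # issuer (empty Name)
                  + der_tlv(0x30, der_tlv(0x17, b"170413000000Z")
                            + der_tlv(0x17, b"180413000000Z"))             # validity (dummy dates)
                  + der_tlv(0x30, b"")                                     # subject (empty Name)
                  + spki)
    signature = der_tlv(0x03, b"\x00" * 17)                                # dummy signature bits
    return der_tlv(0x30, tbs + der_tlv(0x30, der_tlv(0x06, SHA256_RSA_OID)) + signature)


if __name__ == "__main__":
    cert = make_sample_cert()
    print("pin:", spki_pin(cert))
    print("matches getdnsapi.net pin set:", pin_matches(cert, "getdnsapi.net"))
```

Against a live resolver the same value comes from openssl, for example `openssl s_client -connect 185.49.141.37:853 </dev/null 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64`. A mismatch with the published pin means either that a renewal changed the key, in which case the page needs updating, or that the connection should not be trusted; a pin set with a spare entry lets the operator rotate keys without breaking pinned clients.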


Each entry below gives: hosted by, IP addresses, ports, hostname for TLS authentication, base64-encoded SPKI pin(s) for TLS authentication (RFC7858), whether RFC7766 is supported fully, software, and notes.

getdnsapi.net (UPDATED on 13th April 2017!)

  • IP addresses: 185.49.141.37, 2a04:b900:0:100::37
  • Ports: 853
  • Hostname for TLS authentication: getdnsapi.net
  • SPKI pin(s): foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9S=
  • Supports RFC7766 fully: No
  • Software: Unbound

Surfnet

  • IP addresses: 145.100.185.15, 2001:610:1:40ba:145:100:185:15
  • Ports: 853
  • Hostname for TLS authentication: dnsovertls.sinodun.com
  • SPKI pin(s): 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=
  • Supports RFC7766 fully: No, but does do concurrent processing of queries. Supports TFO.
  • Software: HAProxy + BIND
  • Notes: Only listening on TLS on port 853 (no UDP or TCP on port 53)

Surfnet

  • IP addresses: 145.100.185.16, 2001:610:1:40ba:145:100:185:16
  • Ports: 853
  • Hostname for TLS authentication: dnsovertls1.sinodun.com
  • SPKI pin(s): cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA=
  • Supports RFC7766 fully: No, but does do concurrent processing of queries.
  • Software: Nginx + BIND
  • Notes: Only listening on TLS on port 853 (no UDP or TCP on port 53)

dkg

  • IP addresses: 199.58.81.218, 2001:470:1c:76d::53
  • Ports: 853, 443, 53053
  • Hostname for TLS authentication: dns.cmrg.net
  • SPKI pin(s): 3IOHSS48KOc/zlkKGtI46a9TY9PPKDVGhE3W2ZS4JZo= and 5zFN3smRPuHIlM/8L+hANt99LW26T97RFHqHv90awjo=
  • Supports RFC7766 fully: No, but does do concurrent processing of queries.
  • Software: Knot Resolver
  • Notes: https://dns.cmrg.net/ . Note that on port 443 this server can serve both HTTP 1.1 traffic (to securely access the nameserver credentials) over TLS and DNS-over-TLS on separate TLS connections, thanks to some nifty, experimental demultiplexing of traffic, described here. So if port 853 is blocked, this is a good option.

OARC

  • IP addresses: 184.105.193.78, 2620:ff:c000:0:1::64:25
  • Ports: 853
  • Hostname for TLS authentication: tls-dns-u.odvr.dns-oarc.net
  • SPKI pin(s): pOXrpUt9kgPgbWxBFFcBTbRH2heo2wHwXp1fd4AEVXI=
  • Supports RFC7766 fully: No
  • Software: Unbound
  • Notes: See OARC website

Yeti

  • IP addresses: 2001:4b98:dc2:43:216:3eff:fea9:41a
  • Ports: 853
  • Hostname for TLS authentication: dns-resolver.yeti.eu.org
  • SPKI pin(s): 8jkVGv5GP34E70/tDu+j2vnZ1bikayym2QvF4mkX11g=
  • Supports RFC7766 fully: No
  • Software: Unbound
  • Notes: See https://dns-resolver.yeti.eu.org/

Yeti

  • IP addresses: 2a00:e50:f15c:1000::2:53
  • Ports: 853
  • Hostname for TLS authentication: yeti-rr.datev.net
  • SPKI pin(s): none listed
  • Software: stunnel + Unbound

UncensoredDNS

  • IP addresses: 89.233.43.71, 2a01:3a0:53:53::
  • Ports: 853
  • Hostname for TLS authentication: unicast.censurfridns.dk
  • SPKI pin(s): none listed
  • Notes: See https://blog.uncensoreddns.org/

Lorraine Data Network

  • IP addresses: 80.67.188.188
  • Ports: 853
  • Hostname for TLS authentication: none listed
  • SPKI pin(s): none listed
  • Notes: https://ldn-fai.net/serveur-dns-recursif-ouvert/ . Uses a self-signed certificate, no key published.

Authoritative test server hosted by Verisign Labs:

  • Verisign Labs are kindly hosting a test zone on a server (running a patched version of NSD):
    • The zone is named starttls.verisignlabs.com and it has A, AAAA, and TXT records for names from 'L001' to 'L100'.
    • The IP address of the server is currently 173.255.254.151
    • Server key file is available to download here: nsd.key
    • The zone is signed
    • This server also supports TCP fast open

Authoritative getdnsapi.net servers [currently offline]

  • The authoritative servers for getdnsapi.net are running a patched version of NSD:
  • IP addresses: 185.49.141.37 and 2a04:b900:0:100::37
  • The server key file is available for download here: 185.49.141.37-nsd.key

Server type      Hosted by       IP addresses                         Server key              Hostname for TLS authentication
Open Resolver    getdnsapi.net   185.49.141.38, 2a04:b900:0:100::38   -                       getdnsapi.net
Authoritative    getdnsapi.net   185.49.141.37, 2a04:b900:0:100::37   185.49.141.37-nsd.key   -
Authoritative    Verisign Labs   173.255.254.151                      nsd.key                 starttls.verisignlabs.com

How to Decode TLS packets in Wireshark

If you want to decode the DNS packets in Wireshark (use 1.12.1 or later for TLSv1.2 support):

  • Obtain the server key file
  • Configure the key in Wireshark in Edit->Preferences
    • Open the protocol list in the right hand menu and select SSL from the list
    • Click on the RSA keys list 'Edit' box and then click on 'New' in the dialog that appears
      • Enter the remote server's IP address (e.g. 173.255.254.151), the port for TLS (1021), and 'http' or 'spdy' for the protocol (DNS is not yet available here)
      • Use the Key File selector to choose the key file you downloaded
    • Save this by hitting OK, OK and Apply
  • Back in the main window use the Analyze->Decode as... option to choose to decode as SSL
  • Click on one of the packets labelled 'Application data' and you should see an additional tab appear in the Packet bytes view window of Wireshark labelled "Decrypted SSL data"

Decrypting with the server's RSA private key only works for sessions that negotiated RSA key exchange; sessions using (EC)DHE forward-secret cipher suites cannot be decrypted this way.