Servers supporting DNS-over-TLS
The following servers are configured to support TLS on port 1021 and STARTTLS on port 53 for testing purposes.
Open resolver hosted by NLNetLabs:
- NLNetLabs is kindly hosting an open resolver (running Unbound):
- IP address: 22.214.171.124 and 2a04:b900:0:100::38
- The server key file can be obtained by contacting firstname.lastname@example.org
- The authoritative servers for getdnsapi.net are running a patched version of NSD:
- IP address: 126.96.36.199 and 2a04:b900:0:100::37
Authoritative test server hosted by Verisign Labs:
- Verisign Labs are kindly hosting a test zone on a server (running a patched version of NSD):
The zone is named starttls.verisignlabs.com and it has A, AAAA, and TXT records for names from 'A' to 'Z'.
The IP address of the server is currently 188.8.131.52.
Server key file is available to download here: nsd.key
The zone is signed
- This server also supports TCP fast open
How to Decode TLS packets in Wireshark
If you want to decode the DNS packets in Wireshark (use 1.12.1 or later) to get support TLSv1.2