====== DNS ======
===== Public DoH Servers =====
* [[https://github.com/crypt0rr/public-doh-servers/tree/main|Crypt0rr]]
* https://raw.githubusercontent.com/crypt0rr/public-doh-servers/main/dns.list
* https://raw.githubusercontent.com/crypt0rr/public-doh-servers/main/ipv4.list
* https://raw.githubusercontent.com/crypt0rr/public-doh-servers/main/ipv6.list
* [[https://github.com/curl/curl/wiki/DNS-over-HTTPS?ref=dtm.uk|Curl Project List]]
* [[https://github.com/Sekhan/TheGreatWall|The Great Wall]]
* https://raw.githubusercontent.com/Sekhan/TheGreatWall/master/TheGreatWall.txt
* https://forum.nxfilter.org/tips-tricks/2723-list-of-dns-over-https-doh-server-ips-to-be-blocked-by-your-firewall
===== Free & Public DNS Servers =====
List of OpenDNS's 49 POPs globally are listed [[https://www.opendns.com/data-center-locations/|here]].
Google's DNS servers [[https://developers.google.com/speed/public-dns/docs/isp|apply a limit]] of 1,500QPS per source IP address.
Remember, Cloudflare doesn't support ECS.
^Provider ^ IPv4 A ^ IPV4 B ^ IPv6 A ^ IPv6 B ^ Notes ^ DoH ^ DoT ^ DoQ ^
| [[https://developers.google.com/speed/public-dns|Google]] | 8.8.8.8| 8.8.4.4| 2001:4860:4860::8888| 2001:4860:4860::8844| Unfiltered | https://dns.google/dns-query | | |
| [[https://developers.cloudflare.com/1.1.1.1/setup|CloudFlare]]| 1.1.1.1| 1.0.0.1| 2606:4700:4700::1111| 2606:4700:4007::1001| Unfiltered | https://one.one.one.one/dns-query 1dot1dot1dot1.cloudflare-dns.com | | |
| [[https://developers.cloudflare.com/1.1.1.1/setup|CloudFlare]]| 1.1.1.2| 1.0.0.2| 2606:4700:4700::1112| 2606:4700:4007::1002| malware | https://security.cloudflare-dns.com/dns-query |security.cloudflare-dns.com | |
| [[https://developers.cloudflare.com/1.1.1.1/setup|CloudFlare]]| 1.1.1.3| 1.0.0.3| 2606:4700:4700::1113| 2606:4700:4007::1003| malware, adult | family.cloudflare-dns.com | family.cloudflare-dns.com | |
| [[https://www.quad9.net/service/service-addresses-and-features|Quad9]] | 9.9.9.9 | 149.112.112.112 | 2620:fe::9 | 2620:fe::fe | malware | https://dns.quad9.net/dns-query | tls://dns.quad9.netdns.quad9.net | |
| [[https://www.quad9.net/service/service-addresses-and-features|Quad9]] | 9.9.9.10| 149.112.112.10 | 2620:fe::10| 2620:fe::fe:10 | no filter| https://dns10.quad9.net/dns-query | tls://dns10.quad9.net | |
| [[https://www.quad9.net/service/service-addresses-and-features|Quad9]] | 9.9.9.11 | 149.112.112.11 | 2620:fe::11| 2620:fe::fe:11 | malware + ECS enabled | https://dns11.quad9.net/dns-query | tls://dns11.quad9.net | |
| [[https://www.quad9.net/service/service-addresses-and-features|Quad9]] | 9.9.9.11 | 149.112.112.11 | 2620:fe::11| 2620:fe::fe:11 | malware + ECS enabled | https://dns11.quad9.net/dns-query | tls://dns11.quad9.net | |
| [[https://www.joindns4.eu/for-public|DNS4EU]] | 86.54.11.1| 86.54.11.201| 2a13:1001::86:54:11:1| 2a13:1001::86:54:11:201 | Block malware and fraud. | protective.joindns4.eu/dns-query | protective.joindns4.eu | |
| [[https://www.joindns4.eu/for-public|DNS4EU]] | 86.54.11.11| 86.54.11.211| 2a13:1001::86:54:11:11| 2a13:1001::86:54:11:211| Block malware and fraud. +Child safe +Block Ads | child-noads.joindns4.eu/dns-query | child-noads.joindns4.eu | |
| [[https://www.joindns4.eu/for-public|DNS4EU]] | 86.54.11.12| 86.54.11.212| 2a13:1001::86:54:11:12| 2a13:1001::86:54:11:212| Block malware and fraud. +Child safe | child.joindns4.eu/dns-query | child.joindns4.eu | |
| [[https://www.joindns4.eu/for-public|DNS4EU]] | 86.54.11.13| 86.54.11.213| 2a13:1001::86:54:11:13| 2a13:1001::86:54:11:213| Block malware and fraud. +Block Ads. | noads.joindns4.eu/dns-query | noads.joindns4.eu | |
| [[https://www.joindns4.eu/for-public|DNS4EU]] | 86.54.11.100| 86.54.11.200| 2a13:1001::86:54:11:100| 2a13:1001::86:54:11:200| Unfiltered. | unfiltered.joindns4.eu/dns-query | unfiltered.joindns4.eu | |
| [[https://support.apple.com/en-gb/101555|Apple Private Relay]] | mask.icloud.com 172.224.100.7 72.224.100.9 172.224.60.6 172.224.65.12 172.224.65.14 172.224.65.6 172.224.99.5 172.224.99.7 | mask-h2.icloud.com 17.250.80.194 17.250.80.198 17.250.80.203 17.250.80.214 17.250.80.217 17.250.80.231 17.250.83.199 17.250.83.200| 2a01:b740:984:1::5 2a01:b740:984:1::a 2a01:b740:984:3::4 2a01:b740:984::e 2a01:b740:984:f::6 2a01:b740:984:f::9 2a01:b740:984:f::b 2a01:b740:984:f::d | | | doh.dns.apple.com | | |
| [[https://my.nextdns.io|NextDNS]] | 45.90.28.20 | 45.90.30.20 | 2a07:a8c0::47:3b3f | 2a07:a8c1::47:3b3f | | https://dns.nextdns.io/xxxxxx | tls://xxxxxx.dns.nextdns.io | xxxxxx.dns.nextdns.io |
| [[https://adguard-dns.io/en/blog/adguard-dns-new-addresses.html|AdGuard]] | 94.140.14.14| 94.140.15.15| 2a10:50c0::ad1:ff| 2a10:50c0::ad2:ff| Block Ads | https://dns.adguard.com/dns-query|dns.adguard.com | quic://dns.adguard.com|
| [[https://adguard-dns.io/en/blog/adguard-dns-new-addresses.html|AdGuard]] | 94.140.14.15| 94.140.15.16| 2a10:50c0::bad1:ff| 2a10:50c0::bad2:ff| Family Protection |https://dns-family.adguard.com/dns-query |dns-family.adguard.com | quic://dns-family.adguard.com|
| [[https://adguard-dns.io/en/blog/adguard-dns-new-addresses.html|AdGuard]] | 94.140.14.140| 94.140.14.141| 2a10:50c0::1:ff| 2a10:50c0::2:ff| No Filtering |https://dns-unfiltered.adguard.com/dns-query |dns-unfiltered.adguard.com | quic://dns-unfiltered.adguard.com|
| [[https://dns.watch/|DNS.watch]] | 84.200.69.80| 84.200.70.40| 2001:1608:10:25::1c04:b12f| 2001:1608:10:25::9249:d69b| No Logging, DNSSEC enabled | | | |
| [[https://controld.com/free-dns?|ControlD]] | 76.76.2.0 | 76.76.10.0 | 2606:1a40::| 2606:1a40:1:: | Unfiltered | https://freedns.controld.com/p0 | | p0.freedns.controld.com |
| [[https://controld.com/free-dns?|ControlD]] | 76.76.2.1 | 76.76.10.1 | 2606:1a40::1| 2606:1a40:1::1 | Malware | https://freedns.controld.com/p1 | | p1.freedns.controld.com |
| [[https://controld.com/free-dns?|ControlD]] | 76.76.2.2 | 76.76.10.2 | 2606:1a40::2| 2606:1a40:1::2 | Malware + Ads&Tracking | https://freedns.controld.com/p2 | | p2.freedns.controld.com |
| [[https://controld.com/free-dns?|ControlD]] | 76.76.2.3 | 76.76.10.3 | 2606:1a40::3| 2606:1a40:1::3 | Malware + Ads&Tracking+Social Networks | https://freedns.controld.com/family | | family.freedns.controld.com |
| [[https://controld.com/free-dns?|ControlD]] | 76.76.2.5 | 76.76.10.5 | 2606:1a40::5| 2606:1a40:1::5 | Uncensored domains from various countries | https://freedns.controld.com/uncensored | | uncensored.freedns.controld.com |
| Level 3| 4.2.2.2| 4.2.2.6| | | | | | |
| Level 3| 4.2.2.1 / 4.2.2.3| 4.2.2.4 / 4.2.2.5| | | | | | |
| Level 3| 209.244.0.3 (resolver1.level3.net) | 209.244.0.4 (resolver2.level3.net)| | | | | | |
| [[https://www.centurylink.com/home/help/internet/dns.html|Centurylink]]| 205.171.3.65 | 205.171.2.65 | | | | |
| [[https://support.opendns.com/hc/en-us/articles/360038086532-Using-DNS-over-HTTPS-DoH-with-OpenDNS|OpenDNS]]| 208.67.222.222| 208.67.220.220| 2620:119:35::35 | 2620:119:53::53 | unfiltered | https://doh.opendns.com/dns-query | | |
| [[https://support.opendns.com/hc/en-us/articles/360038086532-Using-DNS-over-HTTPS-DoH-with-OpenDNS|OpenDNS Family Shield]]| 208.67.222.123| 208.67.220.123| | | adult | https://doh.familyshield.opendns.com/dns-query | | |
| [[https://www.comodo.com/secure-dns/|Comodo Secure DNS Public]]| 8.26.56.26| 8.20.247.20| | | | | | |
| [[https://www.comodo.com/secure-dns/|Comodo Secure Internet Gateway]]| 8.26.56.26| 8.20.247.20| | | | | | |
| Norton ConnectSafe (retired) | 199.85.126.10| 199.85.127.10| | | malware | | | |
| Norton ConnectSafe (retired) | 199.85.126.20| 199.85.127.20| | | malware and adult | | | |
| Norton ConnectSafe (retired) | 199.85.126.30| 199.85.127.30| | | malware, adult, and other* | | | |
| [[https://blog.uncensoreddns.org/dns-servers/|UncensoredDNS]]| 91.239.100.100| 89.233.43.71| 2001:67c:28a4::| 2a01:3a0:53:53::| | https://anycast.uncensoreddns.org/dns-query / https://unicast.uncensoreddns.org/dns-query| | |
| [[https://www.bravedns.com/|BraveDNS]]| | | | | | https://bravedns.com/dns-query | | |
| [[https://dns.he.net|Hurricane Electric]] | 74.82.42.42 | | | | | | | |
| [[https://www.dnssense.com/|DNSSense]] | 45.129.19.19 | 45.129.19.20| | | | | | |
| [[https://www.ncsc.gov.uk/information/pdns|UK PDNS]] | 25.25.25.25 | 25.26.27.28| 2a06:98c1:54::16:f838 | | | | | |
| Fortinet| 208.91.112.53 | 208.91.112.52 | | | | | | |
| GreatFirewall China| 113.113.113.113 | | | | | | | |
| [[https://www.opennic.org/|OpenNIC]] | 13.239.157.177 | | | | | | | |
| AdGuard | 176.103.130.130 | | | | | | | |
| CleanBrowsing | 185.228.168.168 | | | | | | | |
| Vodafone UK | 141.1.1.1 | | | | | | | |
| [[https://www.cira.ca/en/canadian-shield/|CIRA Canadian Shield]] | 149.112.121.10 | 149.112.122.10 | | | | | | |
| [[https://www.safedns.com/setup-on-dsl-wi-fi-routers|SafeDNS]] | 195.46.39.39 | 195.46.39.40 | | | | | |
| [[http://www.freenom.world/en/index.html?lang=en|FreeNom]] | 80.80.80.80 | 80.80.81.81 | | | | | | |
| [[https://alternate-dns.com/|AlternateDNS]] | 76.76.19.19 | 76.223.122.150 | 2602:fcbc::ad | 2602:fcbc:2::ad | | | | |
| [[https://usavps.com/blog/17946/|AlternateDNS]] | 23.253.163.53 | | | | | | | |
| [[https://www.dnsfilter.com/|DNSFilter]] | 103.247.36.36 | 103.247.37.37 | | | | | | |
| [[https://gcore.com/public-dns|G-Core]] | 95.85.95.85 | 2.56.220.2 | 2a03:90c0:999d::1 | 2a03:90c0:9992::1 | | | | |
| [[https://help.dyn.com/internet-guide-setup/|Oracle DNS]] | 216.146.35.35 | 216.146.36.36 | | | | | | |
| [[https://nordvpn.com/blog/how-to-change-dns/|NordVPN]] | 103.86.96.100 | 103.86.99.100 | | | | | | |
| [[https://nordvpn.com/blog/how-to-change-dns/|NordVPN SmartDNS]] | 103.86.96.103 | 103.86.99.103 | | | | | | |
| [[https://www.namecheap.com/dns/free-public-dns/|Namecheap SafeServe]] | 198.54.117.10 | 198.54.117.11 | | | | | | |
| [[https://vercara.com/ultra-dns-public| Vecara UltraDNS]] | 64.6.64.6 | 64.6.65.6 | 2620:74:1b::1:1 | 2620:74:1c::2:2 | Unfiltered | | | |
| [[https://vercara.com/ultra-dns-public| Vecara UltraDNS]] | 156.154.70.1 | 156.154.70.2 | 2610:a1:1018::1 | 2610:a1:1019::1 | Unfiltered | | | |
| [[https://vercara.com/ultra-dns-public| Vecara UltraDNS]] | 156.154.70.2 | 156.154.71.2 | 2610:a1:1018::2 | 2610:a1:1019::2 | Malware | | | |
| [[https://vercara.com/ultra-dns-public| Vecara UltraDNS]] | 156.154.70.3 | 156.154.71.3 | 2610:a1:1018::3 | 2610:a1:1019::3 | Adult, Gambling, Violence | | | |
| [[https://dns.yandex.com/|Yandex]] | 77.88.8.1 | 77.88.8.8 | 2a02:6b8::feed:0ff | 2a02:6b8:0:1::feed:0ff | Unfiltered | common.dot.dns.yandex.net | common.dot.dns.yandex.net | |
| [[https://dns.yandex.com/|Yandex]] | 77.88.8.2 | 77.88.8.88 | 2a02:6b8::feed:bad | 2a02:6b8:0:1::feed:bad | Malware | safe.dot.dns.yandex.net |safe.dot.dns.yandex.net | |
| [[https://dns.yandex.com/|Yandex]] | 77.88.8.3 | 77.88.8.7 | 2a02:6b8::feed:a11 | 2a02:6b8:0:1::feed:a11 | Malware, Adult, Safe Search | family.dot.dns.yandex.net | family.dot.dns.yandex.net | |
| [[https://|Mullvad (DoH only)]] | 194.242.2.2 | | 2a07:e340::2 | | Unfiltered |https://dns.mullvad.net/dns-query | tls://dns.mullvad.net | |
| [[https://|Mullvad (DoH only)]] | 194.242.2.3 | | 2a07:e340::3 | | Ads & Trackers |https://adblock.dns.mullvad.net/dns-query | tls://adblock.dns.mullvad.net | |
| [[https://|Mullvad (DoH only)]] | 194.242.2.4 | | 2a07:e340::4 | | Ads & Trackers & Malware |https://base.dns.mullvad.net/dns-query | tls://base.dns.mullvad.net | |
| [[https://|Mullvad (DoH only)]] | 194.242.2.5 | | 2a07:e340::5 | | Ads & Trackers & Malware & Social Media |https://extended.dns.mullvad.net/dns-query | tls://extended.dns.mullvad.net | |
| [[https://|Mullvad (DoH only)]] | 194.242.2.6 | | 2a07:e340::6 | | Ads & Trackers & Malware & Adult & Gambling |https://family.dns.mullvad.net/dns-query | tls://family.dns.mullvad.net | |
| [[https://|Mullvad (DoH only)]] | 194.242.2.9 | | 2a07:e340::7 | | Ads & Trackers & Malware & Social Media & Adult & Gambling |https://all.dns.mullvad.net/dns-query | tls://all.dns.mullvad.net/code> | |
* Neustar acquired Verisign's recursive Public DNS Service in 2020.
* Neustar Security Services was renamed to Vercara in April 2023.
* Level 3 Communications merged with CenturyLink in Nov 2017.
* Norton ConnectSafe retired in Nov 2018.
* Both mask.icloud.com and mask-h2.icloud.com are CNAME to mask.apple-dns.net
* More information on Apple [[https://developer.apple.com/support/prepare-your-network-for-icloud-private-relay/|here]]
Google Public DNS provides two distinct DoH APIs at these endpoints:
* ''https://dns.google/dns-query'' – RFC 8484 (GET and POST)
* ''https://dns.google/resolve?'' – JSON API (GET)
Note that the Great Firewall of China DNS server only responds to the domains it censors and it will give you changing answers.
Be careful before using Layer 3 DNS servers. They are not officially open to the public (though Layer 3 don't currently block public access). However, Layer 3 could remove this service at any time.
Cloudflare will return 0.0.0.0 if the FQDN or IP in a DNS query is classified as malicious.
*Norton ConnectSafe Policy 3 is malware, phishing schemes, scams, adult , mature content, abortion, alcohol, crime, cults, drugs, gambling, hate, sexual orientation, suicide, tobacco or violence.
UncensoredDNS (formerly censurfridns.dk) DNS servers are uncensored and operated by a privately funded individual. The ''91.239.100.100'' address is anycast from multiple locations while the 89.233.43.71 one is physically located in Copenhagen, Denmark. You can read more about them [[https://blog.uncensoreddns.org/faq/|here]].
===== Azure DNS =====
Azure private DNS is 168.63.129.16. However, this IP will only respond to requests from IP addresses in an Azure VNET.
===== DNS over HTTPS Canary =====
use-application-dns.net
Automatic DNS over HTTPS on Firefox will disable itself if the response to use-application-dns.net returns
* A response code other than NOERROR is returned, such as NXDOMAIN (non-existent domain) or SERVFAIL
* A NOERROR response code is returned, but contains neither A nor AAAA records
===== Joining Windows Domain =====
When you want to join a Windows machine to a domain, it asks what domain you want to join and then makes a DNS SRV lookup to
_ldap._tcp.dc._msdcs.EXAMPLE.CORP