This is an old revision of the document!
Table of Contents
DNS
Public DoH Servers
Free & Public DNS Servers
(Valid September 2017)
| Provider | IPv4 A | IPV4 B | IPv6 A | IPv6 B | Notes | DoH | DoT | DoQ |
|---|---|---|---|---|---|---|---|---|
| 8.8.8.8 | 8.8.4.4 | 2001:4860:4860::8888 | 2001:4860:4860::8844 | Unfiltered | https://dns.google/dns-query | |||
| CloudFlare | 1.1.1.1 | 1.0.0.1 | 2606:4700:4700::1111 | 2606:4700:4007::1001 | Unfiltered | https://one.one.one.one/dns-query 1dot1dot1dot1.cloudflare-dns.com | ||
| CloudFlare | 1.1.1.2 | 1.0.0.2 | 2606:4700:4700::1112 | 2606:4700:4007::1002 | malware | https://security.cloudflare-dns.com/dns-query | security.cloudflare-dns.com | |
| CloudFlare | 1.1.1.3 | 1.0.0.3 | 2606:4700:4700::1113 | 2606:4700:4007::1003 | malware, adult | family.cloudflare-dns.com | family.cloudflare-dns.com | |
| Quad9 | 9.9.9.9 | 149.112.112.112 | 2620:fe::9 | 2620:fe::fe | malware | https://dns.quad9.net/dns-query | tls://dns.quad9.netdns.quad9.net | |
| Quad9 | 9.9.9.10 | 149.112.112.10 | 2620:fe::10 | 2620:fe::fe:10 | no filter | https://dns10.quad9.net/dns-query | tls://dns10.quad9.net | |
| Quad9 | 9.9.9.11 | 149.112.112.11 | 2620:fe::11 | 2620:fe::fe:11 | malware + ECS enabled | https://dns11.quad9.net/dns-query | tls://dns11.quad9.net | |
| Quad9 | 9.9.9.11 | 149.112.112.11 | 2620:fe::11 | 2620:fe::fe:11 | malware + ECS enabled | https://dns11.quad9.net/dns-query | tls://dns11.quad9.net | |
| Apple Private Relay | mask.icloud.com 172.224.100.7 72.224.100.9 172.224.60.6 172.224.65.12 172.224.65.14 172.224.65.6 172.224.99.5 172.224.99.7 | mask-h2.icloud.com 17.250.80.194 17.250.80.198 17.250.80.203 17.250.80.214 17.250.80.217 17.250.80.231 17.250.83.199 17.250.83.200 | doh.dns.apple.com | |||||
| NextDNS | 45.90.28.20 | 45.90.30.20 | 2a07:a8c0::47:3b3f | 2a07:a8c1::47:3b3f | https://dns.nextdns.io/xxxxxx | tls://xxxxxx.dns.nextdns.io | xxxxxx.dns.nextdns.io |
|
| AdGuard | 94.140.14.14 | 94.140.15.15 | 2a10:50c0::ad1:ff | 2a10:50c0::ad2:ff | Block Ads | https://dns.adguard.com/dns-query | dns.adguard.com | quic://dns.adguard.com |
| AdGuard | 94.140.14.15 | 94.140.15.16 | 2a10:50c0::bad1:ff | 2a10:50c0::bad2:ff | Family Protection | https://dns-family.adguard.com/dns-query | dns-family.adguard.com | quic://dns-family.adguard.com |
| AdGuard | 94.140.14.140 | 94.140.14.141 | 2a10:50c0::1:ff | 2a10:50c0::2:ff | No Filtering | https://dns-unfiltered.adguard.com/dns-query | dns-unfiltered.adguard.com | quic://dns-unfiltered.adguard.com |
| DNS.watch | 84.200.69.80 | 84.200.70.40 | 2001:1608:10:25::1c04:b12f | 2001:1608:10:25::9249:d69b | No Logging, DNSSEC enabled | |||
| Level 3 | 4.2.2.2 | 4.2.2.6 | ||||||
| Level 3 | 4.2.2.1 / 4.2.2.3 | 4.2.2.4 / 4.2.2.5 | ||||||
| Level 3 | 209.244.0.3 (resolver1.level3.net) | 209.244.0.4 (resolver2.level3.net) | ||||||
| Centurylink | 205.171.3.65 | 205.171.2.65 | ||||||
| OpenDNS | 208.67.222.222 | 208.67.220.220 | 2620:119:35::35 | 2620:119:53::53 | unfiltered | https://doh.opendns.com/dns-query | ||
| OpenDNS Family Shield | 208.67.222.123 | 208.67.220.123 | adult | https://doh.familyshield.opendns.com/dns-query | ||||
| Comodo Secure DNS Public | 8.26.56.26 | 8.20.247.20 | ||||||
| Comodo Secure Internet Gateway | 8.26.56.26 | 8.20.247.20 | ||||||
| Norton ConnectSafe (retired) | 199.85.126.10 | 199.85.127.10 | malware | |||||
| Norton ConnectSafe (retired) | 199.85.126.20 | 199.85.127.20 | malware and adult | |||||
| Norton ConnectSafe (retired) | 199.85.126.30 | 199.85.127.30 | malware, adult, and other* | |||||
| UncensoredDNS | 91.239.100.100 | 89.233.43.71 | 2001:67c:28a4:: | 2a01:3a0:53:53:: | https://anycast.uncensoreddns.org/dns-query / https://unicast.uncensoreddns.org/dns-query | |||
| Hurricane Electric | 74.82.42.42 | |||||||
| DNSSense | 45.129.19.19 | 45.129.19.20 | ||||||
| UK PDNS | 25.25.25.25 | 25.26.27.28 | ||||||
| Fortinet | 208.91.112.53 | 208.91.112.52 | ||||||
| GreatFirewall China | 113.113.113.113 | |||||||
| OpenNIC | 13.239.157.177 | |||||||
| AdGuard | 176.103.130.130 | |||||||
| CleanBrowsing | 185.228.168.168 | |||||||
| CIRA Canadian Shield | 149.112.121.10 | 149.112.122.10 | ||||||
| SafeDNS | 195.46.39.39 | 195.46.39.40 | ||||||
| FreeNom | 80.80.80.80 | 80.80.81.81 | ||||||
| AlternateDNS | 76.76.19.19 | 76.223.122.150 | 2602:fcbc::ad | 2602:fcbc:2::ad | ||||
| AlternateDNS | 23.253.163.53 | |||||||
| DNSFilter | 103.247.36.36 | 103.247.37.37 | ||||||
| G-Core | 95.85.95.85 | 2.56.220.2 | 2a03:90c0:999d::1 | 2a03:90c0:9992::1 | ||||
| Oracle DNS | 216.146.35.35 | 216.146.36.36 | ||||||
| NordVPN | 103.86.96.100 | 103.86.99.100 | ||||||
| NordVPN SmartDNS | 103.86.96.103 | 103.86.99.103 | ||||||
| Namecheap SafeServe | 198.54.117.10 | 198.54.117.11 | ||||||
| Vecara UltraDNS | 64.6.64.6 | 64.6.65.6 | 2620:74:1b::1:1 | 2620:74:1c::2:2 | Unfiltered | |||
| Vecara UltraDNS | 156.154.70.1 | 156.154.70.2 | 2610:a1:1018::1 | 2610:a1:1019::1 | Unfiltered | |||
| Vecara UltraDNS | 156.154.70.2 | 156.154.71.2 | 2610:a1:1018::2 | 2610:a1:1019::2 | Malware | |||
| Vecara UltraDNS | 156.154.70.3 | 156.154.71.3 | 2610:a1:1018::3 | 2610:a1:1019::3 | Adult, Gambling, Violence | |||
| Yandex | 77.88.8.1 | 77.88.8.8 | 2a02:6b8::feed:0ff | 2a02:6b8:0:1::feed:0ff | Unfiltered | common.dot.dns.yandex.net | common.dot.dns.yandex.net | |
| Yandex | 77.88.8.2 | 77.88.8.88 | 2a02:6b8::feed:bad | 2a02:6b8:0:1::feed:bad | Malware | safe.dot.dns.yandex.net | safe.dot.dns.yandex.net | |
| Yandex | 77.88.8.3 | 77.88.8.7 | 2a02:6b8::feed:a11 | 2a02:6b8:0:1::feed:a11 | Malware, Adult, Safe Search | family.dot.dns.yandex.net | family.dot.dns.yandex.net |
- Neustar aquired Verisign's recursive Public DNS Service in 2020.
- Neustar Security Services was renamed to Vercara in April 2023.
- Level 3 Communications merged with CenturyLink in Nov 2017.
- Norton ConnectSafe retired in Nov 2018.
- Both mask.icloud.com and mask-h2.icloud.com are CNAME to mask.apple-dns.net
- More information on Apple here
Google Public DNS provides two distinct DoH APIs at these endpoints:
https://dns.google/dns-query– RFC 8484 (GET and POST)https://dns.google/resolve?– JSON API (GET)
Note that the Great Firewall of China DNS server only responds to the domains it censors and it will give you changing answers.
Be careful before using Layer 3 DNS servers. They are not officially open to the public (though Layer 3 don't currently block public access). However, Layer 3 could remove this service at any time.
Cloudflare will return 0.0.0.0 if the FQDN or IP in a DNS query is classified as malicious.
*Norton ConnectSafe Policy 3 is malware, phishing schemes, scams, adult , mature content, abortion, alcohol, crime, cults, drugs, gambling, hate, sexual orientation, suicide, tobacco or violence.
UncensoredDNS (formerly censurfridns.dk) DNS servers are uncensored and operated by a privately funded individual. The 91.239.100.100 address is anycast from multiple locations while the 89.233.43.71 one is physically located in Copenhagen, Denmark. You can read more about them here.
Azure DNS
Azure private DNS is 168.63.129.16. However, this IP will only respond to requests from IP addresses in an Azure VNET.
DNS over HTTPS Canary
use-application-dns.net
Automatic DNS over HTTPS on Firefox will disable itself if the response to use-application-dns.net returns
- A response code other than NOERROR is returned, such as NXDOMAIN (non-existent domain) or SERVFAIL
- A NOERROR response code is returned, but contains neither A nor AAAA records
Joining Windows Domain
When you want to join a Windows machine to a domain, it asks what domain you want to join and then makes a DNS SRV lookup to
_ldap._tcp.dc._msdcs.EXAMPLE.CORP