Saucepan

User Tools

Site Tools

Trace: satd best_practice ipv4 sizing bind_configure_guide dns_exfiltration dnssec high_availability deploy_nios_vm dns_servers
dns:dns_servers

This is an old revision of the document!

Table of Contents

DNS

Public DoH Servers

Free & Public DNS Servers

(Valid September 2017)

Provider IPv4 A IPV4 B IPv6 A IPv6 B Notes DoH DoT DoQ
Google 8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844 Unfiltered 
https://dns.google/dns-query
CloudFlare 1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4007::1001 Unfiltered 
https://one.one.one.one/dns-query
1dot1dot1dot1.cloudflare-dns.com
CloudFlare 1.1.1.2 1.0.0.2 2606:4700:4700::1112 2606:4700:4007::1002 malware 
https://security.cloudflare-dns.com/dns-query
security.cloudflare-dns.com
CloudFlare 1.1.1.3 1.0.0.3 2606:4700:4700::1113 2606:4700:4007::1003 malware, adult 
family.cloudflare-dns.com
 
family.cloudflare-dns.com
Quad9 9.9.9.9 149.112.112.112 2620:fe::9 2620:fe::fe malware 
https://dns.quad9.net/dns-query
 
tls://dns.quad9.netdns.quad9.net
Quad9 9.9.9.10 149.112.112.10 2620:fe::10 2620:fe::fe:10 no filter 
https://dns10.quad9.net/dns-query
 
tls://dns10.quad9.net
Quad9 9.9.9.11 149.112.112.11 2620:fe::11 2620:fe::fe:11 malware + ECS enabled 
https://dns11.quad9.net/dns-query
 
tls://dns11.quad9.net
Quad9 9.9.9.11 149.112.112.11 2620:fe::11 2620:fe::fe:11 malware + ECS enabled 
https://dns11.quad9.net/dns-query
 
tls://dns11.quad9.net
DNS4EU 86.54.11.1 86.54.11.201 2a13:1001::86:54:11:1 2a13:1001::86:54:11:201 Block malware and fraud. 
protective.joindns4.eu/dns-query
 
protective.joindns4.eu
DNS4EU 86.54.11.11 86.54.11.211 2a13:1001::86:54:11:11 2a13:1001::86:54:11:211 Block malware and fraud. +Child safe +Block Ads 
child-noads.joindns4.eu/dns-query
 
child-noads.joindns4.eu
DNS4EU 86.54.11.12 86.54.11.212 2a13:1001::86:54:11:12 2a13:1001::86:54:11:212 Block malware and fraud. +Child safe 
child.joindns4.eu/dns-query
 
child.joindns4.eu
DNS4EU 86.54.11.13 86.54.11.213 2a13:1001::86:54:11:13 2a13:1001::86:54:11:213 Block malware and fraud. +Block Ads. 
noads.joindns4.eu/dns-query
 
noads.joindns4.eu
DNS4EU 86.54.11.100 86.54.11.200 2a13:1001::86:54:11:100 2a13:1001::86:54:11:200 Unfiltered. 
unfiltered.joindns4.eu/dns-query
 
unfiltered.joindns4.eu
Apple Private Relay mask.icloud.com 172.224.100.7 72.224.100.9 172.224.60.6 172.224.65.12 172.224.65.14 172.224.65.6 172.224.99.5 172.224.99.7 mask-h2.icloud.com 17.250.80.194 17.250.80.198 17.250.80.203 17.250.80.214 17.250.80.217 17.250.80.231 17.250.83.199 17.250.83.200 2a01:b740:984:1::5 2a01:b740:984:1::a 2a01:b740:984:3::4 2a01:b740:984::e 2a01:b740:984:f::6 2a01:b740:984:f::9 2a01:b740:984:f::b 2a01:b740:984:f::d 
doh.dns.apple.com
NextDNS 45.90.28.20 45.90.30.20 2a07:a8c0::47:3b3f 2a07:a8c1::47:3b3f 
https://dns.nextdns.io/xxxxxx
 
tls://xxxxxx.dns.nextdns.io
 
xxxxxx.dns.nextdns.io
AdGuard 94.140.14.14 94.140.15.15 2a10:50c0::ad1:ff 2a10:50c0::ad2:ff Block Ads 
https://dns.adguard.com/dns-query
dns.adguard.com
 
quic://dns.adguard.com
AdGuard 94.140.14.15 94.140.15.16 2a10:50c0::bad1:ff 2a10:50c0::bad2:ff Family Protection 
https://dns-family.adguard.com/dns-query
dns-family.adguard.com
 
quic://dns-family.adguard.com
AdGuard 94.140.14.140 94.140.14.141 2a10:50c0::1:ff 2a10:50c0::2:ff No Filtering 
https://dns-unfiltered.adguard.com/dns-query
dns-unfiltered.adguard.com
 
quic://dns-unfiltered.adguard.com
DNS.watch 84.200.69.80 84.200.70.40 2001:1608:10:25::1c04:b12f 2001:1608:10:25::9249:d69b No Logging, DNSSEC enabled
Level 3 4.2.2.2 4.2.2.6
Level 3 4.2.2.1 / 4.2.2.3 4.2.2.4 / 4.2.2.5
Level 3 209.244.0.3 (resolver1.level3.net) 209.244.0.4 (resolver2.level3.net)
Centurylink 205.171.3.65 205.171.2.65
OpenDNS 208.67.222.222 208.67.220.220 2620:119:35::35 2620:119:53::53 unfiltered 
https://doh.opendns.com/dns-query
OpenDNS Family Shield 208.67.222.123 208.67.220.123 adult 
https://doh.familyshield.opendns.com/dns-query
Comodo Secure DNS Public 8.26.56.26 8.20.247.20
Comodo Secure Internet Gateway 8.26.56.26 8.20.247.20
Norton ConnectSafe (retired) 199.85.126.10 199.85.127.10 malware
Norton ConnectSafe (retired) 199.85.126.20 199.85.127.20 malware and adult
Norton ConnectSafe (retired) 199.85.126.30 199.85.127.30 malware, adult, and other*
UncensoredDNS 91.239.100.100 89.233.43.71 2001:67c:28a4:: 2a01:3a0:53:53:: 
https://anycast.uncensoreddns.org/dns-query

/ 

https://unicast.uncensoreddns.org/dns-query
BraveDNS 
https://bravedns.com/dns-query
Hurricane Electric 74.82.42.42
DNSSense 45.129.19.19 45.129.19.20
UK PDNS 25.25.25.25 25.26.27.28 2a06:98c1:54::16:f838
Fortinet 208.91.112.53 208.91.112.52
GreatFirewall China 113.113.113.113
OpenNIC 13.239.157.177
AdGuard 176.103.130.130
CleanBrowsing 185.228.168.168
CIRA Canadian Shield 149.112.121.10 149.112.122.10
SafeDNS 195.46.39.39 195.46.39.40
FreeNom 80.80.80.80 80.80.81.81
AlternateDNS 76.76.19.19 76.223.122.150 2602:fcbc::ad 2602:fcbc:2::ad
AlternateDNS 23.253.163.53
DNSFilter 103.247.36.36 103.247.37.37
G-Core 95.85.95.85 2.56.220.2 2a03:90c0:999d::1 2a03:90c0:9992::1
Oracle DNS 216.146.35.35 216.146.36.36
NordVPN 103.86.96.100 103.86.99.100
NordVPN SmartDNS 103.86.96.103 103.86.99.103
Namecheap SafeServe 198.54.117.10 198.54.117.11
Vecara UltraDNS 64.6.64.6 64.6.65.6 2620:74:1b::1:1 2620:74:1c::2:2 Unfiltered
Vecara UltraDNS 156.154.70.1 156.154.70.2 2610:a1:1018::1 2610:a1:1019::1 Unfiltered
Vecara UltraDNS 156.154.70.2 156.154.71.2 2610:a1:1018::2 2610:a1:1019::2 Malware
Vecara UltraDNS 156.154.70.3 156.154.71.3 2610:a1:1018::3 2610:a1:1019::3 Adult, Gambling, Violence
Yandex 77.88.8.1 77.88.8.8 2a02:6b8::feed:0ff 2a02:6b8:0:1::feed:0ff Unfiltered 
common.dot.dns.yandex.net
 
common.dot.dns.yandex.net
Yandex 77.88.8.2 77.88.8.88 2a02:6b8::feed:bad 2a02:6b8:0:1::feed:bad Malware 
safe.dot.dns.yandex.net
safe.dot.dns.yandex.net
Yandex 77.88.8.3 77.88.8.7 2a02:6b8::feed:a11 2a02:6b8:0:1::feed:a11 Malware, Adult, Safe Search 
family.dot.dns.yandex.net
 
family.dot.dns.yandex.net
  • Neustar aquired Verisign's recursive Public DNS Service in 2020.
  • Neustar Security Services was renamed to Vercara in April 2023.
  • Level 3 Communications merged with CenturyLink in Nov 2017.
  • Norton ConnectSafe retired in Nov 2018.
  • Both mask.icloud.com and mask-h2.icloud.com are CNAME to mask.apple-dns.net
  • More information on Apple here

Google Public DNS provides two distinct DoH APIs at these endpoints:

Note that the Great Firewall of China DNS server only responds to the domains it censors and it will give you changing answers.

Be careful before using Layer 3 DNS servers. They are not officially open to the public (though Layer 3 don't currently block public access). However, Layer 3 could remove this service at any time.

Cloudflare will return 0.0.0.0 if the FQDN or IP in a DNS query is classified as malicious.

*Norton ConnectSafe Policy 3 is malware, phishing schemes, scams, adult , mature content, abortion, alcohol, crime, cults, drugs, gambling, hate, sexual orientation, suicide, tobacco or violence.

UncensoredDNS (formerly censurfridns.dk) DNS servers are uncensored and operated by a privately funded individual. The 91.239.100.100 address is anycast from multiple locations while the 89.233.43.71 one is physically located in Copenhagen, Denmark. You can read more about them here.

Azure DNS

Azure private DNS is 168.63.129.16. However, this IP will only respond to requests from IP addresses in an Azure VNET.

DNS over HTTPS Canary

use-application-dns.net

Automatic DNS over HTTPS on Firefox will disable itself if the response to use-application-dns.net returns

  • A response code other than NOERROR is returned, such as NXDOMAIN (non-existent domain) or SERVFAIL
  • A NOERROR response code is returned, but contains neither A nor AAAA records

Joining Windows Domain

When you want to join a Windows machine to a domain, it asks what domain you want to join and then makes a DNS SRV lookup to 

_ldap._tcp.dc._msdcs.EXAMPLE.CORP
dns/dns_servers.1750667640.txt.gz · Last modified: by bstafford