Difference between revisions of "Alternative DNS services"

From ArchWiki
(OpenNIC: l)
(See also: " open root" is this serious ??)
Line 139: Line 139:
 
* [[Wikipedia:Public recursive name server#List of public DNS service operators]]
 
* [[Wikipedia:Public recursive name server#List of public DNS service operators]]
 
* [https://www.new-nations.net/en/discussion/show/id/357 new nations nameserver guestbook]
 
* [https://www.new-nations.net/en/discussion/show/id/357 new nations nameserver guestbook]
 +
* [http://www.open-root.eu/about-us/ open root DNS]  €1500 per TLD
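Review bot: the added "open root DNS" entry on the `+` line carries only a bare price ("€1500 per TLD") and no description, so a reader cannot tell how it relates to the two link-only entries above it or why it belongs in this list. The edit summary itself asks whether the entry is serious. Suggest either adding a short description of what the service offers, with the price dated, or dropping the entry. The link also uses plain http while the neighbouring new-nations link uses https; switch it if the site supports https, and remove the double space before the price.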

Revision as of 09:27, 20 November 2018

This article is being considered for archiving.

Reason: Recently Wikipedia:Public recursive name server#List of public DNS service operators has been significantly improved, we cannot compete with it anymore. (Discuss in Talk:Alternative DNS services#Future of the page)

This article lists domain name system (DNS) services that may replace an internet service provider's DNS service. To use one of these servers, see Domain name resolution.

This article or section needs expansion.

Reason: Specify if the nameservers support DNSSEC, DNS over TLS, DNS over HTTPS etc. (Discuss in Talk:Alternative DNS services#)

Cisco Umbrella (formerly OpenDNS)

OpenDNS provided free alternative nameservers. It was bought by Cisco in Nov. 2016, which continues to offer OpenDNS as an end-user product of its "Umbrella" product suite, with a focus on Security Enforcement, Security Intelligence and Web Filtering. The old nameservers still work but are pre-configured to block adult content:

208.67.222.222
208.67.220.220
2620:0:ccc::2
2620:0:ccd::2

Cloudflare

Cloudflare provides a service committed to never writing the querying IP addresses to disk and wiping all logs within 24 hours, with the exception of providing data to APNIC labs for research purposes. APNIC and Cloudflare committed to treat all data with high privacy standards in their research agreement statement.

1.1.1.1
1.0.0.1
2606:4700:4700::1111
2606:4700:4700::1001

Comodo

Comodo provides another IPv4 set, with optional (non-free) web-filtering. Implied in this feature is that the service hijacks the queries.

8.26.56.26 
8.20.247.20

DNS.WATCH

DNS.WATCH focuses on neutrality and security and provides two servers located in Germany with no logging and with DNSSEC enabled. Note they welcome commercial sponsorship.

84.200.69.80                # resolver1.dns.watch 
84.200.70.40                # resolver2.dns.watch
2001:1608:10:25::1c04:b12f  # resolver1.dns.watch
2001:1608:10:25::9249:d69b  # resolver2.dns.watch

Google

Google's nameservers can be used as an alternative:

8.8.8.8
8.8.4.4
2001:4860:4860::8888
2001:4860:4860::8844

OpenNIC

Tip: The tool opennic-up automates the renewal of the DNS servers with the most responsive OpenNIC servers: https://github.com/kewlfft/opennic-up (AUR package: opennic-up).

OpenNIC provides free, essentially uncensored nameservers located in multiple countries, a complementary DynDNS service and free domain registrations such as has-cost-me-nothing.libre. It is non-commercial and invites more participants to list their newly created nameservers in the network.

All that is needed to reach OpenNIC domains and some more is the Firefox plugin b-dns at blockchain-dns.info.

Though uncensored, some servers do occasionally resort to blocking bona-fide attacking IPs which intentionally cause technical disruption of service.

Guides for adding your own nameservers are provided in a wiki, with procedures for serving new top-level domains besides the ca. 15 available in 2018: .dyn, .geek, .libre, .pirate, .chan and more. .chan offers the largest number of DNS record types usable via a web GUI, while naturally all record types are available when the domain owner serves the zone himself, e.g. from a local BIND.

Note: Using OpenNIC DNS servers allows host name resolution both in the traditional Top-Level Domain (TLD) registries and in namespaces operated by OpenNIC or its affiliates: .o, .libre, .dyn, .ti, .ku and more.

Affiliated with OpenNIC are some nameservers, such as the one by new nations with domains for Tibet, Kurdistan and others.

The full list of public servers is available at servers.opennic.org and a shortlist of nearest nameservers for optimal performance is generated on their home page.

To retrieve a list of nearest nameservers, an API is also available and returns, based on the URL parameters provided, a list of nameservers in the desired format. For example to get the 200 nearest IPv4 servers, one can use https://api.opennicproject.org/geoip/?list&ipv=4&res=200&adm=0&bl&wl.

Alternatively, the anycast servers below can be used; while reliable their latency fluctuates a lot.

Worldwide Anycast:

185.121.177.177
169.239.202.202
2a05:dfc7:5::53
2a05:dfc7:5::5353

To avoid responsiveness problems, follow RFC 7706 ("root zone transfer made simple", serve root@home): edit an appropriate /etc/named.conf so that the .libre domains etc. are transferred (see the OpenNIC wiki for details), then restart BIND. Domain name resolution then no longer suffers from unresponsive OpenNIC servers. The zone transfer is done just like the full tier 2 servers do it, as described in the OpenNIC wiki.

Quad9

Quad9 is a free DNS service founded by IBM, Packet Clearing House and Global Cyber Alliance; its primary unique feature is a blocklist which avoids resolving known malicious domains. The addresses below are worldwide anycast.

"Secure", with blocklist and DNSSEC:

9.9.9.9
149.112.112.112
2620:fe::fe
2620:fe::9

No blocklist, no DNSSEC:

9.9.9.10
149.112.112.10
2620:fe::10

UncensoredDNS

UncensoredDNS is a free uncensored DNS service. It is run by a private individual and consists of one anycast address served by multiple servers and one unicast node hosted in Denmark.

91.239.100.100   # anycast.censurfridns.dk
89.233.43.71     # unicast.censurfridns.dk
2001:67c:28a4::  # anycast.censurfridns.dk
2a01:3a0:53:53:: # unicast.censurfridns.dk
Note: Its servers listen on port 5353 as well as the standard port 53. This can be used in case your ISP hijacks port 53.

Yandex

Yandex.DNS has servers in Russia, Eastern and Western Europe and has three options, Basic, Safe and Family.

Basic - no traffic filtering:

77.88.8.8
77.88.8.1
2a02:6b8::feed:0ff
2a02:6b8:0:1::feed:0ff

Safe - protection from infected and fraudulent sites:

77.88.8.88
77.88.8.2
2a02:6b8::feed:bad
2a02:6b8:0:1::feed:bad

Family - protection from dangerous sites and sites with adult content:

77.88.8.7
77.88.8.3
2a02:6b8::feed:a11
2a02:6b8:0:1::feed:a11

See also