Public recursive name server

A public recursive name server (also called public DNS resolver) is a name server service that networked computers may use to query the Domain Name System (DNS), the decentralized Internet naming system, in place of (or in addition to) name servers operated by the local Internet service provider (ISP) to which the devices are connected. Reasons for using these services include:

Public DNS resolver operators often cite increased privacy as an advantage of their services; critics of public DNS services have cited the possibility of mass data collection targeted at the public resolvers as a potential risk of using these services. Most services now support encrypted DNS transports such as DNS over TLS (DoT), DNS over HTTPS (DoH) and DNS over QUIC (DoQ).

Public DNS resolvers are operated either by commercial companies, offering their service for free use to the public, or by private enthusiasts to help spread new technologies and support non-profit communities.

Notable public DNS service operators

For each provider: privacy policy; support for DNS over UDP/TCP (Do53), DNSSEC, DNS over TLS (DoT), DNS over HTTPS (DoH), DNS over QUIC (DoQ), EDNS Padding and DNSCrypt; then each service hostname with its IPv4 and IPv6 addresses, filters and remarks.

AdGuard
  Privacy policy: Yes [6]
  Do53: Yes | DNSSEC: Yes [7] | DoT: Yes | DoH: Yes [8] | DoQ: Yes [9] | EDNS Padding: No | DNSCrypt: Yes [10]
  dns.adguard-dns.com [11]
    IPv4: 94.140.14.14, 94.140.15.15
    IPv6: 2a10:50c0::ad1:ff, 2a10:50c0::ad2:ff
    Filters: Default: ads and trackers [11]
  family.adguard-dns.com
    IPv4: 94.140.14.15, 94.140.15.16
    IPv6: 2a10:50c0::bad1:ff, 2a10:50c0::bad2:ff
    Filters: Family: ads, trackers, and adult content [11]
  unfiltered.adguard-dns.com
    IPv4: 94.140.14.140, 94.140.14.141
    IPv6: 2a10:50c0::1:ff, 2a10:50c0::2:ff
    Filters: None [11]

CleanBrowsing
  Privacy policy: Yes [12]
  Do53: Yes | DNSSEC: Yes | DoT: Yes [13] | DoH: Yes [14] | DoQ: No | EDNS Padding: Yes | DNSCrypt: Yes [15]
  family-filter-dns.cleanbrowsing.org
    IPv4: 185.228.168.168, 185.228.169.168
    IPv6: 2a0d:2a00:1::, 2a0d:2a00:2::
    Filters: Family
    Remarks: Designed to be used on devices of kids under 13.
  adult-filter-dns.cleanbrowsing.org
    IPv4: 185.228.168.10, 185.228.169.11
    IPv6: 2a0d:2a00:1::1, 2a0d:2a00:2::1
    Filters: Adult
  security-filter-dns.cleanbrowsing.org
    IPv4: 185.228.168.9, 185.228.169.9
    IPv6: 2a0d:2a00:1::2, 2a0d:2a00:2::2
    Filters: Security

Cloudflare
  Privacy policy: Yes [16]
  Do53: Yes | DNSSEC: Yes [17] | DoT: Yes [18] | DoH: Yes [19] | DoQ: No [20] | EDNS Padding: Yes | DNSCrypt: No
  one.one.one.one [21], 1dot1dot1dot1.cloudflare-dns.com
    IPv4: 1.1.1.1, 1.0.0.1
    IPv6: 2606:4700:4700::1111, 2606:4700:4700::1001
    Filters: None
  security.cloudflare-dns.com
    IPv4: 1.1.1.2, 1.0.0.2
    IPv6: 2606:4700:4700::1112, 2606:4700:4700::1002
    Filters: Malware, phishing
  family.cloudflare-dns.com
    IPv4: 1.1.1.3, 1.0.0.3
    IPv6: 2606:4700:4700::1113, 2606:4700:4700::1003
    Filters: Malware, phishing, adult content
  dns64.cloudflare-dns.com
    IPv6: 2606:4700:4700::64, 2606:4700:4700::6400
    Filters: None
    Remarks: Intended to be IPv6-only. [22] See NAT64 and DNS64.

Google
  Privacy policy: Yes [23]
  Do53: Yes | DNSSEC: Yes | DoT: Yes | DoH: Yes [24] | DoQ: No | EDNS Padding: Yes | DNSCrypt: No
  dns.google [25]
    IPv4: 8.8.8.8, 8.8.4.4
    IPv6: 2001:4860:4860::8888, 2001:4860:4860::8844
    Filters: None
  dns64.dns.google
    IPv6: 2001:4860:4860::6464, 2001:4860:4860::64
    Filters: None
    Remarks: Intended for networks with a NAT64 gateway. [26]

Gcore
  Privacy policy: Yes [27]
  Do53: Yes | DNSSEC: Yes | DoT: No | DoH: No | DoQ: No | EDNS Padding: No | DNSCrypt: No
    IPv4: 95.85.95.85, 2.56.220.2
    IPv6: 2a03:90c0:999d::1, 2a03:90c0:9992::1
    Filters: None

Mullvad
  Privacy policy: Only for VPN service available [28]
  Do53: No [29] | DNSSEC: Yes | DoT: Yes [29] | DoH: Yes [29] | DoQ: No | EDNS Padding: No | DNSCrypt: No
  dns.mullvad.net [29]
    IPv4: 194.242.2.2
    IPv6: 2a07:e340::2
    Filters: None
    Remarks: Can be used without its VPN service
  adblock.dns.mullvad.net
    IPv4: 194.242.2.3
    IPv6: 2a07:e340::3
    Filters: Ads and trackers
  base.dns.mullvad.net
    IPv4: 194.242.2.4
    IPv6: 2a07:e340::4
    Filters: Ads, trackers, and malware
  extended.dns.mullvad.net
    IPv4: 194.242.2.5
    IPv6: 2a07:e340::5
    Filters: Ads, trackers, malware, and social media
  all.dns.mullvad.net
    IPv4: 194.242.2.9
    IPv6: 2a07:e340::9
    Filters: Ads, trackers, malware, social media, gambling and adult content

OpenDNS
  Privacy policy: Yes [30]
  Do53: Yes | DNSSEC: Yes [31] | DoT: Yes | DoH: Yes [32] | DoQ: No | EDNS Padding: Yes | DNSCrypt: Yes [33]
  dns.opendns.com
    IPv4: 208.67.222.222, 208.67.220.220
    IPv6: 2620:119:35::35, 2620:119:53::53
    Filters: Basic security filtering + user-defined policies
  familyshield.opendns.com
    IPv4: 208.67.222.123, 208.67.220.123
    IPv6: 2620:119:35::123, 2620:119:53::123
    Filters: FamilyShield: adult content
  sandbox.opendns.com
    IPv4: 208.67.222.2, 208.67.220.2
    IPv6: 2620:0:ccc::2, 2620:0:ccd::2
    Filters: None
    Remarks: Sandbox addresses that provide no filtering.

Quad9
  Privacy policy: Yes [34] [35]
  Do53: Yes | DNSSEC: varies by hostname (see below) | DoT: Yes [37] | DoH: Yes [38] | DoQ: No | EDNS Padding: No | DNSCrypt: Yes [39]
  dns.quad9.net (DNSSEC: Yes [36])
    IPv4: 9.9.9.9, 149.112.112.112
    IPv6: 2620:fe::9, 2620:fe::fe
    Filters: Phishing, malware, and exploit kit domains
  dns11.quad9.net (DNSSEC: Yes [36])
    IPv4: 9.9.9.11, 149.112.112.11
    IPv6: 2620:fe::11, 2620:fe::fe:11
    Filters: Phishing, malware, and exploit kit domains
    Remarks: Passes EDNS Client Subnet.
  dns10.quad9.net (DNSSEC: No [40])
    IPv4: 9.9.9.10, 149.112.112.10
    IPv6: 2620:fe::10, 2620:fe::fe:10
    Filters: None

Yandex
  Privacy policy: No [41]
  Do53: Yes | DNSSEC: No | DoT: Yes | DoH: Yes | DoQ: No | EDNS Padding: Yes | DNSCrypt: Yes
  dns.yandex.ru, secondary.dns.yandex.ru
    IPv4: 77.88.8.8, 77.88.8.1
    IPv6: 2a02:6b8::feed:0ff, 2a02:6b8:0:1::feed:0ff
    Filters: None
  safe.dns.yandex.ru, secondary.safe.dns.yandex.ru
    IPv4: 77.88.8.88, 77.88.8.2
    IPv6: 2a02:6b8::feed:bad, 2a02:6b8:0:1::feed:bad
    Filters: Safe: fraudulent / infected / bot sites
  family.dns.yandex.ru, secondary.family.dns.yandex.ru
    IPv4: 77.88.8.7, 77.88.8.3
    IPv6: 2a02:6b8::feed:a11, 2a02:6b8:0:1::feed:a11
    Filters: Family: fraudulent / infected / bot / adult sites

References

  1. "How to Change Your Default DNS to Google DNS for Fast Internet Speeds". TechWorm. 2016-08-20. Retrieved 2016-10-22.
  2. "A simple way to get around Rogers' DNS re-directing". IT Business. Retrieved 2016-10-22.
  3. "OpenDNS Adds Centralized Reporting, IP-Layer Enforcement to Umbrella". mspmentor.net. Archived from the original on 2016-10-22. Retrieved 2016-10-22.
  4. "Austrian Pirate Bay Blockade Censors Slovak Internet - TorrentFreak". TorrentFreak. 2015-12-03. Retrieved 2016-10-22.
  5. Security; Iana. "DNS devastation: Top websites whacked offline as Dyn dies again". The Register. Retrieved 2016-10-22.
  6. AdGuard DNS Privacy Notice
  7. AdGuard DNS FAQ: What is DNSSEC?
  8. The official release of AdGuard DNS — a new unique approach to privacy-oriented DNS
  9. AdGuard DNS-over-QUIC
  10. Adguard DNS now supports DNSCrypt
  11. AdGuard DNS Setup guide
  12. NOC.org / dcid. "CleanBrowsing Privacy and Terms of Service". Cleanbrowsing.org. Retrieved 2019-01-04.
  13. "Parental Control with DNS over TLS Support".
  14. NOC.org / dcid. "Parental Control with DNS Over HTTPS (DoH) Support". Cleanbrowsing.org. Retrieved 2019-01-04.
  15. NOC.org / dcid. "Parental Control with DNSCrypt Support". Cleanbrowsing.org. Retrieved 2019-01-04.
  16. "Privacy Policy". Cloudflare. Retrieved 2019-01-04.
  17. "The Nitty Gritty - Cloudflare Resolver". 24 January 2023.
  18. Cloudflare Inc (2018-03-31). "DNS over TLS - Cloudflare Resolver". Developers.cloudflare.com. Retrieved 2019-01-04.
  19. Cloudflare Inc. "DNS over HTTPS - Cloudflare Resolver". Developers.cloudflare.com. Retrieved 2019-01-04.
  20. "DNS over QUIC (DoQ)". Cloudflare Community. Retrieved 2022-09-12.
  21. "Test DNS owner one.one.one.one". 2018-08-21.
  22. "Supporting IPv6-only Networks". Archived from the original on 2020-12-09. Retrieved 2019-01-20.
  23. Google Public DNS: Your Privacy
  24. Google Public DNS: DNS-over-HTTPS
  25. "Get Started | Public DNS".
  26. Google Public DNS64
  27. "Privacy policy - Guides". Mullvad VPN. Retrieved 2023-08-27.
  28. "DNS over HTTPS and DNS over TLS - Guides". Mullvad. 2023-08-08. Retrieved 2023-08-23.
  29. Cisco Online Privacy Statement
  30. OpenDNS: DNSSEC General Availability
  31. OpenDNS: Querying OpenDNS using DoH
  32. OpenDNS: OpenDNS and DNSCrypt
  33. Quad9: Compliance and Applicable Law
  34. Quad9: Data and Privacy Policy
  35. Quad9 FAQ: Does Quad9 implement DNSSEC?
  36. Quad9 FAQ: Does Quad9 support DNS over TLS?
  37. Quad9 FAQ: Does Quad9 support DNS over HTTPS (DoH)?
  38. Quad9 FAQ: Does Quad9 support dnscrypt?
  39. Quad9 FAQ: Is there a service that Quad9 offers that does not have the blocklist or other security?
  40. Terms of use of the Yandex.DNS service