Get help with DNS related problems or issues in #dns

New root hints

Use dig, drill or kdig to fetch them from any root server into whichever file is used to prime your server, e.g., dig @198.41.0.4 > named.cache

Hints, full zone and trust anchor (KSK) files are available from or via IANA using FTP or HTTPS.

New root DNSSEC KSK

The root DNSSEC KSK (trust anchor) was replaced (rolled) on 11 October 2018. Originally planned for a year earlier, it was postponed for cautionary reasons; see their announcement for details. For most this has been a non-event. ICANN has information for anyone interested, especially those running validating resolvers.

Software

Nameservers or proxies

Name | Version | Type
BIND | 9.14.2/9.12.4-P1/9.11.7 | authoritative and validating resolver in one
Cisco Prime Network Registrar DNS | 9.1.1.1 | authoritative and validating resolver
CoreDNS | 1.5.0 | DNS server written in Go, with service discovery and chaining plugins
djbdns | 1.05 | authoritative (limited record types supported) and non-validating resolver using distinct programs
DNRD | 2.20.3 | proxy
dnsdist | 1.3.3 | load balancer, DoT (since 1.3.0), dnscrypt
dnsmasq | 2.80 | filtering proxy with authoritative abilities
Dohnut | 4.5.2 | DNS to DoH proxy, load balancer, query fuzzer
gdnsd | 3.2.0 | authoritative
Knot DNS | 2.8.1 | authoritative
Knot Resolver | 4.0.0 | validating resolver
MaraDNS | 2.0.17 | authoritative
MaraDNS Deadwood | 3.2.14 | resolver
NSD | 4.1.27 | authoritative
NxFilter | 4.3.4.2 | filtering proxy
pdnsd | 1.2.9a-par | proxy
Posadis | 0.60.6 | authoritative and resolver in one
PowerDNS Authoritative | 4.1.8 | authoritative
PowerDNS Recursor | 4.1.12 | resolver
SANS | 1.0.1 | authoritative
Simple DNS Plus | 8.0(110) | authoritative and resolver all in one
systemd-resolved | 240 | optionally validating resolver (part of systemd), also supports DoT, LLMNR and mDNS
Technitium DNS Server | 3.3(beta) | resolver and proxy supporting optional forwarding via DoH (standard or "JSON") or DoT
Unbound | 1.9.1 | validating resolver, DoT, dnscrypt
YADIFA | 2.3.9 | authoritative

Tools

Name | Version | Type
adns | 1.5.1 | cli: library that includes some utilities
BuddyNS Delegation Lab tool | | web: visualize and troubleshoot delegation
Bulldohzer | 1.1.2 | cli: DNS & DoH latency measurements
c-ares | 1.15.0 | cli: library that includes some utilities
delv | | cli: lookup and DNSSEC validation (part of BIND 9.10+)
dig | | cli: lookup (part of BIND)
DNSBajaj (DNS By Eye) | 0.9.6 | web: check the delegation of your domain by using graphs of dependencies
DNSDiag | 1.6.4 | cli: diagnostics and performance measurement
dnsperf/resperf | 2.2.1 | cli: benchmark nameserver performance
DNSSEC Analyzer | | web: Verisign's DNSSEC problem debugger
dnssec-failed.org | | web: if you can visit the site, your resolver didn't perform DNSSEC validation -- it should show a page saying that but doesn't
dnssec-tools.org | | cli: various DNSSEC tools
 | | web: results of data submitted by dnssec-check
 | | gui: tray monitor
dnssectest.net | | web: lookup and DNSSEC validation, plus DNSSEC deployment stats
DNSstuff | | web: domain name analysis
DNSViz | 0.8.2 | cli & web: zone visualization (including DNSSEC)
dnstracer | 1.9 | cli: trace name delegation
flamethrower | 0.10 | cli: benchmark nameserver performance
getdnsapi | 1.5.2 | new api to use dns
Google Public DNS | | web: web based resolver
intoDNS | | web: provides lots of info about a domain (some requires own interpretation)
kdig | | cli: advanced lookups including DoT (part of Knot DNS)
ldns | 1.7.0 | cli: library that includes a lookup tool (drill) that provides even more information than dig
Namebench | 2.0 | cli: benchmark nameserver performance
PacketQ | 1.4.1 | cli: run sql queries against pcap files
The Transitive Trust and DNS Dependency Graph Portal | | web: graphs of transitive trust and dependencies
unbound-host | | cli: lookup (part of unbound)
Zonemaster | 2018.2.2 | cli+web: zone delegation quality checker

Service providers

Authoritative services

Note that most registrars provide it for free, though some charge a fee - we don't attempt to enumerate them here.

Provider | Cost | Notes
Afraid FreeDNS | free with limits | secondary
Akamai (Cotendo) | paid |
Amazon - Route 53 | paid | api, registration
BuddyNS | free and paid | api
Cloudflare | free and paid | api, dynamic
ClouDNS | free and paid tiers | secondary
DNS Made Easy | paid with free trial | api
DNSimple | paid | secondary
Dyn | paid | dynamic, registration
easyDNS | paid | dynamic (some plans), registration, secondary
GoDaddy | paid |
Google - Cloud DNS | paid with free trial | api
GratisDNS | free | secondary, danish
Hurricane Electric | free | api, dynamic, limited record types (no dnssec), secondary
Namecheap | free, free if domain is purchased/renewed (BasicDNS) and paid | dynamic, free has limited record types (no dnssec), secondary (premium only)
Neustar UltraDNS | paid | api, secondary
No-IP.com | free and paid |
NS1 | free and paid | api, secondary
PUCK | free | secondary only
Rackspace | free if using other (paid) services | api
Verisign Managed DNS | paid |
Verizon ROUTE | paid | api

Recursor services

Note that most ISPs and some datacenters provide it for free to their customers - we don't attempt to enumerate them here. Beware: some ISPs log and sell their resolver data, and some replace NXDOMAIN with their own server's address(es) to provide their form of safety and/or marketing, some do both.

Also, paid filtering services usually provide customization, so domains or classes of domains can be added or removed from the filters.

Provider | Cost | Notes | Addresses
Akamai AnswerX | paid
CenturyLink (nee Level 3) | | does not officially provide a public resolver though their servers will respond; they have at times provided 'fake' responses - please do not use these addresses
  • 4.2.2.x
Cisco Umbrella (nee OpenDNS) | free and paid | filtering, also on 5353/udp and 5353/tcp, dnscrypt on 443/tcp
check/purge entry at their cachecheck tool
check their system status (works even if your DNS isn't working)
Home:
  • 208.67.222.222
  • 208.67.220.220
  • 2620:0:CCC::2
  • 2620:0:CCD::2
FamilyShield (blocks adult content):
  • 208.67.222.123
  • 208.67.220.123
CleanBrowsing | free and paid | filtering, also on 5353/udp and 5353/tcp, DoH, DoT, dnscrypt on 8443/tcp
Security Filter (malicious sites):
  • 185.228.168.9
  • 185.228.169.9
  • 2A0D:2A00:1::2
  • 2A0D:2A00:2::2
Adult Filter (blocks security (above) plus adult, pornographic and explicit):
  • 185.228.168.168
  • 185.228.168.169
  • 2A0D:2A00:1::1
  • 2A0D:2A00:2::1
  • URL: https://doh.cleanbrowsing.org/doh/adult-filter/
Family Filter (blocks adult (above) plus proxy/vpn and mixed content):
  • 185.228.168.10
  • 185.228.168.11
  • 2A0D:2A00:1::
  • 2A0D:2A00:2::
  • URL: https://doh.cleanbrowsing.org/doh/family-filter/
TLS:
  • CN=cleanbrowsing.org
Cloudflare
announcement
free, limited logging, DoH, DoT
  • 1.1.1.1
  • 1.0.0.1
  • 2606:4700:4700::1111
  • 2606:4700:4700::1001
  • TLS: CN=*.cloudflare-dns.com
  • URL: https://cloudflare-dns.com/dns-query
    URL: https://mozilla.cloudflare-dns.com/dns-query
  • Proprietary JSON URL: https://cloudflare-dns.com/dns-query
  • SMS: telno:+18336721001
Comodo Secure DNS | free | filtering
  • 8.26.56.26
  • 8.20.247.20
Commons Host | free | DoH only
DoH:
  • https://commons.host
  • Any subdomain or custom domain registered on the CDN also works
DNS-OARC ODVR | free | validating
  • 184.105.193.73
  • 184.105.193.74
  • 2620:FF:C000:0:1::64:20
  • 2620:FF:C000:0:1::64:21
DNS.WATCH | free | no logging, validating
  • 84.200.69.80
  • 84.200.70.40
  • 2001:1608:10:25::1C04:B12F
  • 2001:1608:10:25::9249:D69B
Dyn Internet Guide | free | filtering, correcting
  • 216.146.35.35
  • 216.146.36.36
FreeDNS | free | no logging
  • 37.235.1.174
  • 37.235.1.177
Google Public DNS | free | validating, DoH
flush a cached entry using their flush cache tool
  • 8.8.8.8
  • 8.8.4.4
  • 2001:4860:4860::8888
  • 2001:4860:4860::8844
  • TLS: CN=*.google.com
  • URL: https://dns.google.com/experimental
  • Proprietary JSON URL: https://dns.google.com/resolve
Norton ConnectSafe | free | filtering, validating, shutting down November 15th 2018
Security filtering only:
  • 199.85.126.10
  • 199.85.127.10
Security + Pornography:
  • 199.85.126.20
  • 199.85.127.20
Security + Pornography + Other:
  • 199.85.126.30
  • 199.85.127.30
Neustar DNS Advantage | free | correcting, filtering, validating
Reliability & Performance 1:
  • 156.154.70.1
  • 156.154.71.1
  • 2610:A1:1018::1
  • 2610:A1:1019::1
Reliability & Performance 2 (no correcting):
  • 156.154.70.5
  • 156.154.71.5
  • 2610:A1:1018::5
  • 2610:A1:1019::5
Threat Protection (Malware, Ransomware, Spyware & Phishing):
  • 156.154.70.2
  • 156.154.71.2
  • 2610:A1:1018::2
  • 2610:A1:1019::2
Family Secure (Threat + Gambling, Pornography, Violence & Hate/Discrimination):
  • 156.154.70.3
  • 156.154.71.3
  • 2610:A1:1018::3
  • 2610:A1:1019::3
Business Secure (Family + Gaming, Adult, Drugs, Alcohol & Anonymous Proxies):
  • 156.154.70.4
  • 156.154.71.4
  • 2610:A1:1018::4
  • 2610:A1:1019::4
Quad9 | free | "Secure": filtering, logs only geoloc, does not send ecs, validating, DoT
"Unsecured": unfiltered, logs only geoloc, sends ecs, DoT
"Secure":
  • 9.9.9.9
  • 149.112.112.112
  • 2620:FE::FE
  • 2620:FE::9
"Unsecured":
  • 9.9.9.10
  • 149.112.112.10
  • 2620:FE::10
  • 2620:FE::FE:10
TLS:
  • CN=dns.quad9.net
SafeDNS | paid with free trial
  • 195.46.39.39
  • 195.46.39.40
SecureDNS | free | validating, no logging, personally supported, DoH, DoT, dnscrypt on 5353/tcp, NameCoin & OpenNIC namespaces
  • 146.185.167.43
  • 2A03:B0C0:0:1010::E9A:3001

TLS: CN=securedns.eu/SAN=*.securedns.eu
SPKI Pin: h3mufC43MEqRD6uE4lz6gAgULZ5/riqH/E+U+jE3H8g=
DoH URL: https://doh.securedns.eu/dns-query
DoT Host: dot.securedns.eu
Verisign Public DNS | free | validating
  • 64.6.64.6
  • 64.6.65.6
  • 2620:74:1B::1:1
  • 2620:74:1C::2:2
Yandex.DNS | free and paid | filtering, unfiltered
Basic (unfiltered):
  • 77.88.8.8
  • 77.88.8.1
  • 2A02:6B8::FEED:0FF
  • 2A02:6B8:0:1::FEED:0FF
Safe (Secure + "infected sites, fraudulent sites, and bots"):
  • 77.88.8.88
  • 77.88.8.2
  • 2A02:6B8::FEED:BAD
  • 2A02:6B8:0:1::FEED:BAD
Family (Safe + "adult sites and adult advertising"):
  • 77.88.8.7
  • 77.88.8.3
  • 2A02:6B8::FEED:A11
  • 2A02:6B8:0:1::FEED:A11

Reading material

Resource | Summary
RFC 1034 | Domain names - concepts and facilities
RFC 1035 | Domain names - implementation and specification
IANA DNS Parameters | Compilation of DNS parameters with RFC references
IANA Protocol Registries | Compilation of protocol registries, including among other things additional DNS and DNSSEC parameter compilations
Almost all DNS related RFCs | Search rfc-editor.org for dns
Some DNS related RFCs | Search rfc-editor.org for domain
An up to date list of Domain Name System RFCs | Maintained by Frederic Cambus
Relevant Domain Name System RFCs | Maintained by bert hubert
IANA Domain Name Services | IANA maintains and operates several key aspects of the DNS
Blogged DNS links listing | Compilation of blogged DNS links from Jan-Piet Mens
Alternative DNS Servers (Free) | Book written by Jan-Piet Mens

Why does this site exist?

The topic of #dns on freenode was growing too long, so here is all that info, and more.

This page is also hosted via GitHub with its source code available. Pull requests are welcome!