Get help with DNS related problems or issues in #dns

New root hints

Use dig, drill or kdig to fetch them from any root server into whichever file is used to prime your server, e.g., dig @ > named.cache

Hints, full zone and trust anchor (KSK) files are available from or via IANA using FTP or HTTPS.


The root DNSSEC KSK (trust anchor) was replaced (rolled) on 11 October 2018 -- originally planned for a year earlier it was postponed for cautionary reasons, see their announcement for details. For most this has been a non-event. ICANN has information for anyone interested, especially those running validating resolvers.


Nameservers or proxies

BIND9.16.10/9.11.26authoritative and validating resolver in one
Cisco Prime Network Registrar DNS10.1.0.2authoritative and validating resolver
CoreDNS1.7.1DNS server written in Go, with service discovery and chaining plugins
djbdns1.05authoritative (limited record types supported) and non-validating resolver using distinct programs
dnsdist1.5.0load balancer, DoH (since 1.4.0), DoT (since 1.3.0), dnscrypt
dnsmasq2.82filtering proxy with authoritative abilities
Dohnut4.11.0DNS to DoH proxy, load balancer, query fuzzer
Knot DNS3.0.2authoritative
Knot Resolver5.2.0validating resolver
MaraDNS3.5.0016authoritative (now includes the Deadwood resolver)
NxFilter4.3.8.5filtering proxy
Posadis0.60.6authoritative and resolver in one
PowerDNS Authoritative4.4.0authoritative
PowerDNS Recursor4.4.2resolver
Simple DNS Plus8.0(110)authoritative and resolver all in one
systemd-resolved246optionally validating resolver (part of systemd), also supports DoT, LLMNR and mDNS
Technitium DNS Server5.2resolver and proxy supporting optional forwarding via DoH (standard or "JSON") or DoT
Unbound1.13.0validating resolver, DoH, DoT, dnscrypt


adns1.6.0cli: library that includes some utilities
BuddyNS Delegation Lab toolweb: visualize and troubleshoot delegation
Bulldohzer1.3.1cli: DNS & DoH latency measurements
c-ares1.16.1cli: library that includes some utilities
delvcli: lookup and DNSSEC validation (part of BIND 9.10+)
dHSMcli: Distributed Threshold Cryptography HSM
dHSM zone signercli: Zone signer companion for dHSM by using PKCS11
digcli: lookup (part of BIND)
DNSBajaj (DNS By Eye)0.9.6web: check the delegation of your domain by using graphs of dependencies
download link broken. original sources here
DNSDiag1.7.0cli: diagnostics and performance measurement
dnsperf/resperf2.3.4cli: benchmark nameserver performance
DNSSEC Analyzerweb: Verisign's DNSSEC problem debugger
dnssec-failed.orgweb: if you can see visit the site your resolver didn't perform DNSSEC validation -- it should show a page saying that but doesn't
dnssec-tools.org2.2.3cli: various DNSSEC tools
web: results of data submitted by dnssec-check
gui: tray monitor
dnssectest.netweb: lookup and DNSSEC validation, plus DNSSEC deployment stats
DNSstuffweb: domain name analysis
DNSViz0.8.2cli & web: zone visualization (including DNSSEC)
dnstop20200527cli & ncurses interactive: DNS stats "top" tool
dnstracer1.9cli: trace name delegation
dsc2.11.0cli: DNS Statistics Collector
dsp2.0.1cli: DNS Statistics Presenter (companion for dsc collector)
flamethrower0.11.0cli: benchmark nameserver performance
getdnsapi1.6.0new api to use dns
Google Public DNSweb: web based resolver
intoDNSweb: provides lots of info about a domain (some requires own interpretation)
kdigcli: advanced lookups including DoT & DoH (part of Knot DNS)
ldns1.7.1cli: library that includes a lookup tool (drill) that provides even more information than dig
Namebench2.0cli: benchmark nameserver performance
OpenDNSSEC2.1.6cli: policy-based zone signer with PKCS#11 interface
PacketQ1.4.2cli: run sql queries agaist pcap files
SoftHSM2.6.1cli: optional companion for OpenDNSSEC. Cryptographic store with PKCS#11 interface
The Transitive Trust and DNS Dependency Graph Portalweb: graphs of transitive trust and dependencies
unbound-hostcli: lookup (part of unbound)
Zonemaster2019.2.3cli+web: zone delegation quality checker

Service providers

Authoritative services

Note that most registrars provide it for free, though some charge a fee - we don't attempt to enumerate them here.

Afraid FreeDNSfree with limitssecondary
Akamai (Cotendo)paid
Amazon - Route 53paidapi, registration
BuddyNSfree and paidapi
Cloudflarefree and paidapi, dynamic
ClouDNSfree and paid tierssecondary
DNS Made Easypaid with free trialapi
Dynpaiddynamic, registration
easyDNSpaiddynamic (some plans), registration, secondary
Google - Cloud DNSpaid with free trialapi
GratisDNSfreesecondary, danish
Hurricane Electricfreeapi, dynamic, limited record types (no dnssec), secondary
Namecheapfree, free if domain is purchased/renewed (BasicDNS) and paiddynamic, free has limited record types (no dnssec), secondary (premium only)
Neustar UltraDNSpaidapi, secondary
No-IP.comfree and paid
NS1free and paidapi, secondary
PUCKfreesecondary only
Rackspacefree if using other (paid) servicesapi
Verisign Managed DNSpaid
Verizon ROUTEpaidapi

Recursor services

Note that most ISPs and some datacenters provide it for free to their customers - we don't attempt to enumerate them here. Beware: some ISPs log and sell their resolver data, and some replace NXDOMAIN with their own server's address(es) to provide their form of safety and/or marketing, some do both.

Also, paid filtering services usually provide customization, so domains or classes of domains can be added or removed from the filters.

AdGuard DNSfreefilteringDefault (filters advertising, counters, and malicious sites):
  • 2a10:50c0::ad1:ff
  • 2a10:50c0::ad2:ff
  • TLS: (CN=*
  • DoH:
Family protection ("default" + adult content):
  • 2a10:50c0::bad1:ff
  • 2a10:50c0::bad2:ff
  • TLS: (CN=*
  • DoH:
Akamai AnswerXpaid
CenturyLink (nee Level 3)does not officially provide a public resolver though their servers will respond; they have at times provided 'fake' responses - please do not use these addresses
  • 4.2.2.x
Cisco Umbrella (nee OpenDNS)free and paidfiltering, also on 5353/udp and 5353/tcp, dnscrypt on 443/tcp
check/purge entry at their cachecheck tool
check their system status (works even if your DNS isn't working)
Home (customizable filtering):
IPv6 (security filtering):
  • 2620:119:35::35
  • 2620:119:53::53
FamilyShield (adult content filtering):
Unfiltered IPv6:
  • 2620:0:CCC::2
  • 2620:0:CCD::2
CleanBrowsingfree and paidfiltering, also on 5353/udp and 5353/tcp, DoH, DoT, dnscrypt on 8443/tcpSecurity Filter (filters malicious sites):
  • 2A0D:2A00:1::2
  • 2A0D:2A00:2::2
Adult Filter ("security" + adult, pornographic, and explict):
  • 2A0D:2A00:1::1
  • 2A0D:2A00:2::1
  • DoH:
Family Filter ("adult" + proxy/vpn, and mixed content):
  • 2A0D:2A00:1::
  • 2A0D:2A00:2::
  • DoH:
  • TLS:
free, limited logging, DoH, DoT
  • 2606:4700:4700::1111
  • 2606:4700:4700::1001
  • TLS:*
  • DoH:
  • DoH:
  • Proprietary JSON DoH:
  • SMS: telno:+18336721001
Comodo Secure DNSfreefiltering
Commons HostfreeDoH only
  • Any subdomain or custom domain registered on the CDN also works
DNS-OARC ODVRfreevalidating, might be shutting down Q3'2020
  • 2620:FF:C000:0:1::64:20
  • 2620:FF:C000:0:1::64:21
DNS.WATCHfreeno logging, validating
  • 2001:1608:10:25::1C04:B12F
  • 2001:1608:10:25::9249:D69B
Dyn Internet Guidefreefiltering, correcting
FreeDNSfreeno logging
Google Public DNSfreevalidating, DoH
flush a cached entry using their flush cache tool
  • 2001:4860:4860::8888
  • 2001:4860:4860::8844
  • TLS: or IPs
  • DoH:
  • Proprietary JSON DoH:
Norton ConnectSafefreefiltering, validating, shutting down november 15th 2018Security filtering only:
Security + Pornography:
Security + Pornography + Other:
Neustar DNS Advantagefreecorrecting, filtering, validatingReliability & Performance 1:
  • 2610:A1:1018::1
  • 2610:A1:1019::1
Reliability & Performance 2 (no correcting):
  • 2610:A1:1018::5
  • 2610:A1:1019::5
Threat Protection (filters Malware, Ransomware, Spyware & Phishing):
  • 2610:A1:1018::2
  • 2610:A1:1019::2
Family Secure ("Threat" + Gambling, Pornography, Violence & Hate/Discrimination):
  • 2610:A1:1018::3
  • 2610:A1:1019::3
Business Secure ("Family" + Gaming, Adult, Drugs, Alcohol & Anonymous Proxies):
  • 2610:A1:1018::4
  • 2610:A1:1019::4
Quad9free"Recommended": filtering, logs only geoloc, does not send ecs, validating, DoH, DoT
"Secured": filtering, logs only geoloc, does not send ecs, validating, DoH, DoT (currently identical to "Recommended")
"Unsecured": unfiltered, logs only geoloc, does not send ecs, DoH, DoT
"Secured w/ ECS support": filtering, logs only geoloc, sends ecs, validating, DoH, DoT
  • 2620:FE::FE
  • 2620:FE::FE:9
  • DoH:
  • 2620:FE::9
  • 2620:FE::FE:9
  • DoH:
  • 2620:FE::10
  • 2620:FE::FE:10
  • DoH:
"Secured w/ ECS support":
  • 2620:FE::11
  • 2620:FE::FE:11
  • DoH:
  • CN=*
SafeDNSpaid with free trial
SecureDNSfreevalidating, no logging, personally supported, DoH, DoT, dnscrypt on 5353/tcp, NameCoin & OpenNIC namespaces
  • 2A03:B0C0:0:1010::E9A:3001
  • TLS:*
  • SPKI Pin: h3mufC43MEqRD6uE4lz6gAgULZ5/riqH/E+U+jE3H8g=
  • DoH:
    DoT Host:
Verisign Public DNSfreevalidating
  • 2620:74:1B::1:1
  • 2620:74:1C::2:2
Yandex.DNSfree and paidfiltering, unfilteredBasic (unfiltered):
  • 2A02:6B8::FEED:0FF
  • 2A02:6B8:0:1::FEED:0FF
Safe (filters infected sites, fraudulent sites, and bots):
  • 2A02:6B8::FEED:BAD
  • 2A02:6B8:0:1::FEED:BAD
Family ("Safe" + adult sites and adult advertising):
  • 2A02:6B8::FEED:A11
  • 2A02:6B8:0:1::FEED:A11

Reading material

Resource Summary
RFC 1034 Domain names - concepts and facilities
RFC 1035 Domain names - implementation and specification
IANA DNS Parameters Compilation of DNS parameters with RFC references
IANA Protocol Registries Compilation of protocol registries, including among other things additional DNS and DNSSEC parameter compilations
Almost all DNS related RFCs Search for dns
Some DNS related RFCs Search for domain
An up to date list of Domain Name System RFCs Maintained by Frederic Cambus
Relevant Domain Name System RFCs Maintained by bert hubert
IANA Domain Name Services IANA maintains and operates several key aspects of the DNS
Blogged DNS links listing Compilation of blogged DNS links from Jan-Piet Mens
Alternative DNS Servers (Free) Book written by Jan-Piet Mens

Why does this site exist?

The topic of #dns on freenode was growing too long, so here is all that info, and more.

This page is hosted via GitHub with its source code available. Pull requests are welcome!