Get help with DNS related problems or issues in #dns on the Libera.Chat IRC network.

New root hints

Use dig, drill or kdig to fetch them from any root server into whichever file is used to prime your server, e.g., dig @198.41.0.4 > named.cache

Hints, full zone and trust anchor (KSK) files are available from or via IANA using FTP or HTTPS.

New root DNSSEC KSK

The root DNSSEC KSK (trust anchor) was replaced (rolled) on 11 October 2018 -- originally planned for a year earlier it was postponed for cautionary reasons, see their announcement for details. For most this has been a non-event. ICANN has information for anyone interested, especially those running validating resolvers.

Software

Nameservers or proxies

NameVersionType
BIND9.18.31/9.20.3authoritative and validating resolver in one
Cisco Prime Network Registrar DNS11.2authoritative and validating resolver
CoreDNS1.11.1DNS server written in Go, with service discovery and chaining plugins
djbdns1.05authoritative (limited record types supported) and non-validating resolver using distinct programs
DNRD2.20.3proxy
dnscrypt-proxy2.1.5proxy/forwarder
dnsdist1.9.7load balancer, DoT (since 1.3.0), DoH (since 1.4.0), DoH3 (since 1.9.0), DoQ (since 1.9.0), dnscrypt
dnsmasq2.90filtering proxy with authoritative abilities
Dohnut4.11.0DNS to DoH proxy, load balancer, query fuzzer
gdnsd3.8.2authoritative
Knot DNS3.3.8authoritative
Knot Resolver5.7.4validating resolver
MaraDNS3.5.0036authoritative (now includes the Deadwood resolver)
NSD4.10.0authoritative
NxFilter4.7.1.0filtering proxy
pdnsd1.2.9a-parproxy
Posadis0.60.6authoritative and resolver in one - Site page link broken - Sourceforge.net files here
Web Archive links: Site page here - Original Files [Posadis site]
PowerDNS Authoritative Server4.9.2authoritative
PowerDNS Recursor5.1.3resolver
SANS1.0.1authoritative - Broken link.
Web Archive link: Site page here - Original Files [sourceforge.net]
Simple DNS Plus9.1(116)authoritative and resolver all in one
stubby0.4.3proxy
systemd-resolved256.4optionally validating resolver (part of systemd), also supports DoT, LLMNR and mDNS
Technitium DNS Server12.2.1resolver and proxy supporting optional forwarding via DoH (standard or "JSON") or DoT
Unbound1.20.0validating resolver, DoH, DoT, dnscrypt
YADIFA2.6.7authoritative

Tools

NameVersionType
adns1.6.0cli: library that includes some utilities
BuddyNS Delegation Lab toolweb: visualize and troubleshoot delegation
Bulldohzer1.3.1cli: DNS & DoH latency measurements
c-ares1.26.0cli: library that includes some utilities
delvcli: lookup and DNSSEC validation (part of BIND 9.10+)
dHSMcli: Distributed Threshold Cryptography HSM
dHSM zone signercli: Zone signer companion for dHSM by using PKCS11
digcli: lookup (part of BIND)
DNSBajaj (DNS By Eye)0.9.6web: check the delegation of your domain by using graphs of dependencies
download link broken. original sources here
DNS-collector0.46.0cli: high speed passive DNS stats collector.
DNSDiag2.5.0cli: diagnostics and performance measurement
dnsperf/resperf2.14.0cli: benchmark nameserver performance
DNSSEC Analyzerweb: Verisign's DNSSEC problem debugger
dnssec-failed.orgweb: if you can see visit the site your resolver didn't perform DNSSEC validation -- it should show a page saying that but doesn't
dnssec-tools.org2.2.3cli: various DNSSEC tools
web: results of data submitted by dnssec-check
gui: tray monitor
dnssectest.netweb: lookup and DNSSEC validation, plus DNSSEC deployment stats
DNSstuffweb: domain name analysis
DNSViz0.9.4cli & web: zone visualization (including DNSSEC)
dnstop20200527cli & ncurses interactive: DNS stats "top" tool
dnstracer1.9cli: trace name delegation
dsc2.15.1cli: DNS Statistics Collector
dsp2.0.1cli: DNS Statistics Presenter (companion for dsc collector) - DISCONTINUED
flamethrower0.11.0cli: benchmark nameserver performance
getdnsapi1.7.3new api to use dns
Google Public DNSweb: web based resolver
IBDNS0.3.4server: Intentionally Broken DNS server
intoDNSweb: provides lots of info about a domain (some requires own interpretation)
kdigcli: advanced lookups including DoT & DoH (part of Knot DNS)
ldns1.8.3cli: library that includes a lookup tool (drill) that provides even more information than dig
Namebench2.0cli: benchmark nameserver performance
nsdiffcli: nsdiff/nspatch/nsvi zone diff/update tool
OpenDNSSEC2.1.13cli: policy-based zone signer with PKCS#11 interface
PacketQ1.7.1cli: run sql queries agaist pcap files
SoftHSM2.6.1cli: optional companion for OpenDNSSEC. Cryptographic store with PKCS#11 interface
The Transitive Trust and DNS Dependency Graph Portalweb: graphs of transitive trust and dependencies
unbound-hostcli: lookup (part of unbound)
Zonemaster2023.2.1cli+web: zone delegation quality checker

Service providers

Authoritative services

Note that most registrars provide it for free, though some charge a fee - we don't attempt to enumerate them here.

ProviderCostNotes
1984 FreeDNSfreedynamic, limited record types (dnssec), secondary (dnssec)
Afraid FreeDNSfree with limitssecondary
Akamai (Cotendo)paid
Amazon - Route 53paidapi, registration
BuddyNSfree and paidapi
Cloudflarefree and paidapi, dynamic
ClouDNSfree and paidapi, registration, secondary (dnssec)
DNS Made Easypaid with free trialapi
DNSimplepaidsecondary
Dynpaiddynamic, registration
easyDNSpaiddynamic (some plans), registration, secondary
GoDaddypaid
Google - Cloud DNSpaid with free trialapi
Hurricane Electricfreeapi, dynamic, limited record types (no dnssec), secondary (dnssec)
Namecheapfree, free if domain is purchased/renewed (BasicDNS) and paiddynamic, free has limited record types (no dnssec), secondary (premium only)
Neustar UltraDNSpaidapi, secondary
No-IP.comfree and paid
NS-Globalfreesecondary only (dnssec)
NS1free and paidapi, secondary
PUCKfreesecondary only
Rackspacefree if using other (paid) servicesapi
Verisign Managed DNSpaid
Verizon ROUTEpaidapi
Hetzner DNS ConsolefreeAPI, no dnssec, no rDNS

Recursor services

Note that most ISPs and some datacenters provide it for free to their customers - we don't attempt to enumerate them here. Beware: some ISPs log and sell their resolver data, and some replace NXDOMAIN with their own server's address(es) to provide their form of safety and/or marketing, some do both.

Also, paid filtering services usually provide customization, so domains or classes of domains can be added or removed from the filters.

ProviderCostNotesAddresses
AdGuard DNSfreefilteringDefault (filters advertising, counters, and malicious sites):
  • 94.140.14.14
  • 94.140.15.15
  • 2a10:50c0::ad1:ff
  • 2a10:50c0::ad2:ff
  • TLS: dns.adguard.com (CN=*.adguard.com)
  • DoH: https://dns.adguard.com/dns-query
Family protection ("default" + adult content):
  • 94.140.14.15
  • 94.140.15.16
  • 2a10:50c0::bad1:ff
  • 2a10:50c0::bad2:ff
  • TLS: dns-family.adguard.com (CN=*.adguard.com)
  • DoH: https://dns-family.adguard.com/dns-query
Akamai AnswerXpaid
CenturyLink (nee Level 3)does not officially provide a public resolver though their servers will respond; they have at times provided 'fake' responses - please do not use these addresses
  • 4.2.2.x
Cisco Umbrella (nee OpenDNS)free and paidfiltering, also on 5353/udp and 5353/tcp, dnscrypt on 443/tcp
check/purge entry at their cachecheck tool
check their system status (works even if your DNS isn't working)
Home (customizable filtering):
  • 208.67.222.222
  • 208.67.220.220
IPv6 (security filtering):
  • 2620:119:35::35
  • 2620:119:53::53
FamilyShield (adult content filtering):
  • 208.67.222.123
  • 208.67.220.123
Unfiltered IPv6:
  • 2620:0:CCC::2
  • 2620:0:CCD::2
CleanBrowsingfree and paidfiltering, also on 5353/udp and 5353/tcp, DoH, DoT, dnscrypt on 8443/tcpSecurity Filter (filters malicious sites):
  • 185.228.168.9
  • 185.228.169.9
  • 2A0D:2A00:1::2
  • 2A0D:2A00:2::2
Adult Filter ("security" + adult, pornographic, and explict):
  • 185.228.168.10
  • 185.228.168.11
  • 2A0D:2A00:1::1
  • 2A0D:2A00:2::1
  • DoH: https://doh.cleanbrowsing.org/doh/adult-filter/
Family Filter ("adult" + proxy/vpn, and mixed content):
  • 185.228.168.168
  • 185.228.169.168
  • 2A0D:2A00:1::
  • 2A0D:2A00:2::
  • DoH: https://doh.cleanbrowsing.org/doh/family-filter/
  • TLS: CN=cleanbrowsing.org
Cloudflare
announcement
free, limited logging, DoH, DoT
  • 1.1.1.1
  • 1.0.0.1
  • 2606:4700:4700::1111
  • 2606:4700:4700::1001
  • TLS: CN=cloudflare-dns.com/SAN=*.cloudflare-dns.com
  • DoH: https://cloudflare-dns.com/dns-query
  • DoH: https://mozilla.cloudflare-dns.com/dns-query
  • Proprietary JSON DoH: https://cloudflare-dns.com/dns-query
  • SMS: telno:+18336721001
Comodo Secure DNSfreefiltering
  • 8.26.56.26
  • 8.20.247.20
Commons HostfreeDoH only
  • https://commons.host
  • Any subdomain or custom domain registered on the CDN also works
DNS.WATCHfreeno logging, validating
  • 84.200.69.80
  • 84.200.70.40
  • 2001:1608:10:25::1C04:B12F
  • 2001:1608:10:25::9249:D69B
Dyn Internet Guidefreefiltering, correcting
  • 216.146.35.35
  • 216.146.36.36
Google Public DNSfreevalidating, DoH
flush a cached entry using their flush cache tool
  • 8.8.8.8
  • 8.8.4.4
  • 2001:4860:4860::8888
  • 2001:4860:4860::8844
  • TLS: CN=dns.google/SAN=dns.google.com or IPs
  • DoH: https://dns.google/dns-query
  • Proprietary JSON DoH: https://dns.google/resolve
Quad9free"Recommended": filtering, logs only geoloc, does not send ecs, validating, DoH, DoT
"Secured": filtering, logs only geoloc, does not send ecs, validating, DoH, DoT (currently identical to "Recommended")
"Unsecured": unfiltered, logs only geoloc, does not send ecs, DoH, DoT
"Secured w/ ECS support": filtering, logs only geoloc, sends ecs, validating, DoH, DoT
"Recommended":
  • 9.9.9.9
  • 149.112.112.112
  • 2620:FE::FE
  • 2620:FE::FE:9
  • DoH: https://dns.quad9.net/dns-query
"Secured":
  • 9.9.9.9
  • 149.112.112.9
  • 2620:FE::9
  • 2620:FE::FE:9
  • DoH: https://dns9.quad9.net/dns-query
"Unsecured":
  • 9.9.9.10
  • 149.112.112.10
  • 2620:FE::10
  • 2620:FE::FE:10
  • DoH: https://dns10.quad9.net/dns-query
"Secured w/ ECS support":
  • 9.9.9.11
  • 149.112.112.11
  • 2620:FE::11
  • 2620:FE::FE:11
  • DoH: https://dns11.quad9.net/dns-query
TLS:
  • CN=*.quad9.net
SafeDNSpaid with free trial
  • 195.46.39.39
  • 195.46.39.40
Vercara UltraDNS Public (nee Verisign Public DNS, Neustar DNS Advantage)freevalidatingUnfiltered Resolution:
  • 64.6.64.6
  • 64.6.65.6
  • 2620:74:1B::1:1
  • 2620:74:1C::2:2
Threat Protection:
  • 156.154.70.2
  • 156.154.71.2
  • 2610:a1:1018::2
  • 2610:a1:1019::2
Family Secure:
  • 156.154.70.3
  • 156.154.71.3
  • 2610:a1:1018::3
  • 2610:a1:1019::3
Yandex.DNSfree and paidfiltering, unfilteredBasic (unfiltered):
  • 77.88.8.8
  • 77.88.8.1
  • 2A02:6B8::FEED:0FF
  • 2A02:6B8:0:1::FEED:0FF
Safe (filters infected sites, fraudulent sites, and bots):
  • 77.88.8.88
  • 77.88.8.2
  • 2A02:6B8::FEED:BAD
  • 2A02:6B8:0:1::FEED:BAD
Family ("Safe" + adult sites and adult advertising):
  • 77.88.8.7
  • 77.88.8.3
  • 2A02:6B8::FEED:A11
  • 2A02:6B8:0:1::FEED:A11

Reading material

Resource Summary
RFC 1034 Domain names - concepts and facilities
RFC 1035 Domain names - implementation and specification
IANA DNS Parameters Compilation of DNS parameters with RFC references
IANA Protocol Registries Compilation of protocol registries, including among other things additional DNS and DNSSEC parameter compilations
Almost all DNS related RFCs Search rfc-editor.org for dns
Some DNS related RFCs Search rfc-editor.org for domain
An up to date list of Domain Name System RFCs Maintained by Frederic Cambus
Relevant Domain Name System RFCs Maintained by bert hubert
IANA Domain Name Services IANA maintains and operates several key aspects of the DNS
Blogged DNS links listing Compilation of blogged DNS links from Jan-Piet Mens
Alternative DNS Servers (Free) Book written by Jan-Piet Mens

Why does this site exist?

The topic of #dns (orinally on freenode) was growing too long, so here is all that info, and more.

This page is hosted via GitHub with its source code available. Pull requests are welcome!