Use dig, drill or kdig to fetch them from any root server into whichever file is used to prime your server, e.g., dig @198.41.0.4 > named.cache
Hints, full zone and trust anchor (KSK) files are available from or via IANA using FTP or HTTPS.
The root DNSSEC KSK (trust anchor) was replaced (rolled) on 11 October 2018 -- originally planned for a year earlier it was postponed for cautionary reasons, see their announcement for details. For most this has been a non-event. ICANN has information for anyone interested, especially those running validating resolvers.
| Name | Version | Type |
|---|---|---|
| BIND | 9.18.31/9.20.3 | authoritative and validating resolver in one |
| Cisco Prime Network Registrar DNS | 11.2 | authoritative and validating resolver |
| CoreDNS | 1.11.1 | DNS server written in Go, with service discovery and chaining plugins |
| djbdns | 1.05 | authoritative (limited record types supported) and non-validating resolver using distinct programs |
| DNRD | 2.20.3 | proxy |
| dnscrypt-proxy | 2.1.5 | proxy/forwarder |
| dnsdist | 1.9.7 | load balancer, DoT (since 1.3.0), DoH (since 1.4.0), DoH3 (since 1.9.0), DoQ (since 1.9.0), dnscrypt |
| dnsmasq | 2.90 | filtering proxy with authoritative abilities |
| Dohnut | 4.11.0 | DNS to DoH proxy, load balancer, query fuzzer |
| gdnsd | 3.8.2 | authoritative |
| Knot DNS | 3.3.8 | authoritative |
| Knot Resolver | 5.7.4 | validating resolver |
| MaraDNS | 3.5.0036 | authoritative (now includes the Deadwood resolver) |
| NSD | 4.10.0 | authoritative |
| NxFilter | 4.7.1.0 | filtering proxy |
| pdnsd | 1.2.9a-par | proxy |
| Posadis | 0.60.6 | authoritative and resolver in one - Site page link broken - Sourceforge.net files here Web Archive links: Site page here - Original Files [Posadis site] |
| PowerDNS Authoritative Server | 4.9.2 | authoritative |
| PowerDNS Recursor | 5.1.3 | resolver |
| SANS | 1.0.1 | authoritative - Broken link. Web Archive link: Site page here - Original Files [sourceforge.net] |
| Simple DNS Plus | 9.1(116) | authoritative and resolver all in one |
| stubby | 0.4.3 | proxy |
| systemd-resolved | 256.4 | optionally validating resolver (part of systemd), also supports DoT, LLMNR and mDNS |
| Technitium DNS Server | 12.2.1 | resolver and proxy supporting optional forwarding via DoH (standard or "JSON") or DoT |
| Unbound | 1.20.0 | validating resolver, DoH, DoT, dnscrypt |
| YADIFA | 2.6.7 | authoritative |
| Name | Version | Type |
|---|---|---|
| adns | 1.6.0 | cli: library that includes some utilities |
| BuddyNS Delegation Lab tool | web: visualize and troubleshoot delegation | |
| Bulldohzer | 1.3.1 | cli: DNS & DoH latency measurements |
| c-ares | 1.26.0 | cli: library that includes some utilities |
| delv | cli: lookup and DNSSEC validation (part of BIND 9.10+) | |
| dHSM | cli: Distributed Threshold Cryptography HSM | |
| dHSM zone signer | cli: Zone signer companion for dHSM by using PKCS11 | |
| dig | cli: lookup (part of BIND) | |
| DNSBajaj (DNS By Eye) | 0.9.6 | web: check the delegation of your domain by using graphs of dependencies download link broken. original sources here |
| DNS-collector | 0.46.0 | cli: high speed passive DNS stats collector. |
| DNSDiag | 2.5.0 | cli: diagnostics and performance measurement |
| dnsperf/resperf | 2.14.0 | cli: benchmark nameserver performance |
| DNSSEC Analyzer | web: Verisign's DNSSEC problem debugger | |
| dnssec-failed.org | web: if you can see visit the site your resolver didn't perform DNSSEC validation -- it should show a page saying that but doesn't | |
| dnssec-tools.org | 2.2.3 | cli: various DNSSEC tools web: results of data submitted by dnssec-check gui: tray monitor |
| dnssectest.net | web: lookup and DNSSEC validation, plus DNSSEC deployment stats | |
| DNSstuff | web: domain name analysis | |
| DNSViz | 0.9.4 | cli & web: zone visualization (including DNSSEC) |
| dnstop | 20200527 | cli & ncurses interactive: DNS stats "top" tool |
| dnstracer | 1.9 | cli: trace name delegation |
| dsc | 2.15.1 | cli: DNS Statistics Collector |
| dsp | 2.0.1 | cli: DNS Statistics Presenter (companion for dsc collector) - DISCONTINUED |
| flamethrower | 0.11.0 | cli: benchmark nameserver performance |
| getdnsapi | 1.7.3 | new api to use dns |
| Google Public DNS | web: web based resolver | |
| IBDNS | 0.3.4 | server: Intentionally Broken DNS server |
| intoDNS | web: provides lots of info about a domain (some requires own interpretation) | |
| kdig | cli: advanced lookups including DoT & DoH (part of Knot DNS) | |
| ldns | 1.8.3 | cli: library that includes a lookup tool (drill) that provides even more information than dig |
| Namebench | 2.0 | cli: benchmark nameserver performance |
| nsdiff | cli: nsdiff/nspatch/nsvi zone diff/update tool | |
| OpenDNSSEC | 2.1.13 | cli: policy-based zone signer with PKCS#11 interface |
| PacketQ | 1.7.1 | cli: run sql queries agaist pcap files |
| SoftHSM | 2.6.1 | cli: optional companion for OpenDNSSEC. Cryptographic store with PKCS#11 interface |
| The Transitive Trust and DNS Dependency Graph Portal | web: graphs of transitive trust and dependencies | |
| unbound-host | cli: lookup (part of unbound) | |
| Zonemaster | 2023.2.1 | cli+web: zone delegation quality checker |
Note that most registrars provide it for free, though some charge a fee - we don't attempt to enumerate them here.
| Provider | Cost | Notes |
|---|---|---|
| 1984 FreeDNS | free | dynamic, limited record types (dnssec), secondary (dnssec) |
| Afraid FreeDNS | free with limits | secondary |
| Akamai (Cotendo) | paid | |
| Amazon - Route 53 | paid | api, registration |
| BuddyNS | free and paid | api |
| Cloudflare | free and paid | api, dynamic |
| ClouDNS | free and paid | api, registration, secondary (dnssec) |
| DNS Made Easy | paid with free trial | api |
| DNSimple | paid | secondary |
| Dyn | paid | dynamic, registration |
| easyDNS | paid | dynamic (some plans), registration, secondary |
| GoDaddy | paid | |
| Google - Cloud DNS | paid with free trial | api |
| Hurricane Electric | free | api, dynamic, limited record types (no dnssec), secondary (dnssec) |
| Namecheap | free, free if domain is purchased/renewed (BasicDNS) and paid | dynamic, free has limited record types (no dnssec), secondary (premium only) |
| Neustar UltraDNS | paid | api, secondary |
| No-IP.com | free and paid | |
| NS-Global | free | secondary only (dnssec) |
| NS1 | free and paid | api, secondary |
| PUCK | free | secondary only |
| Rackspace | free if using other (paid) services | api |
| Verisign Managed DNS | paid | |
| Verizon ROUTE | paid | api |
| Hetzner DNS Console | free | API, no dnssec, no rDNS |
Note that most ISPs and some datacenters provide it for free to their customers - we don't attempt to enumerate them here. Beware: some ISPs log and sell their resolver data, and some replace NXDOMAIN with their own server's address(es) to provide their form of safety and/or marketing, some do both.
Also, paid filtering services usually provide customization, so domains or classes of domains can be added or removed from the filters.
| Provider | Cost | Notes | Addresses |
|---|---|---|---|
| AdGuard DNS | free | filtering | Default (filters advertising, counters, and malicious sites):
|
| Akamai AnswerX | paid | ||
| CenturyLink (nee Level 3) | does not officially provide a public resolver though their servers will respond; they have at times provided 'fake' responses - please do not use these addresses |
| |
| Cisco Umbrella (nee OpenDNS) | free and paid | filtering, also on 5353/udp and 5353/tcp, dnscrypt on 443/tcp check/purge entry at their cachecheck tool check their system status (works even if your DNS isn't working) | Home (customizable filtering):
|
| CleanBrowsing | free and paid | filtering, also on 5353/udp and 5353/tcp, DoH, DoT, dnscrypt on 8443/tcp | Security Filter (filters malicious sites):
|
| Cloudflare announcement | free, limited logging, DoH, DoT |
| |
| Comodo Secure DNS | free | filtering |
|
| Commons Host | free | DoH only |
|
| DNS.WATCH | free | no logging, validating |
|
| Dyn Internet Guide | free | filtering, correcting |
|
| Google Public DNS | free | validating, DoH flush a cached entry using their flush cache tool |
|
| Quad9 | free | "Recommended": filtering, logs only geoloc, does not send ecs, validating, DoH, DoT "Secured": filtering, logs only geoloc, does not send ecs, validating, DoH, DoT (currently identical to "Recommended") "Unsecured": unfiltered, logs only geoloc, does not send ecs, DoH, DoT "Secured w/ ECS support": filtering, logs only geoloc, sends ecs, validating, DoH, DoT | "Recommended":
|
| SafeDNS | paid with free trial |
| |
| Vercara UltraDNS Public (nee Verisign Public DNS, Neustar DNS Advantage) | free | validating | Unfiltered Resolution:
|
| Yandex.DNS | free and paid | filtering, unfiltered | Basic (unfiltered):
|
| Resource | Summary |
|---|---|
| RFC 1034 | Domain names - concepts and facilities |
| RFC 1035 | Domain names - implementation and specification |
| IANA DNS Parameters | Compilation of DNS parameters with RFC references |
| IANA Protocol Registries | Compilation of protocol registries, including among other things additional DNS and DNSSEC parameter compilations |
| Almost all DNS related RFCs | Search rfc-editor.org for dns |
| Some DNS related RFCs | Search rfc-editor.org for domain |
| An up to date list of Domain Name System RFCs | Maintained by Frederic Cambus |
| Relevant Domain Name System RFCs | Maintained by bert hubert |
| IANA Domain Name Services | IANA maintains and operates several key aspects of the DNS |
| Blogged DNS links listing | Compilation of blogged DNS links from Jan-Piet Mens |
| Alternative DNS Servers (Free) | Book written by Jan-Piet Mens |
The topic of #dns (orinally on freenode) was growing too long, so here is all that info, and more.
This page is hosted via GitHub with its source code available. Pull requests are welcome!