Secure DNS servers

I was sure this had already been posted on my blog, but I guess I was wrong (or was it my old blog?). Anyway, here they are, listed again: the most widely known and used DNS servers that can be used as an alternative to the DNS servers provided by your ISP. In general, most users don’t really need these, but for those who want extra security in the form of blocking websites that serve malware or host phishing pages, along with defense against DNS poisoning, these alternative DNS servers can be useful. Some (like Norton ConnectSafe) also offer blocking of porn, but you have to visit their webpage for those IP addresses; I’m only listing the antimalware/antiphishing ones. Instructions for using each are also provided on their webpages if you don’t know how to set them up.

Open DNS
208.67.222.222
208.67.220.220

Cloudflare DNS
1.1.1.1
1.0.0.1

Quad 9
9.9.9.9 (Blocklist, DNSSEC, No EDNS Client-Subnet)
9.9.9.10 (ONLY FOR DEBUGGING! No blocklist, no DNSSEC, send EDNS Client-Subnet)

FreeDNS
37.235.1.174
37.235.1.177

OpenNIC
185.121.177.177
169.239.202.202

Neustar DNS Advantage
156.154.70.1
156.154.71.1

VeriSign Public DNS
64.6.64.6
64.6.65.6

Norton ConnectSafe DNS
199.85.126.10
199.85.127.10

Comodo Secure DNS
8.26.56.26
8.20.247.20

StrongArm
8.26.56.26
8.20.247.20

Level3 DNS
209.244.0.3
209.244.0.4

Yandex.DNS
77.88.8.8
77.88.8.1

Google DNS
8.8.8.8
8.8.4.4

6 thoughts on “Secure DNS servers”

  1. Hello Rejzor,

    Thank you for sharing this list :), but do you plan on testing them (including Yandex DNS http://dns.yandex.com/) and ranking them based on best overall blocking of malicious websites (including grayware/whatever like spam, scam, adware, phishing, potentially unwanted software, browser exploits, et cetera)?

    I think that it would be nice to see how you rank them in terms of malicious website protection. 😉

    Thank you,
    -John Jr

    1. From my experience, Symantec DNS is the most aggressive. The rest don’t really block much. Haven’t tried Yandex yet though. I mostly use these for reliability over protection. Antiviruses usually have much better URL blocking anyway…

      1. Hello Rejzor,

        Thank you for responding. 🙂

        You are right about antimalware/antivirus products usually having better URL blocking, but I like to have layers of protection, especially layers that do not need to be installed and that can work across different operating systems; and I often use inferior antimalware products like Microsoft Security Essentials/Windows Defender and ClamTK because they are a better fit for the people that I usually help who cannot handle having to register their products or buy their products or deal with ads in products et cetera, so having extra layers is helpful.

        I use Windows and Ubuntu Linux so having an extra layer of protection for my Ubuntu partition is helpful even though malware has never been a problem on this partition yet but I like to have some protection, most people who I help with computer problems usually have malware infected computers because they do not have functional or updated antimalware products and most of them need automatic layers of protection to help them because they do not know much and are not willing or able to learn, and so every little automatic and free layer of protection like that helps a bit. 😉

        I hope that you and/or someone else will do an annual test of these free DNS services to see how they rank in malicious URL blocking each year. It would be nice to have updated tests each year from different people to have a better idea of how well they perform, because most of the tests that I have seen are from years ago and I have seen no test for Yandex DNS because it is the newest.

        Thank you,
        -John Jr

  2. All the official Cisco DNS resolvers log traffic so may not be wanted if privacy is also an issue.
    See here https://dnscrypt.info/public-servers
    You will also notice Cloudflare DNS in the list and that they do not keep logs.

    DNSCrypt adds encryption and validation to your DNS lookups, thus helping to protect against man in the middle attacks.
    It also supports the unique identifier keys used by the Cisco Umbrella DNS, should you want or need to use it.

    From the full list of supported Open DNS (including official Cisco DNS), you can filter by DNSSec, logging and filtering.
    Many of the resolvers also use Quad9, and SimpleDNSCrypt will fall back to regular Quad9 to fetch the resolver list if it cannot use its own.

    You can select your preferred DNS by country or filters
    By default it will automatically use the fastest from the list.
    Disable automatic mode to select as many specific resolvers as you prefer.

    Block lists can be imported into the SimpleDNSCrypt client, and it recognises standard ad-block HOSTS files such as MVPS and hpHosts
    If you prefer to manage your own block lists, you can opt to use this instead of a HOSTS file or a resolver with filters

    Quad9 Note:
    Recent tests showed that the site blocking provided by Quad9 is not good.
    View story at Medium.com
    It clearly shows that DNS filters are nowhere near as good as AV or manual HOSTS management.

    DNSCrypt
    https://dnscrypt.info
    ——————————

    NOTE:
    Having a secure connection between you and your DNS is only half of the picture.
    You may stop a man in the middle between you and the DNS, but is there a MITM between the site and the DNS it uses?
    If you would like to see if the site you are connected to is using DNSSec, and can actually be properly validated (separate to cert validation) you can use this site
    https://dnssec-name-and-shame.com

    To add DNSSec/DANE validation to your browser you have to use an extension, but it will make you very unhappy as you browse, because you will quickly see how few sites are configured to use DNSSec or configured properly.
    https://www.dnssec-validator.cz

    Liked by 1 person

  3. Hello Rejzor,

    I have been using Adguard DNS for over a year now, having ad-blocking at the DNS level is helpful when we are using the Xbox 360 and whatever else is connected to the network, but I am not sure how good its malicious / greyware website blocking is compared to other services like Norton ConnectSafe or whatever it is called now so I hope that someone will test it one day against other DNS services.

    Have you tried Adguard DNS yet?

    -John Jr
