wiki:doc/DnsResolver/PublicDnsResolvers

Public DNS Servers/Resolvers And Their Practices

  The DNS Resolver [wiki:doc/DnsResolver] article (the parent, DnsResolver) of this page, and all other articles & projects under that page/article, are non-official articles & non-official projects. The author(s) of these articles & projects are not affiliated with torproject.org. The Tor developers are not responsible for these articles/projects. Also see the Disclaimer for more information. The DnsResolver related (articles &) project(s) here are produced independently from the Tor® anonymity software and carry no guarantee and no warranty from 'The Tor Project' about quality, suitability or anything else.

( Notes for Editors Only: (non-Editor Readers, please go to the next paragraph): Editors, in this article (and the articles under it) you must use words which make sense to people (if necessary, explain in a different style, way or words, even multiple times); these articles are for people from different disciplines and backgrounds. This is not an Academic or Research article, nor is it a Technical/Manual document. It must be kept useful for practical purposes (for what a regular user *sees* on their computer screen, and what a regular user can *use* practically by following the guidelines from this page). Explain in simple words which practical command-line(s) or step(s) can be applied, and also add info on what it does and why it is necessary for Anonymity (2) (3) (4) and Privacy (6) (7) (8). Even if one portion appears unnecessary to you, remember it may be necessary for another type of person to understand, so please do not remove/modify any sections. This page is not intended for only one type of user. You are welcome to create a short sub-paragraph under any paragraph, and explain it in a different language and/or style. You are welcome to create a new page NOT UNDER this article/project, outside it, place a link here, and in that new page explain the same matter or a new matter in a different language or whatever style you choose. Do not copy text directly; write in your own style and your own language. Put technical words inside the "Acronyms"/"Legend" section, explain & mention what they mean (please make it easy for a regular user to understand), then use a common, general, non-technical synonym or simple word(s) in the article which make(s) sense to general/regular level users, and add a URL/reference link for that technical term inside the acronym/legend section. If you are not following these guidelines, I will remove your additions, and you are welcome to start your own pages with your own content. 
If you are not able to write with simple+easy (non-technical) words, then DO NOT edit. Thanks. )

This article & all articles under the parent (DnsResolver) page, and this project & all projects under the parent project, are written & developed by Bry8Star. Copyright (C) 2012 Bry8Star.

(Start reading from here):
A list of Public DNS servers, nameservers and resolvers, with further information on whether they really respect users' Privacy & Anonymity (that is, whether they do not store, or do not keep a log of, any portion of any user's information: ISP information, location (AS code) information, DNS queries, etc), and whether they support IPv6, DNSsec, resolving via a non-DNS port, encrypted tunnels or connections, and similar features.

(Below, if an entry does not specifically say or mention that it supports DNSsec, then don't assume it does. Some DNS servers support DNSsec completely, some partially, and some not at all.)

Root-Servers & TLD-Level DNS Servers

Root Servers: Except for B (psi.net / USC-ISI), C (umd.edu / Cogent Comm), E (isc.org / NASA) and G (army.mil / DoD-NIC), all other "Root Servers"(3) support IPv6. DNSsec is completely supported by all 13 of them (actually each is a combination of hundreds of networked servers located globally around the world). These (Root) servers are able to resolve the TLDs. TLD means Top Level Domain. The (Root) DNS servers mainly keep IP-address records of the 13 named root-servers in a "root-hints" file (which holds the IP-address list of Root zone servers or Root zone name servers), and they also keep a list of the authoritative (TLD/"Registry" level) DNS-servers' (aka name-servers') names & their IP-addresses for all TLDs (which are governed by ICANN/IANA) in a "root-zone" file. DNS Servers or DNS Resolvers which are able to perform/process DNSSEC verification(s) are also called "Validating" DNS Servers or DNS Resolvers. The ".org" portion is the TLD of the "torproject.org" domain-name. This ".org" TLD is managed by the PIR entity. The ".com" and ".net" TLDs are now managed by the VeriSign entity. (At this moment, 2012-09-20), there are 19 Registries (also known as: Company, Corporation, Sponsor, Organization, Operator) under ICANN maintaining 21 TLDs (gTLDs) (full-list). IANA is one of those 19 Registries & the technical implementation side of ICANN. IANA maintains (around) 255 two-letter country-code level TLD (ccTLD) Registries, 2 TLDs for IANA itself, 39 IDN TLDs and 11 Test IDN TLDs (full-list). ICANN assigned IANA as maintainer of the Root-Zone "Root-Servers"; IANA uses 12 managers (we can also say: members, entities, companies) to maintain the Root DNS Servers. ( Root-Zone-DNS <--> TLD-DNS ). 
You can very easily create your own TLD on your own server(s) (or on online hosting-service provider based server(s)), start to use it, and share it with others, for example ".MyName"; in such a case your nameservers become TLD level DNS-servers, and those who will or want to use your TLD will have to query your DNS-servers. Also see the Alternative TLD-Providers section below. The "ICANN" (gTLDs), "IANA" (ccTLDs, TLDs, IDN TLDs) and TLD level maintainer(s) (also known as: manager(s), operator(s), sponsor(s), registries) have censored & blocked site-names, IP-addresses, etc.

SLD Level DNS Servers

Under each TLD/Registry level DNS Server, the next level of DNS Servers are the SLD level DNS Servers. SLD means Second Level Domain. Various "Registrar" entities (for example, here is just one partial list: accredited-list(ICANN)), data-centers, companies etc (in different countries and continents) manage such SLD level DNS Servers. These are authoritative for the SLD portion of a domain-name whose TLD is in the Root-Servers/Root-zone-file. For example, the word or portion "torproject" is the SLD of the "torproject.org" domain-name. The ".org" is a TLD and is operated by PIR. ( Root-Zone-DNS <--> TLD-DNS <--> SLD-DNS ). SLD level DNS Server service providers and registrars have censored & blocked web sites & services.

HSP, 3L-DNS, 4L-DNS, etc Level DNS Servers

HSP (Hosting Service Providers): There are various companies which provide Internet & online based services from their servers or data-centers, and these can distribute, exchange & share your domain-name(s), file(s), webpage(s), email(s), media-file(s) etc with (& for) the public & visitors on your behalf; such companies are Hosting Service Providers (HSP). Some of these HSPs are actually providing services based on sub-contracted service(s) obtained from other service-providers, "Registrars", etc. Most of these entities (or companies) use name-servers or DNS-servers which connect under & with the SLD level DNS-Servers, or with their parent company's DNS-servers; that is why the DNS-servers used by such entities are also known as 3rd-Level DNS-Servers (not "3rd or Third Level Domains"), and we can also identify them as "3LDNS" or "3L-DNS" (along with "HSP"). ( Root-Zone-DNS <--> TLD-DNS <--> SLD-DNS <--> 3LDNS ). There are vast & huge numbers of, and various types of, online & Internet service providers all around the world which fall into this (3LDNS or HSP) level. For example: Hotmail/Live mail, Yahoo Mail, Google Mail etc are online email (hosting) service providers. "Cloud" based services are basically HSP based services; since they use a bit more advanced software and techniques with a little more computing resources, they "like" to use that catchy or fancy name (& renamed the HSP, VPS, KVM, etc similar types of online remote server based services with it). 
You can very easily create your own 4LDNS or 3LDNS level DNS-servers by using your own server(s), or an online hosting-service provider's server(s), which has a fixed & static IP-address. For example: if you have "ns1" and "ns2" nameservers for your domain-name, let's say "example2.com", then your nameservers (or DNS-servers) ("ns1.example2.com" & "ns2.example2.com") will become "3LDNS" level DNS-servers if you have added your nameservers under your "Registrar" (or SLD) entity's DNS-servers. ( Root-Zone-DNS <--> TLD-DNS <--> SLD-DNS <--> 3LDNS ). But if you add your nameservers (or your DNS-servers) under your DNS (or Domain) Hosting Service Provider's (or HSP's) DNS-server(s), then your nameservers (or your DNS-servers) will become 4th-Level DNS-Servers, which can also be identified as "4LDNS" or "4L-DNS". ( Root-Zone-DNS <--> TLD-DNS <--> SLD-DNS <--> HSP/3LDNS <--> 4LDNS ). Many of these types of HSPs are not DNSSEC signed, so it is easier to fake them, and thus easier to provide fake, hijacked or spoofed connections to people. Various HSP or 3LDNS or 4LDNS level DNS (or Domain) Service Provider(s) & other web-service providers are publicly known for complying with & doing various types of disruption, disconnection, redirection and censorship of users' content; they (at the HSP/3LDNS/4LDNS level) apply various censoring tricks so that visitors & the public cannot reach the correct destinations or web-services and are instead forwarded to other content site(s), which are nominated & chosen by them; such HSP/3LDNS/4LDNS level Service Providers are also known for dishonoring the "Privacy rights" of users, and these companies also bind users with various unjust contracts.

ISP DNS Servers

Most ISPs (Internet Service Providers: the company which you use to connect with the Internet) (including the Mobile Carrier Service providers which you use on your Mobile Phone/Device for Internet/Data connection service) provide their customers and clients a Recursive/Caching DNS Server, which most of the time answers from cached records, and obtains DNS Servers' IP address lists from the TLD & SLD, and HSP, 3LDNS, 4LDNS etc level DNS-servers. Many ISPs do not use DNSSEC signed domains or DNS-Servers, so it is easier to fake them, and thus easier to provide fake, hijacked or spoofed connections to people. Many ISP & Mobile-Carrier-Service-Provider DNS-Server(s) redirect (in technical terms, this is known as "DNS hijacking") & censor & block web sites & services constantly. See the links below on DNS Hijacking, or the links which are mentioned in the parent page.

You can skip the ISP practice and related (below) sections, and go to the next major section, Alternative TLD Providers.

  • It is also (publicly) known & observed that some group(s) & ISP(s) have even tried to block & censor by blocking the IP-address of Public DNS Server(s) and/or 4LDNS (4th-Level DNS-servers) and/or 3LDNS (3rd-Level DNS-servers) and/or Hosting Service Provider's (HSP) DNS-Server(s) and/or "Registrar"/SLD level DNS-Servers. As a consequence, to overcome such blockage/censorship, various circumvention technique(s) & method(s) have also appeared: Proxy Servers, VPN / SSH / Encrypted tunnels, DNS on a non-DNS port (and/or usage of TLS/SSL encrypted connections on port 443, 110 or other ports, along with different types of encryption), etc were used on & with DNS-Servers & supporting servers. (A circle/triangle of Cat-&-Mouse-&-Dog). You can see Censorship circumvention.

  • Another form of censorship technique, "Transparent DNS Proxy Hijacking Censorship", is also known, described here. The DNS protocol (the communication-mechanism to convert a domain-name into an IP-address) can use TCP packets destined to port 53 on a TCP supporting DNS-server, and DNS can also use UDP packets destined to port 53 on the DNS-Server (UDP is used by default for DNS). (TCP & UDP are types of network communication mechanism and computer-language, which use certain types & sizes of data packets.) Various Group(s) & ISP(s) can intercept any open (unencrypted) DNS packets and on-the-fly (instantly) redirect them to their nominated & chosen DNS-servers to force you to connect with false, edited and/or censored websites, and can also force you to connect with compromised, backdoor-based and/or censored Internet-based web-services. (Thanks to user 'adrelanos' for mentioning this finding). To overcome this, along with the techniques mentioned in the paragraph above, DNSCrypt, Whonix, Jondo, etc can also be used.

  • Many (ISPs' & their) backbone Internet data cable, fiber-optic and satellite connection service providers & their systems either share or provide DPI (Deep Packet Inspection) services & connections with various surveillance authorities.

    I'm quoting a note from bill's blog, from here: "In 1994, Congress passed the Communications Assistance for Law Enforcement Act (CALEA). This act required all digital telecommunications carriers to enable wiretapping of their digital switches. In 2005, CALEA was extended, at the behest of the DOJ, FBI, and DEA, to include the tapping of all ISP traffic. Prior to this extension, the FBI had relied on court order or voluntary cooperation of individual ISPs, engaging in packet sniffing with programs such as Carnivore. So the government spying on your net usage is nothing new."

    Not all, but some US States have re-voted to ban some portion(s) of such federal level (illegal & unethical) laws.

  • Such monitoring & surveillance of everyone at a mass level or mass scale (instead of properly using a specific court permission for a specific suspect), and the usage of contracted-out or sub-contracted entities (instead of using federal government level office(s) & dedicated full-time government employees who have (University) degree(s) and are trained in multiple ethics & multiple areas of expertise), and other such inappropriate measures & activities, already have encouraged and are encouraging various fundamental (for example, constitution) level mis-use and rule & law bending and twisting; these types of inappropriate activities have degraded the entire system & standards, and such activities are now a grave harm to the civil liberties and Privacy Act protections & rights of all people & users. If another country or group were doing it (even on a smaller scale), you would see no smaller amount or level of double- or multi-standard comments & opinions. In the name of so-called "security", stemming from fear & misled people, various agencies, departments, etc are spending money on various ineffective surveillance & monitoring related groups, people & entities. For more info, also see Data-Sharing Centers, Fusion Centers, History of Patriot Act, First Amendment, Fourth Amendment.

  • First Amendment of US Constitution : " Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances. "
    It is part of the Bill of Rights and it prohibits the making of any law related to the establishment of a national religion by Congress, also prohibits the making of any law related to any preference by the U.S. Government of one religion over another, and it prohibits impeding the free exercise of religion related activities, abridging the freedom of speech, infringing on the freedom of the press, interfering with the right to peaceably assemble, or prohibiting the petitioning for a governmental redress of grievances.

  • Fourth Amendment of US Constitution : " The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized. "
    It is part of the Bill of Rights; these rights guard against unreasonable searches and seizures, along with requiring any warrant to be judicially sanctioned first, which must be supported by probable cause. It is related to Privacy, and to stopping the violation & abuse of people's privacy rights.

  • Encouraging private entities not to follow or practice some set of US Constitution level rules & laws & rights & liberties while operating (& located) inside the US is not the right thing to do, and then also providing or helping them with another set of rules & laws & resources is another mistake. If you do not respect, follow, practice or encourage the rules & laws & rights & liberties of every member inside your own home or inside a non-public establishment, then no one should expect such a person to learn or follow rules & laws or respect the rights of others when they go outside of it, in a public place. When a child or a kid (or an employee) of such a parent (or under such an employer), where the parent (or employer) is a thief or abuser or violator or liar or killer (or running a business of twisting & bending, or of making guns, bombs, bullets, violent/killing games) etc, is living with or trained by such a parent (or such an employer) (for a long time), and when they go out of the home (or office), for example to a mall or grocery store (or to a public servant's location, or to a governing location of rules & laws which is supposed to serve people), then what will this kid (or employee) do? Most likely, what their parents (or employer) have taught or trained them to do.

  • There also exists, & is seen, the practice of using remotely located or locally located private or semi-private or semi-public or sub-contracted entities & processing centers for bending & twisting laws & rules & rights & liberties, and their application. Various governments use various such remote (or local private) agencies when rules & laws & rights cannot be broken or twisted so easily by a direct government agency or department, or when they need to hide (some) criminal activities.

Alternative TLD Providers DNS Servers

Except for a few "Alternative Root DNS Providers/Operators" (also known as: Alternative TLD Providers, Other TLD Providers, Alternative TLD Service Providers, Alt.Root.DNS.Opr, TLD Providers, TLD Service Providers (TSP), etc) (a short list is here) who provide other alternative TLDs/domains, most of the "Public DNS Servers/Resolvers" below are simply recursive or caching (or combined mode) DNS Resolvers, performing DNS resolving on behalf of those Root-Servers, TLD & SLD, and 3LDNS, HSP, 4LDNS level DNS-Servers. But notice that below, some have a "Does not Censor", "Not Censored", "Censorfree", "Censorship free", "Censor-free" etc feature: these censorship-free DNS servers/resolvers can answer on behalf of Root-Servers, TLD, SLD, HSP, 3LDNS, 4LDNS etc level DNS-servers, and they can *ALSO* answer for those domains/sites which the "Root-Servers", TLD, SLD, HSP, 3LDNS, 4LDNS etc level DNS-server maintainer(s) (who are also known as: manager(s), registries, registrar(s), operator(s), companies, DNS-Service-Providers, etc) have censored & blocked without a global consensus discussion and agreement from all related (legal, ethical, etc) parties, groups, sides and people involved in such a decision-making process, or have censored & blocked unjustly because of intimidation (or pressure) from other authorities.

Root-zone DNS┌┐<-----┐
         Srvr└┘      |
TLD-DNS┌┐<--┐        V
   Srvr└┘   └---> ┌———————┐     ┌—————————————┐
SLD-DNS┌┐<------> |Public |     |   (Your)    |
   Srvr└┘         |  DNS  |<--->| DNS-Client  |
3LDNS/HSP┌┐<----> |Servers|     |    or       |
     Srvr└┘  ┌--> └———————┘     |Stub-Resolver|
4LDNS┌┐<-----┘                  └—————————————┘
 Srvr└┘

Use Unicode fonts (for example: DejaVu Sans Mono) to view the above diagram properly (if you are having difficulty viewing the boxes or shapes, or if they do not appear aligned). In the above diagram, you can also replace the box "Public DNS Servers" with "Other TLD Providers". If you want to use all the other TLDs from all Alternative TLD Providers (aka Alt. Root DNS Operators), then you will have to use your own DNS-Resolver.

Public DNS Servers

  • FoeBuD : Does not Censor.
    85.214.20.141
    85.214.73.63 | anonymisierungsdienst.foebud.org
  • TeleComix : Info: (2). Does not Censor.
    91.191.136.152 <- No DNSsec yet. Active.
    (85.229.85.109 <- Probably not active anymore).
  • Chaos Computer Club (CCC) Berlin : censorfree.
    213.73.91.35 | dnscache.berlin.ccc.de
    80.237.196.2 | dnsc1.dtfh.de <- (Erdgeist)
    194.150.168.168 | dns.as250.net <- AS250.net, The Sacred Chao. anycast DNS. Europe.
  • German Privacy Foundation e.V. : Does not Censor.
    87.118.100.175 | ns.anon.privacyfoundation.de <- Ports 53,110, DNSSEC, IPv6.
    94.75.228.29 | privacybox.de <- Ports: 53, 110, HTTPS-DNS, DNSSEC, IPv6.
    62.141.58.13 | 85.25.251.254 | 94.75.228.28 <- these do not filter. From a DNS Server related book.
  • Swiss Privacy Foundation : Does not Censor.
    87.118.104.203 <- Ports: 53, 110, DNSSEC.
    62.141.58.13 <- Ports: 53, 110, HTTPS-DNS, DNSSEC, IPv6.
    87.118.109.2 <- Ports: 53, 110, DNSSEC.
  • OpenNICproject : Tier2.
    Find a DNS server from the OpenNIC site which has disclosed that it does not do any form of Redirect, does not keep logs, does not store records, and does not store users' information. Use only those which meet your needs and which respect Privacy & Anonymity. Find the server operator's policy on query log privacy/anonymization.
    216.87.84.211 <- (USA) does not filter.
    58.6.115.42 <- (AU) does not filter.
    200.252.98.162 <- (Brazil) does not filter.
    217.79.186.148 <- (Germany) does not filter.
    2002:d857:54d2:2:20e:2eff:fe63:d4a9 <- (USA)
    2001:470:8388:2:20e:2eff:fe63:d4a9 <- (USA) does not filter.
    2001:470:1f07:38b::1 <- (USA) does not filter.
    2001:470:1f10:c6::2 <- (USA) does not filter.
    82.229.244.191 <- (France) does not filter.
    66.244.95.20 <- (USA) does not filter.
  • Antartica DNS (Cyberbunker NL) :
    84.22.106.30
  • Comodo SecureDNS server :
    8.26.56.26 | 8.20.247.20 <- These Filters/Blocks phishing, malware, spyware, etc sites using RBL (real-time block list).
    156.154.70.22 <- Filters only malicious sites.
    156.154.71.22 <- Filters only malicious sites.
  • Norton/Symantec DNS :
    198.153.192.40 <- Filtered.
    198.153.194.40 <- Filtered.
    198.153.192.50 | 198.153.194.50 <- these block/filter malicious/phishing sites + pornography.
    198.153.192.60 | 198.153.194.60 <- these block/filter malicious+phishing sites, pornography & non-family-friendly sites. Non-Family-Friendly objects are "mature content, abortion, alcohol, crime, cult, drugs, gambling, hate, sexual orientation, suicide, tobacco or violence".
  • DnsAdvantage / NeuStar :
    156.154.70.1 | 156.154.71.1 <- these Block/Filter (only a few) malicious sites.
  • CensurFriDNS.dk : Does not Censor (claimed by Thomas Steen Rasmussen in Denmark).
    89.233.43.71 | ns1.censurfridns.dk | 2002:d596:2a92:1:71:53::
    89.104.194.142 | ns2.censurfridns.dk | 2002:5968:c28e::53
  • ValiDOM : Does not Censor. Germany.
    78.46.89.147 | mail.va6.de <- Active.
    88.198.75.145 <- probably not active anymore.
  • ScrubIt :
    67.138.54.100 | 207.225.209.66 <- No porn/malicious-sites, so Filtered.
  • OpenDNS : IPv6 DNS.
    208.67.222.222 | resolver1.opendns.com <- Blocks/Filters only malicious sites.
    208.67.220.220 | resolver2.opendns.com <- Blocks/Filters only malicious sites.
    208.67.222.123 | 208.67.220.123 <- these block pornography, proxy servers, phishing sites and some malware.
    2620:0:ccc::2 | 2620:0:ccd::2
  • DNS OARC :
    bind.odvr.dns-oarc.net | 2001:4f8:3:2bc:1::64:20
  • ISC : USA.
    f.6to4-servers.net | 2001:4F8:0:2::14 | 204.152.184.76
  • NTT :
    x.ns.ntt.net | 2001:418:3ff::53
    y.ns.ntt.net | 2001:418:3ff::1:53
  • Cisco Systems : USA.
    171.70.168.183 | 171.69.2.133 | 128.107.241.185 | 64.102.255.44 <- these do not filter.
  • Freie Unzensierte Nameserver : Germany. These do not filter.
    85.25.149.144 | 87.106.37.196
  • Cesidian Root :
    92.241.164.86 | i-root.cesidio.net <- does not filter. This server is in Russia.
  • Christoph Hochstätter : These do not filter.
    209.59.210.167 <- (USA)
    85.214.117.11 <- (Germany)
  • Google DNS : Info: (2). See issues.
    8.8.8.8 | 2001:4860:4860::8888
    8.8.4.4 | 2001:4860:4860::8844
    ISSUES: Google deletes the IP address of a DNS query after 24 hours, but permanently stores the ISP and location information for that DNS query. See Google Public DNS (wikipedia) and check the reference area.
  • VERIZON (Level 3 / GTEI) : See issues.
    4.2.2.1
    4.2.2.2 | vnsc-bak.sys.gtei.net
    4.2.2.3
    4.2.2.4
    4.2.2.5
    4.2.2.6
    ISSUES: Verizon is publicly known for manipulating, filtering and redirecting DNS answers.
  • jali/CCCH :
    88.198.24.111
  • ClaraNet :
    212.82.225.7 | 212.82.226.212 <- these do not filter.
  • German Xail.net :
    85.88.19.10 | 85.88.19.11
  • Dataflash :
    88.198.130.211
  • awxcnx :
    62.75.219.7 <- Ports: 53, 110. DNSSEC, IPv6. Does not filter.
  • Dotplex : Does not Censor.
    91.102.11.144 | 212.222.128.86
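Many entries above claim "Does not Censor", "does not filter" or DNSSEC support; the following is an added example (not part of the original page) of how to check such a claim yourself: it sends a raw UDP DNS query on port 53 with the EDNS0 DO bit set and then looks at the reply's RCODE, AD (authentic data) bit and A records. It assumes the German Privacy Foundation server 87.118.100.175 listed above as the resolver to probe, and uses a random name under the reserved ".invalid" TLD (RFC 2606), which can never exist, so any address returned for it is the "hijack/redirect" behaviour described in the Legend below.

```python
"""Check what a public DNS resolver actually returns, using only the standard
library: a raw UDP query (port 53, EDNS0 DO set), then RCODE, AD bit and A records."""
import random
import socket
import struct

QUERY_A, CLASS_IN, TYPE_OPT = 1, 1, 41
FLAG_RD, FLAG_TC, FLAG_AD, DO_BIT = 0x0100, 0x0200, 0x0020, 0x8000
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3


def encode_name(name):
    """'example.invalid' -> b'\\x07example\\x07invalid\\x00' (RFC 1035 labels)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, txid=None, dnssec_ok=True):
    """Query with RD set; the OPT record with DO asks a validating resolver
    to do its DNSSEC checks and to report the result through the AD bit."""
    txid = random.randint(0, 0xFFFF) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1 if dnssec_ok else 0)
    question = encode_name(name) + struct.pack("!HH", QUERY_A, CLASS_IN)
    opt = b""
    if dnssec_ok:  # OPT: root name, TYPE, UDP size 4096, ext-rcode 0, version 0, DO, rdlen 0
        opt = b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, 4096, 0, 0, DO_BIT, 0)
    return txid, header + question + opt


def read_name(msg, off):
    """Decode a possibly compressed name (RFC 1035 4.1.4); return (name, next offset)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer: 14-bit offset into the message
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (off if end is None else end)


def parse_response(msg, expected_txid=None):
    """Return rcode, AD/TC flags and IPv4 answers; reject a reply whose
    transaction id is not ours (a spoofed, forged or stale packet)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch: %04x != %04x" % (txid, expected_txid))
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = read_name(msg, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QUERY_A and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return {"rcode": flags & 0xF, "ad": bool(flags & FLAG_AD),
            "tc": bool(flags & FLAG_TC), "a_records": addrs}


def judge(result, name_should_exist):
    """Turn a parsed reply into the kind of verdict the list above gives."""
    if not name_should_exist:
        if result["a_records"]:
            return "hijack: address returned for a name that does not exist"
        if result["rcode"] == RCODE_NXDOMAIN:
            return "honest NXDOMAIN"
        return "unexpected rcode %d" % result["rcode"]
    if result["rcode"] != RCODE_NOERROR:
        return "lookup failed, rcode %d" % result["rcode"]
    return "DNSSEC-validated answer" if result["ad"] else "answer without DNSSEC validation"


def query_resolver(server, name, port=53, timeout=3.0):
    """Send one UDP query to `server` and parse the reply (needs network access)."""
    txid, packet = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (server, port))
        data, _ = s.recvfrom(4096)
    return parse_response(data, expected_txid=txid)


# Constructed sample replies (not captured from any real server) to a query
# for "example.invalid" sent with transaction id 0x1234:
QUESTION = encode_name("example.invalid") + struct.pack("!HH", QUERY_A, CLASS_IN)
# NOERROR plus an A record 10.0.0.1: a resolver substituting its own content.
HIJACKED_REPLY = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00" + QUESTION
                  + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04\x0a\x00\x00\x01")
# NXDOMAIN with no answer: the honest reply for a name under the reserved .invalid TLD.
HONEST_REPLY = b"\x12\x34\x81\x83\x00\x01\x00\x00\x00\x00\x00\x00" + QUESTION

if __name__ == "__main__":
    # Live check against a resolver from the list above (assumed choice; needs network):
    server = "87.118.100.175"
    probe = "%08x.invalid" % random.getrandbits(32)  # .invalid is reserved by RFC 2606
    print(server, probe, judge(query_resolver(server, probe), name_should_exist=False))
    print(server, "torproject.org", judge(query_resolver(server, "torproject.org"), True))
```

The AD bit is only meaningful if the resolver itself validates; a resolver that merely forwards will leave it clear even for a correctly signed zone, which is exactly why an entry that does not mention DNSSEC should not be assumed to provide it.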

Local DNS Server

( Main article is here, DnsResolver )

Your Own DNS Server or DNS-Resolver : It is usually best, if you have a spare or old computer, to turn it into your own DNS Server; you can also use it as your gateway to the Tor-proxy network from any other computer in your home/office. Or, install 3rd Party DNS server software on your own computer, which you can customize with your own choice of configuration. See the parent DNS Resolver page.

                              ┌————————————————┐
Root-zone DNS┌┐<----┐   ┌---->|Alternative TLD |.
         Srvr└┘     |   |     |  Providers, or,|.
TLD-DNS┌┐<--┐       V   V     |Alt.Root.DNS.Opr|.
   Srvr└┘   └---> ┌————————┐  |  DNS Servers   |
SLD-DNS┌┐<------> | Your   |  └————————————————┘
   Srvr└┘         |  own   |     ┌————————┐
3L-DNS/HSP┌┐<---> |  DNS   |---->|Software|
   Srvr   └┘  ┌-> |Resolver|<----| on your|
4L-DNS┌┐<-----┘   └————————┘     |Computer|
  Srvr└┘                         └————————┘
            diagram: B

┌—————┐  ┌———┐      ┌———┐  ┌——————┐  ┌——————┐  .
|Root |  |TLD|      |SLD|  |3L-DNS|  |4L-DNS|  .
|zone |  |DNS|      |DNS|  | Srv  |  | Srv  |  .
| DNS |  |Srv|      |Srv|  └——————┘  └——————┘
|Servr|  └———┘      └———┘    ^   ^     ^  ^
└—————┘   ^  ^       ^  ^    |   |     |  |
 ^   ^    |  |       |  |    |   |     |  |
 |   └----|--┴-------|--┴----|---┴-----|--┴--┐
 ├--<-->--┴---<-->---┴-<-->--┴--<-->---┘     |
 |                                           V
 V                           ┌------>┌—————————————┐
┌———————┐   ┌————————┐<------┘       |Alternative  |
|Censor-|   |Your own|   ┌————————┐  |TLD Providers|.
| -free |-->|  DNS   |-->|Software|  |    (or)     |.
|Public |<--|Resolver|<--| on Your|  |Alt.Root.DNS.|.
|  DNS  |   └————————┘   |Computer|  |          Opr|
|Servers|                |or Servr|  | DNS-Servers |
└———————┘                └————————┘  └—————————————┘
            diagram: C

Your own DNS-Resolver software can be configured to connect directly with the Root-Servers, TLD, SLD, 3L-DNS, 4L-DNS, etc level DNS-Servers for resolving DNS queries, as shown in diagram B above (when you follow the "Short Note:" section mentioned under the textbox of the configuration file). The DNS-Resolver configuration file(s) which are mentioned in (or under) the [wiki:doc/DnsResolver DnsResolver] (parent) page are pre-configured to perform like diagram C above: they use censorship-free DNS-servers for resolving TLDs which are under the ICANN/IANA governed Root-Servers, and the DNS-Resolver is ALSO pre-configured to resolve the TLDs of "Alternative TLD Providers" (these are not under, and are outside of, the ICANN/IANA Root-Servers), connecting directly with them (the Alternative TLD providers) for DNS resolving. (Note: some of the DNS-Servers operated by these "Alternative TLD Providers" (aka Alt.Root.DNS.Opr) are also able to connect with the Root-Servers, TLD, SLD, 3L-DNS, 4L-DNS, etc level DNS-Servers, so such a server can resolve TLDs from ICANN/IANA and can also resolve the TLDs under that specific TLD-Provider, but not all the other types of TLDs from all the Other Alternative TLD Providers.) Most of the "Public DNS Servers" are not yet able to resolve all TLDs from the "Alternative TLD Providers". So using your own (properly configured) DNS-Resolver is best.

Note / Legend / Acronyms

You can skip the (below) Acronyms, Short-Notes, etc sub-sections, and go directly to the next major section: IPv6 DNS Servers.

Sub-sections are: | aka | malicious | porn | censor free | hijack | filter | protocol | nameserver | encryption | user-agent | dns-client | Email-Client | SSL | Self-Signed | CA-cert/Root-Cert | file-sharing |

  • aka = Also Known As | Can also be called or identified as or grouped as = CABCA / CABIA / CABGA | We can also call it = WCACI | Which is similar to = WIST | Similar To = ST = s.t.
  • malicious = usually means the DNS-server blocks such sites which have spyware, trojan, virus, backdoor etc malware or harmful code in them.
  • porn / pornography = means the DNS server blocks such web-sites which have adult images, text, content, etc, which are not suitable for kids/children. In an office, or on a kid's or child's computer, this type of filtering DNS-server is very helpful, but still many other sites which discuss, talk about or criticize such content also get blocked, because of the lack of human-level filtering intelligence inside the filtering software or mechanisms.
  • censor free = Does not Censor = Censorship free = usually means a DNS-server which does NOT block web-sites or web-services related to political opinion, exposure or publication of criminal activities of public or corporate figures, or some adversary, or some country's government, freedom of speech, free speech, freedom of opinion, freedom of expression, etc.

    • When someone is doing something wrong/good, then someone will report/talk about it; that is everybody's right & the normal way of life, and then greedy people & group(s) exercise their power (and connections) to suppress, erase and manipulate the expressions which reported, expressed or revealed their criminal, illegal, unjust activities. And (most) people tend to find and group together with similar types & like-minded people, and they also start to avoid other types of people. But some groups or types of people start to exhibit, do or show extreme levels of avoidance, dishonoring, disrespecting, unjust harmful activities and violent actions toward other side(s); some of these people purposefully misrepresent various information for various sakes. This consequently creates imbalance, inequality & double- or multi-standard treatment. And there are also groups of people who abuse: they obtain (and even take away) various ideas, services & resources from other types of people (or groups), but do not give back, and/or do not allow, and/or do not return a fair & just exchange amount to such other side(s). This consequently results in mass protest, deeper levels of inequality between societies, localities, etc, and also starts up vengeful & re-vengeful exchanges of violent activities. 
And there are also groups (of people, entities) who are supported, funded, driven, motivated and encouraged by other parent or related groups; these groups of multiple groups work together to fabricate, manufacture, instigate and distribute various types of virtual curtains, virtual bubbles, false situations and circumstances, false spin media news, false promises, propaganda, etc, using all the various channel(s) where they have (some level of) control, and these types of multi-group (which consist of various types of entities, like: collections of companies, corporations, ideological parties, professional groups, etc) place their own representatives & members in (key positions of) public servant level (aka government level) areas & places where many types of transactions, laws, rules, etc are handled (and created & twisted around), and such (double or multi-agent) members, who are supposed to help & protect & serve common people, start to help & serve their own interests; these members pretend to be what they are not, and hide their previous job info, hide close family members' assets (stakes) & connection information with other entities, etc from the public, so that ultimately one or more members (of that multi-group) can sell (something) & make profit & reap benefit & support for each other. 
This consequently creates a massive (entire country wide and even multiple country wide) level of imbalance: only a few side(s) become massively resourceful while the majority remain (or are left alone) living barely with some minimum, or almost no, resources for their survival, and these multi-groups even extend their effect to such a level that all ways of living or income are destroyed or massacred, and these groups of multi-groups often run hidden (aka secret) operations to create enmity (aka unfriendliness) between other groups (& countries), so that their victims fight among themselves & exhaust themselves, and so that ultimately all victims (groups & countries) start to buy & depend on them for further supplies (various types of products & services); total collapse of systems, even war & extreme levels of civil unrest break out.
      Go to the (top of the) Acronyms section.
  • hijack = Redirect = when a DNS server starts to answer with the service provider's or company's own nominated content or IP address, instead of the correct, real, original IP address, that is known as redirecting or hijacking. Such DNS servers are usually paired with other supporting web servers that show the provider's own content, advertisements, false information, etc., even when the site or service does not exist. This behaviour is against standards, policies and rules; it prevents other DNS servers from finding the real or actual content and causes an inappropriate chain of effects. Many, many ISPs' and HSP/3LDNS recursive DNS servers do this.
  • filter = usually means a DNS server which does not allow its users to obtain the IP address of certain types of web-sites or web-pages. Some DNS servers even send back an altered, different answer.
  • protocol = the different types of digital (and analog) electronic communication languages that computers and network devices use to perform different functions and tasks. For example: TCP, UDP, DNS, etc.
  • nameserver = DNS Server = name-server = DNS-Server. A DNS server keeps resource-record data on various server names (also called node names or host names) and their IP addresses, and also keeps various other related data. The DNS server specified inside an "NS" DNS resource record is usually identified as the "nameserver", "name-server" or "NS server". Instead of "DNS-Server", many prefer the word "nameserver", because it resolves (domain) names and because it is found from 'NS' records; many also use it to point to the DNS server mentioned inside an 'NS' record.
  • encryption = means to scramble the data.
  • user-agent = a component used by a "client" type of software (which connects with a "server" type of software to perform something).
    Goto (top of) Acronyms section.
  • DNS-client = The DNS-client (also called a stub-resolver or user-agent) software first asks the DNS servers (mentioned in the Network Interface Adapter settings) to provide the "SOA" type of DNS record/data for a domain-name; that is an "authoritative" record for that domain-name, and usually only one DNS server keeps it. Then, through a chain of queries on or via different levels of DNS servers, the "NS" record/data is collected from the 'SOA'-based DNS server (when it answers back with 'AA' (authoritative answer) set). The name-server from the 'NS' record (which is also a DNS server) holds further DNS records/data, such as 'A', 'AAAA', 'MX', etc., for the different related servers under that domain-name. DNS-client software can also be used to find one very specific DNS record/data. A web-browser type of user-agent uses DNS-client software to find the 'A' or 'AAAA' record for the domain-name portion of what was typed in the browser's URL box or was clicked on. That 'A' / 'AAAA' record holds the IP address of the webpage/HTTP server; the web-browser then connects to that IP address on port 80 using the HTTP protocol. If the user typed or clicked an https URL, the web-browser connects to the server's IP address on port 443 using the TLS/SSL protocols, which use encryption.
  • Email-Client = Email-exchanging user-agent software also uses a DNS-client: it asks for the 'MX' DNS record/data to get the IP address of the email-server, and then connects to that email-server's IP address. Which port it connects to on the email-server depends on what function and feature your email-client software is configured to do. To download emails from the email-server, an email-client (like Thunderbird, Outlook, Mail, etc.) can use the POP3 protocol and connect on port 110 of the email-server. If the email-server supports TLS/SSL encryption for downloading emails, then the email-client can use the POP3S protocol with the email-server's IP address on port 995. When users want to download, view and sync emails, all of these functions, they can use IMAP (143) or IMAPS (993). So IMAPS is better than POP3S, and IMAP is better than POP3. One email-server can send email to another email-server using SMTP (25 or 587) or SMTPS (465) on source and destination. A user's email-client can send email (via his/her email-server to a destination email-server) by first connecting to his/her own email-server on port 25, 587 or 465.
    Goto (top of) Acronyms section.
  • Accessing & Using Email via Web-Interface on Web-Browser: When you use webpage (web-interface) based email, like Hotmail, Yahoo Mail, GMail (Google Mail), etc., such online Email Service Providers (a short list is here) receive your emails from other senders on your behalf, and show them to you on webpages when you connect to their email-server's web-site. Your web-browser may use the regular, open webpage connection and port, HTTP port 80 on the email-server; if that email-server supports secured, encrypted communication, your web-browser will use a secured, encrypted HTTPS connection on port 443 of the email-server. Warning: When you use such online Email Service Providers, and you are not using GPG/PGP or another (X.509, etc.) type of (not-broken) encryption to encrypt your emails, and you are not using a "portable" email-client from your personal portable device (for example, a flash-memory based portable drive) which stays physically close to you or stays in an encrypted, password-protected partition or drive, and your attached files are not password protected and encrypted, then the body and content of such online-based email, and the contents of the files, are very easily viewable by anyone running packet analyzers and logging network traffic packets in gateway computers. If you are not scrambling it, then it is open and viewable.
    Goto (top of) Acronyms section.
  • SSL Certificate, Proxy-based Connections, DNSSEC: If you will use such web-interface based email services via proxy servers (or any type of proxy or middle node), then it is better if your email-server uses a public CA (certificate authority) based TLS or SSL certificate, and better if your email-client software already includes that CA's Root Certificate. Cert = Certificate. Usually most email-client software pre-includes the Root Certificates of all common and widely used CA cert providers.

    • If your email-server uses a self-signed SSL (or TLS) certificate, then you will need to understand this paragraph: when email-client software cannot validate a certificate (which happens when an email-server uses a self-signed certificate), the email-client (like Mozilla Thunderbird, Microsoft Outlook, etc.) shows a warning message (with unnecessary sentences, and leaving out the necessary helpful ones). (Major public CA entities support and back email-client software developers and software components in showing such warning messages to scare users, so that users prefer an alternative server or service which does not cause a warning, and such warnings also force and intimidate the operators of a self-signed-cert based server into loading a $PAID$ (or $Purchased$), lower-strength SSL or TLS certificate. That is not right. Instead, the warning message should show helpful guidance on how to verify and use self-signed certificates properly.) Anyway, the next step is to properly Torify or Anonymize your email-client software, and then obtain that email server's certificate (or obtain the root certificate from the email-server service provider's website) over a direct, regular connection. But remember that connecting directly to a self-signed (or any) server is not recommended, as it will reveal your IP address and location, so you must use a generic, common, John-Doe type of user email-id (as this is just for obtaining the SSL cert). Connecting directly to an email-server that you own or control is ok, as is connecting directly to a trustworthy email-server whose service-provider entity has publicly declared that they do not spy on (that is, do not log or store) any user's information and instantly erase any such records, so that no chance of misuse exists. Then load that cert into your (Torified or Anonymized) email-client and your web-browser.
It is best (and recommended) to use multiple different Tor circuits, by using the "Tor Network Map" in Vidalia, multiple times (at least 3 or 4 times). Each time, first view and inspect the cert (at this stage, do not accept it temporarily or permanently) and write down the cert fingerprint, so that it can be matched and checked on the next inspection attempt. Make sure that each time you used a different Tor circuit with different nodes, and use a generic, common, John-Doe type of user or email-id (and even use two or more different user names: one when connecting via the Tor network, and a different name if you will also attempt to connect directly). Then compare these certificates, and only when all are the same (same fingerprint, same IP address, same domain-name and same detailed cert info) can you load or accept the cert "permanently" in your (Torified or Anonymized) email-client and web-browser.

      • Also encourage and request the online email-server service provider (who uses a self-signed cert) to (1) first create a self-signed CA certificate or Root Certificate (using a computer or hardware with very high entropy and random-number generation capability), and (2) share its "public" side with others from a publicly accessible website or webpage, with the fingerprint and other details shown publicly on that webpage (while saving the "private" side of the CA certificate (ca-cert) or root certificate (root-cert) in a very, very secure place). If you add such a ca-cert or root-cert to your client software (for example: IRC software, web-browser, email-client, etc.), then your client software can connect to a self-signed server with much more assurance and avoid (up to some level) connecting to a man-in-the-middle (MITM) based server. Then they should (3) use the root-cert to create further server certificates (server-certs) for use on other server computers or server software, and (4) configure the server properly with proper access rights, so that only the cert-verifying component has access to the "private" portion of the root-cert and server-cert(s), and no one else has any access.
Then they should (5) add the public side (or portion) of certificate fingerprints or keys, and other keys, etc., in the appropriate DNS records, and (6) DNSSEC-sign the entire domain-name (and all related DNS records), and also set the DNSSEC records on the Domain-name Service Provider's (Domain-SP) server, or on their own name-server; (7) further modify the name-server, or request the Domain-SP to modify their DNS/name server's local DNS-Resolver or DNS-Server, to enable DNSSEC support in it, and also enable options in the email-server to use DNSSEC and related features (for all communications). It is much harder to impersonate a DNSSEC-signed server when the components on your side and your accessing network system also support DNSSEC. (8) Then all other users who use a DNSSEC-supported DNS-Resolver and DNSSEC-supported email-client software will receive very accurate information on these (domain-name, DNSSEC fingerprints and keys, DNSSEC RRSIG, IP address, certificates, etc.), whether a user connects directly or via multiple proxies, and if that user properly uses those components, then communication will be much more secure and accurate.
        Goto (top of) Acronyms section.

    • DNSSEC allows you to share your (public-side) certificates, keys, fingerprints, etc. with visitors and users very accurately, so use software, mechanisms and systems that support the newer DNSSEC standard.

    • Please also see the Secured & Accurate Email Exchanging section. It shows how a DNSSEC-based solution can be used to overcome various email-exchanging difficulties, if adopted and used widely.
      Goto (top of) Acronyms section.
  • file-sharing, bit-torrent: The bit-torrent system or mechanism evolved from peer-to-peer file-sharing mechanisms (which can also be understood as user-to-user, or one end-user's public or private computer(s) to another end-user's public or private computer(s)), like gnutella, etc. It was intended and created for users and the community to help each other by sharing a portion of their Internet connection's (speed and) bandwidth, their computer's disk space, computing power, and similar resources, for sharing larger files and discs which are legal(1) and free(2) to share. For example: (most) Linux installation discs; Public-Domain and Copyleft type files (software), images, music, videos, etc.; GPL (licensed or based) files, images and videos; files developed by an open community for sharing with any community members; files, images and videos which fall under licenses such as MIT License, zLib, BSD, Apache, MPL (limited), ZPL, CC0, WTFPL, Beerware, ISC, CDDL, OpenSSL, Works of US Gov, CC-ShareAlike, etc.; any software which its author, creator or developer has shared (or is sharing) via bit-torrent, or has released or broadcast publicly via a server-less or control-less method; most items based on patent works more than 20 years old; and any works whose intellectual property rights have expired (for example, copyrighted items more than 50 years (to 70 years; the copyright term varies from country to country) old; there are also uses related to the Limitations of Copyright). But many, many (greedy) users have abused this system, and started to share files illegally (for example: newly released music disc images, movie disc images, newly released closed-source commercial software files and discs, etc.).
Many needy (low-income) users use it to get software that is necessary for a very specific task (for their survival, for education or for testing) when the price is set too high. Because of greedy and unethical file-sharing, many groups, authorities and entities have, as a consequence, illegally blocked entire (web-)sites, whereas they are supposed to block or filter only the illegal content, products or portions. If a government opens a website to receive public opinions and feedback (or if a corporation starts Twitter, Facebook, etc. for the public to share opinions), can they monitor all of the feedback? (No, not easily.) And if a piece of feedback or an opinion reveals or hints at some facts, a loophole, or a process to bend a law without completely breaking it, can an authority (or a judge) shut down that entire government (or Twitter or Facebook) web-site? Is that the right thing to do? No. If "Google, Inc" indexes, caches and shares links to cached content of even illegal sites, or sites with some objectionable items which may not be allowed or legal in some US states or areas, will you take the entire Google site down? No. Musicians and their support and development groups, movie makers and their support and development groups, and software developers and their supporters are copying (and have copied): they do not creatively re-invent every little step or portion, they copy various portions from various other bases or sources (as that is what humans naturally do, and that is what happens with ideas, with open-source software, with developers who work with both commercial or trial software source code and open-source software, and with those who work on commercial software, who obviously develop or improve a previous base or core).
(Everything in the universe has come into existence from another object, idea, pattern or stage; these are affected by interaction with other objects (ideas, patterns, stages) and also actively (or passively) affect other objects (ideas, patterns, stages), and all of it can be traced back to its beginning at a single point of space-time-energy.) Are these people or entities (and their support groups) properly paying and compensating each of their sources? (No, they are not and have not, and we can easily find a plethora of public news and documents of such entities taking violators to court.) Just another example: if a software programmer has stolen (that is, "copied") a certain set of code and ideas from another set of programmers, then renamed it, developed it further, started selling it, and then also started telling others "don't copy it", I hope you are able to see the problem in that. So torrent users do not expect to be treated any differently. No one likes or prefers a person, entity or system which will treat or apply something to a certain group or other side, but will not treat or apply it to all in an equal manner, with an equal standard or in equally justified proportion. If a person is non-corrupt and is talking about how to block corruption, then that is more valuable, has more weight and has some credibility, which creates repercussions (a chain of affected actions and reactions); as a consequence, others will start to act and show (and exhibit) moral and balanced virtues and values and really helpful and creative activities, and they will start to avoid corruption and criminal activities. Do it and show it to others; apply exactly the same law to yourself first that you would like to apply to others, and then you will see goodness (and what you did) spreading out from person to person, and goodness (and what you did) coming back to you.
No one should expect good behaviour from the other side if they themselves cannot behave. We do have some very creative people (among us) who really and uniquely invent and solve, and we do have some people with very good morals and values.
    • If the prices of products, or fees for services, are within the buying capacity of middle-class or below-middle-class people, and are set at a fair and just amount, then (most) such users or people will not go for piracy. (Buying capacity does not mean only one product priced at US$0.99, which seems low-priced; you have to add up the various products and other living expenses of such middle-class or below-middle-class users or people, and what they can afford out of what they earn.) Globally inter-connected and inter-dependent employers and employees, and inter-connected and dependent people and consumers, etc., must realize the options and alternatives, and re-analyze, re-factor and re-value the prices and fees of various products and services based on various factors, for example: the source's and destination's approximate (not exact) location or area (such as by using the IP-address allocation and location codes of the end-user's ISP, and traffic origination- and destination-based detection mechanisms, for setting prices and fees); the country code of the payment card (the payment processing company can share only the buyer's "Country" code portion (or the jurisdiction area's code portion) with a product manufacturer, developer or service provider, for setting prices and fees); etc. Really helpful, newer developments and research create new products that result in improved components and lower the cost on all levels (for example: electrical or battery power usage efficiency increases; heat dissipation is properly managed, channelled and lowered; higher bandwidth and more data become possible inside a narrow channel or frequency range; better compression and encryption techniques at various levels and also on the transmitter (TX) and receiver (RX); etc.), so a service fee (and product price) must go down, not increase!
(Only where the manufacturing process involves higher cost does a slightly higher price for a "product" make sense (for some short amount of time, to cover the difference of the higher-spending portion), but not for a "service", and definitely not when charged for a very long time.) When more users are using it, the cost must go down; a price or fee cannot be a fixed amount for everyone for years after years, it must vary. Currently most mobile operators' SMS text-message fees in most countries, even in the world's poorest or least developed countries, are almost 1000 times less than what is charged in the US! Voice rates are also unbalanced. An example related to a software product: suppose you want to use Windows XP Professional inside a Virtual Machine (VM); this Operating System (OS) is almost 10 years old. And let's assume its official support is about to end within a year. Would it then be justified and fair to charge a buyer US$129 or so for it? No, definitely not $129. A corporation or LLC pays a lesser amount of tax and is always finding loopholes to pay even less, while if a regular individual does anything even slightly similar, he/she will either be in jail or have the money taken directly out of his/her bank account as tax, plus he/she will also have to pay for that tax-collection process! Various companies and corporations are firing and closing offices here in the USA and employing (it can also be called outsourcing) and using "low cost" (that is, cheap) labour, services, employees and products located in other low-cost or economically less-developed areas or countries, producing products and services at a very reduced, cheaper, lower cost, but selling the products and services here in the USA at the previous rate and/or a higher rate. Is that right? No. Do you see most product providers or most service provider entities doing something that is justified and fair? Mostly, no.
      Goto (top of) Acronyms section.
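The DNS-client and Email-Client entries above describe the query a stub resolver sends and the 'A'/'AAAA' and 'MX' answers it reads back. As an added example (not code from the original page), here is a minimal encoder and decoder for that wire format, standard library only; the response bytes it parses are constructed inline, and example.net / mail.example.net are placeholder names.

```python
# Added example, not code from the original page: a minimal DNS wire-format
# encoder/decoder showing what a stub resolver (DNS-client) sends and receives
# for the 'A'/'AAAA' and 'MX' lookups described above. Standard library only;
# every "response" is a byte string constructed here, not a real server's answer.
import socket
import struct

QTYPES = {"A": 1, "NS": 2, "SOA": 6, "MX": 15, "AAAA": 28}
TYPE_NAMES = {v: k for k, v in QTYPES.items()}


def encode_name(name):
    """'mail.example.net' -> b'\\x04mail\\x07example\\x03net\\x00' (RFC 1035 labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype, txid=0x1234):
    """Standard query with RD (recursion desired) set, as a stub resolver sends."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)


def decode_name(msg, off):
    """Decode a possibly compressed name; return (name, offset past it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = pointer, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_response(msg):
    """Return the header bits a client cares about plus the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    info = {"id": txid,
            "aa": bool(flags & 0x0400),  # authoritative answer
            "ad": bool(flags & 0x0020),  # authenticated data (DNSSEC-validated)
            "rcode": flags & 0x000F,      # 0 = NOERROR, 3 = NXDOMAIN
            "answers": []}
    off = 12
    for _ in range(qd):                # skip the echoed question section
        _, off = decode_name(msg, off)
        off += 4
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        rec = {"name": name, "type": TYPE_NAMES.get(rtype, rtype), "ttl": ttl}
        if rtype == 1:
            rec["data"] = socket.inet_ntoa(rdata)
        elif rtype == 28:
            rec["data"] = socket.inet_ntop(socket.AF_INET6, rdata)
        elif rtype == 15:                 # MX: 16-bit preference + exchange name
            rec["data"] = (struct.unpack("!H", rdata[:2])[0],
                           decode_name(msg, off + 2)[0])
        else:
            rec["data"] = rdata
        info["answers"].append(rec)
        off += rdlen
    return info


def build_answer(txid, qname, qtype, rrs, aa=True, ad=False):
    """Construct a response as a server would (used only to make sample data)."""
    flags = 0x8180 | (0x0400 if aa else 0) | (0x0020 if ad else 0)
    msg = struct.pack("!HHHHHH", txid, flags, 1, len(rrs), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", QTYPES[qtype], 1)
    for rtype, ttl, rdata in rrs:
        msg += struct.pack("!H", 0xC00C)   # name = pointer to the question name
        msg += struct.pack("!HHIH", QTYPES[rtype], 1, ttl, len(rdata)) + rdata
    return msg


def mail_servers(resolver_reply):
    """What an email-client does with an MX answer: lowest preference first."""
    mx = [r["data"] for r in parse_response(resolver_reply)["answers"] if r["type"] == "MX"]
    return [host for _pref, host in sorted(mx)]


if __name__ == "__main__":
    # Constructed sample: an authoritative answer carrying two MX records.
    rrs = [("MX", 300, struct.pack("!H", 20) + encode_name("mail2.example.net")),
           ("MX", 300, struct.pack("!H", 10) + encode_name("mail.example.net"))]
    reply = build_answer(0x1234, "example.net", "MX", rrs)
    print(mail_servers(reply))  # ['mail.example.net', 'mail2.example.net']
```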

IPv6 Supported DNS Servers

IPv6-based Public DNS Servers are listed inside the Public DNS Servers section. If an IP address with hexadecimal numbers has :: or : (colon) symbols, then that (usually) indicates it is an IPv6 address. Hexadecimal numbers in an IPv6 address use the 10 numeric digits 0 to 9 and the 6 letters A to F, a total of (10 + 6 =) 16 different symbols. Not all ISPs support IPv6 completely yet; many are still using IPv4-based Internet communication systems. Sometimes 6to4 (IPv6-over-IPv4) related techniques may need to be used to communicate with an IPv6 DNS server. If your local network, your (Internet connection) ISP and your computer's OS are using IPv6, then use an IPv6 DNS server for faster/better performance. IPv6 uses more symbols/numbers, so many more IP addresses are possible.

Test Public DNS Servers

How to test Public DNS servers? First use a torified Firefox web-browser and find out the correct, full domain-name (host-name, node-name, FQDN) of a few censored websites. Then, using the 'dig' tool (get it from ISC.org or use Cygwin, more info), try to resolve one of the censored websites (that is, try to get the website's IP address, its 'A' or 'AAAA' record) using each DNS server's @IP.ADRS.NUM (with a leading @ symbol) which you want to test or use, including your ISP-provided DNS server(s), via your Internet connection directly; see here. Soon you will see different servers returning different answers! Install a "Server IP Address" type of addon/plugin (in a torified Firefox) which can show the IP address of the visited website's server, and use it to find the actual IP address of the censored site. If you want to query DNS via a Tor exit-node's Internet connection, then you will have to load a (3rd-party or) configurable DNS-resolver/server (and also either a tun/tap interface and/or a transparent-proxy type of tool) on your computer and configure them; then 'dig' can be made to query from the Tor exit-node(s), see inside the Unbound Tweak section, here.
Warning: Using a DNS server which connects via the Tor proxy system is not a good idea at all when the same computer will be used for both "Anonymity" and "Private" purpose web-surfing. You can use a VM (Virtual Machine) only for "Anonymity" purpose usage on the same computer. Only if you are going to use a dedicated VM, or a dedicated computer, solely for "Anonymity" purpose usage should DNS via the Tor system be used. Torified applications which do not leak DNS queries via the direct local Internet connection, and properly connect to DNS server(s) via Tor exit node(s), are fine to use.

  • DNS2SOCKS: A very simple, small-purpose local (UDP) DNS-Resolver/Server for Windows, which can use up to four remote/online (TCP-DNS supported) DNS/name servers at a time via a Tor (Socks5) proxy. (DNS2SOCKS.exe, v1.2, 50,176 Bytes, SHA1: 76875E0D181DDE83F5F64A09324D17ED2B6165EA.) Get it, run it either with a batch (.cmd, .bat) file or from the Command Prompt, and change your Network Interface Adapter's preferred first DNS server to 127.0.0.1 and remove all other DNS server IP addresses. Now all software will use the local (127.0.0.1) DNS resolver, and DNS2SOCKS will connect to the destination remote DNS/name server from the Tor exit node, get the DNS query result, and deliver it to the local software which requested it. Use a remote DNS/name server (from the above list) which respects Privacy and Anonymity. It does not yet support IPv6 or DNSSEC, as of my writing (Sept 15, 2012). Note: When an application resolves a DNS (domain-name-to-IP-address conversion) query via DNS2SOCKS, the Tor circuits and system take a while to get the answer, so you may (or will) see timeout or not-found messages; simply refresh or try again. Once the answer is inside DNS2SOCKS's database, any future query for that same site or domain-name is answered from that database instantly.

Does the Public DNS Server support DNSSEC? If a DNS query is done for a (known, DNSSEC-signed) domain-name, via a specific DNS server, using the dig command line with +dnssec as an option, then if the answer has the ad bit inside "flags:" and you also see NOERROR in "status:", that DNS server supports DNSSEC.
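The test procedure above (compare each resolver's dig answer for a censored name against the real address) and the DNSSEC check (NOERROR status plus the ad flag), as an added Python example that is not part of the original page; the dig outputs, resolver labels and addresses it uses are constructed samples.

```python
# Added example, not code from the original page: parse the header and ANSWER
# section of 'dig' output, compare what several resolvers return for the same
# name (a divergent or empty answer is the filtering/hijacking sign described
# above), and apply the DNSSEC check from the paragraph above (status NOERROR
# plus the 'ad' flag). The dig outputs below are constructed samples; the
# resolver labels and addresses are placeholders.
import re

STATUS_RE = re.compile(r";; ->>HEADER<<- opcode: \w+, status: (\w+), id: \d+")
FLAGS_RE = re.compile(r";; flags: ([a-z ]*);")
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")


def parse_dig(text):
    """Return {'status', 'flags', 'answers'} from one dig run's output."""
    status = STATUS_RE.search(text)
    flags = FLAGS_RE.search(text)
    answers, in_answer = [], False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if in_answer:
            if not line.strip() or line.startswith(";;"):
                in_answer = False
                continue
            m = RR_RE.match(line)
            if m:
                name, _ttl, rtype, rdata = m.groups()
                answers.append((name.rstrip("."), rtype, rdata.strip()))
    return {"status": status.group(1) if status else None,
            "flags": set(flags.group(1).split()) if flags else set(),
            "answers": answers}


def addresses(parsed):
    """The A/AAAA values of an answer, order-independent."""
    return frozenset(rd for _, rt, rd in parsed["answers"] if rt in ("A", "AAAA"))


def supports_dnssec(parsed):
    """The page's test: NOERROR status and the 'ad' (authenticated data) flag."""
    return parsed["status"] == "NOERROR" and "ad" in parsed["flags"]


def compare_resolvers(outputs, trusted):
    """outputs: {resolver_label: dig_text}. 'trusted' is the label whose answer
    is taken as the real address (e.g. confirmed via the torified browser addon).
    Returns {label: (verdict, sorted addresses, dnssec_supported)}."""
    reference = addresses(parse_dig(outputs[trusted]))
    report = {}
    for label, text in outputs.items():
        p = parse_dig(text)
        addrs = addresses(p)
        if p["status"] == "NXDOMAIN" or not addrs:
            verdict = "filtered"      # name withheld or answered empty
        elif addrs == reference:
            verdict = "consistent"
        else:
            verdict = "hijacked"      # answered, but with a different address
        report[label] = (verdict, sorted(addrs), supports_dnssec(p))
    return report


# Constructed samples (trimmed dig output). 192.0.2.x and 198.51.100.x are
# documentation addresses, not real servers.
SAMPLE = {
    "public-a": """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
www.example.net.\t300\tIN\tA\t192.0.2.10
""",
    "isp": """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
www.example.net.\t5\tIN\tA\t198.51.100.1
""",
    "filtering": """;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
""",
}

if __name__ == "__main__":
    for label, (verdict, addrs, dnssec) in compare_resolvers(SAMPLE, "public-a").items():
        print(f"{label:10} {verdict:10} {addrs} dnssec={dnssec}")
```

With real dig output, feed each `dig @server name +dnssec` result into the same dictionary; the parser ignores the sections it does not need.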

Secured & Accurate Email Exchanging

A very secure and accurate email exchange is possible (over the open Internet) when the following combination is used: (1) A DNSSEC-supported DNS query mechanism is used by your DNSSEC-supported email-client software. (2) Your own email-address domain-name is DNSSEC-signed. (3) Your destination's domain-name is also DNSSEC-signed. (Then very correct IP address information can be obtained, along with various other DNS records/data, like your and your destination's "public" side encryption certificates or keys, etc.) (4) Your DNSSEC-supported email-client software has properly encrypted the email(s). (5) Your email-client has used a secured, encrypted connection protocol and mechanism between you and your (DNSSEC-supported) email-server. (Important: your email-client and your email-server both need to use, and both must be capable of using, techniques to bypass IP-address spoofers and redirectors, and connect with the authentic destination IP address of the email-server specified in the DNSSEC answer.) (6) Your email-server and your destination's email-server are both DNSSEC-supported email-servers (also see this section on DNSSEC-signing), both sides' servers use a secured, encrypted connection protocol and mechanism (DNSSEC also allows sharing various certificates and keys with visitors or users very accurately, and your email-client and both email-servers have properly utilized those), and both email-servers use ''FCrDNS'' (forward-confirmed reverse DNS, also known as full-circle reverse DNS, double-reverse DNS, iprev, etc.). (Important: your email-server and your destination's email-server both must bypass IP-address spoofers or redirectors, and connect with the authentic email-server.) (7) You are using "portable" email-client software from your own personal portable storage drive, where your personal-use software is located inside a password-protected, encrypted partition or drive which stays physically close to you (and not on an online-based server).
(8) Once the email user downloads the email(s), the email-server should be set to erase all trace of them, as the email is for you. And after you download emails, delete them from the Inbox and then empty the Trash to (apparently) completely erase such emails. (9) You are encrypting emails end-to-end using OpenPGP or self-signed X.509 certs, and you have shared such certs only with the destination "person" (or the destination group), and no one else. Please also see the "SSL Certificate", "Email-Client", etc. paragraphs above, under the Note / Legend / Acronyms section, and see diagram D below.

  • Though not very thoroughly tested, the I2P closed-Internet-network system (also known as the I2P darknet; here "dark" points to "unknown") based email exchange is considered to be very secure. Also see the even newer and better "i2pbote", which is a distributed, server-less, P2P-based encrypted email exchange system.
    Warning: I2P is based on Java (JRE, JDK) and functions as a P2P server type of software, so on Windows avoid using your system's default-location Java JRE as the server (because you would need to open an inbound port toward the default-location Java JRE binaries, which is not safe). (Windows by default does not have a sandbox, jail, chroot/jail or virtual box for apps; 3rd-party applications are required for such functionality.) Install a portable Java JRE in a different folder, configure I2P to use that 2nd Java JRE binary as the server, and allow the "inbound" connection in your firewall (firewalls have such rule-making options), making sure the rule applies only to that 2nd (portable or copied) Java JRE binary (that is, if you use firewall software, which you must or should). You can also copy your existing default Java JRE folder to a 2nd, different folder; then you must first configure that 2nd Java JRE to use the other files inside the 2nd folder location, and then also configure I2P to use that 2nd Java JRE folder. Another solution is to run I2P inside a VM (guest); it can then be used from your (host) computer or from inside the VM.
  • You can (as usual) use GnuPG/GPG, Enigmail, Thunderbird, etc. for exchanging GPG/PGP-encrypted (or other X.509, etc. encryption based), end-to-end protected emails over the regular open Internet for your personal email. You can also use those software through the Tor proxy network if you have a different email with a different username for "Anonymity" usage; then make sure you have Anonymized or Torified these software or components early on (see Torbirdy, and load it into Thunderbird), so that they use TLS/SSL-based encrypted connections through the Tor proxy network.
  • You can (as usual) communicate from your email-client software with your email-server using a login mechanism based on self-signed or purchased (SSL/TLS (X.509), etc.) certificates or keys, if both sides support it; then the connection (or communication) between both sides remains much more secure and encrypted, even if you use multiple proxies. Find out whether your email-server supports it, and if it does, send them the public side of your certificate, making sure to use a very secure and definite process or method to deliver it to that email-server operator's side or hand.
 
┌──────────┐  ┌──────────┐  ┌──────────┐
|Censorship|  |Censorship|  |Censorship|
|     -free|  |     -free|  |     -free|
|DNSSEC    |  |DNSSEC    |  |DNSSEC    |
| supported|  | supported|  | supported|
|Public DNS|  |Public DNS|  |Public DNS|
|  Servers |  |  Servers |  |  Servers |
└──────────┘  └──────────┘  └──────────┘
   |   ^        |   ^         |   ^
   |   |        |   |         |   |
   V   |        V   |         V   |
┌────────┐    ┌────────┐    ┌────────┐
|(DNSSEC)|    |(DNSSEC)|    |(DNSSEC)|
|        |    |        |    |        |
|  DNS   |    |  DNS   |    |  DNS   |
|Resolver|    | Client |    | Client |
|  or    |    |   or   |    |   or   |
| Client |    | Server |    | Server |
└────────┘    └────────┘    └────────┘
   |   ^        |   ^         |   ^
   |   |        |   |         |   |
   V   |        V   |         V   |
┌────────┐    ┌────────┐    ┌───────────┐
| Your   |    | Your   |    |Destination|
| Email  |--->| Email  |--->|  Email    |
| Client |<---| Server |<---|  Server   |
|        |    |        |    |           |
|(DNSSEC)|    |(DNSSEC)|    |  (DNSSEC) |
└────────┘    └────────┘    └───────────┘
        diagram: D

Credits

By Bry8Star. Copyright (C) 2012 Bry8Star (bry8 star a.t ya hoo d.o.t c om).

See Disclaimer. See Guidelines(2). See Contact.

Information Reference/Source

Almost all provider's domain address or URL is added, where info was & can be obtained from or verified directly.

Last modified on Oct 8, 2012, 11:18:33 AM