===
DNS
===

Public DNS Resolvers
====================

View performance statistics for public DNS resolvers at DNSPerf. The
statistics reported at DNSPerf tend to be very similar to the results I get
using the namebench tool. You may also find it useful to look at NixNet's page
about DNS. It lists their DNS resolvers along with useful general information.

Under Linux there are a number of services that like to overwrite
/etc/resolv.conf. Once you have edited /etc/resolv.conf to your liking you can
prevent it from being overwritten by setting the immutable bit.

# chattr +i /etc/resolv.conf

AdGuard

94.140.14.14
94.140.15.15
2a10:50c0::ad1:ff
2a10:50c0::ad2:ff

https://dns.adguard.com/dns-query

CloudFlare

1.1.1.1
1.0.0.1
2606:4700:4700::1111
2606:4700:4700::1001

https://cloudflare-dns.com/dns-query

Dyn

216.146.35.35
216.146.36.36

FreeDNS.zone

172.104.237.57  (Frankfurt, Germany)
172.104.49.100  (Singapore)
37.235.1.174    (Vienna, Austria)
37.235.1.177    (Vienna, Austria)
45.33.97.5      (Atlanta, GA, USA)

Google

8.8.8.8
8.8.4.4
2001:4860:4860::8888
2001:4860:4860::8844

https://dns.google/dns-query

Hurricane Electric

74.82.42.42
2001:470:20::2

https://ordns.he.net/dns-query

Namecheap SafeServe

198.54.117.10
198.54.117.11

NextDNS

45.90.28.219
45.90.30.219

OpenDNS

208.67.222.222
208.67.220.220
2620:0:ccc::2
2620:0:ccd::2

https://doh.opendns.com/dns-query

OpenNIC Project

Go to https://www.opennic.org to see which of their DNS resolvers
are closest to you. OpenNIC servers periodically go down and
occasionally just disappear. Servers that have worked for me
(in North America) are:

192.3.165.37
172.98.193.42

Of course, keep in mind what I noted above, that OpenNIC servers
periodically go down and occasionally just disappear. Yes, I
thought that point needed to be repeated.

Quad9

9.9.9.9
149.112.112.112
2620:fe::fe

https://dns.quad9.net/dns-query

Yandex Basic

77.88.8.8
77.88.8.1
2a02:6b8::feed:0ff
2a02:6b8:0:1::feed:0ff

Yandex Safe

77.88.8.88
77.88.8.2
2a02:6b8::feed:bad
2a02:6b8:0:1::feed:bad

I sometimes mix DNS resolvers from different providers:

nameserver 45.33.97.5  # FreeDNS.zone
nameserver 74.82.42.42 # Hurricane Electric

DNS RECORDS
===========

DNSSEC

Enabling DNSSEC:

Generate DNSSEC keys and DS records at your DNS host.
Add the DS records at your domain registrar.

Disabling DNSSEC:

Remove the DS records at your domain registrar.  Wait 24
hours for most domains, but 48 hours for domains registered
through EU.org. Run "dig DS domain.tld" to check the DS TTL of
the domain from which you are removing DNSSEC.

Remove or disable DNSSEC at your DNS host.

Examples of DS records:

debian.org. 10762 IN DS 6487 8 2 A9528F2409C5F6A95AE6E0F8A6C5A223AC4EFD54B45884CB855F044E 82F7F4C6
yandex.com. 9595 IN DS 31456 5 1 593F529E8942948DE9D6646AC5F9E2208F49D606

*NOTE: At EU.org, you need to paste the complete DNS DS records
one at a time. First:

oldfolio.eu.org. 86400 IN DS 12658 13 1 F6DA0F5AE673070AD8BF615F9FB8089649AAB35B

Then after that has been accepted:

oldfolio.eu.org. 86400 IN DS 12658 13 2 391D8D873C923079B3873F02A36CBC6A454CD7BBFED8B1D391E5F2AE94D10CB9
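An added example in Python, not part of these notes, showing the check behind the DS records above: it parses a DS line as dig prints it (rejoining the space dig inserts into long digests) and recomputes a SHA-256 DS from a DNSKEY, so you can confirm the record at the registrar matches the key at the DNS host. The DNSKEY it uses is a constructed dummy, not a real key.

```python
import base64
import hashlib

def owner_wire(name):
    """Owner name in canonical wire form: lowercase, length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (all algorithms but RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64):
    """Compute the DS (digest type 2 = SHA-256) the registrar should hold for this DNSKEY."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)
    digest = hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()
    return {"key_tag": key_tag(rdata), "algorithm": algorithm, "digest_type": 2, "digest": digest}

def format_ds(owner, ds, ttl=86400):
    return "%s %d IN DS %d %d %d %s" % (owner, ttl, ds["key_tag"], ds["algorithm"],
                                        ds["digest_type"], ds["digest"])

def parse_ds(line):
    """Parse a DS line as dig prints it; dig breaks long digests with spaces, so rejoin them."""
    f = line.split()
    i = f.index("DS")
    return {"owner": f[0], "key_tag": int(f[i + 1]), "algorithm": int(f[i + 2]),
            "digest_type": int(f[i + 3]), "digest": "".join(f[i + 4:]).upper()}

def ds_matches_dnskey(ds_line, owner, flags, protocol, algorithm, pubkey_b64):
    """True if the published DS (SHA-256 only) matches the DNSKEY it is supposed to cover."""
    ds = parse_ds(ds_line)
    if ds["digest_type"] != 2:
        return False  # SHA-1 (type 1) DS records are not checked here
    want = ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64)
    return all(ds[k] == want[k] for k in ("key_tag", "algorithm", "digest"))

# Constructed sample: four dummy key bytes, not a real DNSKEY public key.
SAMPLE_KEY_B64 = "AQIDBA=="
if __name__ == "__main__":
    print(format_ds("example.org.", ds_from_dnskey("example.org.", 257, 3, 13, SAMPLE_KEY_B64)))
```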

DMARC Records

_dmarc.domain.tld. IN TXT "v=DMARC1; p=none; rua=mailto:[email protected]"

DMARC action to take if either SPF or DKIM fails:

p=none; - take no action
p=quarantine; - mark message as spam
p=reject; - reject message outright

To send DMARC reports to an address outside the email sending domain, create a
TXT record in the DNS of the receiving domain:

email-sending-domain.tld._report._dmarc.receiving-domain.tld.  IN TXT
"v=DMARC1"

Of course, you will still need to create the basic DMARC record in the DNS of
the email sending domain:

_dmarc.email-sending-domain.tld. IN TXT "v=DMARC1; p=none;
rua=mailto:[email protected]"

MX Records

Fastmail

IN MX 10 in1-smtp.messagingengine.com.
IN MX 20 in2-smtp.messagingengine.com.

Gandi

IN MX 10 spool.mail.gandi.net.
IN MX 50 fb.mail.gandi.net.

Google

IN MX 1 aspmx.l.google.com.
IN MX 5 alt1.aspmx.l.google.com.
IN MX 5 alt2.aspmx.l.google.com.
IN MX 10 alt3.aspmx.l.google.com.
IN MX 10 alt4.aspmx.l.google.com.

MXroute (Replace SERVER with the name of the server on which your account is
hosted, e.g., longhorn.)

IN MX 10 SERVER.mxrouting.net.
IN MX 20 SERVER-relay.mxrouting.net.

Runbox

IN MX 10 mx.runbox.com.

Yandex

IN MX 10 mx.yandex.net.

SPF Records

v=spf1 -all # Do not accept mail from this domain
v=spf1 include:server.com -all # Accept mail sent by server.com, but no one else
v=spf1 a mx -all # Accept mail sent by the servers specified in the domain's A and MX records

Fastmail

include:spf.messagingengine.com

Gandi

include:_mailcust.gandi.net

Google

include:_spf.google.com

MXroute: Any one of the following should work. According to
Jarland, the last involves the fewest DNS lookups.

include:mxlogin.com
include:mxroute.com
include:_s00002163.autospf.email

Runbox

include:spf.runbox.com

Yandex

include:_spf.yandex.net

Multiple "include" example:

domain.tld. IN TXT "v=spf1 include:_spf.yandex.net
include:spf.messagingengine.com -all"

Multiple servers: Accept mail from the server specified in
the mail server's A record as well as from any server specified
by the SPF record for Yandex.

domain.tld. IN TXT "v=spf1 a:mail-server.domain.tld include:_spf.yandex.net ~all"
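An added example in Python, not from these notes: a parser that counts the DNS lookups an SPF record costs (the point behind the MXroute remark above), a DMARC tag parser, and a function that lists the _report._dmarc records a receiving domain must publish for external rua/ruf addresses. All domain names in it are constructed placeholders.

```python
import re
# SPF terms that each cost a DNS lookup against the limit of 10 per evaluation (RFC 7208 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_spf(record):
    """Parse one SPF TXT string; the lookup count is for this record alone,
    each included record adds its own, so treat it as a lower bound."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    mechanisms, lookups, all_policy = [], 0, None
    for term in terms[1:]:
        qualifier = "+"  # implicit qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        parts = re.split(r"[:=/]", term, maxsplit=1)
        name, arg = parts[0].lower(), (parts[1] if len(parts) > 1 else None)
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            all_policy = QUALIFIERS[qualifier]
        mechanisms.append((qualifier, name, arg))
    return {"mechanisms": mechanisms, "dns_lookups": lookups,
            "over_limit": lookups > 10, "all": all_policy}

def parse_dmarc(record):
    """Split a DMARC TXT string into its tags and check the two mandatory ones."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in {"none", "quarantine", "reject"}:
        raise ValueError("DMARC record needs v=DMARC1 and p=none|quarantine|reject")
    return tags

def external_report_records(sending_domain, tags):
    """Names of the _report._dmarc TXT records (content: v=DMARC1) that every
    outside receiving domain in rua/ruf must publish before reports are sent."""
    needed = set()
    for tag in ("rua", "ruf"):
        for uri in tags.get(tag, "").split(","):
            uri = uri.strip().split("!")[0]  # drop an optional !size suffix
            if uri.lower().startswith("mailto:") and "@" in uri:
                dest = uri.rsplit("@", 1)[1].lower()
                if dest != sending_domain.lower():
                    needed.add("%s._report._dmarc.%s." % (sending_domain, dest))
    return sorted(needed)
```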

Miscellaneous
=============

Disable IPv6 in Firefox by changing

network.dns.disableIPv6

from false to true in about:config.

General note about serving web sites: If your server only has an IPv6 address,
I have found two options for serving sites over IPv4:

   Use Cloudflare's DNS, and set Cloudflare to proxy.
   Add an A record for the Netiter proxy service.