NixNet/dns.md

---
layout: page
title: DNS
description: Public and unlogged DNS servers with Anycast, DoT, and DoH running on NixNet
subtitle: Public but private DNS
permalink: /dns/
cover: /assets/pages/dns.png
---
# Preamble
Before going through and setting every device to use my DNS servers, I recommend you read sections 1 - 2 of a [previous post](/blog/dns-and-root-certificates-what-you-need-to-know/#1-what-is-dns-and-why-does-it-concern-you) so you actually understand what's happening and what you're doing. DNS is set up on the same servers as my [Tor exits](/tor-nodes/) so, if you're in a country that actively blocks Tor, you could run into issues unless you use the Anycast IP/hostname.

# Features
* Uncensored (the backend is [Unbound](https://en.wikipedia.org/wiki/Unbound_(DNS_server)))
* No logging (see [Privacy Policy](/privacy))
* [Anycast](https://en.wikipedia.org/wiki/Anycast)
* [DNS-over-TLS](https://en.wikipedia.org/wiki/DNS_over_TLS)
* [QNAME minimisation](https://tools.ietf.org/html/rfc7816)
* [DNSSEC validation](https://www.icann.org/resources/pages/dnssec-what-is-it-why-important-2019-03-05-en)
* Optional adblock w/ [Pi-Hole](https://pi-hole.net/) using my [hosts.txt](/hosts.txt)

# IPs & Hostnames
For simplicity's sake, I recommend using the [Anycast](https://en.wikipedia.org/wiki/Anycast) hostname as your primary, the location normally nearest to you as secondary, and a different provider for your tertiary DNS. With Anycast, you'll automatically use the server geographically nearest (the one with the lowest latency) and it will be secured with TLS. For more technical information on Anycast, click the link above. The second Anycast IP address is for plaintext DNS (**not recommended**); everything else is DNS-over-TLS. If you don't know what those are, the next section explains a bit more.

Uncensored Anycast
* `uncensored.any.dns.nixnet.xyz`
* `198.251.90.114:853` **(DoT)**
* `https://uncensored.any.dns.nixnet.xyz/dns-query` **(DoH)**
* `198.251.90.114` **(plaintext)**

Adblock Anycast
* `adblock.any.dns.nixnet.xyz`
* `198.251.90.89:853` **(DoT)**
* `https://adblock.any.dns.nixnet.xyz/dns-query` **(DoH)**
* `198.251.90.89` **(plaintext)**

Las Vegas
* `uncensored.lv1.dns.nixnet.xyz`
* `adblock.lv1.dns.nixnet.xyz`
* `209.141.34.95:853` **(DoT)**
* `https://uncensored.lv1.dns.nixnet.xyz/dns-query` **(DoH)**
* `https://adblock.lv1.dns.nixnet.xyz/dns-query` **(DoH)**

New York
* `uncensored.ny1.dns.nixnet.xyz`
* `adblock.ny1.dns.nixnet.xyz`
* `199.195.251.84:853` **(DoT)**
* `https://uncensored.ny1.dns.nixnet.xyz/dns-query` **(DoH)**
* `https://adblock.ny1.dns.nixnet.xyz/dns-query` **(DoH)**

Luxembourg
* `uncensored.lux1.dns.nixnet.xyz`
* `adblock.lux1.dns.nixnet.xyz`
* `104.244.78.231:853` **(DoT)**
* `https://uncensored.lux1.dns.nixnet.xyz/dns-query` **(DoH)**
* `https://adblock.lux1.dns.nixnet.xyz/dns-query` **(DoH)**

After setting them, you can test your connection with [ipleak.net](https://ipleak.net). If you have JavaScript enabled, the line below will tell you which server you'll connect to with Anycast at the moment. If you travel a lot, that server will change depending on your location.

<code id="server">This element requires JavaScript to be enabled</code>

\* Please note that your DNS-over-TLS client must support [SNI](https://en.wikipedia.org/wiki/Server_Name_Indication) (Server Name Indication).

# Recommendations
I recommend setting fallbacks with other providers (such as [Lelux.fi's](https://lelux.fi/resolver/)) in case mine are down for some reason. Redundancy is always a good thing. A friend of mine has a page with a list of [DNS resolvers](https://wiki.lelux.fi/dns/resolvers/) on it that you can peruse as well. I highly recommend DNS-over-TLS (DoT). Plaintext is . . . well . . . plaintext; anyone can snoop on your traffic. DoT is end-to-end encrypted so no one but you and the DNS server can see your queries. DNS-over-HTTPS (DoH) is just as secure but it's supported by far fewer devices and applications. It's also more difficult to set up 😅

The best thing to do, in my opinion, is set your DNS at the OS level with [Stubby](https://wiki.archlinux.org/index.php/Stubby) or [Unbound](https://wiki.archlinux.org/index.php/Unbound), for example, and not at the application level i.e. with Firefox's DoH implementation. For more information about configuring custom DNS servers on various devices, read the related [blog post](/blog/setting-dns-on-mobile-and-desktop/).

If you don't want to use DNS for blocking ads, take a look at my post on doing it [locally](/blog/blocking-ads-on-mobile-and-desktop/). There are solutions for most&trade; devices and none of the guides are *particularly* difficult to implement.

# "Source"
All the software running the backend is open source so the configs are really the only unique parts about my setup. They can be found at [NixNet/dns](https://git.nixnet.xyz/NixNet/dns) on my Gitea instance. If you have any questions, simply [contact me](/contact) somewhere!

<script>
fetch("https://check.any.dns.nixnet.xyz/check")
  .then((response) => response.text())
  .then((server) => document.getElementById("server").innerHTML = server)
</script>
various 2019-07-24 21:40:31 +00:00			`---`
			`layout: page`
			`title: DNS`
added service and DoH 2019-09-19 00:24:34 +00:00			`description: Public and unlogged DNS servers with Anycast, DoT, and DoH running on NixNet`
			`subtitle: Public but private DNS`
various 2019-07-24 21:40:31 +00:00			`permalink: /dns/`
			`cover: /assets/pages/dns.png`
			`---`
			`# Preamble`
			`Before going through and setting every device to use my DNS servers, I recommend you read sections 1 - 2 of a [previous post](/blog/dns-and-root-certificates-what-you-need-to-know/#1-what-is-dns-and-why-does-it-concern-you) so you actually understand what's happening and what you're doing. DNS is set up on the same servers as my [Tor exits](/tor-nodes/) so, if you're in a country that actively blocks Tor, you could run into issues unless you use the Anycast IP/hostname.`

various 2019-08-25 17:17:09 +00:00			`# Features`
modify some dns information 2019-08-28 03:52:04 +00:00			`* Uncensored (the backend is [Unbound](https://en.wikipedia.org/wiki/Unbound_(DNS_server)))`
			`* No logging (see [Privacy Policy](/privacy))`
various 2019-08-25 17:17:09 +00:00			`* [Anycast](https://en.wikipedia.org/wiki/Anycast)`
			`* [DNS-over-TLS](https://en.wikipedia.org/wiki/DNS_over_TLS)`
			`* [QNAME minimisation](https://tools.ietf.org/html/rfc7816)`
			`* [DNSSEC validation](https://www.icann.org/resources/pages/dnssec-what-is-it-why-important-2019-03-05-en)`
modify some dns information 2019-08-28 03:52:04 +00:00			`* Optional adblock w/ [Pi-Hole](https://pi-hole.net/) using my [hosts.txt](/hosts.txt)`
various 2019-08-25 17:17:09 +00:00
various 2019-07-24 21:40:31 +00:00			`# IPs & Hostnames`
			For simplicity's sake, I recommend using the [Anycast](https://en.wikipedia.org/wiki/Anycast) hostname as your primary, the location normally nearest to you as secondary, and a different provider for your tertiary DNS. With Anycast, you'll automatically use the server geographically nearest (the one with the lowest latency) and it will be secured with TLS. For more technical information on Anycast, click the link above. The second Anycast IP address is for plaintext DNS (not recommended); everything else is DNS-over-TLS. If you don't know what those are, the next section explains a bit more.

correct dns info 2019-08-28 14:36:13 +00:00			`Uncensored Anycast`
various 2019-07-24 21:40:31 +00:00			* `uncensored.any.dns.nixnet.xyz`
			* `198.251.90.114:853` (DoT)
mailto link finished and dns info added 2019-09-12 18:06:47 +00:00			* `https://uncensored.any.dns.nixnet.xyz/dns-query` (DoH)
various 2019-07-24 21:40:31 +00:00			* `198.251.90.114` (plaintext)

correct dns info 2019-08-28 14:36:13 +00:00			`Adblock Anycast`
			* `adblock.any.dns.nixnet.xyz`
			* `198.251.90.89:853` (DoT)
mailto link finished and dns info added 2019-09-12 18:06:47 +00:00			* `https://adblock.any.dns.nixnet.xyz/dns-query` (DoH)
correct dns info 2019-08-28 14:36:13 +00:00			* `198.251.90.89` (plaintext)

various 2019-07-24 21:40:31 +00:00			`Las Vegas`
			* `uncensored.lv1.dns.nixnet.xyz`
modify some dns information 2019-08-28 03:52:04 +00:00			* `adblock.lv1.dns.nixnet.xyz`
various 2019-07-24 21:40:31 +00:00			* `209.141.34.95:853` (DoT)
mailto link finished and dns info added 2019-09-12 18:06:47 +00:00			* `https://uncensored.lv1.dns.nixnet.xyz/dns-query` (DoH)
			* `https://adblock.lv1.dns.nixnet.xyz/dns-query` (DoH)
various 2019-07-24 21:40:31 +00:00
			`New York`
			* `uncensored.ny1.dns.nixnet.xyz`
modify some dns information 2019-08-28 03:52:04 +00:00			* `adblock.ny1.dns.nixnet.xyz`
various 2019-07-24 21:40:31 +00:00			* `199.195.251.84:853` (DoT)
mailto link finished and dns info added 2019-09-12 18:06:47 +00:00			* `https://uncensored.ny1.dns.nixnet.xyz/dns-query` (DoH)
			* `https://adblock.ny1.dns.nixnet.xyz/dns-query` (DoH)
various 2019-07-24 21:40:31 +00:00
			`Luxembourg`
			* `uncensored.lux1.dns.nixnet.xyz`
modify some dns information 2019-08-28 03:52:04 +00:00			* `adblock.lux1.dns.nixnet.xyz`
various 2019-07-24 21:40:31 +00:00			* `104.244.78.231:853` (DoT)
mailto link finished and dns info added 2019-09-12 18:06:47 +00:00			* `https://uncensored.lux1.dns.nixnet.xyz/dns-query` (DoH)
			* `https://adblock.lux1.dns.nixnet.xyz/dns-query` (DoH)
various 2019-07-24 21:40:31 +00:00
			`After setting them, you can test your connection with [ipleak.net](https://ipleak.net). If you have JavaScript enabled, the line below will tell you which server you'll connect to with Anycast at the moment. If you travel a lot, that server will change depending on your location.`

			`<code id="server">This element requires JavaScript to be enabled</code>`

			`\* Please note that your DNS-over-TLS client must support [SNI](https://en.wikipedia.org/wiki/Server_Name_Indication) (Server Name Indication).`

			`# Recommendations`
			I recommend setting fallbacks with other providers (such as [Lelux.fi's](https://lelux.fi/resolver/)) in case mine are down for some reason. Redundancy is always a good thing. A friend of mine has a page with a list of [DNS resolvers](https://wiki.lelux.fi/dns/resolvers/) on it that you can peruse as well. I highly recommend DNS-over-TLS (DoT). Plaintext is . . . well . . . plaintext; anyone can snoop on your traffic. DoT is end-to-end encrypted so no one but you and the DNS server can see your queries. DNS-over-HTTPS (DoH) is just as secure but it's supported by far fewer devices and applications. It's also more difficult to set up 😅

			`The best thing to do, in my opinion, is set your DNS at the OS level with [Stubby](https://wiki.archlinux.org/index.php/Stubby) or [Unbound](https://wiki.archlinux.org/index.php/Unbound), for example, and not at the application level i.e. with Firefox's DoH implementation. For more information about configuring custom DNS servers on various devices, read the related [blog post](/blog/setting-dns-on-mobile-and-desktop/).`

modify some dns information 2019-08-28 03:52:04 +00:00			`If you don't want to use DNS for blocking ads, take a look at my post on doing it [locally](/blog/blocking-ads-on-mobile-and-desktop/). There are solutions for most™ devices and none of the guides are particularly difficult to implement.`

			`# "Source"`
			`All the software running the backend is open source so the configs are really the only unique parts about my setup. They can be found at [NixNet/dns](https://git.nixnet.xyz/NixNet/dns) on my Gitea instance. If you have any questions, simply [contact me](/contact) somewhere!`
various 2019-07-24 21:40:31 +00:00
			`<script>`
			`fetch("https://check.any.dns.nixnet.xyz/check")`
			`.then((response) => response.text())`
			`.then((server) => document.getElementById("server").innerHTML = server)`
			`</script>`