
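SNI Proxy Installation Tutorial

The DNS servers and hosts files that can be used to get around the firewall all rely on self-hosted or public SNI proxies.

How it works

I don't understand SNI in detail myself. Suppose you have an overseas server with the IP 233.233.233.233, with SNI Proxy installed on it, correctly configured and running.

Then add one line at the end of your local hosts file:

    233.233.233.233 www.google.com

Save the hosts file and open https://www.google.com in a browser; you will find that you can now reach https://www.google.com.

How the request flows:

  1. With 233.233.233.233 www.google.com set in hosts, the browser requests https://www.google.com.
  2. The browser looks in the hosts file and finds the configured IP (233.233.233.233).
  3. The browser connects to SNI Proxy (233.233.233.233).
  4. SNI Proxy receives the request, connects to https://www.google.com, fetches the site's data and returns it to you unchanged.
  5. The browser receives the site data returned by SNI Proxy and displays it.
  6. You see the https://www.google.com page.

Put simply, SNI Proxy fetches the requested site, for example https://www.google.com, and returns it to the requester unchanged. It does not decrypt or re-encrypt the traffic, so no certificate needs to be configured.

SNI Proxy makes this kind of reverse proxying easy to set up.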
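Why no certificate is needed, as an added example (not from the original tutorial or the sniproxy project): the hostname a client asks for is readable in clear text in the TLS ClientHello, so a relay can pick the backend and pass the bytes on untouched. The ClientHello below is a minimal constructed sample, and build_client_hello and extract_sni are illustrative names.

```python
import struct


def build_client_hello(hostname: str, with_sni: bool = True) -> bytes:
    """Build a minimal, constructed ClientHello record for the demo (not a capture)."""
    extensions = b""
    if with_sni:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name    # name_type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry              # server_name_list
        extensions = struct.pack("!HH", 0x0000, len(sni)) + sni  # extension 0 = server_name
    body = (
        b"\x03\x03" + bytes(32)      # client_version, random
        + b"\x00"                     # empty session_id
        + b"\x00\x02\x13\x01"         # one cipher suite
        + b"\x01\x00"                 # null compression
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def _take(buf: bytes, pos: int, n: int):
    """Return (n bytes at pos, new pos); raise if the buffer is too short."""
    if pos + n > len(buf):
        raise ValueError("truncated ClientHello")
    return buf[pos:pos + n], pos + n


def _take_vector(buf: bytes, pos: int, len_bytes: int):
    """Read a length-prefixed field and return (payload, new pos)."""
    raw, pos = _take(buf, pos, len_bytes)
    return _take(buf, pos, int.from_bytes(raw, "big"))


def extract_sni(record: bytes):
    """Return the host_name from the SNI extension, or None if the client sent none."""
    header, pos = _take(record, 0, 5)
    if header[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    fragment, _ = _take(record, pos, int.from_bytes(header[3:5], "big"))
    hs_header, pos = _take(fragment, 0, 4)
    if hs_header[0] != 0x01:
        raise ValueError("not a ClientHello")
    body, _ = _take(fragment, pos, int.from_bytes(hs_header[1:4], "big"))

    _, pos = _take(body, 0, 2 + 32)        # skip version + random
    _, pos = _take_vector(body, pos, 1)    # session_id
    _, pos = _take_vector(body, pos, 2)    # cipher_suites
    _, pos = _take_vector(body, pos, 1)    # compression_methods
    if pos == len(body):
        return None                        # no extensions block at all
    extensions, _ = _take_vector(body, pos, 2)

    pos = 0
    while pos < len(extensions):
        ext_type, pos = _take(extensions, pos, 2)
        ext_data, pos = _take_vector(extensions, pos, 2)
        if ext_type != b"\x00\x00":
            continue                       # not the server_name extension
        names, _ = _take_vector(ext_data, 0, 2)
        npos = 0
        while npos < len(names):
            name_type, npos = _take(names, npos, 1)
            name, npos = _take_vector(names, npos, 2)
            if name_type == b"\x00":
                return name.decode("ascii")
    return None


if __name__ == "__main__":
    hello = build_client_hello("www.google.com")
    # The relay reads the name, then forwards `hello` byte-for-byte to that host.
    print(extract_sni(hello))
```

A client that sends no SNI extension gives the relay nothing to route on, which is why extract_sni returns None for that case instead of guessing.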

Environment

This tutorial applies only to Ubuntu 14.04 and later.

For Debian 7 / 8, see the article that follows.

Installation steps

    apt-get install python-software-properties software-properties-common -y
    add-apt-repository ppa:dlundquist/sniproxy

After the second command runs, the output looks roughly like this:

    root@ubuntu:~# add-apt-repository ppa:dlundquist/sniproxy

    More info: https://launchpad.net/~dlundquist/+archive/ubuntu/sniproxy
    Press [ENTER] to continue or ctrl-c to cancel adding it

    gpg: keyring `/tmp/tmpnr3gi1cx/secring.gpg' created
    gpg: keyring `/tmp/tmpnr3gi1cx/pubring.gpg' created
    gpg: requesting key ED122FA0 from hkp server keyserver.ubuntu.com
    gpg: /tmp/tmpnr3gi1cx/trustdb.gpg: trustdb created
    gpg: key ED122FA0: public key "Launchpad PPA for Dustin Lundquist" imported
    gpg: Total number processed: 1
    gpg: imported: 1 (RSA: 1)
    OK

Continue the installation:

    apt-get update && apt-get install sniproxy -y

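Configuration

SNI Proxy's default configuration file: /etc/sniproxy.conf

For a detailed vim guide, see: A Truly Simple Tutorial for the VIM Editor on Linux

You can edit the file with an editor such as VIM, or write it directly with echo.

Brief VIM instructions (optional):

    echo "" > /etc/sniproxy.conf
    # empty the configuration file
    vi /etc/sniproxy.conf
    # open the configuration file

Then press I to enter insert mode, copy the content below into the configuration file (manually removing the leading echo -e " and the trailing " > /etc/sniproxy.conf), press Esc to leave insert mode, and type :wq to save and quit vi.

Below, the configuration file is written directly with echo.

Catch-all reverse proxy:

A catch-all reverse proxy relays every hostname that is requested through SNI Proxy. With this table, anyone who can reach port 443 on the server can relay to any host through it, so limit who can connect (for example with firewall rules) or use the custom table further down.

    echo -e "user daemon
    pidfile /var/run/sniproxy.pid

    listen 443 {
        proto tls
        table https_hosts
        access_log {
            filename /var/log/sniproxy/https_access.log
            priority notice
        }
    }
    table https_hosts {
        .* *:443
    }" > /etc/sniproxy.conf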

Custom reverse proxy:

A custom reverse proxy means you specify the domains yourself; only requests that reach SNI Proxy under those domains are proxied.

For example, if only (.*.|)google.com$ * is set, then only www.google.com, google.com and other second- and third-level subdomains of google.com can be proxied through SNI Proxy. Domains that are not listed are ignored.

Add a rule to table https_hosts {} for each domain you want to proxy. For example, to proxy any second- or third-level subdomain of google.com, write:

    (.*.|)google.com$ *

Any hostname based on google.com is then proxied, for example www.google.com, news.google.com and mail.google.com.

    echo -e "user daemon
    pidfile /var/run/sniproxy.pid

    listen 443 {
        proto tls
        table https_hosts
        access_log {
            filename /var/log/sniproxy/https_access.log
            priority notice
        }
    }

    table https_hosts {
        (.*.|)google.com$ *
        (.*.|)google.com.hk$ *
        (.*.|)googlemail.com$ *
        (.*.|)googlecode.com$ *
        (.*.|)blogspot.com$ *
        (.*.|)gmail.com$ *
        (.*.|)youtube.com$ *
    }" > /etc/sniproxy.conf
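A check of whether a table accepts only the domains it is meant to, as an added example (not from the original tutorial or the sniproxy project). It assumes sniproxy treats each table pattern as an unanchored regular expression, with Python's re module standing in for PCRE; the probe hostnames and the tighten() helper are constructed for illustration.

```python
import re

# Constructed sample: the custom table from the tutorial, reduced to two entries.
PAGE_CONF = """
table https_hosts {
    (.*.|)google.com$ *
    (.*.|)youtube.com$ *
}
"""


def parse_table(conf: str, name: str):
    """Return [(pattern, target), ...] from every 'table <name> { ... }' block."""
    entries, inside = [], False
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        if not inside:
            inside = line.split() == ["table", name, "{"]
        elif line == "}":
            inside = False
        elif line:
            pattern, _, target = line.partition(" ")
            entries.append((pattern, target.strip()))
    return entries


def tighten(domain: str) -> str:
    """Pattern that matches the domain and its subdomains, and nothing else."""
    return r"^(.*\.)?" + re.escape(domain) + "$"


def probes(intended):
    """Hostnames to test: legitimate names plus look-alikes that should be refused."""
    names = []
    for d in intended:
        names += [d, "www." + d, "evil" + d, d.replace(".", "x", 1)]
    return names + ["unrelated.example"]


def audit(entries, intended):
    """Map each pattern to the probe hostnames it accepts outside the intended domains."""
    def legit(host):
        return any(host == d or host.endswith("." + d) for d in intended)

    findings = {}
    for pattern, _target in entries:
        rx = re.compile(pattern)
        extra = [h for h in probes(intended) if rx.search(h) and not legit(h)]
        if extra:
            findings[pattern] = extra
    return findings


if __name__ == "__main__":
    intended = ["google.com", "youtube.com"]
    print(audit(parse_table(PAGE_CONF, "https_hosts"), intended))
    print(audit([(tighten(d), "*") for d in intended], intended))
```

Because parse_table collects entries from every block with the given name, a catch-all `.*` entry left over from the earlier configuration also shows up in the findings.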

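Usage

Commands

    service sniproxy start
    # if this does nothing and the service is not started, try running sniproxy directly
    # start SNI Proxy

    service sniproxy stop
    # stop SNI Proxy

    service sniproxy restart
    # restart SNI Proxy

    service sniproxy status
    # show status

After starting SNI Proxy, check which ports are being listened on:

    netstat -lntp

Output roughly like the following means it started normally and is listening on port 443; note the sniproxy at the end.

    root@ubuntu:~# netstat -lntp
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
    tcp6 0 0 :::443 :::* LISTEN 11673/sniproxy

If there is no listening entry for sniproxy, check whether another process or service is occupying port 443; if so, stop it and try starting SNI Proxy again.

If nothing is wrong, the SNI Proxy is ready to use.

Tuning

Before running SNI Proxy it is recommended to run the command below. It raises the number of file descriptors that can be open at once; with many TCP connections the system default of 1024 becomes a speed bottleneck.

    ulimit -n 51200

This command only takes effect temporarily and is lost after a reboot. To make it permanent, run:

    echo "* soft nofile 51200
    * hard nofile 51200" >> /etc/security/limits.conf

Then finally run ulimit -n 51200 once more.

Hosts

Find the hosts file on your computer and open it (note that hosts may be a hidden file that you have to make visible, and that on Windows 10 editing hosts requires administrator rights).

Hosts location on Windows XP / 7 / 10: C:\windows\system32\drivers\etc\hosts

On the last line, add the site you want to proxy, for example www.google.com

    233.233.233.233 www.google.com

Add other domains you want to proxy in the same format (233.233.233.233 is the IP of your SNI Proxy server). Hosts entries are tedious to maintain, though: watching videos on youtube.com, for example, needs many hostnames in hosts. So the hosts method is suitable if you only want to reach Google.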

-----------

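System requirements

This tutorial applies only to Debian 7 / 8; it does not apply to other systems.

Installing SNI Proxy's dependencies needs at least 150 MB of space, so make sure the system has 300 MB of free disk space.

Brief description

Put simply, SNI Proxy is reverse-proxy software: it passes your request unchanged to the target site and passes the data the site returns unchanged back to you. The hosts files and DNS servers currently circulating online for getting around the firewall all work by pointing Google and other domains at the IP of an SNI Proxy to get "direct" access to Google, so in a sense SNI Proxy acts as a carrier of traffic.

Because access through hosts or DNS in this way must use https, the whole exchange is encrypted, and SNI Proxy only forwards the traffic unchanged without decrypting it (it cannot), so there is no need to worry about the security of the content. The proxy operator does still see each client's IP address and the hostname it asks for, because the hostname travels unencrypted in the TLS handshake.

SNI Proxy GitHub project: https://github.com/dlundquist/sniproxy

Installation steps

Install dependencies

First, to make sure the dependencies install correctly and completely, switch the system's package sources to the latest stable source, jessie (this step is mandatory, otherwise errors are likely).

The command below uses the US mirror by default; you can replace the us in us.sources.list with another region (see here for details).

    # --no-check-certificate turns off TLS certificate verification for this download,
    # so read the fetched sources.list before running apt-get update
    rm -rf /etc/apt/sources.list && wget -N --no-check-certificate -O "/etc/apt/sources.list" https://raw.githubusercontent.com/ToyoDAdoubiBackup/doubi/master/sources/us.sources.list

Note: Debian 8 and Debian 9 do not need this mirror-switching step and can skip it; Debian 7 must run it!

Then update the package lists and start installing the dependencies.

    apt-get update
    apt-get install autotools-dev cdbs debhelper dh-autoreconf dpkg-dev gettext libev-dev libpcre3-dev libudns-dev pkg-config fakeroot devscripts build-essential unzip -y
    # The dependencies are large, possibly 100-300 MB, so pick a nearby mirror at the start or it will be very slow.
    # During installation the following prompt may appear; choose Yes.
    ======================== Configuring libc6:amd64 ========================
    x ....... x
    x ....... x
    x Restart services during package upgrades without asking? x
    x x
    x Yes No x
    x x
    =========================================================================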
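Install SNI Proxy

    mkdir sniproxy && cd sniproxy
    # create an SNI Proxy directory and enter it

    wget -N --no-check-certificate https://github.com/dlundquist/sniproxy/archive/master.zip
    # download the latest SNI Proxy source archive
    # (--no-check-certificate turns off TLS certificate verification for this download)

    unzip master.zip && cd sniproxy-master
    # unpack the SNI Proxy archive and enter the unpacked directory

    ./autogen.sh && dpkg-buildpackage
    # build the deb package

    sniproxy_deb=$(ls .. | grep "sniproxy_.*.deb") && echo "${sniproxy_deb}"
    # get the file name of the built deb package; normally this returns a name like sniproxy_0.X.X_amd64.deb

    [[ -n "${sniproxy_deb}" ]] && dpkg -i "../${sniproxy_deb}"
    # check whether the file name is empty; if it is not, install the deb package

Once installation has finished, run sniproxy -V to check that it succeeded; normally it returns the version number.

After installation you still need to set up the configuration file before it can be used. See this tutorial: A Certificate-Free Reverse Proxy Tool for DNS/Hosts: SNI Proxy Installation Tutorial

DNS server setup tutorials:

  1. [Original] Quickly build your own DNS server for getting around the firewall and blocking ads: the dowsDNS one-click script
  2. Using dowsDNS on Linux to quickly build your own DNS server for getting around the firewall and blocking ads
  3. Self-hosted DNS on Linux with SNI Proxy for getting around the firewall: DNSmasq configuration tutorial

Usage

Start: /etc/init.d/sniproxy start (if this does nothing and the service is not started, try running sniproxy directly)

Stop: /etc/init.d/sniproxy stop

Restart: /etc/init.d/sniproxy restart

Status: /etc/init.d/sniproxy status

Configuration file: /etc/sniproxy.conf

The dpkg -S sniproxy command lists all files installed by SNI Proxy.

Tuning

Before running SNI Proxy it is recommended to run the command below. It raises the number of file descriptors that can be open at once; with many TCP connections the system default of 1024 becomes a speed bottleneck.

    ulimit -n 51200

This command only takes effect temporarily and is lost after a reboot. To make it permanent, run:

    echo "* soft nofile 51200
    * hard nofile 51200" >> /etc/security/limits.conf

Then finally run ulimit -n 51200 once more.

Enable start on boot

    update-rc.d -f sniproxy defaults

Disable start on boot

    update-rc.d -f sniproxy remove

Uninstall SNI Proxy

    apt-get remove --purge sniproxy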

--------------------

 

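Building a better DNS server with dnscrypt-proxy v2.x and Unbound

Programs needed:

dnscrypt-proxy v2.x

unbound

DNSCrypt-proxy configuration

Edit /usr/local/etc/dnscrypt-proxy.toml.

127.0.0.1:5353 is the DNSCrypt listen address referred to in the unbound configuration below.

Unbound configuration

Edit /usr/local/etc/unbound/unbound.conf. If the file does not exist, you usually need to find the example configuration file shipped with the package and copy it over. Only the parts that need changing are listed here; the rest generally works with the defaults.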

 

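num-threads: 2 # the thread count can be set to the number of physical cores
interface: 0.0.0.0 # listen on all IPv4 addresses
interface: ::0 # listen on all IPv6 addresses
# if only the local machine needs it, a single interface: 127.0.0.1 is enough
so-rcvbuf: 4m
so-sndbuf: 4m # for local-only use, these two buf settings can be uncommented
so-reuseport: yes # write yes if multithreading is enabled
msg-cache-size: 64m # on a local machine 4m or less is fine
rrset-cache-size: 128m # on a local machine 4m or less is fine
cache-max-ttl: 3600 # a not-too-large value is recommended... the cure for stubborn ISP DNS caching
outgoing-num-tcp: 256 # limits concurrent TCP queries to upstreams, per thread
incoming-num-tcp: 1024 # limits concurrent TCP queries accepted, per thread
# the next four need no explanation; write no for whichever you don't want
do-ip4: yes
do-ip6: yes
do-udp: yes
do-tcp: yes
tcp-upstream: no # default is no; with a fairly stable tunnel there is no need for yes. Write yes where TCP to the upstream must be forced
access-control: 0.0.0.0/0 allow # for local use 127.0.0.0/8 allow is recommended; adjust suitably for LAN use
root-hints: "/etc/unbound/root.hints" # if missing, download a copy from ftp://FTP.INTERNIC.NET/domain/named.cache
hide-identity: yes # do not answer id.server and hostname.bind queries
hide-version: yes # do not answer version.server and version.bind queries
# there are custom identity and version options further down, though; if you don't hide these you can set them to something cute (´・ω・`)
harden-glue: yes # recommended on
module-config: "iterator" # disables DNSSEC validation; turn it off if the upstream does not support DNSSEC. Note this option may be in another included file
unwanted-reply-threshold: 10000000 # for misbehaving networks; the value is a suggestion, adjust it and see the effect
do-not-query-localhost: no # normally kept on to prevent back-and-forth and packet loss, but turned off because DNSCrypt is used below
prefetch: yes # quite useful, leave it on
minimal-responses: yes # saves bandwidth, leave it on. Can be turned off for local use
# Here is the key part: hand all default queries to DNSCrypt. Use [address]@[port] to give the query address and port; the default port is 53.
# Then hand domestic (China) addresses to a domestic caching server. The order of these two options must not be wrong.
# If querying through a tunnel, change this address to the tunnel peer's address, or to any overseas DNS server, e.g. 8.8.8.8.
# It depends on whether DNS runs on the peer or an overseas server is used directly. In the latter case, outgoing-interface above can be set to the tunnel's local address,
# but to work with dnsmasq-china-list, writing the routing table is more suitable, otherwise it is not flexible enough.
include: "/etc/unbound/accelerated-domains.china.unbound.conf"
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@5353

If you need edns-client-subnet support, you have to build from source and install manually. Commands:

# check out the source
svn co http://unbound.nlnetlabs.nl/svn/branches/edns-subnet/

# build and install
./configure --enable-subnet --with-libevent && make && sudo make install

Configuration file format:

# send edns-client-subnet to all servers by default
send-client-subnet: 0.0.0.0/0

To send edns-client-subnet requests only to specific authoritative DNS servers, write multiple lines of IPs in this format.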

----------------------------------------------------

 

Run brew install dnscrypt-proxy. After installation the executable is

/usr/local/bin/dnscrypt-proxy

The configuration file is /usr/local/etc/dnscrypt-proxy.toml

If /usr/local/etc/ does not contain dnscrypt-proxy.toml, copy it there first:

cp /usr/local/Cellar/dnscrypt-proxy/2.0.19/.bottle/etc/dnscrypt-proxy.toml /usr/local/etc/

nano /usr/local/etc/dnscrypt-proxy.toml

Some of the settings after editing:

ipv4_servers = true
ipv6_servers = false
dnscrypt_servers = true
doh_servers = true
require_dnssec = false
require_nolog = true
require_nofilter = true
force_tcp = true
proxy = "socks5://127.0.0.1:1080"
ignore_system_dns = true

After editing, you need to run a local socks5 proxy server program, such as an ssh tunnel.

sudo dnscrypt-proxy -config /usr/local/etc/dnscrypt-proxy.toml

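Tools for getting information

Telegram: an extremely handy chat and information-exchange tool. Besides strongly encrypted one-to-one private chats, it makes it easy to form very large groups and pick up information from specific communities and fields. For chat and groups alone, it is a good deal nicer to use than WeChat.

WeChat official accounts: from a philosophical standpoint I strongly dislike the closed internet that WeChat represents. Penning information inside a commercial moat largely kills its ability to flow, and the speech controls layered on top further prevent the public from coming to understand the world through free debate of viewpoints. Still, whatever one says, inside the wall WeChat is about all there is to read.

Evernote: use Evernote's web clipper to conveniently back up interesting articles themselves. One benefit is that when you later want to find an article you have read, you can simply search your own personal clippings. The other, naturally, is avoiding the risk of the article vanishing from the internet and never being found again. Evernote also has a free, cross-platform, full-featured open-source alternative: Joplin

Information sources

The sources below are mainly from outside the wall. Any views held by the sources I list do not represent my own, and I take no responsibility for anything they state. For news from inside the wall, pick positive-energy sources to taste from, for example, People's Daily, CCTV, Toutiao, Guancha, the web portals, official accounts, WeChat Moments and so on.

Finance and current affairs

天上阁 (formerly 墙外楼): it is not clear who is behind this site, but it is among the sources with the highest average article quality of the Chinese-language digest platforms outside the wall. Many times, a few days after finding a good article through some other channel inside or outside the wall, I have seen it appear here. Judging by the site's remarkable stability over ten years and the range of entry points it offers, including Android and iOS clients, there is probably an institution or organisation behind it. Subscribing by RSS is recommended for the best experience. Unfortunately the site stopped updating in December 2018.

新世纪 NewCenturyNet: a blog with good taste that reposts all kinds of finance articles. It reposts ten or so every day, which is a large volume. If you read the web page directly instead of subscribing by RSS, you will get lost in the blog's terrible, user-hostile navigation design. Again, RSS is recommended for the best experience.

Exploring the World: a personal blog that reposts a fairly select set of current-affairs articles. Only ten or so a month, and I think its taste in articles is also very good.

Info Aggregator: another aggregator blog of reposted news with good taste. About twenty to thirty reposts a week. The original site's interface is also poor; RSS subscription is strongly recommended for a better experience.

蛮族勇士: known for pulling data directly from official statistical yearbooks and analysing it. I particularly like this empirical spirit based on actual data (even though the data has already been altered into a mess). New articles currently appear on a WeChat official account, which gets "reincarnated" every so often. The full set of past articles can currently be found on some digest sites by searching for 蛮族勇士, for example this 蛮族勇士 article collection, which may not survive much longer. That said, 蛮族勇士's analysis sometimes quotes out of context and stirs things up; I suggest learning from his empirical spirit while thinking through and verifying the conclusions yourself.

端点星: an open-source site dedicated to backing up articles deleted from platforms such as WeChat and Weibo. Overall article quality is quite good. The official GitHub page also lists many mirror sites, so users inside the wall can use it without circumvention.

扑克投资家: the one I personally admire most among new-media finance outlets. It focuses mainly on commodities, its in-depth reporting is well written, and subscribing to its WeChat official account is the convenient way to follow it.

Chinese society and politics

端媒体: in my view the independent news outlet with the best in-depth reporting across mainland China, Hong Kong and Taiwan. Being headquartered in Taiwan, it avoids mainland news censorship, yet its choice of topics is very broad and humane, with none of the usual faults of Taiwanese media. I bought an annual membership to read its paid in-depth reports and to show my support for this rare, genuine media outlet.

编程随想: an educational stronghold among Chinese-language blogs, devoted to enlightening readers and teaching tools and methods of thinking rather than simply pushing opinions. If I could recommend only one blog to someone in the hope that they learn to think critically, I would choose this one.

中国数字时代: a site focused on social and political news from mainland China.

新品葱: can currently be thought of as an overseas Zhihu centred on political questions that cannot be discussed inside the wall. It currently suffers from too small a user base and a fairly low average level of discussion. Even so, it is a rare uncensored topical discussion forum on the overseas Chinese-language internet.

Technology and the internet

月光博客: an extremely long-lived personal blog in the Chinese-language internet, focused on internet-industry news. At one post a day it balances following hot topics against the big picture well.

湾区日报: pushes five quality English-language tech articles a day, each with a short Chinese comment. If you want more quality content on internet startups, I strongly recommend this index from 湾区日报: Where do 湾区日报's articles come from?

36氪: a high-quality Chinese-language news outlet covering tech startups, one of the ports of call every new startup has to pay respects to.

Geek and consumer electronics

小众软件: among all Chinese-language sites that help you use software better and be more productive, 小众软件 counts as a time-tested and enduring one. It often makes you exclaim "wow, there is software that can do that?"

数字尾巴: basically usable as an everyman's reference for buying consumer electronics.

ChipHell: a reference for consumer electronics and big-ticket male spending sprees, more upmarket and with more big spenders than 数字尾巴.

Other

知乎每日精选RSS: Zhihu is a giant cesspool of content of wildly mixed quality, but the Zhihu daily picks in RSS form offer a way to see, in under ten seconds, what Zhihu itself currently considers its better content. The link has to be copied into an RSS reader's subscribe function to display properly.

Xkcd: a long-running humour comic site whose jokes build on hard-core science. Like PhdComics, it is an excellent model of combining scientific rigour, readability and humour. What-if is xkcd's flagship column; each instalment rigorously works through a wildly imaginative idea with maths and physics, and is great fun. A Chinese edition has been published in book form.

王孟源的部落格: the level I most hope my own blog can be polished to within ten to twenty years. 王孟源 graduated from the physics department of 清華大學, earned a PhD in physics at Harvard and then worked in finance until retirement. Yet on his blog he handles military, economic, historical, social and physics topics with ease, incisively and with a light touch, which I truly envy.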

Sentry is a DNS proxy

Sentry - dns for fun and profit!

Sentry is a DNS proxy that allows you to inspect, block, rewrite, redirect and resolve queries.

Installing

  1. Download sentry
  2. python setup.py install

Configuring

You should start up with a basic json config file like this:

{
    "port" : 5300,
	"host" : "0.0.0.0",
	"rules" : [
		"resolve ^(.*) using 8.8.4.4, 8.8.8.8"
	]
}

The example above tells sentry to:

  • listen on port 5300 (udp)
  • resolve all inbound queries using DNS servers 8.8.4.4 and 8.8.8.8 (Google's public DNS servers)

Running it

To run sentry you just need to pass it the config file you created:

$ sentry -c CONFIG
[07/01/2012 06:38:28] [sentry] INFO: using config: sentry.config
[07/01/2012 06:38:28] [sentry.core] INFO: starting, 1 known rules
[07/01/2012 06:38:28] [sentry.net] INFO: Server started on 0.0.0.0:5300

For the prestige, you can use dig to verify sentry is responding to requests:

dig @localhost -p 5300 nytimes.com

Rules - doing things you never thought possible with DNS

Sentry allows you to log, block, rewrite, redirect and resolve queries based upon simple rules that are matched, in order, against the inbound DNS query.

Redirecting a query:

A redirect rule can redirect inbound requests for nytimes.com to google.com with a CNAME response.

"redirect ^(.*)nytimes.com to google.com"

Now, for the prestige:

$ dig @localhost -p 5300 nytimes.com

; <<>> DiG 9.7.3-P3 <<>> @localhost -p 5300 nytimes.com
; (3 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56474
;; flags: qr rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;nytimes.com.			IN	A

;; ANSWER SECTION:
nytimes.com.		300	IN	CNAME	google.com.

;; Query time: 502 msec
;; SERVER: 127.0.0.1#5300(127.0.0.1)
;; WHEN: Sun Jul  1 00:37:17 2012
;; MSG SIZE  rcvd: 50

Logging a query:

A log rule tells sentry to log inbound queries matching a certain regular expression

"log ^(.*)google.com"

Blocking a query:

A block rule tells sentry to return an empty response to all queries matching a certain regular expression

"block ^(.*).xxx"

Blocking rules can also be conditional - new!

"block ^(.*).google.com if type is MX"

A few more conditional examples:

"block ^(.*).google.com if type is MX and class is IN"
"block ^(.*).google.com if class is IN"

Resolving a query:

A resolve rule tells sentry to resolve all queries matching a certain regular expression using one, or more, upstream DNS servers

"resolve ^(.*)facebook.com using 10.10.1.2"

* If you would like your sentry server to resolve all inbound requests you must include at the bottom of your rules list a catch all entry like below:

"resolve ^(.*) using 8.8.4.4, 8.8.8.8"

If you list more than one upstream DNS server, sentry will query all of them in parallel and return the first successful response (new feature on v0.5).

Here's an example of a configuration file including multiple rules:

{
	"port" : 5300,
	"host" : "0.0.0.0",
	"rules" : [
		"block ^(.*)youtube.com",
		"block ^(.*).xxx",
		"log ^(.*)google.com",

		"rewrite ^www.google.com to google.com",

		"redirect ^(.*)nytimes.com to google.com",
		"redirect ^(.*)reddit.com to google.com",

		"resolve ^(.*)facebook.com using 10.10.1.2 ",
		"resolve ^(.*) using 8.8.4.4, 8.8.8.8"


	]
}

Sentry Metrics

Like metrics? Just send sentry a SIGUSR1 posix signal and bam!

sending the signal (replace $PID with sentry's process id):

$ kill -USR1 $PID

output in the sentry log:

[07/01/2012 00:57:12] [sentry.core] INFO: system stats:
+-------------------------------------+---------------+
| metric                              | value         |
+-------------------------------------+---------------+
| net.bytes_received                  | 85            |
| net.bytes_sent                      | 458           |
| net.packets_received                | 3             |
| net.packets_sent                    | 3             |
| requests_pending                    | 0             |
| requests_total                      | 3             |
| response_time_msec_avg              | 3.07466666667 |
| response_time_msec_max              | 4.138         |
| response_time_msec_min              | 1.435         |
| uptime                              | 23.628207922  |
| <class 'sentry.rules.RedirectRule'> | 1             |
| <class 'sentry.rules.LoggingRule'>  | 2             |
| <class 'sentry.rules.ResolveRule'>  | 2             |
+-------------------------------------+---------------+
[07/01/2012 00:57:12] [sentry.core] INFO: domain stats:
+--------------+---------+
| domain       | queries |
+--------------+---------+
| google.com.  | 2       |
| nytimes.com. | 1       |
+--------------+---------+

Performance (updated in version 0.5)

DNS is an inherently lightweight protocol (connection-less, small payload size, etc) so you should be able to handle many hundreds of connections per second in a single tight loop thread (sentry's default mode of operation).

There is however a particular case in which what I just told you is a complete lie: slow upstream servers. If you are getting responses from upstream servers greater than single digits msec you might want to consider increasing the size of Sentry's internal thread pool so more requests are outstanding at once.

Here's an example of a custom thread pool size:

{
    "port" : 5300,
    "host" : "0.0.0.0",
    "threadpool_size" : 4,
    "rules" : [
        "block ^(.*)youtube.com if type is MX",
        "block ^(.*).xxx",
        "log ^(.*)google.com",

        "rewrite ^www.google.com to google.com",

        "redirect ^(.*)nytimes.com to google.com",
        "redirect ^(.*)reddit.com to google.com",

        "resolve ^(.*)facebook.com using 10.10.1.2 ",
        "resolve ^(.*) using 8.8.4.4, 8.8.8.8"

    ]
}

Benchmarking

Sentry comes with a built in benchmark tool that you can use against sentry itself or any other DNS servers. In essence, it's based upon resolving Alexa's top 1M dns names (http://www.alexa.com/topsites).

benchmarking a server running on 127.0.0.1 port 5300 using the top 1000 sites:

$ ./sentry --benchmark -s 127.0.0.1:5300 -l 1000

sample results:

[03/05/2013 23:52:05] [sentry.benchmark] INFO: results:
+------------------------+---------------+
| metric                 | value         |
+------------------------+---------------+
| elapsed_time_seconds   | 9             |
| queries_failed         | 26            |
| queries_per_second     | 11            |
| queries_successful     | 74            |
| response_time_msec_avg | 606.538994892 |
| response_time_msec_max | 1007.17687607 |
| response_time_msec_min | 472.496032715 |
| uptime                 | 9.07831001282 |
+------------------------+---------------+

from https://github.com/rferreira/sentry

It is best to do this inside a virtualenv. Versions may be incompatible.

dns servers/proxies

Get help with DNS related problems or issues in #dns

   New root hints

Use dig, drill or kdig to fetch them from any root server into whichever file is used to prime your server, e.g., dig @198.41.0.4 > named.cache

Hints, full zone and trust anchor (KSK) files are available from or via IANA using FTP or HTTPS.

   New root DNSSEC KSK

The root DNSSEC KSK (trust anchor) was replaced (rolled) on 11 October 2018. It was originally planned for a year earlier but was postponed for cautionary reasons; see their announcement for details. For most this has been a non-event. ICANN has information for anyone interested, especially those running validating resolvers.

   Software

   Nameservers or proxies

Name | Version | Type
BIND | 9.14.3/9.11.8 | authoritative and validating resolver in one
Cisco Prime Network Registrar DNS | 9.1.1.1 | authoritative and validating resolver
CoreDNS | 1.5.2 | DNS server written in Go, with service discovery and chaining plugins
djbdns | 1.05 | authoritative (limited record types supported) and non-validating resolver using distinct programs
DNRD | 2.20.3 | proxy
dnscrypt-proxy | 1.9.5 | proxy/forwarder
dnsdist | 1.3.3 | load balancer, DoT (since 1.3.0), dnscrypt
dnsmasq | 2.80 | filtering proxy with authoritative abilities
Dohnut | 4.5.2 | DNS to DoH proxy, load balancer, query fuzzer
gdnsd | 3.2.0 | authoritative
Knot DNS | 2.8.2 | authoritative
Knot Resolver | 4.1.0 | validating resolver
MaraDNS | 2.0.17 | authoritative
MaraDNS Deadwood | 3.2.14 | resolver
NSD | 4.2.1 | authoritative
NxFilter | 4.3.4.5 | filtering proxy
pdnsd | 1.2.9a-par | proxy
Posadis | 0.60.6 | authoritative and resolver in one
PowerDNS Authoritative | 4.1.10 | authoritative
PowerDNS Recursor | 4.1.14 | resolver
SANS | 1.0.1 | authoritative
Simple DNS Plus | 8.0(110) | authoritative and resolver all in one
stubby | 0.2.6 | proxy
systemd-resolved | 240 | optionally validating resolver (part of systemd), also supports DoT, LLMNR and mDNS
Technitium DNS Server | 4.0(beta) | resolver and proxy supporting optional forwarding via DoH (standard or "JSON") or DoT
Unbound | 1.9.2 | validating resolver, DoT, dnscrypt
YADIFA | 2.3.9 | authoritative

   Tools

Name | Version | Type
adns | 1.5.1 | cli: library that includes some utilities
BuddyNS Delegation Lab tool | | web: visualize and troubleshoot delegation
Bulldohzer | 1.1.2 | cli: DNS & DoH latency measurements
c-ares | 1.15.0 | cli: library that includes some utilities
delv | | cli: lookup and DNSSEC validation (part of BIND 9.10+)
dHSM | | cli: Distributed Threshold Cryptography HSM
dHSM zone signer | | cli: Zone signer companion for dHSM by using PKCS11
dig | | cli: lookup (part of BIND)
DNSBajaj (DNS By Eye) | 0.9.6 | web: check the delegation of your domain by using graphs of dependencies
DNSDiag | 1.6.4 | cli: diagnostics and performance measurement
dnsperf/resperf | 2.2.1 | cli: benchmark nameserver performance
DNSSEC Analyzer | | web: Verisign's DNSSEC problem debugger
dnssec-failed.org | | web: if you can visit the site, your resolver didn't perform DNSSEC validation (the site should show a page saying that, but doesn't)
dnssec-tools.org | 2.2.3 | cli: various DNSSEC tools; web: results of data submitted by dnssec-check; gui: tray monitor
dnssectest.net | | web: lookup and DNSSEC validation, plus DNSSEC deployment stats
DNSstuff | | web: domain name analysis
DNSViz | 0.8.2 | cli & web: zone visualization (including DNSSEC)
dnstracer | 1.9 | cli: trace name delegation
flamethrower | 0.10 | cli: benchmark nameserver performance
getdnsapi | 1.5.2 | new api to use dns
Google Public DNS | | web: web based resolver
intoDNS | | web: provides lots of info about a domain (some requires own interpretation)
kdig | | cli: advanced lookups including DoT (part of Knot DNS)
ldns | 1.7.0 | cli: library that includes a lookup tool (drill) that provides even more information than dig
Namebench | 2.0 | cli: benchmark nameserver performance
OpenDNSSEC | 2.1.4 | cli: policy-based zone signer with PKCS#11 interface
PacketQ | 1.4.1 | cli: run sql queries against pcap files
SoftHSM | 2.5.0 | cli: optional companion for OpenDNSSEC. Cryptographic store with PKCS#11 interface
The Transitive Trust and DNS Dependency Graph Portal | | web: graphs of transitive trust and dependencies
unbound-host | | cli: lookup (part of unbound)
Zonemaster | 2019.1.1 | cli+web: zone delegation quality checker

   Service providers

   Authoritative services

Note that most registrars provide it for free, though some charge a fee - we don't attempt to enumerate them here.

Provider | Cost | Notes
Afraid FreeDNS | free with limits | secondary
Akamai (Cotendo) | paid |
Amazon - Route 53 | paid | api, registration
BuddyNS | free and paid | api
Cloudflare | free and paid | api, dynamic
ClouDNS | free and paid tiers | secondary
DNS Made Easy | paid with free trial | api
DNSimple | paid | secondary
Dyn | paid | dynamic, registration
easyDNS | paid | dynamic (some plans), registration, secondary
GoDaddy | paid |
Google - Cloud DNS | paid with free trial | api
GratisDNS | free | secondary, danish
Hurricane Electric | free | api, dynamic, limited record types (no dnssec), secondary
Namecheap | free, free if domain is purchased/renewed (BasicDNS) and paid | dynamic, free has limited record types (no dnssec), secondary (premium only)
Neustar UltraDNS | paid | api, secondary
No-IP.com | free and paid |
NS1 | free and paid | api, secondary
PUCK | free | secondary only
Rackspace | free if using other (paid) services | api
Verisign Managed DNS | paid |
Verizon ROUTE | paid | api

   Recursor services

Note that most ISPs and some datacenters provide it for free to their customers - we don't attempt to enumerate them here. Beware: some ISPs log and sell their resolver data, and some replace NXDOMAIN with their own server's address(es) to provide their form of safety and/or marketing, some do both.

Also, paid filtering services usually provide customization, so domains or classes of domains can be added or removed from the filters.

Provider Cost Notes Addresses
Akamai AnswerX paid
CenturyLink (nee Level 3)   does not officially provide a public resolver though their servers will respond; they have at times provided 'fake' responses - please do not use these addresses
  • 4.2.2.x
Cisco Umbrella (nee OpenDNS) free and paid filtering, also on 5353/udp and 5353/tcp, dnscrypt on 443/tcp
check/purge entry at their cachecheck tool
check their system status (works even if your DNS isn't working)
Home:
  • 208.67.222.222
  • 208.67.220.220
  • 2620:0:CCC::2
  • 2620:0:CCD::2
FamilyShield (blocks adult content):
  • 208.67.222.123
  • 208.67.220.123
CleanBrowsing free and paid filtering, also on 5353/udp and 5353/tcp, DoH, DoT, dnscrypt on 8443/tcp Security Filter (malicious sites):
  • 185.228.168.9
  • 185.228.169.9
  • 2A0D:2A00:1::2
  • 2A0D:2A00:2::2
Adult Filter (blocks security (above) plus adult, pornographic and explicit): Family Filter (blocks adult (above) plus proxy/vpn and mixed content): TLS:
  • CN=cleanbrowsing.org
Cloudflare
announcement
  free, limited logging, DoH, DoT
Comodo Secure DNS free filtering
  • 8.26.56.26
  • 8.20.247.20
Commons Host free DoH only DoH:
DNS-OARC ODVR free validating
  • 184.105.193.73
  • 184.105.193.74
  • 2620:FF:C000:0:1::64:20
  • 2620:FF:C000:0:1::64:21
DNS.WATCH free no logging, validating
  • 84.200.69.80
  • 84.200.70.40
  • 2001:1608:10:25::1C04:B12F
  • 2001:1608:10:25::9249:D69B
Dyn Internet Guide free filtering, correcting
  • 216.146.35.35
  • 216.146.36.36
FreeDNS free no logging
  • 37.235.1.174
  • 37.235.1.177
Google Public DNS free validating, DoH
flush a cached entry using their flush cache tool
Norton ConnectSafe free filtering, validating, shutting down November 15th 2018 Security filtering only:
  • 199.85.126.10
  • 199.85.127.10
Security + Pornography:
  • 199.85.126.20
  • 199.85.127.20
Security + Pornography + Other:
  • 199.85.126.30
  • 199.85.127.30
Neustar DNS Advantage free correcting, filtering, validating Reliability & Performance 1:
  • 156.154.70.1
  • 156.154.71.1
  • 2610:A1:1018::1
  • 2610:A1:1019::1
Reliability & Performance 2 (no correcting):
  • 156.154.70.5
  • 156.154.71.5
  • 2610:A1:1018::5
  • 2610:A1:1019::5
Threat Protection (Malware, Ransomware, Spyware & Phishing):
  • 156.154.70.2
  • 156.154.71.2
  • 2610:A1:1018::2
  • 2610:A1:1019::2
Family Secure (Threat + Gambling, Pornography, Violence & Hate/Discrimination):
  • 156.154.70.3
  • 156.154.71.3
  • 2610:A1:1018::3
  • 2610:A1:1019::3
Business Secure (Family + Gaming, Adult, Drugs, Alcohol & Anonymous Proxies):
  • 156.154.70.4
  • 156.154.71.4
  • 2610:A1:1018::4
  • 2610:A1:1019::4
Quad9 free "Secure": filtering, logs only geoloc, does not send ecs, validating, DoT
"Unsecured": unfiltered, logs only geoloc, sends ecs, DoT
"Secure":
  • 9.9.9.9
  • 149.112.112.112
  • 2620:FE::FE
  • 2620:FE::9
"Unsecured":
  • 9.9.9.10
  • 149.112.112.10
  • 2620:FE::10
  • 2620:FE::FE:10
TLS:
  • CN=dns.quad9.net
SafeDNS paid with free trial  
  • 195.46.39.39
  • 195.46.39.40
SecureDNS free validating, no logging, personally supported, DoH, DoT, dnscrypt on 5353/tcp, NameCoin & OpenNIC namespaces
  • 146.185.167.43
  • 2A03:B0C0:0:1010::E9A:3001

TLS: CN=securedns.eu/SAN=*.securedns.eu
SPKI Pin: h3mufC43MEqRD6uE4lz6gAgULZ5/riqH/E+U+jE3H8g=
DoH URL: https://doh.securedns.eu/dns-query
DoT Host: dot.securedns.eu
Verisign Public DNS free validating
  • 64.6.64.6
  • 64.6.65.6
  • 2620:74:1B::1:1
  • 2620:74:1C::2:2
Yandex.DNS free and paid filtering, unfiltered Basic (unfiltered):
  • 77.88.8.8
  • 77.88.8.1
  • 2A02:6B8::FEED:0FF
  • 2A02:6B8:0:1::FEED:0FF
Safe (Secure + "infected sites, fraudulent sites, and bots"):
  • 77.88.8.88
  • 77.88.8.2
  • 2A02:6B8::FEED:BAD
  • 2A02:6B8:0:1::FEED:BAD
Family (Safe + "adult sites and adult advertising"):
  • 77.88.8.7
  • 77.88.8.3
  • 2A02:6B8::FEED:A11
  • 2A02:6B8:0:1::FEED:A11

   Reading material

Resource | Summary
RFC 1034 | Domain names - concepts and facilities
RFC 1035 | Domain names - implementation and specification
IANA DNS Parameters | Compilation of DNS parameters with RFC references
IANA Protocol Registries | Compilation of protocol registries, including among other things additional DNS and DNSSEC parameter compilations
Almost all DNS related RFCs | Search rfc-editor.org for dns
Some DNS related RFCs | Search rfc-editor.org for domain
An up to date list of Domain Name System RFCs | Maintained by Frederic Cambus
Relevant Domain Name System RFCs | Maintained by bert hubert
IANA Domain Name Services | IANA maintains and operates several key aspects of the DNS
Blogged DNS links listing | Compilation of blogged DNS links from Jan-Piet Mens
Alternative DNS Servers (Free) | Book written by Jan-Piet Mens

   Why does this site exist?

The topic of #dns on freenode was growing too long, so here is all that info, and more.

This page is also hosted via GitHub with its source code available. Pull requests are welcome!

 

from http://dns-channel.github.io/#recsrv

-----

Known DNS Providers

 

AdGuard users can configure any DNS server to be used instead of the system default provided by the router or ISP. In this article you will find a list of popular DNS providers.

  

AdGuard DNS 

AdGuard DNS is an alternative solution for ad blocking, privacy protection, and parental control. It provides a number of necessary protection features against online ads, trackers, and phishing, no matter what platform and device you use.

Default 

These servers block ads, tracking and phishing

Protocol | Address
DNS, IPv4 | 176.103.130.130 and 176.103.130.131
DNS, IPv6 | 2a00:5a60::ad1:0ff and 2a00:5a60::ad2:0ff
DNSCrypt, IPv4 | Provider: 2.dnscrypt.default.ns1.adguard.com IP: 176.103.130.130:5443
DNSCrypt, IPv6 | Provider: 2.dnscrypt.default.ns2.adguard.com IP: [2a00:5a60::ad2:0ff]:5443
DNS-over-HTTPS | https://dns.adguard.com/dns-query
DNS-over-TLS | tls://dns.adguard.com

Family Protection 

These servers provide the Default features + Blocking adult websites + Safe search

Protocol | Address
DNS, IPv4 | 176.103.130.132 and 176.103.130.134
DNS, IPv6 | 2a00:5a60::bad1:0ff and 2a00:5a60::bad2:0ff
DNSCrypt, IPv4 | Provider: 2.dnscrypt.family.ns1.adguard.com IP: 176.103.130.132:5443
DNSCrypt, IPv6 | Provider: 2.dnscrypt.family.ns2.adguard.com IP: [2a00:5a60::bad2:0ff]:5443
DNS-over-HTTPS | https://dns-family.adguard.com/dns-query
DNS-over-TLS | tls://dns-family.adguard.com

  

Yandex DNS 

Yandex.DNS is a free recursive DNS service. Yandex.DNS' servers are located in Russia, CIS countries, and Western Europe. Users' requests are processed by the nearest data center which provides high connection speeds.

Basic 

In "Basic" mode, there is no traffic filtering

Protocol | Address
DNS, IPv4 | 77.88.8.8 and 77.88.8.1
DNS, IPv6 | 2a02:6b8::feed:0ff and 2a02:6b8:0:1::feed:0ff
DNSCrypt, IPv4 | Provider: 2.dnscrypt-cert.browser.yandex.net IP: 77.88.8.78:15353

Safe 

In "Safe" mode, protection from infected and fraudulent sites is provided

Protocol | Address
DNS, IPv4 | 77.88.8.88 and 77.88.8.2
DNS, IPv6 | 2a02:6b8::feed:bad and 2a02:6b8:0:1::feed:bad

Family 

In "Family" mode, protection from infected, fraudulent and adult sites is provided

Protocol | Address
DNS, IPv4 | 77.88.8.3 and 77.88.8.7
DNS, IPv6 | 2a02:6b8::feed:a11 and 2a02:6b8:0:1::feed:a11

  

CleanBrowsing 

CleanBrowsing is a DNS service which provides customizable filtering. This service offers a safe way to browse the web without inappropriate content.

Family Filter 

Blocks access to all adult, pornographic and explicit sites, including proxy & VPN domains and mixed content sites

Protocol | Address
DNS, IPv4 | 185.228.168.168 and 185.228.169.168
DNS, IPv6 | 2a0d:2a00:1::1 and 2a0d:2a00:2::1
DNSCrypt, IPv4 | Provider: cleanbrowsing.org IP: 185.228.168.168:8443
DNSCrypt, IPv6 | Provider: cleanbrowsing.org IP: [2a0d:2a00:1::]:8443
DNS-over-HTTPS | https://doh.cleanbrowsing.org/doh/family-filter/

Adult Filter 

Less restrictive than the Family filter, it only blocks access to adult content and malicious and phishing domains

Protocol | Address
DNS, IPv4 | 185.228.168.10 and 185.228.169.10
DNS, IPv6 | 2a0d:2a00:1:: and 2a0d:2a00:2::
DNSCrypt, IPv4 | Provider: cleanbrowsing.org IP: 185.228.168.10:8443
DNSCrypt, IPv6 | Provider: cleanbrowsing.org IP: [2a0d:2a00:1::1]:8443
DNS-over-HTTPS | https://doh.cleanbrowsing.org/doh/adult-filter/

Security Filter 

Blocks phishing, spam and malicious domains

Protocol | Address
DNS, IPv4 | 185.228.168.9 and 185.228.169.9
DNS, IPv6 | 2a0d:2a00:1::2 and 2a0d:2a00:2::2
DNS-over-HTTPS | https://doh.cleanbrowsing.org/doh/security-filter/

  

Neustar Recursive DNS 

Neustar Recursive DNS is a free cloud-based recursive DNS service that delivers fast and reliable access to sites and online applications with built-in security and threat intelligence.

Reliability & Performance 1 

These servers provide reliable and fast DNS lookups without blocking any specific categories

Protocol | Address
DNS, IPv4 | 156.154.70.1 and 156.154.71.1
DNS, IPv6 | 2610:a1:1018::1 and 2610:a1:1019::1

Reliability & Performance 2* 

These servers provide reliable and fast DNS lookups without blocking any specific categories and also prevent redirecting NXDomain (Non-existent Domain) responses to a landing page

Protocol | Address
DNS, IPv4 | 156.154.70.5 and 156.154.71.5
DNS, IPv6 | 2610:a1:1018::5 and 2610:a1:1019::5

Threat Protection 

These servers provide protection against malicious domains and also include "Reliability & Performance" features

Protocol | Address
DNS, IPv4 | 156.154.70.2 and 156.154.71.2
DNS, IPv6 | 2610:a1:1018::2 and 2610:a1:1019::2

Family Secure 

These servers block access to mature content and also include "Reliability & Performance" + "Threat Protection" features

Protocol | Address
DNS, IPv4 | 156.154.70.3 and 156.154.71.3
DNS, IPv6 | 2610:a1:1018::3 and 2610:a1:1019::3

Business Secure 

These servers block unwanted and time-wasting content and also include "Reliability & Performance" + "Threat Protection" + "Family Secure" features

Protocol | Address
DNS, IPv4 | 156.154.70.4 and 156.154.71.4
DNS, IPv6 | 2610:a1:1018::4 and 2610:a1:1019::4

  

Cisco OpenDNS 

Cisco OpenDNS is a service which extends the DNS by incorporating features such as content filtering and phishing protection with zero downtime.

Standard 

DNS servers with custom filtering that protects your device from malware

Protocol | Address
DNS, IPv4 | 208.67.222.222 and 208.67.220.220
DNS, IPv6 | 2620:119:35::35 and 2620:119:53::53
DNSCrypt, IPv4 | Provider: 2.dnscrypt-cert.opendns.com IP: 208.67.220.220
DNSCrypt, IPv6 | Provider: 2.dnscrypt-cert.opendns.com IP: [2620:0:ccc::2]

FamilyShield 

OpenDNS servers that provide adult content blocking

Protocol | Address
DNS, IPv4 | 208.67.222.123 and 208.67.220.123
DNSCrypt, IPv4 | Provider: 2.dnscrypt-cert.opendns.com IP: 208.67.220.123

  

Google DNS 

Google DNS is a free, global DNS resolution service that you can use as an alternative to your current DNS provider.

Protocol | Address
DNS, IPv4 | 8.8.8.8 and 8.8.4.4
DNS, IPv6 | 2001:4860:4860::8888 and 2001:4860:4860::8844
DNS-over-HTTPS | https://dns.google.com/experimental
DNS-over-TLS | tls://dns.google

  

Cloudflare DNS 

Cloudflare DNS is a free and fast DNS service which functions as a recursive name server providing domain name resolution for any host on the Internet.

Protocol | Address
DNS, IPv4 | 1.1.1.1 and 1.0.0.1
DNS, IPv6 | 2606:4700:4700::1111 and 2606:4700:4700::1001
DNS-over-HTTPS, IPv4 | https://dns.cloudflare.com/dns-query
DNS-over-HTTPS, IPv6 | https://dns.cloudflare.com/dns-query
DNS-over-TLS | tls://1.1.1.1

  

Quad9 DNS 

Quad9 DNS is a free, recursive, anycast DNS platform that provides high-performance, privacy, and security protection from phishing and spyware. Quad9 servers don't provide a censoring component.

Standard 

Regular and DNS-over-TLS servers which provide protection from phishing and spyware

Protocol | Address
DNS, IPv4 | 9.9.9.9 and 149.112.112.112
DNS-over-TLS | tls://dns.quad9.net

Encrypted DNSSec/no-log/filter 

Protocol | Address
DNSCrypt, IPv4 | Provider: 2.dnscrypt-cert.quad9.net IP: 9.9.9.9:8443
DNSCrypt, IPv4 | Provider: 2.dnscrypt-cert.quad9.net IP: 149.112.112.9:8443
DNSCrypt, IPv6 | Provider: 2.dnscrypt-cert.quad9.net IP: [2620:fe::9]:8443
DNSCrypt, IPv6 | Provider: 2.dnscrypt-cert.quad9.net IP: [2620:fe::fe:9]:8443
DNS-over-HTTPS, IPv4 | dns9.quad9.net:443/dns-query
DNS-over-HTTPS, IPv6 | dns9.quad9.net:443/dns-query

Encrypted no-DNSSec/no-log/no-filter 

Protocol | Address
DNSCrypt, IPv4 | Provider: 2.dnscrypt-cert.quad9.net IP: 9.9.9.10:8443
DNSCrypt, IPv4 | Provider: 2.dnscrypt-cert.quad9.net IP: 149.112.112.10:8443
DNSCrypt, IPv6 | Provider: 2.dnscrypt-cert.quad9.net IP: [2620:fe::9]:8443
DNSCrypt, IPv6 | Provider: 2.dnscrypt-cert.quad9.net IP: [2620:fe::fe:9]:8443
DNS-over-HTTPS, IPv4 | dns9.quad9.net:443/dns-query
DNS-over-HTTPS, IPv6 | dns9.quad9.net:443/dns-query

  

Verisign Public DNS 

Verisign Public DNS is a free DNS service that offers improved DNS stability and security over other alternatives. Verisign respects users' privacy: it doesn't sell public DNS data to third parties or redirect users' queries to serve them ads.

Protocol | Address
DNS, IPv4 | 64.6.64.6 or 64.6.65.6
DNS, IPv6 | 2620:74:1b::1:1 or 2620:74:1c::2:2

  

DNS.WATCH 

DNS.WATCH is a fast and free server without logging with a privacy protection feature.

Protocol | Address
DNS, IPv4 | 84.200.69.80 and 84.200.70.40
DNS, IPv6 | 2001:1608:10:25::1c04:b12f and 2001:1608:10:25::9249:d69b

  

Comodo Secure DNS 

Comodo Secure DNS is a domain name resolution service that resolves your DNS requests through a worldwide network of DNS servers. It removes excessive ads and protects from phishing and spyware.

Protocol | Address
DNS, IPv4 | 8.26.56.26 and 8.20.247.20
DNSCrypt, IPv4 | Provider: 2.dnscrypt-cert.shield-2.dnsbycomodo.com IP: 8.20.247.2

  

Dyn DNS 

Dyn DNS is a free alternative DNS service by Dyn

Protocol | Address
DNS, IPv4 | 216.146.35.35 and 216.146.35.36

  

OpenNIC DNS 

OpenNIC DNS is a free alternative DNS service by OpenNIC Project

Protocol | Address
DNS, IPv4 | 185.121.177.177 and 169.239.202.202
DNS, IPv6 | 2a05:dfc7:5::53 and 2a05:dfc7:5353::53

  

Quad101 

Quad101 is a free alternative DNS service without logging by TWNIC (Taiwan Network Information Center)

Protocol | Address
DNS, IPv4 | 101.101.101.101 and 101.102.103.104
DNS, IPv6 | 2001:de4::101 and 2001:de4::102

  

Freenom World 

Freenom World is a free anonymous DNS resolver by Freenom World

Protocol | Address
DNS, IPv4 | 80.80.80.80 and 80.80.81.81

  

Fortinet Secure 

Fortinet Secure is a free alternative DNS service by FortiGuard

Protocol | Address
DNS, IPv4 | 208.91.112.220 and 80.85.69.54

  

Safe DNS 

Safe DNS is a global anycast network which consists of servers located throughout the world — both Americas, Europe, Africa, Australia, and the Far East to ensure a fast and reliable DNS resolving from any point worldwide.

Protocol | Address
DNS, IPv4 | 195.46.39.39 and 195.46.39.40

  

Strongarm DNS 

Strongarm DNS is a DNS service by Strongarm that prevents people from interacting with malicious content

Protocol | Address
DNS, IPv4 | 54.174.40.213 and 52.3.100.184

  

SafeSurfer DNS 

SafeSurfer DNS is a DNS service by SafeSurfer that protects your device from harmful content

Protocol | Address
DNS, IPv4 | 104.155.237.225 and 104.197.28.121

  

Captnemo DNS 

Captnemo DNS is a server running out of a Digital Ocean droplet in BLR1 region. Maintained by Abhay Rana aka Nemo.

Protocol | Address
DNSCrypt, IPv4 | Provider: 2.dnscrypt-cert.captnemo.in IP: 139.59.48.222:4434

  

fvz DNS 

fvz DNS is Fusl's public primary OpenNIC Tier2 anycast DNS resolver

Protocol | Address
DNSCrypt, IPv4 | Provider: 2.dnscrypt-cert.dnsrec.meo.ws IP: 185.121.177.177:5353
DNSCrypt, IPv4 | Provider: 2.dnscrypt-cert.dnsrec.meo.ws IP: 169.239.202.202:5353

  

Nawala Childprotection DNS 

Nawala Childprotection DNS is an anycast Internet filtering system that protects children from inappropriate websites and abusive content.

Protocol | Address
DNSCrypt, IPv4 | Provider: 2.dnscrypt-cert.nawala.id IP: 180.131.144.144

  

securedns.eu: DNS-over-TLS, DNS-over-HTTPS and DNSCrypt Provider 

securedns.eu DNS-over-TLS, DNS-over-HTTPS and DNSCrypt Provider

Protocol | Address
DNS-over-TLS | Hostname: dot.securedns.eu IP: 146.185.167.43:853 and IPv6: [2a03:b0c0:0:1010::e9a:3001]:853
DNS-over-HTTPS, IPv4 | Hostname: https://doh.securedns.eu/dns-query IP: 146.185.167.43:443
DNS-over-HTTPS, IPv6 | Hostname: https://doh.securedns.eu/dns-query IPv6: [2a03:b0c0:0:1010::e9a:3001]:443
DNSCrypt, IPv4 | Provider: 2.dnscrypt-cert.securedns.eu IP: 146.185.167.43:5353
DNSCrypt, IPv6 | Provider: 2.dnscrypt-cert.securedns.eu IP: [2a03:b0c0:0:1010::e9a:3001]:5353

  

blahdns (germany) 

blahdns (germany): a small hobby ad-blocking DNS project with DNS-over-TLS, DNS-over-HTTPS and DNSCrypt support.

Protocol | Address
DNS-over-TLS, IPv4 | Hostname: dot-de.blahdns.com IP: 159.69.198.101
DNS-over-HTTPS, IPv4 | Hostname: https://doh-de.blahdns.com/dns-query IP: 159.69.198.101
DNSCrypt, IPv4 | Provider: 2.dnscrypt-cert.blahdns.com IP: 159.69.198.101:8443

  

ibksturm 

ibksturm: DNS-over-TLS, DNS-over-HTTPS and DNSCrypt testing server by ibksturm. OpenNIC, DNSSEC, no filter, no logging.

Protocol | Address
DNS-over-TLS, IPv4 | Hostname: ibksturm.synology.me IP: 178.82.102.190
DNS-over-HTTPS, IPv4 | Hostname: https://ibksturm.synology.me/dns-query IP: 178.82.102.190
DNSCrypt, IPv4 | Provider: 2.dnscrypt-cert.ibksturm IP: 178.82.102.190

  

DNS-over-TLS Servers by switch.ch 

DNS-over-TLS provider by switch.ch: Swiss DNS-over-TLS and plain DNS server.

Protocol | Address
DNS, IPv4 | Provider: dns.switch.ch IP: 130.59.31.248
DNS, IPv6 | Provider: dns.switch.ch IPv6: 2001:620:0:ff::2
DNS-over-TLS | Hostname: dns.switch.ch IP: 130.59.31.248 and IPv6: 2001:620:0:ff::2

  

DNS-over-TLS Servers by dnsprivacy.org 

DNS-over-TLS provider by dnsprivacy.org: list of public DNS-over-TLS testing servers.

Protocol | Address
DNS-over-TLS | Provider: Surfnet Hostname: dnsovertls.sinodun.com IP: 145.100.185.15 and IPv6: 2001:610:1:40ba:145:100:185:15
DNS-over-TLS | Provider: Surfnet Hostname: dnsovertls1.sinodun.com IP: 145.100.185.16 and IPv6: 2001:610:1:40ba:145:100:185:16
DNS-over-TLS | Hostname: getdnsapi.net IP: 185.49.141.37 and IPv6: 2a04:b900:0:100::37
DNS-over-TLS | Provider: UncensoredDNS Hostname: unicast.censurfridns.dk IP: 89.233.43.71 and IPv6: 2a01:3a0:53:53::0
DNS-over-TLS | Provider: Fondation RESTENA Hostname: kaitain.restena.lu IP: 158.64.1.29 and IPv6: 2001:a18:1::29
DNS-over-TLS | Provider: dkg Hostname: dns.cmrg.net IP: 199.58.81.218 and IPv6: 2001:470:1c:76d::53
DNS-over-TLS, IPv4 | Hostname: dns.larsdebruin.net IP: 51.15.70.167
DNS-over-TLS | Hostname: dns-tls.bitwiseshift.net IP: 81.187.221.24 and IPv6: 2001:8b0:24:24::24
DNS-over-TLS | Hostname: ns1.dnsprivacy.at IP: 94.130.110.185 and IPv6: 2a01:4f8:c0c:3c03::2
DNS-over-TLS | Hostname: ns2.dnsprivacy.at IP: 94.130.110.178 and IPv6: 2a01:4f8:c0c:3bfc::2
DNS-over-TLS, IPv4 | Hostname: dns.bitgeek.in IP: 139.59.51.46
DNS-over-TLS | Hostname: dns.neutopia.org IP: 89.234.186.112 and IPv6: 2a00:5884:8209::2