This is a list of publicly available DNS servers suitable for use with IPFire. They are operated by many different organisations in many different countries. Please consider carefully which ones you would like to use.

DNS Servers that support UDP/TCP

Operator Address(es) Hostname
Anycast
Cloudflare 1.1.1.1 one.one.one.one
1.0.0.1
2606:4700:4700::1111
2606:4700:4700::1001
Control D Free Uncensored 76.76.2.0 p0.freedns.controld.com
76.76.10.0
2606:1a40::
2606:1a40:1::
dns.sb 185.222.222.222 dot.sb
45.11.45.11
2a09::
2a11::
DNS0.EU Open 193.110.81.254 open.dns0.eu
185.253.5.254
2a0f:fc80::ffff
2a0f:fc81::ffff
Google Public Free DNS 8.8.8.8 dns.google
8.8.4.4
Germany (DE)
Lightning Wire Labs 81.3.27.54 recursor01.dns.ipfire.org
2001:678:b28::54
81.3.27.54 recursor01.dns.lightningwirelabs.com
2001:678:b28::54
DNS-GA 88.99.98.111 ``dns1.dns-ga.de
2a01:4f8:221:e54::2
217.160.166.161 dns2.dns-ga.de
2001:8d8:820:3a00::b:c47
138.201.81.119 dns3.dns-ga.de
2a01:4f8:172:1d2a::2
France (FR)
French Data Network (FDN) 80.67.169.12
80.67.169.40
2001:910:800::12
2001:910:800::40
LinuxPatch.com 45.80.1.6
2a0e:3780:1::3:38
United States (US)
Comcast / Xfinity 75.75.75.75
75.75.76.76
Verisign 64.6.64.6 rec1pubns1.ultradns.net
64.6.65.6 rec1pubns2.ultradns.net

DNS-over-TLS service

Operator Address(es) DNS over TLS Hostname
Anycast
Cloudflare 1.1.1.1 one.one.one.one
1.0.0.1
2606:4700:4700::1111
2606:4700:4700::1001
Control D Free Uncensored 76.76.2.0 p0.freedns.controld.com
76.76.10.0
2606:1a40::
2606:1a40:1::
Freifunk München e.V. 5.1.66.255 anycast01.ffmuc.net
2001:678:e68:f000::
5.1.66.255 dot.ffmuc.net
2001:678:e68:f000::
dns.sb 185.222.222.222 dns.sb
45.11.45.11
2a09::
2a09::1
DNS0.EU Open 193.110.81.254 open.dns0.eu
185.253.5.254
2a0f:fc80::ffff
2a0f:fc81::ffff
Google Public Free DNS 8.8.8.8 dns.google
8.8.4.4
UncensoredDNS 91.239.100.100 anycast.uncensoreddns.org
2001:67c:28a4::
Austria (AT)
Foundation for Applied Privacy 146.255.56.98 dot1.applied-privacy.net
2a01:4f8:c0c:83ed::1
Canada (CA)
CMRG DNS 199.58.83.33 dns.cmrg.net
2001:470:1c:76d::53
Switzerland (CH)
Digitale Gesellschaft Schweiz 185.95.218.42 dns.digitale-gesellschaft.ch
185.95.218.43
2a05:fc84::42
2a05:fc84::43
Germany (DE)
Digitalcourage e.V. 5.9.164.112 dns3.digitalcourage.de
Lightning Wire Labs 81.3.27.54 recursor01.dns.ipfire.org
2001:678:b28::54
81.3.27.54 recursor01.dns.lightningwirelabs.com
2001:678:b28::54
DNS-GA 88.99.98.111 dot.dns-ga.de
2a01:4f8:221:e54::2
217.160.166.161
2001:8d8:820:3a00::b:c47
138.201.81.119
2a01:4f8:172:1d2a::2
Denmark (DK)
UncensoredDNS 89.233.43.71 unicast.uncensoreddns.org
2a01:3a0:53:53::
France (FR)
Neutopia 89.234.186.112 dns.neutopia.org
2a00:5884:8209::2
LinuxPatch.com 45.80.1.6 dns.linuxpatch.com
2a0e:3780:1::3:38
Luxembourg (LU)
Restena Foundation 158.64.1.29 kaitain.restena.lu
2001:a18:1::29
Netherlands (NL)
FlokiNET 185.246.188.51 nl.resolv.flokinet.net
2a06:1700:3:11::1
GetDNS 185.49.141.37 getdnsapi.net
2a04:b900:0:100::37
Romania (RO)
FlokiNET 185.247.225.17 ro.resolv.flokinet.net
2a06:1700:0:36::1

These providers are not recommended for use with IPFire because they do not support DNSSEC or tamper with DNS traffic in another way, such as filtering advertisement, malware or porn. While there is a legitimate use-case for the latter, such filtering breaks DNSSEC, being indistinguishable from an adversary from a technical point of view.

Operator IP Addresses Reason
Adfree.world 139.99.176.64 Domain Blacklist1
Cleanbrowsing 2a0d:2a00:1::2 / 185.228.168.9, 2a0d:2a00:2::2 / 185.228.169.9 Domain Blacklist2
DNS for Family 94.130.180.225 / 2a01:4f8:1c0c:40db::1, 78.47.64.161 / 2a01:4f8:1c17:4df8::1, dns-dot.dnsforfamily.com, https://dns-doh.dnsforfamily.com/dns-query Domain Blacklist3
Comodo Secure DNS 8.26.56.26, 8.20.247.20 Domain Blacklist4
dnsforge.de 176.9.93.198, 176.9.1.117, 2a01:4f8:151:34aa::198, 2a01:4f8:141:316d::117 Domain Blacklist5
Nuernberg Internet Exchange (N-IX) 194.8.57.12 Not resolving6
OpenDNS (Hosted Blacklists) 208.67.222.222, 208.67.220.220, 208.67.220.222, 208.67.222.220 Domain Blacklist7
Quad 9 9.9.9.9, 149.112.112.112, 9.9.9.10, 149.112.112.10 Domain Blacklist8
SWITCH 130.59.31.248 / 2001:620:0:ff::2, 130.59.31.251 / 2001:620:0:ff::3 Domain Blacklist9
Yandex.DNS 77.88.8.88, 77.88.8.2 Domain Blacklist10
SafeDNS 195.46.39.39, 195.46.39.40 Questionable regulations11
Level 3 / CentryLink / Verizon 4.2.2.1, 4.2.2.2, 4.2.2.3, 4.2.2.4, 4.2.2.5, 4.2.2.6 No Website Information12
SkyDNS 193.58.251.251 All options filter the DNS response provided13
New Nations 5.45.96.220 Not resolving queries14
DNS0.EU 193.110.81.0, 185.253.5.0, 2a0f:fc80::, 2a0f:fc81:: / TLS Hostname dns0.eu Domain Blacklist15
DNS0.EU ZERO 193.110.81.9, 185.253.5.9, 2a0f:fc80::9, 2a0f:fc81::9 / TLS Hostname zero.dns0.eu Domain Blacklist16
DNS0.EU KIDS 193.110.81.1, 185.253.5.1, 2a0f:fc80::1, 2a0f:fc81::1 / TLS Hostname kids.dns0.eu Domain Blacklist17

About Server location

The location of the servers has been stated by using the IPFire Location database. However, it might be possible that the location is wrong (or has been changed meanwhile).

The servers that are marked with "Anycast" are using anycasts so that traffic will be routed to the nearest of the many instances that are there on the network. Thereof the exact location of the server(s) cannot be determined. Worse, different configurations of Anycast instances cannot be determined reliable.

Security and Privacy Considerations

A DNS server has a very powerful function in network topology. Please keep in mind that it might log your queries (which is a huge information leak).
Query logs might (not only) include:

  • Date, Time (ms)
  • IP Address
  • Domain requested
  • Subdomain requested
  • Type of query (A, AAAA, TXT, NS, ...)

Further, not all of the DNS servers listed above return correct answers in any case. Some of them return failures for harmful or malicious sites. Check the operators website for more information on this topic.

For security reasons, it is required to use DNS servers which support DNSSEC. For privacy and availability reasons, avoid using just one providers' DNS servers.


  1. Adore.world states "...simple public blacklist to block...". This is an indication of manipulating query responses: https://threadmarkcyber.au/home/?page_id=3 For following explanations note: This is non compliant to RFC 4033 (DNSSEC) which is due to the absence of a cryptographic prove of none existence for the blocked (missing) domains. 

  2. cleanbrowsing states "...Our security filter...". This implies the use of domain filtering/blacklisting and response manipulation: https://cleanbrowsing.org/help/docs/dnsovertls/ 

  3. DNS for Family states "...that filter websites for family use...", "...protection from malware and blocking ads...". This implies domain filtering and response manipulation: https://dnsforfamily.com/ 

  4. Comodo Secure DNS states "...domain filtering feature..." and is therefore capable of modifying query responses: https://securedns.dnsbycomodo.com/ 

  5. dnsforge.de states "... is a censorship-free, safe and redundant DNS resolver without logging but with advertisement blocking" (translated by a native speaker). This is a reason to assume they modify query responses: https://dnsforge.de/ 

  6. N-IX fails: dig dns-ga.de @194.8.57.12 returned status REFUSED. This probably means that the server does not answer recursive queries from the internet anymore. A delv dns-ga.de @194.8.57.12 with failed resolution approved of this theory. 

  7. Cisco states all paid plans and free plans have "built-in protection". See: https://www.opendns.com/home-internet-security/. Even though the mentioned IPs do not block adult content, domain filtering can not be ruled out. Automated data collection, collecting IPs, sharing information with business partners and more makes it a clear case: https://www.opendns.com/privacy-policy/ 

  8. Quad9 states "Quad9 blocks lookups of malicious host names from an up-to-the-minute list...". Therefore queries are analyzed and in some cases responses are modified. Further more, they provide services with either DNSSEC disabled or malware blocking: https://www.quad9.net/service/service-addresses-and-features 

  9. Switch states "The DNS resolver service blocks domain names listed...", "Switch DNS Firewall blocks access to infected or malicious websites and redirects users to a landing page". This is not acceptable: https://www.switch.ch/en/switch-public-dns 

  10. Yandex DNS states "...block adult-only and dangerous websites" (aka self-explanatory) : https://dns.yandex.com/. The mentioned IPs are from the "Safe" section. 

  11. SafeDNS is full of marketing. The Terms of Service mention an interesting point (11), by which queries must be analyzed automatically and/or modified/filtered: https://www.safedns.com/terms-of-service. "Features" also include AI and web (aka domain) filtering: https://www.safedns.com/features#id-dns-security

  12. Level 3 IP-Addresses are found online, but are not linked to any website that will provide information about logging, etc. Referred to in: https://www.publicdns.xyz/public/level3.html 

  13. SKYDNS All options provide some form of filtering. There is no option provided with no filtering. Referred to in: https://www.skydns.ru/en/ 

  14. New Nations fails: dig www.google.com @5.45.96.220 timed out and delv dns-ga.de NS @5.45.96.220 resolution failed: SERVFAIL. 

  15. DNS0.EU Seems to work without issues in regular web browsing but YMMV. https://www.dns0.eu states "Integrated protection against millions of malicious domains..." 

  16. DNS0.EU ZERO states "...hardened security for highly sensitive environments..." Filters malicious content, newly created domains, Top-level domains, DDNS domains ect. 

  17. DNS0.EU KIDS states "...filtering out content from the Internet that is not suitable for children, you can provide a safe online environment for kids..." Filters adult websites, ads and other content not suitable for children.