=== DNS ===

Public DNS Resolvers
====================

View performance statistics for public DNS resolvers at DNSPerf. The statistics reported at DNSPerf tend to be very similar to the results I get using the namebench tool.

You may also find it useful to look at NixNet's page about DNS. It lists their DNS resolvers along with useful general information.

Under Linux there are a number of services that like to overwrite /etc/resolv.conf. Once you have edited /etc/resolv.conf to your liking, you can prevent it from being overwritten by setting the immutable bit:

    # chattr +i /etc/resolv.conf

AdGuard
    94.140.14.14
    94.140.15.15
    2a10:50c0::ad1:ff
    2a10:50c0::ad2:ff
    https://dns.adguard.com/dns-query

CloudFlare
    1.1.1.1
    1.0.0.1
    2606:4700:4700::1111
    2606:4700:4700::1001
    https://cloudflare-dns.com/dns-query

Dyn
    216.146.35.35
    216.146.36.36

FreeDNS.zone
    172.104.237.57 (Frankfurt, Germany)
    172.104.49.100 (Singapore)
    37.235.1.174 (Vienna, Austria)
    37.235.1.177 (Vienna, Austria)
    45.33.97.5 (Atlanta, GA, USA)

Google
    8.8.8.8
    8.8.4.4
    2001:4860:4860::8888
    2001:4860:4860::8844
    https://dns.google/dns-query

Hurricane Electric
    74.82.42.42
    2001:470:20::2
    https://ordns.he.net/dns-query

Namecheap SafeServe
    198.54.117.10
    198.54.117.11

NextDNS
    45.90.28.219
    45.90.30.219

OpenDNS
    208.67.222.222
    208.67.220.220
    2620:0:ccc::2
    2620:0:ccd::2
    https://doh.opendns.com/dns-query

OpenNIC Project
    Go to https://www.opennic.org to see which of their DNS resolvers are closest to you. OpenNIC servers periodically go down and occasionally just disappear. Servers that have worked for me (in North America) are:
    192.3.165.37
    172.98.193.42
    Of course, keep in mind what I noted above, that OpenNIC servers periodically go down and occasionally just disappear. Yes, I thought that point needed to be repeated.
Quad9
    9.9.9.9
    149.112.112.112
    2620:fe::fe
    https://dns.quad9.net/dns-query

Yandex Basic
    77.88.8.8
    77.88.8.1
    2a02:6b8::feed:0ff
    2a02:6b8:0:1::feed:0ff

Yandex Safe
    77.88.8.88
    77.88.8.2
    2a02:6b8::feed:bad
    2a02:6b8:0:1::feed:bad

I sometimes mix DNS resolvers from different providers:

    nameserver 45.33.97.5    # FreeDNS.zone
    nameserver 74.82.42.42   # Hurricane Electric

DNS RECORDS
===========

DNSSEC

Enabling DNSSEC:
    Generate DNSSEC keys and DS records at your DNS host.
    Add the DS records at your domain registrar.

Disabling DNSSEC:
    Remove the DS records at your domain registrar.
    Wait 24 hours for most domains, but 48 hours for domains registered through EU.org. Check the DS TTL with "dig ds" on whatever domain you are removing DNSSEC from.
    Remove or disable DNSSEC at your DNS host.

Examples of DS records:

    debian.org. 10762 IN DS 6487 8 2 A9528F2409C5F6A95AE6E0F8A6C5A223AC4EFD54B45884CB855F044E 82F7F4C6
    yandex.com. 9595 IN DS 31456 5 1 593F529E8942948DE9D6646AC5F9E2208F49D606

NOTE: At EU.org, you need to paste the complete DNS DS records one at a time. First:

    oldfolio.eu.org. 86400 IN DS 12658 13 1 F6DA0F5AE673070AD8BF615F9FB8089649AAB35B

Then, after that has been accepted:

    oldfolio.eu.org. 86400 IN DS 12658 13 2 391D8D873C923079B3873F02A36CBC6A454CD7BBFED8B1D391E5F2AE94D10CB9

DMARC Records

    _dmarc.domain.tld. IN TXT "v=DMARC1; p=none; rua=mailto:admin@domain.tld"

DMARC action to take if either SPF or DKIM fail:
    p=none;        take no action
    p=quarantine;  mark message as spam
    p=reject;      reject message outright

To send DMARC reports to an address outside the email sending domain, create a TXT record in the DNS of the receiving domain:

    email-sending-domain.tld._report._dmarc.receiving-domain.tld. IN TXT "v=DMARC1"

Of course, you will still need to create the basic DMARC record in the DNS of the email sending domain:

    _dmarc.email-sending-domain.tld.
    IN TXT "v=DMARC1; p=none; rua=mailto:admin@report-receiving-domain.tld"

MX Records

Fastmail
    IN MX 10 in1-smtp.messagingengine.com.
    IN MX 20 in2-smtp.messagingengine.com.

Gandi
    IN MX 10 spool.mail.gandi.net.
    IN MX 50 fb.mail.gandi.net.

Google
    IN MX 1 aspmx.l.google.com.
    IN MX 5 alt1.aspmx.l.google.com.
    IN MX 5 alt2.aspmx.l.google.com.
    IN MX 10 alt3.aspmx.l.google.com.
    IN MX 10 alt4.aspmx.l.google.com.

MXroute (replace SERVER with the name of the server on which your account is hosted, e.g., longhorn)
    IN MX 10 SERVER.mxrouting.net.
    IN MX 20 SERVER-relay.mxrouting.net.

Runbox
    IN MX 10 mx.runbox.com.

Yandex
    IN MX 10 mx.yandex.net.

SPF Records

    v=spf1 -all                        # Do not accept mail from this domain
    v=spf1 include:server.com -all     # Accept mail sent by server.com, but no one else
    v=spf1 a mx -all                   # Accept mail sent by the servers specified in the domain's A and MX records

Fastmail
    include:spf.messagingengine.com

Gandi
    include:_mailcust.gandi.net

Google
    include:_spf.google.com

MXroute: any one of the following should work. According to Jarland, the last involves the fewest DNS lookups.
    include:mxlogin.com
    include:mxroute.com
    include:_s00002163.autospf.email

Runbox
    include:spf.runbox.com

Yandex
    include:_spf.yandex.net

Multiple "include" example:

    domain.tld. IN TXT "v=spf1 include:_spf.yandex.net include:spf.messagingengine.com -all"

Multiple servers: accept mail from the server specified in the mail server's A record as well as from any server specified by the SPF record for Yandex.

    domain.tld. IN TXT "v=spf1 a:mail-server.domain.tld include:_spf.yandex.net ~all"

Miscellaneous
=============

Disable IPv6 in Firefox by changing network.dns.disableIPv6 from false to true in about:config.

General note about serving web sites: if your server only has an IPv6 address, I have found two options for serving sites over IPv4:
    Use Cloudflare's DNS, and set Cloudflare to proxy.
    Add an A record for the Netiter proxy service.
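As an added example (my own code, not from these notes), a small Python checker for the record types listed in the DNSSEC and SPF/DMARC sections above: it confirms that a DS record's digest is complete for its digest type (the partial-paste problem the EU.org note warns about), counts the lookup-costing terms in an SPF record against the limit of 10, and validates the v and p tags of a DMARC record. The inputs are the records quoted on this page; the function names are assumptions of mine.

```python
import re

DIGEST_HEX_LEN = {1: 40, 2: 64, 4: 96}   # DS digest types: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs a DNS lookup (RFC 7208 4.6.4)
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DS_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+DS\s+(\d+)\s+(\d+)\s+(\d+)\s+(.+)$")


def check_ds(line):
    """Parse a DS record in dig presentation form and confirm the digest is complete."""
    m = DS_RE.match(line.strip())
    if not m:
        raise ValueError("not a DS record")
    owner, ttl, tag, alg, dtype, digest = m.groups()
    digest = "".join(digest.split()).upper()   # dig splits long digests with spaces
    dtype = int(dtype)
    need = DIGEST_HEX_LEN.get(dtype)
    if need is None or len(digest) != need or not re.fullmatch(r"[0-9A-F]+", digest):
        raise ValueError(f"digest type {dtype} needs {need} hex chars, got {len(digest)}: incomplete paste?")
    return {"owner": owner, "ttl": int(ttl), "key_tag": int(tag), "algorithm": int(alg),
            "digest_type": dtype, "digest": digest}


def check_spf(record):
    """Count lookup-costing terms in this record (nested includes add more) and read the 'all' policy."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    lookups, unmatched = 0, None
    for term in terms[1:]:
        qual = "+"                                   # default qualifier is pass
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name = re.split(r"[:/=]", term, maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            unmatched = QUALIFIERS[qual]             # what happens to senders nothing else matched
    return {"lookups": lookups, "over_limit": lookups > 10, "unmatched_sender": unmatched}


def check_dmarc(record):
    """Split a DMARC record into tags; v=DMARC1 must come first and p must be a known policy."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        raise ValueError("DMARC record must start with v=DMARC1")
    if tags.get("p") not in {"none", "quarantine", "reject"}:
        raise ValueError("p= must be none, quarantine or reject")
    return tags
```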