WELCOME TO THE OLDFOLIO GOPHER SERVER!

DNS NOTES

Public DNS Resolvers

View performance statistics for public DNS resolvers at DNSPerf. The statistics reported at DNSPerf tend to be very similar to the results I get using the namebench tool.

DNSPerf: https://www.dnsperf.com/#!dns-resolvers

CloudFlare
  1.1.1.1
  1.0.0.1
  2606:4700:4700::1111
  2606:4700:4700::1001

Dyn
  216.146.35.35
  216.146.36.36

FreeDNS.zone
  172.104.237.57 (Frankfurt, Germany)
  172.104.49.100 (Singapore)
  37.235.1.174 (Vienna, Austria)
  37.235.1.177 (Vienna, Austria)
  45.33.97.5 (Atlanta, GA, USA)

Google
  8.8.8.8
  8.8.4.4
  2001:4860:4860::8888
  2001:4860:4860::8844

Hurricane Electric
  74.82.42.42
  2001:470:20::2

OpenDNS
  208.67.222.222
  208.67.220.220
  2620:0:ccc::2
  2620:0:ccd::2

OpenNIC Project
  Go to https://www.opennic.org to see which of their DNS resolvers are closest to you. OpenNIC servers periodically go down and occasionally just disappear. Servers that have worked for me (in North America) are:
  66.187.76.168
  50.116.17.96
  192.52.166.110
  158.69.239.167
  Of course, keep in mind what I noted above, that OpenNIC servers periodically go down and occasionally just disappear. Yes, I thought that point needed to be repeated.

Quad9
  9.9.9.9
  149.112.112.112
  2620:fe::fe

Yandex Basic
  77.88.8.8
  77.88.8.1
  2a02:6b8::feed:0ff
  2a02:6b8:0:1::feed:0ff

Yandex Safe
  77.88.8.88
  77.88.8.2
  2a02:6b8::feed:bad
  2a02:6b8:0:1::feed:bad

I sometimes mix DNS resolvers from different providers:

  nameserver 45.33.97.5    # FreeDNS.zone
  nameserver 74.82.42.42   # Hurricane Electric

For more public DNS resolvers, see Public DNS.
https://www.publicdns.xyz/

Free DNS Hosting

1984: Unlimited zones; cannot find limits on records per zone or lookups. Supports DNSSEC.
Cloudflare: Unlimited lookups; 3500 records per zone; cannot find limit on number of zones. Supports DNSSEC.
ClouDNS: 3 free zones; unlimited records and lookups; no control over TTL on free plans.
Hurricane Electric: 50 free zones; cannot find limits on records per zone or lookups.
Selectel: Unlimited zones; cannot find limits on records per zone or lookups.
Veesp: DNS hosting is available free if you are paying for other services there.
Vultr: DNS hosting is available free if you are paying for other services there. They allow vanity name servers pointed at their own name servers.
Yandex: 50 free zones; cannot find limits on records per zone or lookups. No CAA records. (Although this service is aimed at people using Yandex to host their email, Yandex support explicitly states that you are free to host DNS without also hosting your email.)

DNSSEC

Enabling DNSSEC:
* Generate DNSSEC keys and DS records at your DNS host.
* Add the DS records at your domain registrar.

Disabling DNSSEC:
* Remove the DS records at your domain registrar.
* Wait 24 hours for most domains, but 48 hours for domains registered through EU.org. Do a "dig ds" check for the DS TTL on whatever domain from which you are removing DNSSEC.
* Remove or disable DNSSEC at your DNS host.

Examples of DS records:

debian.org. 10762 IN DS 6487 8 2 A9528F2409C5F6A95AE6E0F8A6C5A223AC4EFD54B45884CB855F044E 82F7F4C6
yandex.com. 9595 IN DS 31456 5 1 593F529E8942948DE9D6646AC5F9E2208F49D606

DMARC Records

_dmarc.domain.tld. IN TXT "v=DMARC1; p=none; rua=mailto:admin@domain.tld"

DMARC action to take if either SPF or DKIM fail:
  p=none;       - take no action
  p=quarantine; - mark message as spam
  p=reject;     - reject message outright

To send DMARC reports to an address outside the email sending domain, create a TXT record in the DNS of the receiving domain:

email-sending-domain.tld._report._dmarc.receiving-domain.tld. IN TXT "v=DMARC1"

Of course, you will still need to create the basic DMARC record in the DNS of the email sending domain:

_dmarc.email-sending-domain.tld. IN TXT "v=DMARC1; p=none; rua=mailto:admin@report-receiving-domain.tld"

MX Records

Fastmail
  IN MX 10 in1-smtp.messagingengine.com.
  IN MX 20 in2-smtp.messagingengine.com.
Gandi
  IN MX 10 spool.mail.gandi.net.
  IN MX 50 fb.mail.gandi.net.
Google
  IN MX 1 aspmx.l.google.com.
  IN MX 5 alt1.aspmx.l.google.com.
  IN MX 5 alt2.aspmx.l.google.com.
  IN MX 10 alt3.aspmx.l.google.com.
  IN MX 10 alt4.aspmx.l.google.com.
Runbox
  IN MX 10 mx.runbox.com.
Yandex
  IN MX 10 mx.yandex.net.

SPF Records

v=spf1 -all                      # Do not accept mail from this domain
v=spf1 include:server.com -all   # Accept mail sent by server.com, but no one else
v=spf1 a mx -all                 # Accept mail sent by the servers specified in the domain's A and MX records

Fastmail  include:spf.messagingengine.com
Gandi     include:_mailcust.gandi.net
Google    include:_spf.google.com
Runbox    include:spf.runbox.com
Yandex    include:_spf.yandex.net

Multiple "include" example:

domain.tld. IN TXT "v=spf1 include:_spf.yandex.net include:spf.messagingengine.com -all"

Multiple servers: Accept mail from the server specified in the mail server's A record as well as from any server specified by the SPF record for Yandex.

domain.tld. IN TXT "v=spf1 a:mail-server.domain.tld include:_spf.yandex.net ~all"

MISCELLANEOUS

Disable IPv6 in Firefox by changing network.dns.disableIPv6 from false to true in about:config.

============================ The End ============================
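Added example for the DMARC Records section above (not part of the original notes): a check that every external report address in a domain's DMARC record has the matching "_report._dmarc" authorization record published at the receiving domain. The function names and the ZONE data are constructed for illustration from the page's placeholder domains; treating a destination as internal only when it equals or sits below the sending domain is a simplifying assumption.

```python
import re

# Constructed sample zone data (owner name -> TXT value), built from the
# placeholder domains used on this page; not real DNS answers.
ZONE = {
    "_dmarc.email-sending-domain.tld":
        "v=DMARC1; p=none; rua=mailto:admin@receiving-domain.tld",
    "email-sending-domain.tld._report._dmarc.receiving-domain.tld": "v=DMARC1",
    "_dmarc.domain.tld":
        "v=DMARC1; p=none; rua=mailto:admin@domain.tld,"
        "mailto:dmarc@receiving-domain.tld!10m",
}

def report_domains(record):
    """Return the mail domains named in the rua= and ruf= tags of a DMARC record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    domains = set()
    for tag in ("rua", "ruf"):
        for uri in tags.get(tag, "").split(","):
            # A report URI may end in a size limit such as "!10m".
            m = re.fullmatch(r"mailto:[^@\s]+@([^!\s]+)(![0-9]+[kmgt]?)?",
                             uri.strip(), re.I)
            if m:
                domains.add(m.group(1).lower().rstrip("."))
    return domains

def missing_authorizations(sender, zone):
    """List the authorization owner names that are required but not published."""
    sender = sender.lower().rstrip(".")
    missing = []
    for dest in sorted(report_domains(zone.get("_dmarc." + sender, ""))):
        # Assumption: a destination equal to, or below, the sending domain
        # is internal and needs no authorization record.
        if dest == sender or dest.endswith("." + sender):
            continue
        owner = f"{sender}._report._dmarc.{dest}"
        if not zone.get(owner, "").replace(" ", "").startswith("v=DMARC1"):
            missing.append(owner)
    return missing

if __name__ == "__main__":
    for domain in ("email-sending-domain.tld", "domain.tld"):
        print(domain, "->", missing_authorizations(domain, ZONE) or "ok")
```

An owner name returned by missing_authorizations is the TXT record the receiving domain still has to publish before that report address is authorized.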