HarborFront

Many DNS servers come with support for DNSSEC. However, they must pass the below 2 tests

1) DNSSEC Resolver Test

and

2) http://www.dnssec-failed.org/ (if you run this site it must show failure i.e. the site can't be reached)

I have been testing some DNS servers with DNSSEC and quite a number failed the 2 tests. I'm looking for one

1) which supports DNSSEC
2) with support for DNSCrypt (or DNS Over HTTPS or DNS Over TLS) and
3) NO logs

So far tested to pass are

1) Google DNS - logs
2) Lightning Wire Labs - not sure whether keeps logs
3) Quad9 - logs
4) CloudFlare - logs
5) CleanBrowsing - NO logs
6) Uncensored DNS (89.233.43.71) - NO logs

Edit - Added 4), 5) and 6)
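
Added example (not part of the original post, and not code from any of the resolvers named): what the two tests in the post above check at the DNS level. A validating resolver answers SERVFAIL for the deliberately mis-signed dnssec-failed.org and sets the AD bit on answers from a correctly signed zone. The function names are hypothetical, the correctly signed zone is the tester's choice, and the sample reply headers are constructed.

```python
import socket
import struct

NOERROR, SERVFAIL = 0, 2

def build_query(name, qtype=1, txid=0x1234):
    """DNS query (RD set) with an EDNS0 OPT record carrying the DO bit."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in name.rstrip(".").split(".")) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, TYPE 41, UDP size 1232, ext-rcode 0, version 0,
    # flags 0x8000 (DO = "send me DNSSEC data"), RDLEN 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, 0x8000, 0)
    return header + question + opt

def parse_flags(response):
    """Return the RCODE and the AD (Authenticated Data) bit of a reply header."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    flags = struct.unpack("!H", response[2:4])[0]
    return {"rcode": flags & 0x000F, "ad": bool(flags & 0x0020)}

def classify(broken_reply, signed_reply):
    """broken_reply: answer for the mis-signed zone (dnssec-failed.org).
    signed_reply: answer for a correctly signed zone chosen by the tester."""
    broken, signed = parse_flags(broken_reply), parse_flags(signed_reply)
    if broken["rcode"] == NOERROR:
        return "not validating"   # bogus data was handed to the client
    if broken["rcode"] == SERVFAIL and signed["rcode"] == NOERROR:
        return "validating" if signed["ad"] else "inconclusive"
    return "inconclusive"         # e.g. the resolver fails every query

def ask(server, name, timeout=3.0):
    """Send the query over UDP port 53 to `server` and return the raw reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return s.recv(4096)

def hdr(flags):
    """Constructed 12-byte reply header (sample data, not captured traffic)."""
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)

VALIDATING = (hdr(0x8182), hdr(0x81A0))      # SERVFAIL, then NOERROR + AD
NON_VALIDATING = (hdr(0x8180), hdr(0x8180))  # NOERROR for both names
```

Against a live resolver, pass the results of `ask(server, "dnssec-failed.org")` and `ask(server, <signed zone>)` to `classify`; this only covers plain UDP, so it says nothing about the DNSCrypt, DoH or DoT path a client may actually be using.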
 

TairikuOkami

I have been testing some DNS servers with DNSSEC and quite a number failed the 2 tests.
Nice, so I guess Yandex does not support DNSSEC after all. Cleanbrowsing passed both tests though.

3) Quad9 - logs
Funny that SimpleDNSCrypt uses it as a backup DNS, since even according to its own filters, it logs. They should use Cloudflare instead.
 

yitworths

so I guess Yandex does not support DNSSEC after all
That's why the DNS script doesn't show it as DNSSEC supported, but some websites show it is DNSSEC supported.

Funny that SimpleDNSCrypt uses it as a backup DNS, since even according to its own filters, it logs. They should use Cloudflare instead.
I think you can change it manually, but you've made a fair point regarding the default fallback resolver. They should use something which doesn't log. But that's their call to make.
 

Azure

Could you test Heimdal dns? You will need to install a trial of Heimdal Pro.
 

HarborFront

Nice, so I guess Yandex does not support DNSSEC after all. Cleanbrowsing passed both tests though.


Funny that SimpleDNSCrypt uses it as a backup DNS, since even according to its own filters, it logs. They should use Cloudflare instead.
There's no mention on CleanBrowsing site that it supports DNSSEC. It supports only DNSCrypt/DNS Over TLS/DNS Over HTTPS.

CleanBrowsing DNS - Protecting our families and kids when visiting the web. Free Parental Control and Web filter.

You are right. It did pass both tests

BTW, does CleanBrowsing keep logs?
 

HarborFront

Just tested FF Quantum's DNS Over HTTPS

Although it showed it was connected to CloudFlare DNS, it flunked the 2 DNS tests in my post #21

Anyone can confirm this?

Thanks

BTW, I also tested TENTA DNS Over TLS using the ICANN DNS servers and it also flunked the tests
 

HarborFront

Today, I've just tested some public DNS servers for their susceptibility to Kaminsky-style spoofing & got some interesting results. Now, I would like to share those results with other members of MT & would like to get some analysis, comments or feedback. & if possible please tell what DNS server you use & why?

The list of public DNS servers which underwent the test, namely: Google, Quad9, DNS.WATCH, Comodo Secure DNS, OpenDNS Home, Norton ConnectSafe, OpenNIC, FreeDNS, Alternate DNS, Yandex.DNS, Adguard DNS beta, UncensoredDNS, Cloudflare.

One question.

Did you test the primary or secondary DNS server or both?

Thanks
 

Kuttz

Many DNS servers come with support for DNSSEC. However, they must pass the below 2 tests

1) DNSSEC Resolver Test

and

2) http://www.dnssec-failed.org/ (if you run this site it must show failure i.e. the site can't be reached)

I have been testing some DNS servers with DNSSEC and quite a number failed the 2 tests. I'm looking for one

1) which supports DNSSEC
2) with support for DNSCrypt (or DNS Over HTTPS or DNS Over TLS) and
3) NO logs

So far tested to pass are

1) Google DNS - logs
2) Lightning Wire Labs - not sure whether keeps logs
3) Quad9 - logs
4) CloudFlare - logs
5) CleanBrowsing - not sure whether keeps logs
6) Uncensored DNS (89.233.43.71) - NO logs

Edit - Added 4), 5) and 6)
My Quad9 DNS passed both tests (y)


TairikuOkami

BTW, does CleanBrowsing keep logs?
According to SimpleDNS filters, no. But even its less strict version sometimes blocks legitimate pages, like file/image hosting.
When searching via DuckDuckGo, it does not display images, because it uses proxy, though Adult version should not block proxy.
 


HarborFront

According to SimpleDNS filters, no. But even its less strict version sometimes blocks legitimate pages, like file/image hosting.
When searching via DuckDuckGo, it does not display images, because it uses proxy, though Adult version should not block proxy.
Thanks

Since you are using Simple DNSCrypt, can you help to check whether Lightning Wire Labs DNS keeps logs?
 