Australian DNS resolver

Location: Sydney, Australia

Features

Free
No Censorship
No Logging (aggregate statistics like latency are gathered using munin, see server statistics)
DNSSEC validation
Build on open source technologies
DNS Rebind protection. See the config for the currently filtered IPs. As a consequence spam block lists (RBL) such as spamhaus.org will no longer work. Also note your public IP might still be vulnerable. [1] [2] [3] [4] [4 slides]
OpenNIC TLDs
Qname minimisation (RFC 7816)
Query pre-fetching using Unbound's algorithm
Available over the DNSCrypt protocol
Supports DNS-over-HTTPS (DoH) (RFC 8484) which is basically DNS over HTTP/2
Supports DNS-over-TLS (DoT) (RFC 7858)

Servers

dns.seby.io - Vultr

IPv4 address: 45.76.113.31

This server is also part of the NTP pool project

DNSCrypt

Provider Name: 2.dnscrypt-cert.dns.seby.io

DNSCrypt Ports: 443 (default), 5353, 8080

Public key: 0854:6878:8BA7:8A5E:A945:EA8F:4583:DD9C:803D:9670:3BCA:409E:EFFD:6AB8:5EB4:2C56

Stamp: sdns://AQcAAAAAAAAADDQ1Ljc2LjExMy4zMSAIVGh4i6eKXqlF6o9Fg92cgD2WcDvKQJ7v_Wq4XrQsVhsyLmRuc2NyeXB0LWNlcnQuZG5zLnNlYnkuaW8

Stamp was generated with https://dnscrypt.info/stamps

DNS-over-HTTPS (DoH)

HTTP/2 port: 8443

Hostname: doh.seby.io

Path: /dns-query

Stamp: sdns://AgcAAAAAAAAADDQ1Ljc2LjExMy4zMSA-GhoPbFPz6XpJLVcIS1uYBwWe4FerFQWHb9g_2j24OBBkb2guc2VieS5pbzo4NDQzCi9kbnMtcXVlcnk

Stamp was generated with https://dnscrypt.info/stamps. Command used to get the hash: env DEBUG=1 dnscrypt-proxy

TLS Setup: htbridge report

DNS-over-TLS (DoT)

TLS port: 853

Hostname: dot.seby.io

Out-of-Band public key pin: YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=

Command used: kdig -d @45.76.113.31 +tls-ca +tls-host=dot.seby.io example.com

Stamp: sdns://AgcAAAAAAAAADDQ1Ljc2LjExMy4zMQAPZG90LnNlYnkuaW86ODUzAA

Stamp was generated with https://dnscrypt.info/stamps

TLS Setup: htbridge report

Unbound Example:

server:
  port: 53
forward-zone:
  name: "."
    forward-tls-upstream: yes
    forward-addr: 45.76.113.31@853

Stubby Example:

dns_transport_list: [GETDNS_TRANSPORT_TLS]
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
listen_addresses:
  - 127.0.0.1@53
upstream_recursive_servers:
  - address_data: 45.76.113.31
    tls_auth_name: "dot.seby.io"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=

The server configuration is freely available on github:

https://github.com/publicarray/dns-resolver-infra

If there are any problems please open an issue or send me a DM.

Notes:

No logging means that I don't log dns queries but certain statistics

such as the latency and query status are logged see

https://dns.seby.io/stats.html for pretty graphs

While the resolver is freely available abuse will not be tolerated.

To deal with abuse I may need to capture limited amount of traffic,

this will be discarded after the abuse is dealt with.

Public pgp key: https://keybase.io/publicarray/pgp_keys.asc?fingerprint=ac7b7a03d00d8236b8e6f9d180b9687901b6587c