Australian DNS resolver

Location: Sydney, Australia

Features

• Privacy Focused
• No Censorship
• No Logging
• DNSSEC validation
• Build on open source technologies
• DNS Rebind protection. See the config for the currently filtered IPs. As a consequence spam block lists (RBL) such as spamhaus.org will no longer work. Also note your public IP might still be vulnerable. [1] [2] [3] [4] [4 slides]
• OpenNIC TLDs
• Qname minimisation (RFC 7816)
• Query pre-fetching using Unbound's algorithm
• Available over the DNSCrypt protocol
• Supports DNS-over-HTTPS (DoH) (RFC 8484) which is basically DNS over HTTP/2
• Supports DNS-over-TLS (DoT) (RFC 7858)

Servers

dns.seby.io - Vultr

dns.seby.io - Vultr

IPv4 address: 45.76.113.31

This server is also part of the NTP pool project

DNSCrypt

Provider Name: 2.dnscrypt-cert.dns.seby.io

DNSCrypt Ports: 443 (default), 5353, 8080

Public key: 0854:6878:8BA7:8A5E:A945:EA8F:4583:DD9C:803D:9670:3BCA:409E:EFFD:6AB8:5EB4:2C56

Stamp: sdns://AQcAAAAAAAAADDQ1Ljc2LjExMy4zMSAIVGh4i6eKXqlF6o9Fg92cgD2WcDvKQJ7v_Wq4XrQsVhsyLmRuc2NyeXB0LWNlcnQuZG5zLnNlYnkuaW8

Stamp was generated with https://dnscrypt.info/stamps

DNS-over-HTTPS (DoH)

HTTP/2 port: 8443

Hostname: doh.seby.io

Path: /dns-query

Stamp: sdns://AgcAAAAAAAAADDQ1Ljc2LjExMy4zMSA-GhoPbFPz6XpJLVcIS1uYBwWe4FerFQWHb9g_2j24OBBkb2guc2VieS5pbzo4NDQzCi9kbnMtcXVlcnk

Stamp was generated with https://dnscrypt.info/stamps. Command used to get the hash: dnscrypt-proxy -show-certs

TLS Setup: htbridge report

DNS-over-TLS (DoT)

TLS port: 853

Hostname: dot.seby.io

Out-of-Band public key pin: YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=

Command used: kdig -d @45.76.113.31 +tls-ca +tls-host=dot.seby.io example.com

TLS Setup: htbridge report

dns.seby.io - OVH

dns.seby.io - OVH

IPv4 address: 139.99.222.72

DNSCrypt

Provider Name: 2.dnscrypt-cert.dns.seby.io

DNSCrypt Ports: 8443

Public key: 0B05:684F:0D0B:E1D8:1A97:92C2:D456:D952:D1ED:2D1F:EB56:E57A:AD59:F13B:DE5E:E065

Stamp: sdns://AQcAAAAAAAAAEjEzOS45OS4yMjIuNzI6ODQ0MyALBWhPDQvh2BqXksLUVtlS0e0tH-tW5XqtWfE73l7gZRsyLmRuc2NyeXB0LWNlcnQuZG5zLnNlYnkuaW8

Stamp was generated with https://dnscrypt.info/stamps

DNS-over-HTTPS (DoH)

HTTP/2 port: 443

Hostname: doh-2.seby.io

Path: /dns-query

Stamp: sdns://AgcAAAAAAAAADTEzOS45OS4yMjIuNzIgPhoaD2xT8-l6SS1XCEtbmAcFnuBXqxUFh2_YP9o9uDgRZG9oLTIuc2VieS5pbzo0NDMKL2Rucy1xdWVyeQ

Stamp was generated with https://dnscrypt.info/stamps. Command used to get the hash: dnscrypt-proxy -show-certs

TLS Setup: htbridge report, SSL Labs report

DNS-over-TLS (DoT)

TLS port: 853

Hostname: dot.seby.io

Out-of-Band public key pin: YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=

Command used: kdig -d @139.99.222.72 +tls-ca +tls-host=dot.seby.io example.com

TLS Setup: htbridge report

---

Unbound Example:

server:
  port: 53
forward-zone:
  name: "."
    forward-tls-upstream: yes
    forward-addr: 45.76.113.31@853
    forward-addr: 139.99.222.72@853

Stubby Example:

dns_transport_list: [GETDNS_TRANSPORT_TLS]
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
listen_addresses:
  - 127.0.0.1@53
upstream_recursive_servers:
  - address_data: 45.76.113.31
    tls_auth_name: "dot.seby.io"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=

The server configuration is freely available on github:

https://github.com/publicarray/dns-resolver-infra

If there are any problems please open an issue or send me a DM.

Notes:

While the resolver is freely available abuse will not be tolerated.

To deal with abuse I may need to capture limited amount of traffic,

this will be discarded after the abuse is dealt with.

Public pgp key: https://keybase.io/publicarray/pgp_keys.asc?fingerprint=ac7b7a03d00d8236b8e6f9d180b9687901b6587c