kescherDNS

History/Background 🔗

kescherDNS is a DNSSEC-validating DNS resolver for public use.

This service was originally inspired by Mozilla's push for DNS-over-HTTPS in Firefox, with Cloudflare set as the default provider in the settings. Cloudflare is a US-based provider of various internet services, most of which aim to make it a monopoly for accessing resources on the visible web (which it has since become for 20% of it). Another popular provider is Google, which, for obvious reasons, is also not a good choice because of privacy concerns. However, abandoning encrypted DNS just because several providers of it are bad is not a great alternative either. Therefore, this service originally offered DNS-over-HTTPS, and DNS-over-HTTPS only. Since 2022, we also accept unencrypted connections, with some limitations in place to prevent their use in reflection-amplification attacks.

This DNS service has been set up to be as privacy-friendly as possible. We do not permanently log queries or source IP addresses. We do, however, keep query counts per source IP, per second, in memory, for automatic rate limiting and for forcing over-limit clients onto TCP (a reflection-amplification mitigation: a truncated UDP answer is no larger than the question, and a spoofed source cannot complete the TCP handshake). We also cache responses to repeated queries, in order to be nice to authoritative DNS servers around the world. We do not set or forward ECS (EDNS Client Subnet) information, except for the domains authoritatively hosted on the same servers (kescher.at). For those, logging is disabled entirely, and the information is only used for GeoIP purposes (so from the servers I own, you get the one closest to you as determined by your IP or your resolver's IP).
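As an added example (illustrative code, not kescherDNS's own implementation, which is not published here), the following Python sketch shows the two UDP-side mechanisms described above: a per-source, per-second counter that answers over-limit clients with a truncated (TC=1) response so a legitimate stub retries over TCP, and removal of the EDNS Client Subnet option (code 8) before a query is forwarded upstream. The wire layout follows the DNS header, OPT record and ECS option formats; the rate limit, the sample query and the 192.0.2.0/24 client subnet are constructed for illustration.

```python
"""Per-source rate accounting with TC=1 fallback, and ECS stripping.
Added example; not the resolver's actual code."""
import struct
import time
from collections import defaultdict

DNS_HEADER = struct.Struct("!HHHHHH")   # id, flags, qdcount, ancount, nscount, arcount
FLAG_QR = 0x8000
FLAG_TC = 0x0200
FLAG_RD = 0x0100
TYPE_OPT = 41
EDNS_OPT_ECS = 8


class RateLimiter:
    """Counts queries per source IP within the current wall-clock second.
    Only the current second's bucket is kept, so no history accumulates."""

    def __init__(self, max_per_second, now=time.time):
        self.max_per_second = max_per_second
        self.now = now                     # injectable clock, handy for tests
        self.bucket = None
        self.counts = defaultdict(int)

    def allow(self, src_ip):
        second = int(self.now())
        if second != self.bucket:          # new second: forget the old counts
            self.bucket = second
            self.counts.clear()
        self.counts[src_ip] += 1
        return self.counts[src_ip] <= self.max_per_second


def question_end(msg):
    """Offset just past the question section (assumes QDCOUNT == 1)."""
    off = DNS_HEADER.size
    while msg[off] != 0:                   # walk the QNAME labels
        if msg[off] & 0xC0:
            raise ValueError("compression pointer in a question QNAME")
        off += 1 + msg[off]
    return off + 1 + 4                     # root label + QTYPE + QCLASS


def truncated_response(query):
    """Header and question only, with QR and TC set: never larger than the
    query, so a spoofed source gains no amplification, while a real stub
    retries over TCP, which a spoofer cannot complete."""
    qid, flags, qdcount, _, _, _ = DNS_HEADER.unpack_from(query)
    flags = (flags & FLAG_RD) | FLAG_QR | FLAG_TC
    return DNS_HEADER.pack(qid, flags, qdcount, 0, 0, 0) + query[DNS_HEADER.size:question_end(query)]


def strip_ecs(query):
    """Return the query with EDNS option 8 (Client Subnet) removed from its
    OPT record. Queries without the common 1-question, 1-OPT shape pass through."""
    qd, an, ns, ar = DNS_HEADER.unpack_from(query)[2:]
    if (qd, an, ns, ar) != (1, 0, 0, 1):
        return query
    off = question_end(query)
    if query[off] != 0:                    # OPT owner name must be the root
        return query
    rtype, udp_size, ttl, rdlen = struct.unpack_from("!HHIH", query, off + 1)
    if rtype != TYPE_OPT:
        return query
    rdata_start = off + 1 + 10
    rdata = query[rdata_start:rdata_start + rdlen]
    kept, pos = b"", 0
    while pos + 4 <= len(rdata):           # (code, length, data) option triples
        code, olen = struct.unpack_from("!HH", rdata, pos)
        if code != EDNS_OPT_ECS:
            kept += rdata[pos:pos + 4 + olen]
        pos += 4 + olen
    return query[:off + 1] + struct.pack("!HHIH", TYPE_OPT, udp_size, ttl, len(kept)) + kept


def handle_udp(query, src_ip, limiter):
    """Decision for one UDP query: over-limit sources are answered locally
    with a truncated response; everything else is forwarded without ECS."""
    if not limiter.allow(src_ip):
        return "truncate", truncated_response(query)
    return "forward", strip_ecs(query)


def build_query(qname, qid=0x1234, ecs_v4_prefix=None):
    """Constructed sample: an A query with an OPT record, optionally carrying
    an IPv4 /24 ECS option (family 1, source prefix 24, scope 0, 3 address bytes)."""
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(label)]) + label.encode() for label in labels)
    question += b"\x00" + struct.pack("!HH", 1, 1)        # QTYPE A, QCLASS IN
    options = b""
    if ecs_v4_prefix is not None:
        ecs = struct.pack("!HBB", 1, 24, 0) + ecs_v4_prefix
        options = struct.pack("!HH", EDNS_OPT_ECS, len(ecs)) + ecs
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, 0, len(options)) + options
    return DNS_HEADER.pack(qid, FLAG_RD, 1, 0, 0, 1) + question + opt
```

The limiter deliberately keeps only the current second's bucket, which matches the page's "per IP, per second, in memory" description: once the second rolls over, nothing about earlier clients remains. `truncated_response` is a pure function of the query, so the resolver spends no upstream work on a source it does not trust.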

Behind the scenes, the resolver actively probes all authoritative nameservers for DNS-over-TLS support. If a server supports it, communication with that server is done over DNS-over-TLS, so fewer of the queries sent to us end up leaving on an unencrypted connection. Note that this upgrade is opportunistic: an on-path attacker who blocks or breaks port 853 towards an authoritative server can still force the fallback to cleartext, so it improves confidentiality on that path but does not replace DNSSEC validation of the answers.

Why not DNSCrypt instead of DNS-over-HTTPS? 🔗

DNSCrypt, unfortunately, has no dedicated port of its own; by convention its resolvers listen on the same port as HTTPS, 443 (over both UDP and TCP). This makes it very annoying to run DNSCrypt on its customary port on a server that has any other services running. I could technically host a DNSCrypt service on another port, but I dislike running services on non-default ports. I have tried doing this with SSH before, which came with too many drawbacks for me to consider it viable.

Addresses 🔗

Currently, the services offered are DNS-over-HTTPS, DNS-over-TLS and, with the limitations described above, plain DNS. The hosts are kalos.kescher.at and unova.kescher.at (their IP addresses are listed in the Unbound section below). Note that the hostname dns.kescher.at is usable for all hosts.

Use with Firefox 🔗

Firefox has a dedicated section for configuring DNS-over-HTTPS. This makes it very easy to configure it for use with kescherDNS.

Screenshot: the Firefox preferences, DNS over HTTPS section under Privacy & Security, showing dns.kescher.at as the active provider with Increased Protection selected.

Use with Chrome, and some other Chromium-based browsers 🔗

Note: This may not work in all Chromium-based browsers.
Chromium-based browsers have a "Use secure DNS" option under Settings > Privacy and security > Security, where kescherDNS can be entered as a custom DoH provider.

Screenshot: the Chrome security settings section, with secure DNS enabled and kescherDNS configured as the provider.

Use with Unbound 🔗

If you use Unbound as your resolver, you can easily add kescherDNS as a DoT forwarder. The #name after each address is the TLS authentication name, which Unbound only verifies when a CA bundle is configured. Add this to your config:

server:
  # CA bundle used to verify the upstream certificates against the #name below
  # (Debian/Ubuntu path; adjust for your system)
  tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt

forward-zone:
  name: "."
  forward-tls-upstream: yes   # without this, plaintext DNS would be sent to port 853
  forward-addr: 2a0a:4cc0:0:f31::1@853#kalos.kescher.at
  forward-addr: 89.58.18.85@853#kalos.kescher.at
  forward-addr: 2a03:4000:47:8b::1@853#unova.kescher.at
  forward-addr: 45.129.181.164@853#unova.kescher.at


Feel like being generous, or want to support my work on things like free software development and hosting mirrors? In that case, I accept: