A Survey of Public DNS over HTTPS Servers

In the FDNS project we maintain a long list of non-logging and uncensored DoH servers. We call it The Little People Network, since these are mostly non-corporate servers.

With new servers coming and going, we developed several testing tools to keep the list up to date. In this post I will introduce one of them and run it over this large DoH network. The information can help the user choose a DoH service based on multiple criteria: speed, bandwidth, TLS version, etc. It can also help a server administrator optimize the service or debug various problems that might arise during operation.

Highlights

  • Don’t worry about speed, you have a bandwidth problem
  • HTTP headers, network traces, inactivity timer
  • H2O good, nginx bad
  • The Commercials are coming

CIRA

I get a heavy download going on my home network, in an attempt to simulate some normal network conditions. Then, I start testing CIRA Canadian Shield DoH service:

$ fdns --test-server=cira --details

   Tags: non-profit, Ontario, Quebec, BritishColumbia, EastAmerica, WestAmerica
   URL: https://private.canadianshield.cira.ca/dns-query
   Bootstrap IP address: 149.112.121.10
   Port: 443
   TLSv1.3, ALPN h2, SNI no

   HTTP Header:
-----------------------------
|  :status:  200
|  content-type:   application/dns-message
|  content-length:   165
-----------------------------
   SSL/TLS connection: 452.23 ms

   Network Trace:
-----> rx 268 bytes: IP + TCP + TLS + H2-HEADERS + H2-DATA  (end stream)

   DoH query average: 59.35 ms
   Header uncompressed | compressed | ratio:  71 | 3 | 23.67:1
   DoH/Do53 bandwidth ratio: 1.41
   Keepalive: 7 seconds

We print some geotags from our database and some connection information (TLSv1.3, etc.). Once connected, we send 6 queries for the example.com domain and calculate the average response time. Notice the huge connect time (452.23 ms) and the small average response (59.35 ms).

Finally, we compare the bandwidth required by this service with the bandwidth required by a regular unencrypted DNS service (Do53) running on the same server. For this we look at the original HTTP2 header (71 bytes), trimmed down by HPACK compression to only 3 bytes. The header is sent out with the DNS data in a single TCP/IP packet. Simple byte counting and some basic arithmetic tell us DoH uses 41% more bandwidth than a regular unencrypted DNS service (DoH/Do53 ratio of 1.41).

Bandwidth

Here is an interesting use case. I start streaming a movie as I already have the download going. This pretty much fills up my Internet pipe. Then, I run the CIRA test again:

$ fdns --test-server=cira

   Tags: non-profit, Ontario, Quebec, BritishColumbia, EastAmerica, WestAmerica
   SSL/TLS connection: 7089.60 ms
   DoH query average: 1490.41 ms
   DoH/Do53 bandwidth ratio: 1.41
   Keepalive: 7 seconds

The connection time and the response average went through the roof! Not a problem for a test like this, but in the real world the DoH client drops SSL and starts sending DNS requests in clear. This is called the fallback mode. As soon as you fill up your Internet pipe, the fallback mode kicks in, leaking unencrypted DNS traffic. On a normal day, out of a block of 3000 DNS queries I usually get about 30 or so sent in clear.

Re-establishing a DoH connection is very expensive and highly influenced by the network load. You will definitely notice a 7089.60 ms delay during your browsing, but more likely your browser will get bored waiting and go straight to fallback.

User inactivity is another problem. DoH servers detect it and close the SSL connection after a certain time. To keep it open, Firefox sends a short keepalive message every 60 seconds. As long as the keepalive interval is shorter than the server’s inactivity timer, everything is fine.

A lot of servers are running inactivity timers smaller than 60 seconds. By the time Firefox sends the keepalive, the connection is already gone. One such server is CIRA, with an inactivity timer of 10 seconds. In FDNS we configure the keepalive for each specific server (7 seconds in CIRA’s case).

Let’s take a look at some of the more established DoH players.

Cloudflare

It was long rumored that Cloudflare hides a top secret HTML link in its military-grade encrypted headers. Here it is:

$ fdns --test-server=cloudflare --details

   Tags: anycast, EastAmerica, WestAmerica, AsiaPacific, Europe
   URL: https://cloudflare-dns.com/dns-query
   Bootstrap IP address: 1.1.1.1
   Port: 443
   TLSv1.3, ALPN h2, SNI no

   HTTP Header:
-----------------------------
|  (HPACK dynamic table size: 4096)
|  :status:  200
|  date:   Wed, 19 Aug 2020 11:19:48 GMT
|  content-type:   application/dns-message
|  content-length:   88
|  access-control-allow-origin:   *
|  cf-request-id:  04a80b66440000ebf856928200000001
|  expect-ct:  max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
|  server:   cloudflare
|  cf-ray:  5c537b506bd6ebf8-BOS
-----------------------------
   SSL/TLS connection: 329.63 ms

   Network Trace:
-----> rx 232 bytes: IP + TCP + TLS + H2-HEADERS + H2-DATA
-----> rx 55 bytes: IP + TCP + TLS + H2-DATA  (end stream)

   DoH query average: 60.13 ms
   Header uncompressed | compressed | ratio:  332 | 53 | 6.26:1
   DoH/Do53 bandwidth ratio: 2.19
   Keepalive: 350 to 390 seconds

A large header of 332 bytes, compressed down to 53 bytes, a far cry from CIRA’s 3 bytes. Most of this information is not required, and it only inflates the already large DoH packets. The date field in particular is problematic: it changes on every response, so it compresses poorly.

In the network trace we notice a second DoH packet. Setting the end-of-stream flag on the previous packet would get rid of it. Together with the large header, this results in a lackluster DoH/Do53 ratio of 2.19: the service requires more than double the bandwidth of a regular DNS service, which sometimes translates into a glorious fallback mode experience for the user.

Huge inactivity timer: 400 seconds! In FDNS we run our keepalive in the 350-390 seconds range. No drops to fallback are expected due to inactivity. Moving on.

Quad9

Not to be outdone, Quad9 hides not one, but two military-grade encrypted links:

$ fdns --test-server=quad9 --details

   Tags: anycast, security, EastAmerica, WestAmerica, AsiaPacific, Europe
   URL: https://dns.quad9.net/dns-query
   Bootstrap IP address: 9.9.9.9
   Port: 5053
   TLSv1.2, ALPN h2, SNI no

   HTTP Header:
-----------------------------
|  (HPACK dynamic table size: 4096)
|  :status:  200
|  access-control-allow-headers:  Content-Type
|  access-control-allow-methods:  GET, HEAD, OPTIONS, POST
|  access-control-allow-origin:   *
|  access-control-max-age:  3600
|  cache-control:   private, max-age=21349
|  content-type:   application/dns-message
|  date:   Wed, 19 Aug 2020 11:22:06 GMT
|  expires:   Wed, 19 Aug 2020 17:17:55 GMT
|  last-modified:   Wed, 19 Aug 2020 11:22:06 GMT
|  server:   doh-server/2.0.1.q9.6 (+https://github.com/m13253/dns-over-https)
|  server-id:  res100.lga
|  vary:   Accept
|  x-powered-by:  doh-server/2.0.1.q9.6 (+https://github.com/m13253/dns-over-https)
|  content-length:   126
-----------------------------
   SSL/TLS connection: 354.27 ms

   Network Trace:
-----> rx 60 bytes: IP + TCP + TLS + H2-WINDOW-UPDATE
-----> rx 73 bytes: IP + TCP + TLS + H2-HEADERS
-----> rx 207 bytes: IP + TCP + TLS + H2-DATA  (end stream)

   DoH query average: 61.85 ms
   Header uncompressed | compressed | ratio:  576 | 42 | 13.71:1
   DoH/Do53 bandwidth ratio: 2.77
   Keepalive: 550 to 590 seconds

The access-control-* fields are Cross-Origin Resource Sharing (CORS) headers, a mechanism that lets a web page request resources from a different site. CORS applies only to browsers, so these headers can be removed for DoH.

Down in the network trace, the IP/TCP/TLS overhead starts adding up, drowning out everything else. What you want is a single packet going out, carrying the HTTP header, the DNS data and the end-of-stream flag, something like this:

-----> rx 268 bytes: IP + TCP + TLS + H2-HEADERS + H2-DATA  (end stream)

Inactivity timer beyond 10 minutes. EXCELLENT!

Google

We don’t list Google in FDNS, but it is worth taking a look. I’ll save you the trouble of reading the header – all nursery rhymes and jingle bells – and jump directly to the network trace:

$ fdns --test-server=https://dns.google/dns-query --details
[...]
   SSL/TLS connection: 384.01 ms
   Network Trace:
-----> rx 65 bytes: IP + TCP + TLS + H2-PING 
<----- tx 65 bytes: IP + TCP + TLS + H2-PING  (end stream)
-----> rx 118 bytes: IP + TCP + TLS + H2-HEADERS 
-----> rx 148 bytes: IP + TCP + TLS + H2-DATA 
-----> rx 55 bytes: IP + TCP + TLS + H2-DATA  (end stream)

   DoH query average: 78.52 ms
   Header uncompressed | compressed | ratio:  534 | 50 | 10.68:1
   DoH/Do53 bandwidth ratio: 2.99
   Keepalive: 190 to 230 seconds

We are already at three times (2.99) the regular DNS bandwidth, mainly because of the large number of separate TCP/IP packets. Why would you ping the user? That’s another full round trip, pushing the query average to 78.52 ms.

Note: I’m not really set up to measure speed with this tool – 6 requests for example.com, and hopefully the first one caches the response on the server side. The most I can hope to measure is the entry leg into the DoH network.

Very good inactivity timer (around 4 minutes).

Adguard

Say hello to Adguard, a major non-logging/non-censoring anycast network:

$ fdns --test-server=adguard --details

   Tags: anycast, adblocker, EastAmerica, WestAmerica, AsiaPacific, Europe
   URL: https://dns.adguard.com/dns-query
   Bootstrap IP address: 176.103.130.130
   Port: 443
   TLSv1.3, ALPN h2, SNI no

   HTTP Header:
-----------------------------
|  (HPACK dynamic table size: 0)
|  :status:  200
|  server:   nginx
|  date:   Wed, 19 Aug 2020 11:19:06 GMT
|  content-type:   application/dns-message
|  content-length:   115
|  cache-control:  max-age=3600.000000
-----------------------------
   SSL/TLS connection: 353.23 ms

   Network Trace:
-----> rx 60 bytes: IP + TCP + TLS + H2-WINDOW-UPDATE
-----> rx 299 bytes: IP + TCP + TLS + H2-HEADERS + H2-DATA  (end stream)

   DoH query average: 57.93 ms
   Header uncompressed | compressed | ratio:  156 | 79 | 1.97:1
   DoH/Do53 bandwidth ratio: 2.51
   Keepalive: 140 to 170 seconds

Small header, decent network trace, but a very bad header compression ratio of 1.97:1. Note the HPACK dynamic table size of 0 in the header above: apparently HTTP2 header compression is broken in nginx. We see this on all nginx setups, and that’s about half the DoH servers on the planet.

Note: the problem also affects regular website traffic. The impact there is minimal, as headers amount to less than 1% of total web traffic.
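To see why CIRA’s three header fields shrink to 3 bytes, why Cloudflare’s date and request-id fields never do, and what a dynamic table size of 0 costs on nginx setups, here is a toy model of HPACK’s dynamic table. It is added for this post and is not FDNS code; it ignores Huffman coding and the static table, so its byte counts are upper bounds, and the header values are constructed from the CIRA and Cloudflare responses shown above.

```python
"""Toy model of HPACK header compression on a long-lived HTTP/2 (DoH) connection.

Only the dynamic table is modelled: a (name, value) pair the peer already holds
costs 1 byte, a new value for a known name costs 1 + 1 + len(value), and a
brand-new field costs 1 + 1 + len(name) + 1 + len(value).  Huffman coding and
the static table are ignored, so real encoders do somewhat better in absolute terms.
"""

# Constructed from the CIRA response shown earlier in this post.
CIRA_HEADERS = [
    (":status", "200"),
    ("content-type", "application/dns-message"),
    ("content-length", "165"),
]


def cloudflare_headers(n):
    """Constructed from the Cloudflare response shown earlier; date, cf-request-id
    and cf-ray change on every response (n = 0, 1, 2 ...), the rest stay constant."""
    return [
        (":status", "200"),
        ("date", f"Wed, 19 Aug 2020 11:19:{48 + n:02d} GMT"),
        ("content-type", "application/dns-message"),
        ("content-length", "88"),
        ("access-control-allow-origin", "*"),
        ("cf-request-id", f"04a80b66440000ebf85692820000{n:04d}"),
        ("expect-ct", 'max-age=604800, '
                      'report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"'),
        ("server", "cloudflare"),
        ("cf-ray", f"5c537b506bd6e{n:03d}-BOS"),
    ]


def uncompressed_size(headers):
    """Header size the way the survey reports it: one 'name: value\\n' line per field."""
    return sum(len(name) + len(value) + 3 for name, value in headers)


class HpackModel:
    """Encoder-side view of the dynamic table shared with one peer."""

    def __init__(self, dynamic_table=True):
        # dynamic_table=False mimics a server advertising a dynamic table size of 0.
        self.dynamic_table = dynamic_table
        self.entries = []   # (name, value) pairs the decoder already holds

    def encode(self, headers):
        """Return {field name: bytes on the wire} for one header block."""
        costs = {}
        for name, value in headers:
            if (name, value) in self.entries:
                costs[name] = 1                                    # indexed field
            else:
                if any(n == name for n, _ in self.entries):
                    costs[name] = 1 + 1 + len(value)               # indexed name, literal value
                else:
                    costs[name] = 1 + 1 + len(name) + 1 + len(value)  # literal name and value
                if self.dynamic_table:
                    self.entries.append((name, value))             # incremental indexing
        return costs


def simulate(make_headers, responses=6, dynamic_table=True):
    """Compressed size of each header block over `responses` queries on one connection."""
    enc = HpackModel(dynamic_table)
    return [sum(enc.encode(make_headers(i)).values()) for i in range(responses)]


def steady_state_costs(make_headers, dynamic_table=True):
    """Per-field cost once the connection is warm (second response onward)."""
    enc = HpackModel(dynamic_table)
    enc.encode(make_headers(0))
    return enc.encode(make_headers(1))


if __name__ == "__main__":
    print("CIRA        ", uncompressed_size(CIRA_HEADERS), simulate(lambda i: CIRA_HEADERS))
    print("Cloudflare  ", uncompressed_size(cloudflare_headers(0)), simulate(cloudflare_headers))
    warm = steady_state_costs(cloudflare_headers)
    print("changing fields:", {k: v for k, v in warm.items() if v > 1})
    # With the dynamic table disabled (HPACK dynamic table size 0) every response
    # pays the full literal cost, which is what the poor nginx ratios reflect.
    print("no dyn table", simulate(lambda i: CIRA_HEADERS, dynamic_table=False))
```

After the first response, CIRA’s block is three indexed fields at one byte each, matching the 3 bytes the tool reports; Cloudflare’s block stays at 93 bytes in this model, 87 of them spent on the three fields whose values change every time.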

Very good inactivity timer, around 3 minutes.

Test Results

Let me say upfront that all servers ranked above Cloudflare are fantastic, while the rest are awesome. The servers are ranked by bandwidth; smaller is better. The details listed for each server include the URL you can use to configure your DoH client.

I added to the lineup several commercial servers for comparison. These are big corporations, some of them well known for their abysmal privacy record. We don’t necessarily recommend them.

  1. cira
    Tags: non-profit, Ontario, Quebec, BritishColumbia, EastAmerica, WestAmerica
    URL: https://private.canadianshield.cira.ca/dns-query
    Bootstrap IP address: 149.112.121.10
    Port: 443
    TLSv1.3, ALPN h2, SNI no
    —–> rx 268 bytes: IP + TCP + TLS + H2-HEADERS + H2-DATA (end stream)
    Header uncompressed | compressed | ratio: 71 | 3 | 23.67:1

    DoH/Do53 1.41, keepalive 7 seconds

  2. cox (commercial)
    URL: https://dohdot.coxlab.net/dns-query
    Bootstrap IP address: 174.68.248.77
    Port: 443
    TLSv1.3, ALPN h2, SNI no
    —–> rx 181 bytes: IP + TCP + TLS + H2-HEADERS + H2-DATA (end stream)
    Header uncompressed | compressed | ratio: 70 | 3 | 23.33:1

    DoH/Do53 1.53, keepalive 7 seconds

  3. uncensoreddns
    Tags: Denmark, Europe
    URL: https://anycast.censurfridns.dk/dns-query
    Bootstrap IP address: 91.239.100.100
    Port: 443
    TLSv1.3, ALPN h2, SNI no
    —–> rx 318 bytes: IP + TCP + TLS + H2-HEADERS + H2-DATA (end stream)
    Header uncompressed | compressed | ratio: 156 | 22 | 7.09:1

    DoH/Do53 1.59, keepalive 20 to 25 seconds , server h2o/dnsdist

  4. comcast (commercial)
    URL: https://doh.xfinity.com/dns-query
    Bootstrap IP address: 75.75.77.99
    Port: 443
    TLSv1.3, ALPN h2, SNI no
    —–> rx 65 bytes: IP + TCP + TLS + H2-HEADERS
    —–> rx 253 bytes: IP + TCP + TLS + H2-DATA (end stream)
    Header uncompressed | compressed | ratio: 71 | 8 | 8.88:1

    DoH/Do53 1.67, keepalive 550 to 590 seconds

  5. bt (commercial)
    URL: https://doh.bt.com/dns-query
    Bootstrap IP address: 81.130.111.250, 81.130.111.251
    Port: 443
    TLSv1.2, ALPN h2, SNI no
    —–> rx 169 bytes: IP + TCP + TLS + H2-HEADERS + H2-DATA (end stream)
    Header uncompressed | compressed | ratio: 126 | 12 | 10.50:1

    DoH/Do53 1.81, keepalive 20 to 25 seconds , server h2o/dnsdist

  6. hurricane-electric (commercial)
    URL: https://ordns.he.net/dns-query
    Bootstrap IP address: 74.82.42.42
    Port: 443
    TLSv1.3, ALPN h2, SNI no
    —–> rx 169 bytes: IP + TCP + TLS + H2-HEADERS + H2-DATA (end stream)
    Header uncompressed | compressed | ratio: 126 | 12 | 10.50:1

    DoH/Do53 1.81, keepalive 140 to 170 seconds , server h2o/dnsdist

  7. dt (commercial)
    URL: https://dns.t53.de/dns-query
    Bootstrap IP address: 80.156.145.201
    Port: 443
    TLSv1.3, ALPN h2, SNI no
    —–> rx 169 bytes: IP + TCP + TLS + H2-HEADERS + H2-DATA (end stream)
    Header uncompressed | compressed | ratio: 118 | 16 | 7.38:1

    DoH/Do53 1.84, keepalive 20 to 25 seconds , server DoH

  8. ibuki
    Tags: California, WestAmerica
    URL: https://ibuki.cgnat.net/dns-query
    Bootstrap IP address: 35.198.2.76
    Port: 443
    TLSv1.3, ALPN h2, SNI no
    —–> rx 169 bytes: IP + TCP + TLS + H2-HEADERS + H2-DATA (end stream)
    Header uncompressed | compressed | ratio: 126 | 16 | 7.88:1

    DoH/Do53 1.85, keepalive 20 to 25 seconds , server h2o/dnsdist

  9. powerdns
    Tags: Netherlands, Europe
    URL: https://doh.powerdns.org/dns-query
    Bootstrap IP address: 136.144.215.158
    Port: 443
    TLSv1.3, ALPN h2, SNI no
    —–> rx 169 bytes: IP + TCP + TLS + H2-HEADERS + H2-DATA (end stream)
    Header uncompressed | compressed | ratio: 126 | 16 | 7.88:1

    DoH/Do53 1.85, keepalive 20 to 25 seconds , server h2o/dnsdist

  10. telefonica (commercial)
    URL: https://doh-beta.e-paths.com/
    Bootstrap IP address: 34.255.130.171
    Port: 443
    TLSv1.3, ALPN h2, SNI no
    —–> rx 169 bytes: IP + TCP + TLS + H2-HEADERS + H2-DATA (end stream)
    Header uncompressed | compressed | ratio: 126 | 16 | 7.88:1

    DoH/Do53 1.85, keepalive 20 to 25 seconds , server h2o/dnsdist

  11. a-and-a
    Tags: UK, Europe
    URL: https://dns.aa.net.uk/dns-query
    Bootstrap IP address: 217.169.20.23
    Port: 443
    TLSv1.3, ALPN h2, SNI no
    —–> rx 169 bytes: IP + TCP + TLS + H2-HEADERS + H2-DATA (end stream)
    Header uncompressed | compressed | ratio: 135 | 16 | 8.44:1

    DoH/Do53 1.86, keepalive 20 to 25 seconds , server Andrews

  12. appliedprivacy
    Tags: non-profit, Austria, Europe
    URL: https://doh.applied-privacy.net/query
    Bootstrap IP address: 146.255.56.98
    Port: 443
    TLSv1.3, ALPN h2, SNI yes
    —–> rx 171 bytes: IP + TCP + TLS + H2-HEADERS + H2-DATA (end stream)
    Header uncompressed | compressed | ratio: 151 | 15 | 10.07:1

    DoH/Do53 1.86, keepalive 20 to 25 seconds , server dnsdist

  13. faelix-ch
    Tags: Switzerland, Europe
    URL: https://rdns.faelix.net/
    Bootstrap IP address: 185.134.197.54
    Port: 443
    TLSv1.3, ALPN h2, SNI no
    —–> rx 171 bytes: IP + TCP + TLS + H2-HEADERS + H2-DATA (end stream)
    Header uncompressed | compressed | ratio: 155 | 15 | 10.33:1

    DoH/Do53 1.86, keepalive 20 to 25 seconds , server h2o/dnsdist

  14. ryan-palmer
    Tags: UK, Europe
    URL: https://ns1.ryan-palmer.com/dns-query
    Bootstrap IP address: 68.183.253.200
    Port: 443
    TLSv1.3, ALPN h2, SNI no
    —–> rx 171 bytes: IP + TCP + TLS + H2-HEADERS + H2-DATA (end stream)
    Header uncompressed | compressed | ratio: 155 | 15 | 10.33:1

    DoH/Do53 1.86, keepalive 20 to 25 seconds , server h2o/dnsdist

  15. commons-host
    Tags: geocast, EastAmerica, WestAmerica, AsiaPacific, Europe
    URL: https://commons.host/
    Bootstrap IP address: 172.104.13.242
    Port: 443
    TLSv1.3, ALPN h2, SNI yes
    —–> rx 172 bytes: IP + TCP + TLS + H2-HEADERS + H2-DATA
    —–> rx 55 bytes: IP + TCP + TLS + H2-DATA (end stream)
    Header uncompressed | compressed | ratio: 224 | 14 | 16.00:1

    DoH/Do53 1.87, keepalive 250 to 290 seconds , server commonshost

  16. dnslify
    Tags: EastAmerica, WestAmerica, NY, California
    URL: https://doh.dnslify.com/dns-query
    Bootstrap IP address: 185.235.81.1
    Port: 443
    TLSv1.3, ALPN h2, SNI no
    —–> rx 171 bytes: IP + TCP + TLS + H2-HEADERS + H2-DATA (end stream)
    Header uncompressed | compressed | ratio: 170 | 17 | 10.00:1

    DoH/Do53 1.92, keepalive 20 to 25 seconds , server h2o/dnsdist

  17. faelix-uk
    Tags: UK, Europe
    URL: https://rdns.faelix.net/
    Bootstrap IP address: 46.227.200.54
    Port: 443
    TLSv1.3, ALPN h2, SNI no
    —–> rx 211 bytes: IP + TCP + TLS + H2-HEADERS + H2-DATA (end stream)
    Header uncompressed | compressed | ratio: 155 | 21 | 7.38:1

    DoH/Do53 1.92, keepalive 20 to 25 seconds , server h2o/dnsdist

  18. switch
    Tags: non-profit, Switzerland, Europe
    URL: https://dns.switch.ch/dns-query
    Bootstrap IP address: 130.59.31.248
    Port: 443
    TLSv1.2, ALPN h2, SNI no
    —–> rx 211 bytes: IP + TCP + TLS + H2-HEADERS + H2-DATA (end stream)
    Header uncompressed | compressed | ratio: 155 | 21 | 7.38:1

    DoH/Do53 1.92, keepalive 20 to 25 seconds , server h2o/dnsdist

  19. dnshome
    Tags: Germany, Europe
    URL: https://dns.dnshome.de/dns-query
    Bootstrap IP address: 185.233.106.232
    Port: 443
    TLSv1.3, ALPN h2, SNI no
    —–> rx 171 bytes: IP + TCP + TLS + H2-HEADERS + H2-DATA (end stream)
    Header uncompressed | compressed | ratio: 129 | 23 | 5.61:1

    DoH/Do53 1.93, keepalive 20 to 25 seconds , server h2o/dnsdist

  20. unbound project (GitHub)
    URL: https://127.0.0.1/dns-query
    Bootstrap IP address: 127.0.0.1
    Port: 443
    TLSv1.3, ALPN h2, SNI no
    —–> rx 64 bytes: IP + TCP + TLS + H2-HEADERS
    —–> rx 148 bytes: IP + TCP + TLS + H2-DATA (end stream)
    Header uncompressed | compressed | ratio: 70 | 7 | 10.00:1

    DoH/Do53 2.05, keepalive 20 to 25 seconds , server unbound

  21. arapurayil
    Tags: India, AsiaPacific
    URL: https://dns.arapurayil.com/dns-query
    Bootstrap IP address: 3.7.156.128
    Port: 443
    TLSv1.3, ALPN h2, SNI no
    —–> rx 210 bytes: IP + TCP + TLS + H2-HEADERS + H2-DATA (end stream)
    Header uncompressed | compressed | ratio: 250 | 27 | 9.26:1

    DoH/Do53 2.09, keepalive 10 to 15 seconds , server DNS

  22. cloudflare
    Tags: anycast, EastAmerica, WestAmerica, AsiaPacific, Europe
    URL: https://cloudflare-dns.com/dns-query
    Bootstrap IP address: 1.1.1.1
    Port: 443
    TLSv1.3, ALPN h2, SNI no
    —–> rx 232 bytes: IP + TCP + TLS + H2-HEADERS + H2-DATA
    —–> rx 55 bytes: IP + TCP + TLS + H2-DATA (end stream)
    Header uncompressed | compressed | ratio: 332 | 53 | 6.26:1

    DoH/Do53 2.19, keepalive 350 to 390 seconds , server cloudflare

  23. dnscrypt-ca
    Tags: Quebec, EastAmerica
    URL: https://dns1.dnscrypt.ca:453/dns-query
    Bootstrap IP address: 167.114.220.125
    Port: 453
    TLSv1.3, ALPN h2, SNI no
    —–> rx 60 bytes: IP + TCP + TLS + H2-WINDOW-UPDATE
    —–> rx 60 bytes: IP + TCP + TLS + H2-HEADERS
    —–> rx 193 bytes: IP + TCP + TLS + H2-DATA (end stream)
    Header uncompressed | compressed | ratio: 107 | 7 | 15.29:1

    DoH/Do53 2.27, keepalive 550 to 590 seconds

  24. rumpelsepp
    Tags: Germany, Europe
    URL: https://rumpelsepp.org/dns-query
    Bootstrap IP address: 116.203.179.248
    Port: 443
    TLSv1.3, ALPN h2, SNI yes
    —–> rx 60 bytes: IP + TCP + TLS + H2-WINDOW-UPDATE
    —–> rx 64 bytes: IP + TCP + TLS + H2-HEADERS
    —–> rx 214 bytes: IP + TCP + TLS + H2-DATA (end stream)
    Header uncompressed | compressed | ratio: 184 | 18 | 10.22:1

    DoH/Do53 2.28, keepalive 550 to 590 seconds , server Caddy

  25. bortzmeyer
    Tags: France, Europe
    URL: https://doh.bortzmeyer.fr/
    Bootstrap IP address: 193.70.85.11
    Port: 443
    TLSv1.3, ALPN h2, SNI no
    —–> rx 60 bytes: IP + TCP + TLS + H2-WINDOW-UPDATE
    —–> rx 184 bytes: IP + TCP + TLS + H2-HEADERS + H2-DATA (end stream)
    Header uncompressed | compressed | ratio: 221 | 13 | 17.00:1

    DoH/Do53 2.42, keepalive 20 to 25 seconds , server h2o/dnsdist

  26. tiarap
    Tags: geocast, EastAmerica, WestAmerica, AsiaPacific, Europe
    URL: https://doh.tiarap.org/dns-query
    Bootstrap IP address: 104.27.150.170, 172.67.182.106, 104.27.151.170
    Port: 443
    TLSv1.3, ALPN h2, SNI yes
    —–> rx 291 bytes: IP + TCP + TLS + H2-HEADERS + H2-DATA
    —–> rx 55 bytes: IP + TCP + TLS + H2-DATA (end stream)
    Header uncompressed | compressed | ratio: 647 | 108 | 5.99:1

    DoH/Do53 2.46, keepalive 350 to 390 seconds , server cloudflare

  27. adguard
    Tags: anycast, adblocker, EastAmerica, WestAmerica, AsiaPacific, Europe
    URL: https://dns.adguard.com/dns-query
    Bootstrap IP address: 176.103.130.130
    Port: 443
    TLSv1.3, ALPN h2, SNI no
    —–> rx 60 bytes: IP + TCP + TLS + H2-WINDOW-UPDATE
    —–> rx 299 bytes: IP + TCP + TLS + H2-HEADERS + H2-DATA (end stream)
    Header uncompressed | compressed | ratio: 156 | 79 | 1.97:1

    DoH/Do53 2.51, keepalive 140 to 170 seconds , server nginx

  28. adhole
    Tags: UK, Europe, adblocker
    URL: https://uk.adhole.org/dns-query
    Bootstrap IP address: 5.253.114.91
    Port: 443
    TLSv1.3, ALPN h2, SNI no
    —–> rx 60 bytes: IP + TCP + TLS + H2-WINDOW-UPDATE
    —–> rx 63 bytes: IP + TCP + TLS + H2-HEADERS
    —–> rx 161 bytes: IP + TCP + TLS + H2-DATA (end stream)
    Header uncompressed | compressed | ratio: 157 | 13 | 12.08:1

    DoH/Do53 2.60, keepalive 550 to 590 seconds , server AdGuard

  29. brahmaworld
    Tags: Germany, Europe, adblocker
    URL: https://dns.brahma.world/dns-query
    Bootstrap IP address: 94.237.80.211
    Port: 443
    TLSv1.3, ALPN h2, SNI no
    —–> rx 60 bytes: IP + TCP + TLS + H2-WINDOW-UPDATE
    —–> rx 63 bytes: IP + TCP + TLS + H2-HEADERS
    —–> rx 161 bytes: IP + TCP + TLS + H2-DATA (end stream)
    Header uncompressed | compressed | ratio: 157 | 13 | 12.08:1

    DoH/Do53 2.60, keepalive 550 to 590 seconds , server AdGuard

  30. commsone
    Tags: Moscow, Russia, Europe, adblocker
    URL: https://dns.comss.one/dns-query
    Bootstrap IP address: 92.38.152.163
    Port: 443
    TLSv1.3, ALPN h2, SNI no
    —–> rx 60 bytes: IP + TCP + TLS + H2-WINDOW-UPDATE
    —–> rx 63 bytes: IP + TCP + TLS + H2-HEADERS
    —–> rx 161 bytes: IP + TCP + TLS + H2-DATA (end stream)
    Header uncompressed | compressed | ratio: 157 | 13 | 12.08:1

    DoH/Do53 2.60, keepalive 550 to 590 seconds , server AdGuard

  31. bravedns
    Tags: geocast, EastAmerica, WestAmerica, AsiaPacific, Europe
    URL: https://free.bravedns.com/dns-query
    Bootstrap IP address: 104.26.7.92, 172.67.70.173, 104.26.6.92
    Port: 443
    TLSv1.3, ALPN h2, SNI yes
    —–> rx 239 bytes: IP + TCP + TLS + H2-HEADERS + H2-DATA
    —–> rx 55 bytes: IP + TCP + TLS + H2-DATA (end stream)
    Header uncompressed | compressed | ratio: 726 | 78 | 9.31:1

    DoH/Do53 2.68, keepalive 350 to 390 seconds , server cloudflare

  32. nextdns
    Tags: anycast, EastAmerica, WestAmerica, AsiaPacific, Europe
    URL: https://trr.dns.nextdns.io/
    Bootstrap IP address: 45.90.30.0
    Port: 443
    TLSv1.3, ALPN h2, SNI no
    —–> rx 60 bytes: IP + TCP + TLS + H2-WINDOW-UPDATE
    —–> rx 61 bytes: IP + TCP + TLS + H2-HEADERS
    —–> rx 148 bytes: IP + TCP + TLS + H2-DATA (end stream)
    Header uncompressed | compressed | ratio: 178 | 8 | 22.25:1

    DoH/Do53 2.73, keepalive 20 to 25 seconds

  33. usableprivacy
    Tags: Austria, Europe, adblocker
    URL: https://adfree.usableprivacy.net/
    Bootstrap IP address: 149.154.153.153
    Port: 443
    TLSv1.3, ALPN h2, SNI yes
    —–> rx 60 bytes: IP + TCP + TLS + H2-WINDOW-UPDATE
    —–> rx 61 bytes: IP + TCP + TLS + H2-HEADERS
    —–> rx 148 bytes: IP + TCP + TLS + H2-DATA (end stream)
    Header uncompressed | compressed | ratio: 126 | 12 | 10.50:1

    DoH/Do53 2.73, keepalive 140 to 170 seconds , server h2o/dnsdist

  34. at&t (commercial)
    URL: https://dohtrial.att.net/dns-query
    Bootstrap IP address: 40.76.112.230, 13.89.120.251
    Port: 443
    TLSv1.3, ALPN h2, SNI no
    —–> rx 60 bytes: IP + TCP + TLS + H2-WINDOW-UPDATE
    —–> rx 228 bytes: IP + TCP + TLS + H2-HEADERS + H2-DATA (end stream)
    Header uncompressed | compressed | ratio: 127 | 58 | 2.19:1

    DoH/Do53 2.74, keepalive 30 to 50 seconds , server nginx/1.18.0

  35. ffmuc
    Tags: Germany, Europe
    URL: https://doh.ffmuc.net/dns-query
    Bootstrap IP address: 195.30.94.28
    Port: 443
    TLSv1.3, ALPN h2, SNI no
    —–> rx 60 bytes: IP + TCP + TLS + H2-WINDOW-UPDATE
    —–> rx 249 bytes: IP + TCP + TLS + H2-HEADERS + H2-DATA
    —–> rx 55 bytes: IP + TCP + TLS + H2-DATA (end stream)
    Header uncompressed | compressed | ratio: 149 | 75 | 1.99:1

    DoH/Do53 2.74, keepalive 140 to 170 seconds , server nginx

  36. iriseden
    Tags: France, Europe, OpenNIC
    URL: https://ns1.iriseden.fr/dns-query
    Bootstrap IP address: 62.210.177.189
    Port: 443
    TLSv1.3, ALPN h2, SNI no
    —–> rx 60 bytes: IP + TCP + TLS + H2-WINDOW-UPDATE
    —–> rx 834 bytes: IP + TCP + TLS + H2-HEADERS + H2-DATA (end stream)
    Header uncompressed | compressed | ratio: 500 | 343 | 1.46:1

    DoH/Do53 2.75, keepalive 140 to 170 seconds , server nginx/1.14.2

  37. dns-sb
    Tags: geocast, Estonia, Germany, Europe
    URL: https://doh.dns.sb/dns-query
    Bootstrap IP address: 104.18.48.136, 172.67.192.75, 104.18.49.136
    Port: 443
    TLSv1.3, ALPN h2, SNI yes
    —–> rx 438 bytes: IP + TCP + TLS + H2-HEADERS + H2-DATA
    —–> rx 55 bytes: IP + TCP + TLS + H2-DATA (end stream)
    Header uncompressed | compressed | ratio: 1101 | 122 | 9.02:1

    DoH/Do53 2.77, keepalive 250 to 290 seconds , server cloudflare

  38. quad9
    Tags: anycast, security, EastAmerica, WestAmerica, AsiaPacific, Europe
    URL: https://dns.quad9.net/dns-query
    Bootstrap IP address: 9.9.9.9
    Port: 5053
    TLSv1.2, ALPN h2, SNI no
    —–> rx 60 bytes: IP + TCP + TLS + H2-WINDOW-UPDATE
    —–> rx 73 bytes: IP + TCP + TLS + H2-HEADERS
    —–> rx 207 bytes: IP + TCP + TLS + H2-DATA (end stream)
    Header uncompressed | compressed | ratio: 576 | 42 | 13.71:1

    DoH/Do53 2.77, keepalive 550 to 590 seconds , server doh-server/2.0.1.q9.6

  39. defaultroutes
    Tags: Germany, Europe
    URL: https://doh.defaultroutes.de/dns-query
    Bootstrap IP address: 5.45.107.88
    Port: 443
    TLSv1.3, ALPN h2, SNI yes
    —–> rx 60 bytes: IP + TCP + TLS + H2-WINDOW-UPDATE
    —–> rx 175 bytes: IP + TCP + TLS + H2-HEADERS
    —–> rx 207 bytes: IP + TCP + TLS + H2-DATA (end stream)
    Header uncompressed | compressed | ratio: 410 | 78 | 5.26:1

    DoH/Do53 2.86, keepalive 250 to 290 seconds , server DNS-over-HTTPS/1.3.11

  40. pi-dns
    Tags: geocast, EastAmerica, WestAmerica, AsiaPacific, Europe
    URL: https://doh.pi-dns.com/dns-query
    Bootstrap IP address: 104.27.162.107, 104.27.163.107, 172.67.199.230
    Port: 443
    TLSv1.3, ALPN h2, SNI yes
    —–> rx 481 bytes: IP + TCP + TLS + H2-HEADERS + H2-DATA
    —–> rx 55 bytes: IP + TCP + TLS + H2-DATA (end stream)
    Header uncompressed | compressed | ratio: 1071 | 126 | 8.50:1

    DoH/Do53 2.86, keepalive 350 to 390 seconds , server cloudflare

  41. opendns (commercial)
    URL: https://doh.opendns.com/dns-query
    Bootstrap IP address: 146.112.41.2
    Port: 443
    TLSv1.2, ALPN h2, SNI no
    —–> rx 60 bytes: IP + TCP + TLS + H2-WINDOW-UPDATE
    —–> rx 247 bytes: IP + TCP + TLS + H2-HEADERS + H2-DATA (end stream)
    Header uncompressed | compressed | ratio: 147 | 73 | 2.01:1

    DoH/Do53 2.92, keepalive 140 to 170 seconds , server nginx

  42. google (commercial)
    URL: https://dns.google/dns-query
    Bootstrap IP address: 8.8.4.4, 8.8.8.8
    Port: 443
    TLSv1.3, ALPN h2, SNI no
    —–> rx 65 bytes: IP + TCP + TLS + H2-PING
    <—– tx 65 bytes: IP + TCP + TLS + H2-PING (end stream)
    —–> rx 118 bytes: IP + TCP + TLS + H2-HEADERS
    —–> rx 148 bytes: IP + TCP + TLS + H2-DATA
    —–> rx 55 bytes: IP + TCP + TLS + H2-DATA (end stream)
    Header uncompressed | compressed | ratio: 534 | 50 | 10.68:1

    DoH/Do53 2.99, keepalive 190 to 230 seconds , server HTTP

  43. wil.cloud
    Tags: Czechia, Europe, OpenNIC
    URL: https://dns-2.wil.cloud/dns-query
    Bootstrap IP address: 51.254.25.115
    Port: 443
    TLSv1.3, ALPN h2, SNI no
    —–> rx 60 bytes: IP + TCP + TLS + H2-WINDOW-UPDATE
    —–> rx 955 bytes: IP + TCP + TLS + H2-HEADERS + H2-DATA (end stream)
    Header uncompressed | compressed | ratio: 636 | 444 | 1.43:1

    DoH/Do53 3.12, keepalive 140 to 170 seconds , server nginx/1.18.0

  44. aaflalo
    Tags: NY, EastAmerica, adblocker
    URL: https://dns-nyc.aaflalo.me/dns-query
    Bootstrap IP address: 168.235.81.167
    Port: 443
    TLSv1.3, ALPN h2, SNI no
    —–> rx 60 bytes: IP + TCP + TLS + H2-WINDOW-UPDATE
    —–> rx 347 bytes: IP + TCP + TLS + H2-HEADERS + H2-DATA (end stream)
    Header uncompressed | compressed | ratio: 531 | 145 | 3.66:1

    DoH/Do53 3.13, keepalive 80 to 110 seconds , server nginx/1.18.0

  45. cznic
    Tags: Czechia, Europe
    URL: https://odvr.nic.cz/doh
    Bootstrap IP address: 185.43.135.1
    Port: 443
    TLSv1.2, ALPN h2, SNI no
    —–> rx 60 bytes: IP + TCP + TLS + H2-WINDOW-UPDATE
    —–> rx 60 bytes: IP + TCP + TLS + H2-WINDOW-UPDATE
    —–> rx 61 bytes: IP + TCP + TLS + H2-HEADERS
    —–> rx 148 bytes: IP + TCP + TLS + H2-DATA (end stream)
    Header uncompressed | compressed | ratio: 130 | 7 | 18.57:1

    DoH/Do53 3.23, keepalive 7 seconds

  46. cleanbrowsing
    Tags: anycast, security, EastAmerica, WestAmerica, AsiaPacific, Europe
    URL: https://doh.cleanbrowsing.org/doh/security-filter
    Bootstrap IP address: 185.228.168.168
    Port: 443
    TLSv1.2, ALPN h2, SNI no
    —–> rx 60 bytes: IP + TCP + TLS + H2-WINDOW-UPDATE
    —–> rx 286 bytes: IP + TCP + TLS + H2-HEADERS + H2-DATA (end stream)
    Header uncompressed | compressed | ratio: 190 | 106 | 1.79:1

    DoH/Do53 3.30, keepalive 140 to 170 seconds , server nginx

  47. ibksturm
    Tags: Switzerland, Europe, OpenNIC
    URL: https://ibksturm.synology.me/dns-query
    Bootstrap IP address: 85.5.93.230
    Port: 443
    TLSv1.3, ALPN h2, SNI no
    —–> rx 60 bytes: IP + TCP + TLS + H2-WINDOW-UPDATE
    —–> rx 372 bytes: IP + TCP + TLS + H2-HEADERS + H2-DATA
    —–> rx 55 bytes: IP + TCP + TLS + H2-DATA (end stream)
    Header uncompressed | compressed | ratio: 285 | 178 | 1.60:1

    DoH/Do53 3.66, keepalive 550 to 590 seconds , server nginx/1.18.0

  48. seby
    Tags: Australia, AsiaPacific, OpenNIC
    URL: https://dns.seby.io/dns-query
    Bootstrap IP address: 45.76.113.31
    Port: 8443
    TLSv1.3, ALPN h2, SNI no
    —–> rx 76 bytes: IP + TCP + TLS + H2-WINDOW-UPDATE + H2-WINDOW-UPDATE
    —–> rx 593 bytes: IP + TCP + TLS + H2-HEADERS + H2-DATA + H2-DATA (end stream)
    Header uncompressed | compressed | ratio: 444 | 304 | 1.46:1

    DoH/Do53 3.68, keepalive 20 to 25 seconds

  49. iij (commercial)
    URL: https://public.dns.iij.jp/dns-query
    Bootstrap IP address: 103.2.57.6, 103.2.57.5
    Port: 443
    TLSv1.3, ALPN h2, SNI no
    -----> rx 60 bytes: IP + TCP + TLS + H2-WINDOW-UPDATE
    -----> rx 483 bytes: IP + TCP + TLS + H2-HEADERS + H2-DATA (end stream)
    Header uncompressed | compressed | ratio: 359 | 232 | 1.55:1

    DoH/Do53 3.80, keepalive 140 to 170 seconds, server nginx

  50. digital-society
    Tags: non-profit, Switzerland, Europe
    URL: https://dns.digitale-gesellschaft.ch/dns-query
    Bootstrap IP address: 185.95.218.42
    Port: 443
    TLSv1.3, ALPN h2, SNI no
    -----> rx 60 bytes: IP + TCP + TLS + H2-WINDOW-UPDATE
    -----> rx 594 bytes: IP + TCP + TLS + H2-HEADERS + H2-DATA
    -----> rx 55 bytes: IP + TCP + TLS + H2-DATA (end stream)
    Header uncompressed | compressed | ratio: 464 | 314 | 1.48:1

    DoH/Do53 3.90, keepalive 140 to 170 seconds, server nginx/1.14.0

  51. libredns
    Tags: Germany, Europe, OpenNIC
    URL: https://doh.libredns.gr/dns-query
    Bootstrap IP address: 116.202.176.26
    Port: 443
    TLSv1.3, ALPN h2, SNI no
    -----> rx 60 bytes: IP + TCP + TLS + H2-WINDOW-UPDATE
    -----> rx 363 bytes: IP + TCP + TLS + H2-HEADERS + H2-DATA (end stream)
    Header uncompressed | compressed | ratio: 272 | 170 | 1.60:1

    DoH/Do53 4.03, keepalive 140 to 170 seconds, server nginx/1.14.0

  52. twnic
    Tags: Taiwan, AsiaPacific
    URL: https://dns.twnic.tw/dns-query
    Bootstrap IP address: 210.17.9.228
    Port: 443
    TLSv1.2, ALPN h2, SNI no
    -----> rx 60 bytes: IP + TCP + TLS + H2-WINDOW-UPDATE
    -----> rx 642 bytes: IP + TCP + TLS + H2-HEADERS + H2-DATA (end stream)
    Header uncompressed | compressed | ratio: 499 | 343 | 1.45:1

    DoH/Do53 4.25, keepalive 80 to 110 seconds, server nginx/1.12.2

  53. boothlabs
    Tags: Quebec, EastAmerica, OpenNIC
    URL: https://doh.boothlabs.me/dns-query
    Bootstrap IP address: 158.69.53.73
    Port: 443
    TLSv1.3, ALPN h2, SNI no
    -----> rx 76 bytes: IP + TCP + TLS + H2-WINDOW-UPDATE + H2-WINDOW-UPDATE
    -----> rx 759 bytes: IP + TCP + TLS + H2-HEADERS + H2-DATA + H2-DATA (end stream)
    Header uncompressed | compressed | ratio: 552 | 431 | 1.28:1

    DoH/Do53 4.33, keepalive 550 to 590 seconds, server DNS-over-HTTPS/2.1.2

  54. declouds
    Tags: adblocker, Germany, Europe
    URL: https://dns.decloudus.com/dns-query
    Bootstrap IP address: 176.9.199.158
    Port: 443
    TLSv1.3, ALPN h2, SNI no
    -----> rx 60 bytes: IP + TCP + TLS + H2-WINDOW-UPDATE
    -----> rx 448 bytes: IP + TCP + TLS + H2-HEADERS + H2-DATA (end stream)
    Header uncompressed | compressed | ratio: 342 | 230 | 1.49:1

    DoH/Do53 4.38, keepalive 140 to 170 seconds, server nginx

  55. alekberg-es
    Tags: Spain, Europe
    URL: https://dnses.alekberg.net/dns-query
    Bootstrap IP address: 185.253.154.66
    Port: 443
    TLSv1.3, ALPN h2, SNI no
    -----> rx 60 bytes: IP + TCP + TLS + H2-WINDOW-UPDATE
    -----> rx 630 bytes: IP + TCP + TLS + H2-HEADERS + H2-DATA (end stream)
    Header uncompressed | compressed | ratio: 500 | 344 | 1.45:1

    DoH/Do53 4.48, keepalive 140 to 170 seconds, server nginx/1.14.2

  56. oszx
    Tags: UK, Europe, adblocker
    URL: https://dns.oszx.co/dns-query
    Bootstrap IP address: 51.38.83.141
    Port: 443
    TLSv1.3, ALPN h2, SNI yes
    -----> rx 700 bytes: IP + TCP + TLS + H2-HEADERS + H2-DATA (end stream)
    Header uncompressed | compressed | ratio: 579 | 402 | 1.44:1

    DoH/Do53 4.55, keepalive 140 to 170 seconds, server nginx

  57. 42l
    Tags: non-profit, France, Europe
    URL: https://doh.42l.fr/dns-query
    Bootstrap IP address: 185.216.27.142
    Port: 443
    TLSv1.3, ALPN h2, SNI no
    -----> rx 60 bytes: IP + TCP + TLS + H2-WINDOW-UPDATE
    -----> rx 749 bytes: IP + TCP + TLS + H2-HEADERS + H2-DATA
    -----> rx 55 bytes: IP + TCP + TLS + H2-DATA (end stream)
    Header uncompressed | compressed | ratio: 640 | 437 | 1.46:1

    DoH/Do53 4.60, keepalive 140 to 170 seconds, server nginx

  58. lelux
    Tags: Netherlands, Europe
    URL: https://resolver-eu.lelux.fi/dns-query
    Bootstrap IP address: 51.158.147.50
    Port: 443
    TLSv1.3, ALPN h2, SNI no
    -----> rx 76 bytes: IP + TCP + TLS + H2-WINDOW-UPDATE + H2-WINDOW-UPDATE
    -----> rx 730 bytes: IP + TCP + TLS + H2-HEADERS + H2-DATA + H2-DATA (end stream)
    Header uncompressed | compressed | ratio: 565 | 447 | 1.26:1

    DoH/Do53 4.60, keepalive 30 to 50 seconds, server nginx

  59. blahdns-fi
    Tags: Finland, Europe, adblocker
    URL: https://doh-fi.blahdns.com/dns-query
    Bootstrap IP address: 95.216.212.177
    Port: 443
    TLSv1.3, ALPN h2, SNI yes
    -----> rx 76 bytes: IP + TCP + TLS + H2-WINDOW-UPDATE + H2-WINDOW-UPDATE
    -----> rx 767 bytes: IP + TCP + TLS + H2-HEADERS + H2-DATA + H2-DATA (end stream)
    Header uncompressed | compressed | ratio: 589 | 449 | 1.31:1

    DoH/Do53 4.63, keepalive 30 to 50 seconds

  60. alekberg-se
    Tags: Sweden, Europe
    URL: https://dnsse.alekberg.net/dns-query
    Bootstrap IP address: 45.153.187.96
    Port: 443
    TLSv1.3, ALPN h2, SNI no
    -----> rx 60 bytes: IP + TCP + TLS + H2-WINDOW-UPDATE
    -----> rx 502 bytes: IP + TCP + TLS + H2-HEADERS + H2-DATA
    -----> rx 55 bytes: IP + TCP + TLS + H2-DATA (end stream)
    Header uncompressed | compressed | ratio: 413 | 286 | 1.44:1

    DoH/Do53 4.65, keepalive 20 to 25 seconds, server nginx/1.19.1

  61. hostux
    Tags: Luxembourg, Europe
    URL: https://dns.hostux.net/dns-query
    Bootstrap IP address: 185.26.126.37
    Port: 443
    TLSv1.3, ALPN h2, SNI no
    -----> rx 60 bytes: IP + TCP + TLS + H2-WINDOW-UPDATE
    -----> rx 669 bytes: IP + TCP + TLS + H2-HEADERS + H2-DATA (end stream)
    Header uncompressed | compressed | ratio: 545 | 376 | 1.45:1

    DoH/Do53 4.73, keepalive 140 to 170 seconds, server nginx/1.14.2

  62. fossdaily
    Tags: Australia, AsiaPacific, adblocker
    URL: https://dns.fossdaily.xyz/dns-query
    Bootstrap IP address: 172.105.171.229
    Port: 443
    TLSv1.3, ALPN h2, SNI no
    -----> rx 60 bytes: IP + TCP + TLS + H2-WINDOW-UPDATE
    -----> rx 756 bytes: IP + TCP + TLS + H2-HEADERS + H2-DATA (end stream)
    Header uncompressed | compressed | ratio: 623 | 438 | 1.42:1

    DoH/Do53 4.95, keepalive 140 to 170 seconds, server nginx

  63. tin-fan
    Tags: Germany, Europe, OpenNIC
    URL: https://ns01.dns.tin-fan.com/dns-query
    Bootstrap IP address: 95.217.16.205
    Port: 443
    TLSv1.3, ALPN h2, SNI no
    -----> rx 60 bytes: IP + TCP + TLS + H2-WINDOW-UPDATE
    -----> rx 777 bytes: IP + TCP + TLS + H2-HEADERS + H2-DATA (end stream)
    Header uncompressed | compressed | ratio: 649 | 455 | 1.43:1

    DoH/Do53 5.08, keepalive 140 to 170 seconds, server nginx/1.14.2

  64. containerpi
    Tags: Japan, AsiaPacific
    URL: https://dns.containerpi.com/dns-query
    Bootstrap IP address: 45.77.180.10
    Port: 443
    TLSv1.3, ALPN h2, SNI no
    -----> rx 60 bytes: IP + TCP + TLS + H2-WINDOW-UPDATE
    -----> rx 743 bytes: IP + TCP + TLS + H2-HEADERS + H2-DATA (end stream)
    Header uncompressed | compressed | ratio: 622 | 437 | 1.42:1

    DoH/Do53 5.09, keepalive 140 to 170 seconds, server nginx

  65. pi-dns-eastus
    Tags: NY, EastAmerica, adblocker
    URL: https://doh.eastus.pi-dns.com/dns-query
    Bootstrap IP address: 185.213.26.187
    Port: 443
    TLSv1.3, ALPN h2, SNI no
    -----> rx 60 bytes: IP + TCP + TLS + H2-WINDOW-UPDATE
    -----> rx 742 bytes: IP + TCP + TLS + H2-HEADERS + H2-DATA (end stream)
    Header uncompressed | compressed | ratio: 623 | 437 | 1.43:1

    DoH/Do53 5.21, keepalive 140 to 170 seconds, server nginx

  66. snopyta
    Tags: non-profit, Finland, Europe
    URL: https://fi.doh.dns.snopyta.org/dns-query
    Bootstrap IP address: 95.216.229.153
    Port: 443
    TLSv1.3, ALPN h2, SNI yes
    -----> rx 60 bytes: IP + TCP + TLS + H2-WINDOW-UPDATE
    -----> rx 750 bytes: IP + TCP + TLS + H2-HEADERS + H2-DATA (end stream)
    Header uncompressed | compressed | ratio: 635 | 444 | 1.43:1

    DoH/Do53 5.26, keepalive 140 to 170 seconds, server nginx

  67. flatuslifir
    Tags: Iceland, Europe
    URL: https://dns.flatuslifir.is/dns-query
    Bootstrap IP address: 46.239.223.80
    Port: 443
    TLSv1.3, ALPN h2, SNI no
    -----> rx 60 bytes: IP + TCP + TLS + H2-WINDOW-UPDATE
    -----> rx 762 bytes: IP + TCP + TLS + H2-HEADERS + H2-DATA (end stream)
    Header uncompressed | compressed | ratio: 645 | 454 | 1.42:1

    DoH/Do53 5.34, keepalive 140 to 170 seconds, server nginx

  68. li
    Tags: UK, Europe
    URL: https://doh.li/dns-query
    Bootstrap IP address: 46.101.66.244
    Port: 443
    TLSv1.2, ALPN not negotiated – assuming http/1.1, SNI no
    -----> rx 916 bytes: IP + TCP + TLS + HTTP/1.1
    Header size: 589 bytes

    DoH/Do53 5.55, keepalive 30 to 50 seconds

  69. eth-services
    Tags: Germany, Europe, OpenNIC
    URL: https://opennic1.eth-services.de:853/
    Bootstrap IP address: 94.247.43.254
    Port: 853
    TLSv1.3, ALPN not negotiated – assuming http/1.1
    -----> rx 948 bytes: IP + TCP + TLS + HTTP/1.1
    Header size: 616 bytes

    DoH/Do53 5.75, keepalive 30 to 50 seconds

  70. nixnet-ny
    Tags: NY, EastAmerica
    URL: https://uncensored.ny1.dns.nixnet.xyz/dns-query
    Bootstrap IP address: 199.195.251.84
    Port: 443
    TLSv1.3, ALPN not negotiated – assuming http/1.1
    -----> rx 901 bytes: IP + TCP + TLS + HTTP/1.1
    Header size: 588 bytes

    DoH/Do53 5.85, keepalive 30 to 50 seconds

  71. dnsforge
    Tags: Germany, Europe, adblocker
    URL: https://dnsforge.de/dns-query
    Bootstrap IP address: 176.9.93.198
    Port: 443
    TLSv1.3, ALPN h2, SNI no
    -----> rx 60 bytes: IP + TCP + TLS + H2-WINDOW-UPDATE
    -----> rx 713 bytes: IP + TCP + TLS + H2-HEADERS + H2-DATA
    -----> rx 55 bytes: IP + TCP + TLS + H2-DATA (end stream)
    Header uncompressed | compressed | ratio: 656 | 462 | 1.42:1

    DoH/Do53 6.23, keepalive 140 to 170 seconds, server nginx

last update Oct 17, 2020

Here’s the deal:

  • Anybody cleaning up the header moves above Cloudflare.
  • If nginx brings in a fix for header compression, everybody moves above Google. Now, that would be hilarious!

But the biggest problem is the inactivity timer. If you can, increase it beyond the 60-second Firefox keepalive, so the browser's idle connection is not torn down by the server first. This could mean more RAM on your server – about 200KB for each open SSL connection.
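To pull these two conclusions out of the listing above mechanically, here is an added Python example (not part of the post or of the fdns tool) that parses the per-server report format, sums the bytes received for one query, and flags servers whose idle timer expires before Firefox's 60-second keepalive. The sample text is constructed from three entries above, so the numbers are the page's own.

```python
import re
FIREFOX_KEEPALIVE_S = 60   # the client idle timer the post compares servers against

# Constructed sample: three entries copied into the listing's own format.
SAMPLE = """\
  46. cleanbrowsing
    -----> rx 60 bytes: IP + TCP + TLS + H2-WINDOW-UPDATE
    -----> rx 286 bytes: IP + TCP + TLS + H2-HEADERS + H2-DATA (end stream)
    Header uncompressed | compressed | ratio: 190 | 106 | 1.79:1
    DoH/Do53 3.30, keepalive 140 to 170 seconds, server nginx
  48. seby
    -----> rx 76 bytes: IP + TCP + TLS + H2-WINDOW-UPDATE + H2-WINDOW-UPDATE
    -----> rx 593 bytes: IP + TCP + TLS + H2-HEADERS + H2-DATA + H2-DATA (end stream)
    Header uncompressed | compressed | ratio: 444 | 304 | 1.46:1
    DoH/Do53 3.68, keepalive 20 to 25 seconds
  68. li
    -----> rx 916 bytes: IP + TCP + TLS + HTTP/1.1
    Header size: 589 bytes
    DoH/Do53 5.55, keepalive 30 to 50 seconds
"""

def parse_report(text):
    """One dict per server: name, rx_bytes, hdr_raw, hdr_wire, ratio, keepalive, server."""
    entries = []
    for line in text.splitlines():
        s = line.strip()
        if m := re.match(r"\d+\.\s+(\S+)", s):        # "46. cleanbrowsing"
            entries.append({"name": m.group(1), "rx_bytes": 0, "server": ""})
            continue
        e = entries[-1]
        if m := re.match(r"-+> rx (\d+) bytes", s):   # every packet of one reply
            e["rx_bytes"] += int(m.group(1))
        elif m := re.match(r"Header uncompressed.*?:\s*(\d+) \| (\d+)", s):
            e["hdr_raw"], e["hdr_wire"] = int(m.group(1)), int(m.group(2))  # HPACK
        elif m := re.match(r"Header size: (\d+)", s):  # HTTP/1.1: nothing compressed
            e["hdr_raw"] = e["hdr_wire"] = int(m.group(1))
        elif m := re.match(r"DoH/Do53 ([\d.]+), keepalive (\d+)(?: to (\d+))?", s):
            e["ratio"] = float(m.group(1))
            lo = int(m.group(2))
            e["keepalive"] = (lo, int(m.group(3) or lo))  # (low, high) idle seconds
            if sm := re.search(r"server (\S+)", s):
                e["server"] = sm.group(1)
    return entries

def findings(entries):
    """Per server: idle timer vs Firefox, header share of the reply, HPACK gain."""
    return {e["name"]: {
        "closes_before_firefox": e["keepalive"][1] < FIREFOX_KEEPALIVE_S,
        "header_share": round(e["hdr_wire"] / e["rx_bytes"], 2),
        "hpack_ratio": round(e["hdr_raw"] / e["hdr_wire"], 2),
    } for e in entries}
```

Run it over the full listing and the two lists fall out directly: servers to talk to about their idle timer, and servers where more than half the reply is header.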

Epilog

I hope what I wrote here makes sense; sorry for the overly technical presentation. My intention was to highlight some of the current implementation problems, and how they affect users and server administrators. DoH is an emerging technology; it will take some time to settle down.

Drop us a line on GitHub if you need help using this tool. If you are more interested in a full Linux workstation DoH/DoT proxy, type sudo fdns --daemonize in a terminal and send your DNS traffic to the loopback address 127.1.1.1. Testing completed!
