Wikimedia's Public DNS Resolver

Having another public DNS resolver is a positive development. The more options we have, the less we rely on a few providers. This particular resolver, managed by the Wikimedia Foundation, adds to the diversity and resilience of the DNS ecosystem.

It's frustrating when people always suggest using 8.8.8.8 (Google) or other US-based resolvers like 1.1.1.1 or 9.9.9.9 (Quad9) whenever there's a DNS issue. While these resolvers are popular, sending all your DNS queries to the US raises privacy concerns. More importantly, relying on a few major players makes us vulnerable to policy changes, price hikes, or even censorship. To avoid these risks, we need a variety of DNS resolvers, which is why the launch of "Wikimedia DNS" is a welcome addition.

Wikimedia DNS comes with clear and detailed documentation, which we recommend checking out. Although the resolver is labeled as experimental and without guarantees, this is common across many DNS services if you read their terms of use. Another benefit of this resolver is its commitment to transparency and user privacy. Managed by a non-profit organization, Wikimedia DNS is more likely to prioritize user interests over commercial gain, which is a significant advantage compared to others.

Wikimedia DNS is accessible only via DoT (DNS over TLS) and DoH (DNS over HTTPS). This is a smart move, especially for a service aimed at bypassing censorship, as these protocols encrypt DNS queries and responses, making them harder to tamper with. If you try to use traditional plaintext UDP, you'll receive no response:

$ dig @185.71.138.138 ipregistry.co
;; communications error to 185.71.138.138#53: timed out
;; communications error to 185.71.138.138#53: timed out
;; communications error to 185.71.138.138#53: timed out

However, when using DoT, the server responds as expected:

$ dig +tls @185.71.138.138 ipregistry.co

; <<>> DiG 9.18.28 <<>> +tls @185.71.138.138 ipregistry.co
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25241
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;ipregistry.co.			IN	A

;; ANSWER SECTION:
ipregistry.co.		300	IN	A	104.18.27.170
ipregistry.co.		300	IN	A	104.18.26.170

You can use Wikimedia DNS directly from systems that support DoT, like Android, or indirectly through a local resolver like Unbound, which can forward queries to Wikimedia DNS. Here's an example Unbound configuration:

forward-zone:
  name: "."

  # Wikimedia DNS. The name after "#" is checked against the server's
  # certificate (issued by Let's Encrypt), so on Debian/Ubuntu include
  # "tls-system-cert: yes" in the "server:" block so the system CA store is used.
  forward-addr: 185.71.138.138#wikimedia-dns.org
  forward-tls-upstream: yes

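Wikimedia DNS also supports DNSSEC, ensuring the authenticity of the DNS responses. This level of security is essential for preventing attacks that could redirect you to malicious sites. In the output below, the "ad" flag shows that the resolver reports the answer as validated, and +dnssec makes it return the RRSIG signature record as well: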

$ dig +tls +dnssec @185.71.138.138 ipregistry.co

; <<>> DiG 9.18.28 <<>> +tls +dnssec @185.71.138.138 ipregistry.co
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37624
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;ipregistry.co.			IN	A

;; ANSWER SECTION:
ipregistry.co.		300	IN	A	104.18.27.170
ipregistry.co.		300	IN	A	104.18.26.170
ipregistry.co.		300	IN	RRSIG	A 13 2 300 20240810225408 20240808205408 34505 ipregistry.co. wPLTb7WChrbzpJC4SfBYPRva/pDqsru1GupdeWO96HMAsS9PC9BOe6DJ seCXr8hMpay4ARO5CQm9RoaJbhOuuA==
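
What dig +tls +dnssec and Unbound's "forward-addr: ...#wikimedia-dns.org" do on the wire, as an added Python example (not from the original article or from Wikimedia): it builds a query with the EDNS DO bit, sends it over TLS on port 853 while checking the certificate against the given name, and reads the AD flag from the reply. The function names and the constructed SAMPLE_HEADER are this example's own; port 853 is the standard DoT port.

```python
import secrets, socket, ssl, struct

def build_query(qname, qid=None, dnssec_ok=True):
    """Wire-format A query with an EDNS0 OPT record; the DO bit is what dig +dnssec sets."""
    qid = secrets.randbelow(1 << 16) if qid is None else qid
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)    # RD=1, one question, one additional
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)      # QTYPE=A, QCLASS=IN
    opt_ttl = 0x8000 if dnssec_ok else 0                        # DO flag lives in the OPT "TTL" field
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, opt_ttl, 0)  # root name, TYPE=OPT, UDP size, flags, no RDATA
    return header + question + opt

def frame(msg):
    """DoT (RFC 7858) uses DNS-over-TCP framing: a 2-byte length prefix."""
    return struct.pack("!H", len(msg)) + msg

def parse_header(msg):
    """Decode the 12-byte DNS header; 'ad' is the resolver's claim that it validated the answer."""
    qid, flags, _qd, answers, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "rcode": flags & 0xF, "ra": bool(flags & 0x80),
            "ad": bool(flags & 0x20), "answers": answers}

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf

def query_dot(server_ip, auth_name, qname, timeout=5.0):
    """Strict DoT: connect by IP, but verify the certificate against auth_name."""
    ctx = ssl.create_default_context()           # system CA store, hostname check enabled
    query = build_query(qname)
    with socket.create_connection((server_ip, 853), timeout=timeout) as raw, \
            ctx.wrap_socket(raw, server_hostname=auth_name) as tls:
        tls.sendall(frame(query))
        (length,) = struct.unpack("!H", _recv_exact(tls, 2))
        reply = parse_header(_recv_exact(tls, length))
    if reply["id"] != int.from_bytes(query[:2], "big"):
        raise ValueError("response ID does not match query")
    return reply

# Constructed sample: a header carrying the flags dig printed above (qr rd ra ad), 3 answers.
SAMPLE_HEADER = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 3, 0, 1)

if __name__ == "__main__":
    print(parse_header(SAMPLE_HEADER))
    print(query_dot("185.71.138.138", "wikimedia-dns.org", "ipregistry.co"))
```

If the certificate does not match the name passed as auth_name, wrap_socket raises ssl.SSLCertVerificationError before any query is sent.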

Finally, it's worth noting that Wikimedia DNS is anycast from multiple global locations. This setup ensures low latency and high availability, no matter where you are. For example, whether you're in Europe or the Americas, you'll get short round-trip times, which wouldn't be possible if there were only one physical server. This makes Wikimedia DNS a reliable and robust choice for users worldwide.
