Wikimedia DNS/Instructions

From Meta, a Wikimedia project coordination wiki

The instructions for configuring Wikimedia DNS depend on the protocol being used (DoH vs DoT), and therefore on whether you want to use encrypted DNS from a browser or from an operating system. The instructions below try to cover the major browsers and operating systems. Note that the basic settings (hostname and IP) remain the same irrespective of the type of client or software used.

Configuring Wikimedia DNS

The basic settings that have to be configured in any client for it to reach Wikimedia DNS (you only need one of the configuration options below):

IPv4: 185.71.138.138

IPv6: 2001:67c:930::1

DNS over HTTPS: https://wikimedia-dns.org/dns-query

DNS over TLS: wikimedia-dns.org

Note that unencrypted DNS over port 53 (UDP or TCP) is not supported by Wikimedia DNS. If you configure your client to use Wikimedia DNS over port 53, DNS resolutions will fail.

DNS over HTTPS (DoH)

Mozilla Firefox

Before Firefox 114

  1. Go to Tools > Settings, or type about:preferences in the address bar and press Enter.
  2. Make sure the General tab is selected on the right, then type Network Settings in Find in Settings (on the right), or simply scroll to the bottom of the page. Click on the Settings button next to it.
  3. Under Enable DNS over HTTPS, make sure it is selected and enter as the provider:

    https://wikimedia-dns.org/dns-query

Firefox 114+

  1. In the menu click on Settings, or type about:preferences in the address bar and press Enter.
  2. Make sure the Privacy & Security tab is selected on the left, then type DNS over HTTPS in Find in Settings (on the right), or simply scroll to the DNS over HTTPS section at the bottom of the page.
  3. Select Increased Protection or Max Protection, and enter this custom provider:

    https://wikimedia-dns.org/dns-query

Note that Firefox supports different levels of protection under the DoH service; you can find the documentation for that on the official Firefox website. We recommend setting Max Protection here so that your DNS queries always go over Wikimedia DNS and not your local DNS resolver.

Google Chrome

  1. Open the Security settings: go to Settings, type Security in the search bar and select the Security option (with the shield icon), or enter chrome://settings/security in the address bar.
  2. Scroll down to Advanced > Use secure DNS > With Custom, and enter:

    https://wikimedia-dns.org/dns-query

DNS over TLS (DoT)

Android

The instructions below have been copied from https://developers.google.com/speed/public-dns/docs/using#android.

On Android 9 or later:

  1. Go to Settings > Network and Internet > Advanced > Private DNS. The actual names of the settings can vary slightly based on Android version and vendor customizations.
  2. Select Private DNS provider hostname.
  3. Enter wikimedia-dns.org (don't add https!) as the hostname of the DNS provider.
  4. Press Save.

Unbound

In your unbound.conf, add a forward zone to forward all traffic over TLS:

forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 185.71.138.138#wikimedia-dns.org

Additionally, you may need to set the tls-cert-bundle in the server section; on Debian:

server:
  tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt

systemd-resolved

In your /etc/systemd/resolved.conf:

[Resolve]
DNS=185.71.138.138#wikimedia-dns.org
DNSOverTLS=yes

And then run systemctl restart systemd-resolved. You can verify this has taken effect by running the following:

$ resolvectl dns
Global: 185.71.138.138#wikimedia-dns.org
...

Then make your system use systemd-resolved to resolve names:

sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
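
A way to check a resolved.conf against the settings above before restarting the service. This is an added example, not part of the original instructions or of systemd: check_resolved_conf is a hypothetical helper, the sample file is constructed, and it assumes the plain address#name form shown above (no port or interface suffix).

```shell
#!/bin/sh
# check_resolved_conf FILE: hypothetical helper (not a systemd tool) that
# checks the [Resolve] section against the settings shown on this page.
# Prints findings, returns 0 only when every check passes.
check_resolved_conf() {
    awk '
    /^[ \t]*[#;]/ { next }                       # comment lines
    /^[ \t]*\[/   { in_resolve = ($0 ~ /^[ \t]*\[Resolve\][ \t]*$/); next }
    !in_resolve || index($0, "=") == 0 { next }
    {
        eq  = index($0, "=")
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
    }
    key == "DNS" {
        if (val == "") { n = 0; next }           # empty value resets the list
        m = split(val, part)                     # whitespace-separated servers
        for (i = 1; i <= m; i++) server[++n] = part[i]
    }
    key == "DNSOverTLS" { dot = tolower(val) }
    END {
        bad = 0
        if (n == 0) { print "FAIL: no DNS= server set in [Resolve]"; bad = 1 }
        for (i = 1; i <= n; i++) {
            h = index(server[i], "#")
            addr = h ? substr(server[i], 1, h - 1) : server[i]
            name = h ? substr(server[i], h + 1) : ""
            if (addr != "185.71.138.138" && addr != "2001:67c:930::1") {
                print "FAIL: " addr " is not a Wikimedia DNS address"; bad = 1
            }
            if (name != "wikimedia-dns.org") {
                print "FAIL: " server[i] " lacks the #wikimedia-dns.org server name"; bad = 1
            }
        }
        # DNSOverTLS takes a boolean or "opportunistic"; only a true boolean
        # is accepted here, matching DNSOverTLS=yes above.
        if (dot !~ /^(yes|true|on|1)$/) {
            print "FAIL: DNSOverTLS=" (dot == "" ? "(unset)" : dot) " is not yes"; bad = 1
        }
        if (!bad) print "OK"
        exit bad
    }' "$1"
}

# Constructed sample: a resolved.conf with two mistakes, for demonstration.
sample=$(mktemp)
printf '[Resolve]\nDNS=185.71.138.138\nDNSOverTLS=opportunistic\n' > "$sample"
check_resolved_conf "$sample" || true
rm -f "$sample"
```

Because Wikimedia DNS does not answer on port 53, a setting that permits fallback to unencrypted DNS leads to failed lookups, which is why anything other than a true boolean is flagged.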

Confirm if you are using Wikimedia DNS

Once you have configured Wikimedia DNS for DoH or DoT, visit the following URL in your browser:

https://check.wikimedia-dns.org

to confirm that you have correctly configured your stub resolver or browser to use Wikimedia DNS for your DNS lookups.

To perform this check from the command line instead:

curl https://check-${RANDOM}.check.wikimedia-dns.org/check