The following is our Recursive operator Privacy Statement in line with BCP232 (RFC8932) for the operation of the dnsovertls* privacy resolvers.


  1. Treatment of IP addresses. We treat IP addresses as personal data.
  2. Data collection and sharing.
    1. IP addresses. Our normal operations does not have any IP address information or other personal data logged to disk or transmitted out of the location in which the query was received. We may aggregate certain counters to larger network block levels for statistical collection purposes, but those counters do not maintain specific IP address data, nor is the format or model of data stored capable of being reverse-engineered to ascertain what specific IP addresses made what queries.
    2. Data collected in logs. We keep no logs of traffic received.
    3. Sharing of data. We share no data with any other parties.
  3. Exceptions. There are exceptions to this storage model: In the event of actions or observed behaviors that we deem malicious or anomalous, we may utilize more detailed logging to collect more specific IP address data in the process of normal network defense and mitigation. This collection will be onsite to the affected nameserver and will be limited to IP addresses that we determine are involved in the event.
  4. Associated entities. The servers are kindly hosted by Surfnet, but they are not involved in any way in the running of the nameservers. The Open Technology Fund provided initial funding to set up and maintain the servers during 2018.
  5. Correlation of Data. We run no other services that could provide data for correlation.
  6. Result filtering. We do not filter DNS responses.


  1. Deviations from Policy. None currently in place.
  2. Client-facing capabilities.
    1. We offer DNS over TLS as specified in RFC 7858. It is available on port 853 on all servers with the following attributes:
        1. SPKI pin: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=
        2. DoT also available on port 443
        3. DNSSEC, EDNS0 Keepalive, EDNS0 Padding, out-of-order responses.
        1. SPKI pin: cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA=
        2. DoT also available on port 443
        3. DNSSEC, EDNS0 Keepalive, EDNS0 Padding
        1. SPKI pin: NAXBESvpjZMnPWQcrxa2KFIkHV/pDEIjRkA3hLWogSg=
        2. DNSSEC, EDNS0 Padding
        1. SPKI pin: 5SpFz7JEPzF71hditH1v2dBhSErPUMcLPJx1uk2svT8=
        2. DNSSEC, EDNS0 Keepalive, EDNS0 Padding, TLS 1.3
  3. Upstream capabilities.
    1. Our servers implement QNAME minimization.
    2. Our servers do not send ECS upstream.
  4. Support. Support contact for this service is available at
  5. Data Processing. We operate as the legal entity Sinodun Internet Technologies Ltd registered in the United Kingdom; as such, we operate under UK law. We perform no data processing since we do not retain any logs.