dns.sorcerousmachine.com
OpenNIC Tier-2 DNS resolver, operated by Sorcerous Machine, LLC., from the US.
Endpoints
This resolver speaks four DNS transports and validates DNSSEC against both the IANA root and the OpenNIC root.
| Protocol | Endpoint | Notes |
|---|---|---|
| Do53 | 15.204.135.28:53 / [2604:2dc0:100:4c8::d]:53 | Plain DNS over UDP and TCP. Use only on trusted networks. |
| DoT | dns.sorcerousmachine.com:853 | DNS over TLS (RFC 7858). Encrypted; recommended. |
| DoH | https://dns.sorcerousmachine.com/dns-query | DNS over HTTPS (RFC 8484). Encrypted; works through restrictive firewalls. |
| DNSCrypt | 15.204.135.28:8443 / [2604:2dc0:100:4c8::d]:8443 | DNSCrypt v2 over UDP and TCP. See server stamps below. |
DNSCrypt server stamps
Provider name: 2.dnscrypt-cert.dns.sorcerousmachine.com
DoH server stamp
sdns://AgcAAAAAAAAAAAAYZG5zLnNvcmNlcm91c21hY2hpbmUuY29tCi9kbnMtcXVlcnkA
Operating posture
- No logs. Query content, source addresses, and answers are never written to disk. Operational events (startup/shutdown, certificate renewal, package updates) go to syslog only and contain no client data.
- No filtering. Queries return whatever the authoritative servers hand us. No NXDOMAIN substitution, ad blocking, or content policy is applied.
- No upstream forwarding. Recursion is local. We slave OpenNIC zones from official Tier-1 nameservers and recurse for ICANN names directly.
- DNSSEC validation. Both IANA and OpenNIC trust anchors are configured. Validation failures result in SERVFAIL, not silent acceptance.
- Per-IP rate limiting. 50 queries per second, averaged, per source address. Enforced at the dnsdist layer.
- No ANY queries. ANY requests are refused (RCODE 5) per RFC 8482 guidance, since they enable cheap reflection attacks.
About
This resolver is part of OpenNIC, a community-run alternative DNS root. OpenNIC operates its own top-level domains (.dyn, .libre, .geek, etc.) while continuing to resolve names under the IANA / ICANN root. Tier-2 resolvers like this one minimize load on OpenNIC's small infrastructure by pulling zone data via AXFR from Tier-1 nameservers.
To explore OpenNIC TLDs from a system pointed at this resolver, try dig grep.geek, dig opennic.glue, or dig sourceforge.libre.
Contact
- Abuse: abuse@sorcerousmachine.com
- Security disclosure: security@sorcerousmachine.com
- Operator: https://sorcerousmachine.com