146 comments

[ 5.7 ms ] story [ 260 ms ] thread
Nice try NSA
From T&C:

> Freenom is a registered trademark of OpenTLD B.V. [...] a Netherlands company.

OK, I'll bite... Who owns OpenTLD BV?

(And so on recursively up the ownership chain...)

If you do a whois on the IP, you'll get an address in Amsterdam.

From that same address suddenly a whole list of companies pops up.

Euro ventures b.v., carwrap, dreamteam internet project management, transventure, verotel, safety future ...

Seems a bit like a spiderweb :D

Usually indicates that it's a legal address and nothing more. Plenty of companies offer a registered address B2B service that enables a company to use them as their registered address.
Yeah, I think you are right, sorry about that.

Transventure appears to be the company offering co-work spaces. Guess that explains why there are so many companies on that address.

The suspension from ICANN for cyber squatting appears to be more worrying though for a company offering DNS services.

I'm not saying I believe this is an NSA operation, but it's certainly not beyond governments' capabilities to secretly register foreign companies.
Like the FBI spy planes registered to 13 companies... I don't imagine it is much of a stretch to register under a foreign company instead.

Also not saying I believe it is an NSA operation - just providing an example of another 3-letter agency registering fake companies in an attempt to mask their operations.

> From T&C: >> Freenom is a registered trademark of OpenTLD B.V. [...] a Netherlands company.

Nice try NSA

Why would the NSA need to own a DNS server to get DNS information from everyone?
Do they support DNSCrypt? If not, what would be the main draw to use this over, say, 8.8.8.8?
Using 8.8.8.8 gives google even more insight into your internet habits, even if you're using e.g. firefox on a webpage that includes no google assets at all (no web fonts, no google analytics etc), google will still know you've been there. Whether that matters to you or not depends on you.
what's a good alternative?
OpenDNS supports DNSCrypt.

208.67.222.222

Although they've been bought by Cisco recently.

You could also just run your own local caching resolver that hits the real root nameservers for lookup.

Running a real, public DNS server is a highly skilled, full time job. I wouldn't touch it with a barge pole and I (roughly) know how to do it.
Not public, probably just a local server for personal use.
It doesn't have to be public.
Running "apt-get install unbound" on your laptop/desktop gives you a local caching recursive resolver which performs dnssec validation.

Doesn't sound like a full time job to me.

But then, unbound is not a "real, public DNS server".
It is not no. chillydawg made the mistake of conflating the two things. Running a, "real, public DNS server" is not required in order to do DNS lookups without using somebody elses recursive resolver.
> We don't correlate or combine information from our temporary or permanent logs with any personal information that you have provided Google for other services.

https://developers.google.com/speed/public-dns/privacy

Yet.

Remember when they said they don't combine data from different properties?

Yeah; and they don't share anything with intelligence agencies either.
That doesn't mean much. They could still correlate and combine information with any anonymized (or rather, what they consider anonymized) personal info. The fact that they even mention that they have permanent logs is quite unsettling.

I would think they'd just dump the data from all of their services into your advertising profile. They won't store your name and such, but they have to have a way of linking this anonymous profile to your google account or something. I doubt that google simply deletes all advertising profile data if you just happen to clear your cookies.

I have no idea what goes on in google. That said, even if they don't correlate with "personal information that you have provided," you as an IP address are still identifiable as that IP address, and correlatable with yourself, for as long as that IP lasts for you.

Which means Google could cause ads to follow you around, for example. Again, I don't know what all they actually do or don't do with their DNS logs, but the quoted "promise" doesn't promise anonymity, just separation of you as a known Google user from you as a semi-anonymous but specific DNS user.

I'm reminded of the early days of the Snowden revelations, when the NSA was saying "it's just metadata."

They do not log the user's IP address. It says so on the page I linked.
In mainland China try 114.114.114.114 + 114.114.115.115...

114.114.114.114 = 52ms

80.80.80.80 = 240ms

8.8.8.8 = 416ms

Just sayin'...

It's funny, I was thinking precisely of China when I saw the numbers, due to the use of 8s (considered lucky). And here you are, saying the number 4 (considered unlucky) is actually used in China?
The phone number 114 in China is just like the 411 in the US, it is a directory service, so that's why China uses 114 for the DNS servers.

On that note, the Chinese DNS would not resolve google or facebook properly due to the Great Firewall of China, I wonder if Freenom can resolve those domains within China without any proxy solutions.

How can we be sure that their claims are true?
How can you be sure your own DNS resolver is doing what they are saying?
I have no way of doing this currently, the point is just that without some form of verification, I can't be sure that this is any better than what I'm using now.
So I should just send you all my DNS queries because you said so? Ur, I'd rather not, thanks.
Aren't you doing exactly that with another recursive resolver?
I personally trust Google with my DNS queries a bit more than some guy on HN.
Maybe he's running his own non-recursive DNS server..
With many other providers I can make deductions about likely threat scenarios. For example I know about both my ISP and about Google that it is in their best interest to serve me correct DNS entries: they have no obvious motive to do otherwise. On the other hand I can be fairly certain that my DNS queries will be fed into Google's database if I use their DNS: they have an obvious motive, have the capability and no obvious disincentive. Etc.

With some new, unknown service with unknown associations I can't reason much about the threat model.

ISPs don't care much about correctness at all if it impacts performance on their side in any way. That's why many people can't actually change their DNS even if they want to (unless you run a local resolver)[1].

[1] - https://news.ycombinator.com/item?id=13037858

Many ISPs abuse DNS to serve ads. One method is to rewrite all NXDOMAIN responses to an ad server. Another involves injecting ads into HTTP responses by hijacking DNS.

Although your points about capability and motive are valid, I don't think that Google does feed DNS queries into a database. Given all the evil DNS servers out there, I think that it is in Google's best interest to provide a clean alternative and contribute to better internet infrastructure.

Unless your using DNSCrypt or DNS over TLS (not much support, so you probably aren't), you're pretty much guaranteed to be sending queries in the clear. In fact if your using UDP, default in most cases, and not TCP, it's simple for anyone to respond to your queries (such as your ISP) and block the request to google.

This is common enough: http://www.ckollars.org/dns-intercepting.html

(comment deleted)
Writing "fast" and "anonymous" on a product doesn't magically make it fast or anonymous. Why would I trust this service ?
Well the first attribute can at least be measured independently.
Numbers from South America:

    Freenom: ~260msec
    Google: ~70msec
    Local ISP: ~6msec
I hope they are more anonymous than they are fast...
Numbers from South-East US:

  Freenom: ~9ms
  Google: ~9ms (actually 0.5 ms quicker)
  Local ISP: ~33ms
From France (free) :

    Freenom: ~60ms
    Google: ~3ms
    Local ISP: ~1ms
Try with a domain that doesn't exist. The response time topped 10 seconds for me on the first one I tried.

For a handful that do exist it seems like they're almost exactly 10 times slower than Google. ~20ms (Google) vs ~200.

It still baffles me why would someone use Google DNS over local ISPs and 8.8.8.8 being advertised anywhere make me cringe.
Because while I have a great and fast internet connection, my ISP's DNS is notoriously slow with constant outages.
Many people don't have meaningful choices of ISPs, and some ISPs only run a couple resolver clusters far away from customers, are just plain bad at running them, or are playing DNS MITM games.
Because local ISPs are terrible at running DNS. They're slow, usually vulnerable, poorly scaled, and not very redundant. I've seen a lot of ISPs in the US have "outages" that are merely "our DNS servers are down, so everyone thinks the internet is down".
Google's cache is more likely to already be populated with the answer than any ISP other than the huge ones.
ISPs in some countries are forced by the government to block certain websites, which they typically implement with domain name blocking.
From the Netherlands:

Pings:

    Freenom: rtt min/avg/max/mdev = 17.509/20.928/26.588/3.520 ms
    Google: rtt min/avg/max/mdev = 18.013/21.057/24.841/2.500 ms
Actual resolve times: (dig @8.8.8.8 example.com):

    Freenom: ;; Query time: 19 msec (avg)
    Google: ;; Query time: 31 (21) msec (avg)
Averages over 10 pings / digs. The google query time had two outliers at ~49 ms. If I discount those, it's about 21 ms. But I don't see why I'd discount them.
From Germany:

    Freenom: ~34ms
    Google: ~8ms
    Local ISP: ~11ms
From anywhere:

  Local cache on 127.0.0.1: ~0msec
  Local nameserver on 127.0.0.1: ~0msec
  /etc/hosts: ~0msec
Latency from my London flat:

8.8.8.8 ~4ms 80.80.80.80 ~95ms

(comment deleted)
Europe/Serbia:

     Freenom: 74ms
     Google: 72ms
     Telecom Serbia: 168ms
It's funny my ISP's DNS servers are so much slower.
from seattle:

google: 15.377/20.966/40.077/9.587 ms

freenom: 192.673/222.957/287.720/41.386 ms

It'd be interesting to know what their business model is. Traffic isn't free and neither are world-wide servers. They are not run by ads, they are not a paid service, so how do they cover their expenses?
(comment deleted)
Personally I'm a fan of running unbound locally. DNSSEC verification on the same machine is pretty nice, but you lose the benefits of sharing the cache with many others.
Round trip time for me to 80.80.80.80 is double what it is to 8.8.8.8. So I'm not convinced on the "fast" claim.
Same here. 118ms vs 29ms (average round trip time).
same for me: dig "Query time" almost double for 80.80.80.80 (vs. 8.8.8.8)
From Denmark, 80.80.80.80 is actually slightly faster than 8.8.8.8, but the difference is tiny.

80.80.80.80 is always 12ms. Appears to be in Amsterdam.

8.8.8.8 is between 13-60ms, usually 12-25ms. Somewhere in Sweden.

Google has the advantage to anycast their DNS server IP addresses. Use a ping service that will ping an IP from around the globe and you'll see that 8.8.8.8 has sub 20ms RTT time for pings reguardless of country. So you will likely always hit the closest Google datacenter when using 8.8.8.8.

80.80.80.80 seems to be served out of a single datacenter. Based on ping times I'm seeing, it looks like they are hosted in Amsterdam. So it will be slow for most of Asia and the Americas.

I'm getting <1ms from a server in Amsterdam, some hundreds (3-5) of ms from the UK, with some even timing out.
The website says they are using anycast as well.
It looks like they are technically anycasting, but doing it totally wrong.

From multiple test locations I am seeing lots of network tromboning. Queries from the US going to Europe and vice versa.

For this same reason you'll also get better results from CDN services with Google DNS. 8.8.8.8 will lookup a geo record from (almost) your actual location. 80.80.80.80 will look it up from the USA.

Any CDNs that are using geo-dns will be way slower than they should be outside the US as you'll have been given a US IP to load the content from.

Google actually implements a workaround to this issue.its called EDNS client subnet. Freenom does not.
Ah nice, I'll have to remember that one.
Modern CDNs don't use DNS based routing. If a CDN is doing that then they're not really focused on being fast or reliable.
That's not some advantage randomly conferred onto Google, though. That's how you build a fast, global DNS service. Freenom is as fast as their servers allow in north western Europe (assuming they are indeed hosted in Amsterdam), but it's just not fast in the rest of the world.
I've always wondered though if you could make a better, more anonymous naming service entirely. I believe GNU has one, I think IPFS has another.

These are, after all, just giving a more human understandable way of proving addressing information. On Unix and Unix-like systems there is a resolver, and I would be fascinated to know how hard it would be to literally swap out or choose an entirely new name-to-IP address resolution mechanism at runtime.

RTT is >5x higher for me. (~140ms vs ~25ms) I'm in Minneapolis, and the traceroute to 80.80.80.80 ends in Prague.
That's surprising: With that IP address, you'd expect it to be ten times as slow.
Freenom appears to be the company managing the (in)famous "free" ccTLD .tk

No, thanks.

http://www.freenom.com/en/aboutfreenom.html

Elaborate? I have dozens of freenom domains (not just .tk, but also the other free TLDs like .ga et al.). I don't use them for critical (or commercial) services, but I've never had any issues - they are free after all.

DotTK and now Freenom have been great enablers for many smaller hobby sites. Get free webspace from bplaced, domain from freenom and CDN from CloudFlare and you have a pretty decent, ad-free infrastructure for a quick-and-dirty web project. A scratchpad solution basically.

Anyhow, that doesn't change the fact that the above DNS is still way too slow to be useful in the first place, at least from here.

I get the impression he's upset they took a freemium model and wants them to literally give him domains for free. Common sense would tell you that's unsustainable.
Never heard of bplaced before. What's the catch? How are they able to offer free hosting?
There's a free tier and a paid tier. The free tier has 2GB of space, limited number of FTP accounts and limited PHP functions (file sockets, cURL are disabled). You can basically run a Wordpress instance, but not a complex application. The bandwidth is also shared. These limits don't exist in the paid tiers.

But if you really just want to publish a smaller PHP app (they give you a MySQL DB, too), this is perfect. Combined with CloudFlare, the performance is more than good enough.

Edit: Another major factor is their scope. They are only somewhat internationalized, the english translation is more than lacking. Plus they have only 50k users (you have to login to the admin panel every 3 months or your account will be frozen, then slowly removed).

Edit 2: Their FAQ btw. explicitly states that you are allowed to create multiple accounts. I have had two accounts for a little over 3 years now, and they are working great. Their nameservers can be a tad slow if you add an external domain, but at least that's a free feature.

The mention of bplaced brought me waaay back. I used them for free hosting before I had a proper server of my own.

Unless they've changed, it's 000webhost but better: less known, faster, and no accounts getting cancelled without reason. No catch. Just like HN is free (and free of ads, despite how much traffic it must generate), this webhosting is free.

> DotTK and now Freenom have been great enablers for many smaller hobby sites. Get free webspace from bplaced, domain from freenom and CDN from CloudFlare and you have a pretty decent, ad-free infrastructure for a quick-and-dirty web project. A scratchpad solution basically.

Agreed. But never use free .tk domains for anything serious. DotTK is notoriously for deleting domains registered for free from a user's account without any notification to the user as soon as the domain gets some amount of traffic according to many reports online.

I know of exactly one site which had a .tk TLD. Here’s why they switched to a .com:

http://tailsteak.com/archive.php?num=388

tailsteak.com

Alright, so I'm finally fed up with Tokelau.

Don't get me wrong, it's a nice island, but they just aren't answering my mail.

I suppose most of you have noticed, by now, the fifteen-second ads that present you with beautiful women and fish when you surf to tailsteak.tk. Those are not my ads. I do not obtain revenue from them. Tokelau's domain name referral service just started putting them up there without so much as a by-your-leave. I have contacted their tech support and enquired if, perhaps, they might consider removing them for customers willing to pay a certain amount. They have not responded.

Of course, I have had access to tailsteak.com for some time now. So henceforth, I will be directing my viewers there. It's the same site, the same host, and, in truth, the .tk address has been sending you there for months. But now it's official. Note the change in title graphic:

tailsteak.com

Indeed. And when you can get a domain you actually own for 99 cents (sometimes free, with offers) and a VPS for a few dollars per year, why bother with free domains or free hosting anyway.
There is no such thing as anonymous DNS resolution unless we use Tor to perform resolution for all applications.
some sort of blockchain based dns would be killer
Does it support those geoip(?) things? Like I know that Netflix uses "DNS" to provide you with the closest netflix streaming server. So if the DNS server is located in NYC, but I am in SF, then it won't work.

I am not sure what the term for this is, but Google DNS supports it.

Doesn't look like it with a cursory test

  $ host cdn.pdcast.net 8.8.8.8
  Using domain server:
  Name: 8.8.8.8

  cdn.pdcast.net is an alias for pdcast-1e5f.kxcdn.com.
  pdcast-1e5f.kxcdn.com is an alias for p-uklo00.kxcdn.com.
  p-uklo00.kxcdn.com has address 188.227.185.218

  $ host cdn.pdcast.net 80.80.80.80
  Using domain server:
  Name: 80.80.80.80

  cdn.pdcast.net is an alias for pdcast-1e5f.kxcdn.com.
  pdcast-1e5f.kxcdn.com is an alias for p-usat00.kxcdn.com.
  p-usat00.kxcdn.com has address 64.38.250.98
My closest server being the "uklo" (London, UK) as reported by 8.8.8.8.

Using 80.80.80.80 means I'd be loading content from Atlanta(?), USA.

Thanks. Yeah. I'd not use it then.

What's the tool you used for this? Nslookup?

The Linux equivalent of nslookup yeah. I believe nslookup has the same basic syntax for querying a specific server so you'd replace "host" with "nslookup"

  nslookup cdn.pdcast.net 80.80.80.80
They could get rid of google-analytics on their site to make it even more anonymous.
It's not very encouraging that they don't have reverse DNS for their own IPs
I would encourage fairly tech-savvy users to set up their own DNS resolvers - fast, more private and a way of bypassing your ISPs censorship.

Just make sure to configure ACLs so recursive queries are limited to you and not part of a botnet. Also BIND9 might not be a good idea for a low-maintenance solution.

It's a bad idea for performance, because your ISP has caches for Google, Netflix ect .. so you probably won't get them.
That's not how Google GGC and their LB works, the authoritative NSes looks at the IP of the querying resolver and hands out a response depending on that
Well if you use a generic DNS server you won't get DNS answers that are geoip based because you will hit the cache of that DNS server and since they don't query google servers with your ISP IP you will get a generic endpoint.
Freenom appears to not send part of the IP upstream...
I don't think that's such a big deal. Many, many years ago I setup a BIND9 caching forward nameserver. It caches all of those things for me, so there was very little in the way of any slowdown.
During my training, at one point, I helped in a BIND4-to-BIND9-migration. I learned more about DNS than I ever wanted to know (and then even more to avoid having to learn Rexx). (I have forgotten most of it since.) I set up a DNS server for my LAN to see if I had understood what I had read.

Haven't looked back since. The main advantage, initially, was performance, but it has other advantages, too.

Although, now that you mention it, I kind of do use BIND9. It hasn't been that much work over the years, really. I am open to alternatives, but so far, I have not found a solution that would be easier to maintain and serve both as a recursive resolver and as an authoritative nameserver for my local zone. (I do admit that I did not look very hard, because the current situation with BIND works for me.)

PowerDNS is nice. Basic setup is as simple as BIND9's, and their backend system is very flexible, so if you encounter yourself in need of something uncommon, you can probably still have it easily (using "pipe" backend and a bit of scripting language of your choice).
Thanks! I'll take a look at it!
What's most important is "trustworthy". The last thing I want is gmail.com to be resolved to another server.
From Singapore

  ~188ms -> dig yahoo.com @80.80.80.80
  ~3ms -> dig yahoo.com @8.8.8.8
  ~2ms -> dig yahoo.com @(ISP's DNS)

MTR to Google DNS

  $ mtr -wrc10 8.8.8.8
  Start: Fri Jan 13 22:22:56 2017
  HOST: -                            Loss%   Snt   Last   Avg  Best  Wrst StDev
    1.|-- My PublicIP gateway           0.0%    10    1.9  11.3   1.3  22.5   6.5
    2.|-- Singapore1.vqbn.com           0.0%    10    1.3   4.0   0.9  28.3   8.5
    3.|-- 132.147.112.194               0.0%    10    2.6   1.6   1.0   3.3   0.7
    4.|-- 108.170.240.173               0.0%    10    1.7   1.8   1.6   2.3   0.0
    5.|-- 209.85.243.215                0.0%    10    1.5   1.8   1.5   2.0   0.0
    6.|-- 216.239.48.73                 0.0%    10    2.0   2.0   1.8   2.2   0.0
    7.|-- ???                          100.0    10    0.0   0.0   0.0   0.0   0.0

MTR to Freenom DNS

    $ mtr -wrc10 80.80.80.80
    Start: Fri Jan 13 22:37:58 2017
    HOST: -                                 Loss%   Snt   Last   Avg  Best  Wrst StDev
      1.|-- My PublicIP gateway                0.0%    10    0.9   8.2   0.8  56.9  17.8
      2.|-- amsterdam1.vqbn.com                0.0%    10  187.3 187.2 186.9 187.8   0.0
      3.|-- br1.ams-ix.dc2.ams.denit.net       0.0%    10  198.7 191.9 187.7 199.2   4.6
      4.|-- 62-148-189-36-hosted-by.denit.net  0.0%    10  187.9 189.6 187.9 199.2   3.5
      5.|-- 80.80.80.80                        0.0%    10  187.9 188.1 187.9 188.5   0.0
I don't think I want to use a DNS server from a company that revoked a domain name from me for inactivity, which is now being used to push pornography.

Also, I love how in their promotional video on the website they say using their DNS service will make your internet usage "anonymous". Lol.