Usually indicates that it's a legal address and nothing more. Plenty of companies offer a registered address B2B service that enables a company to use them as their registered address.
Like the FBI spy planes registered to 13 companies... I don't imagine it is much of a stretch to register under a foreign company instead.
Also not saying I believe it is an NSA operation - just providing an example of another 3-letter agency registering fake companies in an attempt to mask their operations.
Using 8.8.8.8 gives google even more insight into your internet habits, even if you're using e.g. firefox on a webpage that includes no google assets at all (no web fonts, no google analytics etc), google will still know you've been there. Whether that matters to you or not depends on you.
It is not no. chillydawg made the mistake of conflating the two things. Running a, "real, public DNS server" is not required in order to do DNS lookups without using somebody elses recursive resolver.
> We don't correlate or combine information from our temporary or permanent logs with any personal information that you have provided Google for other services.
That doesn't mean much. They could still correlate and combine information with any anonymized (or rather, what they consider anonymized) personal info. The fact that they even mention that they have permanent logs is quite unsettling.
I would think they'd just dump the data from all of their services into your advertising profile. They won't store your name and such, but they have to have a way of linking this anonymous profile to your google account or something. I doubt that google simply deletes all advertising profile data if you just happen to clear your cookies.
I have no idea what goes on in google. That said, even if they don't correlate with "personal information that you have provided," you as an IP address are still identifiable as that IP address, and correlatable with yourself, for as long as that IP lasts for you.
Which means Google could cause ads to follow you around, for example. Again, I don't know what all they actually do or don't do with their DNS logs, but the quoted "promise" doesn't promise anonymity, just separation of you as a known Google user from you as a semi-anonymous but specific DNS user.
I'm reminded of the early days of the Snowden revelations, when the NSA was saying "it's just metadata."
per their faq they support DNSSEC but it does not say anything about DNSCrypt. Their argument for use is that they are not tracking your every move like the folks at google.
http://www.freenom.world/en/faq.html
It's funny, I was thinking precisely of China when I saw the numbers, due to the use of 8s (considered lucky). And here you are, saying the number 4 (considered unlucky) is actually used in China?
The phone number 114 in China is just like the 411 in the US, it is a directory service, so that's why China uses 114 for the DNS servers.
On that note, the Chinese DNS would not resolve google or facebook properly due to the Great Firewall of China, I wonder if Freenom can resolve those domains within China without any proxy solutions.
I have no way of doing this currently, the point is just that without some form of verification, I can't be sure that this is any better than what I'm using now.
With many other providers I can make deductions about likely threat scenarios. For example I know about both my ISP and about Google that it is in their best interest to serve me correct DNS entries: they have no obvious motive to do otherwise. On the other hand I can be fairly certain that my DNS queries will be fed into Google's database if I use their DNS: they have an obvious motive, have the capability and no obvious disincentive. Etc.
With some new, unknown service with unknown associations I can't reason much about the threat model.
ISPs don't care much about correctness at all if it impacts performance on their side in any way. That's why many people can't actually change their DNS even if they want to (unless you run a local resolver)[1].
Many ISPs abuse DNS to serve ads. One method is to rewrite all NXDOMAIN responses to an ad server. Another involves injecting ads into HTTP responses by hijacking DNS.
Although your points about capability and motive are valid, I don't think that Google does feed DNS queries into a database. Given all the evil DNS servers out there, I think that it is in Google's best interest to provide a clean alternative and contribute to better internet infrastructure.
Unless your using DNSCrypt or DNS over TLS (not much support, so you probably aren't), you're pretty much guaranteed to be sending queries in the clear. In fact if your using UDP, default in most cases, and not TCP, it's simple for anyone to respond to your queries (such as your ISP) and block the request to google.
Many people don't have meaningful choices of ISPs, and some ISPs only run a couple resolver clusters far away from customers, are just plain bad at running them, or are playing DNS MITM games.
Because local ISPs are terrible at running DNS. They're slow, usually vulnerable, poorly scaled, and not very redundant. I've seen a lot of ISPs in the US have "outages" that are merely "our DNS servers are down, so everyone thinks the internet is down".
Averages over 10 pings / digs. The google query time had two outliers at ~49 ms. If I discount those, it's about 21 ms. But I don't see why I'd discount them.
It'd be interesting to know what their business model is. Traffic isn't free and neither are world-wide servers. They are not run by ads, they are not a paid service, so how do they cover their expenses?
As wila pointed out in this thread, Freenom has been connected to cybersquatting [1].
Operating a widely used DNS server might allow them to register commonly mistyped domains (?). Not sure whether this is indeed sensible.
Personally I'm a fan of running unbound locally. DNSSEC verification on the same machine is pretty nice, but you lose the benefits of sharing the cache with many others.
Google has the advantage to anycast their DNS server IP addresses. Use a ping service that will ping an IP from around the globe and you'll see that 8.8.8.8 has sub 20ms RTT time for pings reguardless of country. So you will likely always hit the closest Google datacenter when using 8.8.8.8.
80.80.80.80 seems to be served out of a single datacenter. Based on ping times I'm seeing, it looks like they are hosted in Amsterdam. So it will be slow for most of Asia and the Americas.
For this same reason you'll also get better results from CDN services with Google DNS. 8.8.8.8 will lookup a geo record from (almost) your actual location. 80.80.80.80 will look it up from the USA.
Any CDNs that are using geo-dns will be way slower than they should be outside the US as you'll have been given a US IP to load the content from.
That's not some advantage randomly conferred onto Google, though. That's how you build a fast, global DNS service. Freenom is as fast as their servers allow in north western Europe (assuming they are indeed hosted in Amsterdam), but it's just not fast in the rest of the world.
I've always wondered though if you could make a better, more anonymous naming service entirely. I believe GNU has one, I think IPFS has another.
These are, after all, just giving a more human understandable way of proving addressing information. On Unix and Unix-like systems there is a resolver, and I would be fascinated to know how hard it would be to literally swap out or choose an entirely new name-to-IP address resolution mechanism at runtime.
Elaborate? I have dozens of freenom domains (not just .tk, but also the other free TLDs like .ga et al.). I don't use them for critical (or commercial) services, but I've never had any issues - they are free after all.
DotTK and now Freenom have been great enablers for many smaller hobby sites. Get free webspace from bplaced, domain from freenom and CDN from CloudFlare and you have a pretty decent, ad-free infrastructure for a quick-and-dirty web project. A scratchpad solution basically.
Anyhow, that doesn't change the fact that the above DNS is still way too slow to be useful in the first place, at least from here.
I get the impression he's upset they took a freemium model and wants them to literally give him domains for free. Common sense would tell you that's unsustainable.
There's a free tier and a paid tier. The free tier has 2GB of space, limited number of FTP accounts and limited PHP functions (file sockets, cURL are disabled). You can basically run a Wordpress instance, but not a complex application. The bandwidth is also shared. These limits don't exist in the paid tiers.
But if you really just want to publish a smaller PHP app (they give you a MySQL DB, too), this is perfect. Combined with CloudFlare, the performance is more than good enough.
Edit: Another major factor is their scope. They are only somewhat internationalized, the english translation is more than lacking. Plus they have only 50k users (you have to login to the admin panel every 3 months or your account will be frozen, then slowly removed).
Edit 2: Their FAQ btw. explicitly states that you are allowed to create multiple accounts. I have had two accounts for a little over 3 years now, and they are working great. Their nameservers can be a tad slow if you add an external domain, but at least that's a free feature.
The mention of bplaced brought me waaay back. I used them for free hosting before I had a proper server of my own.
Unless they've changed, it's 000webhost but better: less known, faster, and no accounts getting cancelled without reason. No catch. Just like HN is free (and free of ads, despite how much traffic it must generate), this webhosting is free.
> DotTK and now Freenom have been great enablers for many smaller hobby sites. Get free webspace from bplaced, domain from freenom and CDN from CloudFlare and you have a pretty decent, ad-free infrastructure for a quick-and-dirty web project. A scratchpad solution basically.
Agreed. But never use free .tk domains for anything serious. DotTK is notoriously for deleting domains registered for free from a user's account without any notification to the user as soon as the domain gets some amount of traffic according to many reports online.
Don't get me wrong, it's a nice island, but they just aren't answering my mail.
I suppose most of you have noticed, by now, the fifteen-second ads that present you with beautiful women and fish when you surf to tailsteak.tk. Those are not my ads. I do not obtain revenue from them. Tokelau's domain name referral service just started putting them up there without so much as a by-your-leave. I have contacted their tech support and enquired if, perhaps, they might consider removing them for customers willing to pay a certain amount. They have not responded.
Of course, I have had access to tailsteak.com for some time now. So henceforth, I will be directing my viewers there. It's the same site, the same host, and, in truth, the .tk address has been sending you there for months. But now it's official. Note the change in title graphic:
Indeed. And when you can get a domain you actually own for 99 cents (sometimes free, with offers) and a VPS for a few dollars per year, why bother with free domains or free hosting anyway.
Does it support those geoip(?) things? Like I know that Netflix uses "DNS" to provide you with the closest netflix streaming server. So if the DNS server is located in NYC, but I am in SF, then it won't work.
I am not sure what the term for this is, but Google DNS supports it.
$ host cdn.pdcast.net 8.8.8.8
Using domain server:
Name: 8.8.8.8
cdn.pdcast.net is an alias for pdcast-1e5f.kxcdn.com.
pdcast-1e5f.kxcdn.com is an alias for p-uklo00.kxcdn.com.
p-uklo00.kxcdn.com has address 188.227.185.218
$ host cdn.pdcast.net 80.80.80.80
Using domain server:
Name: 80.80.80.80
cdn.pdcast.net is an alias for pdcast-1e5f.kxcdn.com.
pdcast-1e5f.kxcdn.com is an alias for p-usat00.kxcdn.com.
p-usat00.kxcdn.com has address 64.38.250.98
My closest server being the "uklo" (London, UK) as reported by 8.8.8.8.
Using 80.80.80.80 means I'd be loading content from Atlanta(?), USA.
The Linux equivalent of nslookup yeah. I believe nslookup has the same basic syntax for querying a specific server so you'd replace "host" with "nslookup"
I would encourage fairly tech-savvy users to set up their own DNS resolvers - fast, more private and a way of bypassing your ISPs censorship.
Just make sure to configure ACLs so recursive queries are limited to you and not part of a botnet. Also BIND9 might not be a good idea for a low-maintenance solution.
That's not how Google GGC and their LB works, the authoritative NSes looks at the IP of the querying resolver and hands out a response depending on that
Well if you use a generic DNS server you won't get DNS answers that are geoip based because you will hit the cache of that DNS server and since they don't query google servers with your ISP IP you will get a generic endpoint.
I don't think that's such a big deal. Many, many years ago I setup a BIND9 caching forward nameserver. It caches all of those things for me, so there was very little in the way of any slowdown.
During my training, at one point, I helped in a BIND4-to-BIND9-migration. I learned more about DNS than I ever wanted to know (and then even more to avoid having to learn Rexx). (I have forgotten most of it since.)
I set up a DNS server for my LAN to see if I had understood what I had read.
Haven't looked back since. The main advantage, initially, was performance, but it has other advantages, too.
Although, now that you mention it, I kind of do use BIND9. It hasn't been that much work over the years, really. I am open to alternatives, but so far, I have not found a solution that would be easier to maintain and serve both as a recursive resolver and as an authoritative nameserver for my local zone. (I do admit that I did not look very hard, because the current situation with BIND works for me.)
PowerDNS is nice. Basic setup is as simple as BIND9's, and their backend system is very flexible, so if you encounter yourself in need of something uncommon, you can probably still have it easily (using "pipe" backend and a bit of scripting language of your choice).
I don't think I want to use a DNS server from a company that revoked a domain name from me for inactivity, which is now being used to push pornography.
Also, I love how in their promotional video on the website they say using their DNS service will make your internet usage "anonymous". Lol.
146 comments
[ 5.7 ms ] story [ 260 ms ] thread> Freenom is a registered trademark of OpenTLD B.V. [...] a Netherlands company.
(And so on recursively up the ownership chain...)
From that same address suddenly a whole list of companies pops up.
Euro ventures b.v., carwrap, dreamteam internet project management, transventure, verotel, safety future ...
Seems a bit like a spiderweb :D
Transventure appears to be the company offering co-work spaces. Guess that explains why there are so many companies on that address.
The suspension from ICANN for cyber squatting appears to be more worrying though for a company offering DNS services.
http://domainincite.com/18797-freenom-suspended-for-cybersqu...
edit: They are also the company behind the .tk domain.
http://www.dot.tk/en/index.html?lang=en
Also not saying I believe it is an NSA operation - just providing an example of another 3-letter agency registering fake companies in an attempt to mask their operations.
There's some degree of Chinese involvement in this through CNNIC (China Internet Network Information Center)...
Nice try NSA
208.67.222.222
Although they've been bought by Cisco recently.
You could also just run your own local caching resolver that hits the real root nameservers for lookup.
Doesn't sound like a full time job to me.
https://developers.google.com/speed/public-dns/privacy
Remember when they said they don't combine data from different properties?
I would think they'd just dump the data from all of their services into your advertising profile. They won't store your name and such, but they have to have a way of linking this anonymous profile to your google account or something. I doubt that google simply deletes all advertising profile data if you just happen to clear your cookies.
Which means Google could cause ads to follow you around, for example. Again, I don't know what all they actually do or don't do with their DNS logs, but the quoted "promise" doesn't promise anonymity, just separation of you as a known Google user from you as a semi-anonymous but specific DNS user.
I'm reminded of the early days of the Snowden revelations, when the NSA was saying "it's just metadata."
> Yes. Freenom World's DNS resolvers can handle DNSSEC requests as any other resolver.
114.114.114.114 = 52ms
80.80.80.80 = 240ms
8.8.8.8 = 416ms
Just sayin'...
On that note, the Chinese DNS would not resolve google or facebook properly due to the Great Firewall of China, I wonder if Freenom can resolve those domains within China without any proxy solutions.
With some new, unknown service with unknown associations I can't reason much about the threat model.
[1] - https://news.ycombinator.com/item?id=13037858
Although your points about capability and motive are valid, I don't think that Google does feed DNS queries into a database. Given all the evil DNS servers out there, I think that it is in Google's best interest to provide a clean alternative and contribute to better internet infrastructure.
https://developers.google.com/speed/public-dns/privacy
This is common enough: http://www.ckollars.org/dns-intercepting.html
Freenom: 140ms
Google: 2ms
Level3: 1ms
For a handful that do exist it seems like they're almost exactly 10 times slower than Google. ~20ms (Google) vs ~200.
As far as I know Time Warner Cable/Spectrum still does this?
Pings:
Actual resolve times: (dig @8.8.8.8 example.com): Averages over 10 pings / digs. The google query time had two outliers at ~49 ms. If I discount those, it's about 21 ms. But I don't see why I'd discount them.8.8.8.8 ~4ms 80.80.80.80 ~95ms
google: 15.377/20.966/40.077/9.587 ms
freenom: 192.673/222.957/287.720/41.386 ms
https://code.google.com/archive/p/namebench/downloads
[1] http://domainincite.com/18797-freenom-suspended-for-cybersqu...
80.80.80.80 is always 12ms. Appears to be in Amsterdam.
8.8.8.8 is between 13-60ms, usually 12-25ms. Somewhere in Sweden.
80.80.80.80 seems to be served out of a single datacenter. Based on ping times I'm seeing, it looks like they are hosted in Amsterdam. So it will be slow for most of Asia and the Americas.
From multiple test locations I am seeing lots of network tromboning. Queries from the US going to Europe and vice versa.
Any CDNs that are using geo-dns will be way slower than they should be outside the US as you'll have been given a US IP to load the content from.
These are, after all, just giving a more human understandable way of proving addressing information. On Unix and Unix-like systems there is a resolver, and I would be fascinated to know how hard it would be to literally swap out or choose an entirely new name-to-IP address resolution mechanism at runtime.
No, thanks.
http://www.freenom.com/en/aboutfreenom.html
DotTK and now Freenom have been great enablers for many smaller hobby sites. Get free webspace from bplaced, domain from freenom and CDN from CloudFlare and you have a pretty decent, ad-free infrastructure for a quick-and-dirty web project. A scratchpad solution basically.
Anyhow, that doesn't change the fact that the above DNS is still way too slow to be useful in the first place, at least from here.
But if you really just want to publish a smaller PHP app (they give you a MySQL DB, too), this is perfect. Combined with CloudFlare, the performance is more than good enough.
Edit: Another major factor is their scope. They are only somewhat internationalized, the english translation is more than lacking. Plus they have only 50k users (you have to login to the admin panel every 3 months or your account will be frozen, then slowly removed).
Edit 2: Their FAQ btw. explicitly states that you are allowed to create multiple accounts. I have had two accounts for a little over 3 years now, and they are working great. Their nameservers can be a tad slow if you add an external domain, but at least that's a free feature.
Unless they've changed, it's 000webhost but better: less known, faster, and no accounts getting cancelled without reason. No catch. Just like HN is free (and free of ads, despite how much traffic it must generate), this webhosting is free.
Agreed. But never use free .tk domains for anything serious. DotTK is notoriously for deleting domains registered for free from a user's account without any notification to the user as soon as the domain gets some amount of traffic according to many reports online.
http://tailsteak.com/archive.php?num=388
“tailsteak.com
Alright, so I'm finally fed up with Tokelau.
Don't get me wrong, it's a nice island, but they just aren't answering my mail.
I suppose most of you have noticed, by now, the fifteen-second ads that present you with beautiful women and fish when you surf to tailsteak.tk. Those are not my ads. I do not obtain revenue from them. Tokelau's domain name referral service just started putting them up there without so much as a by-your-leave. I have contacted their tech support and enquired if, perhaps, they might consider removing them for customers willing to pay a certain amount. They have not responded.
Of course, I have had access to tailsteak.com for some time now. So henceforth, I will be directing my viewers there. It's the same site, the same host, and, in truth, the .tk address has been sending you there for months. But now it's official. Note the change in title graphic:
tailsteak.com”
I am not sure what the term for this is, but Google DNS supports it.
Using 80.80.80.80 means I'd be loading content from Atlanta(?), USA.
What's the tool you used for this? Nslookup?
But I have MonkeyBrains as an ISP, i'm getting 10msec from their DNS resolver.
Just make sure to configure ACLs so recursive queries are limited to you and not part of a botnet. Also BIND9 might not be a good idea for a low-maintenance solution.
Haven't looked back since. The main advantage, initially, was performance, but it has other advantages, too.
Although, now that you mention it, I kind of do use BIND9. It hasn't been that much work over the years, really. I am open to alternatives, but so far, I have not found a solution that would be easier to maintain and serve both as a recursive resolver and as an authoritative nameserver for my local zone. (I do admit that I did not look very hard, because the current situation with BIND works for me.)
https://gist.github.com/xxdesmus/336af4b717fdb719f20e9ef284c...
Also, I love how in their promotional video on the website they say using their DNS service will make your internet usage "anonymous". Lol.