Ask HN: Neutral DNS servers?

132 points by NotAWorkNick ↗ HN
Hi HN - Here’s a question that I hope will generate some useful comments, suggestions and links.

Background for question: I normally run an internal DNS resolver with an upstream pool of 10-15 providers. These are normally a mix of Global Anycast servers (Quad9 etc) with some OpenNIC, YandexDNS etc thrown in towards the end to cover the ‘chilling effects’ blackholes.

Currently Yandex DNS is pinging a timeout (either due to black-holing or DDOS’ing depending on where I connect To/From).

My question to HN is this – Given my ‘Information Wants To Be Free’ viewpoint, are there any DNS equivalents of Switzerland (WWII, Neutral to all parties) providers?

98 comments

[ 0.20 ms ] story [ 154 ms ] thread
You could just run a recursive resolver yourself by using the root hints. You don't need to delegate your DNS queries onto a third-party resolver like Quad9.

https://www.iana.org/domains/root/files

Thanks for that, appreciated. I'll be honest- I'm just a 'little guy' in the food chain so I always figured that doing something like that was for the ISP level folks <edit to clarify, I mean connecting to a Zone 1 Resolver. I wasn't aware that one could download the Root Hints File directly (Thanks!).

One quick question though - After taking a quick skim of it the list seems to be extremely 'Western-Centric' (reference link https://www.internic.net/domain/named.root)

The root servers are anycasted. Each one of those root server IPs corresponds to N physical servers at diverse networks / locations all over the world.
The canonical DNS system itself is extremely Western-Centric.
As are many Western inventions
DNS[0] is only a decentralized hierarchy with caching, a class of system which pre-dates the digital era as the de-facto means of political and military organization in any human society larger than a village or town. DNS as a directory system for IP is could itself be viewed as a direct philosophical descendant of military insignia (perhaps via the then-popular branch-tangent of the telephone book, itself ex-telegraph, and postal system) and these could all be in effect traced back to at least Roman society[1], I don't think arguing this is a "western" invention is very convincing or useful. Any ancient army or polity of any size would have had an equivalent, which would then include ancient Egypt, China[2], India, Mesopotamia[3], Mesoamerica, etc. Actually, come to think of it, the comparative study of ancient postal systems would be pretty interesting.[4]

[0] Original DNS RFC1035 https://datatracker.ietf.org/doc/html/rfc1035 (1987) [1] Somewhat cheekily as the inventor of DNS has a Greek surname. https://en.wikipedia.org/wiki/Paul_Mockapetris [2] 2000+ years ago and mature enough to have QoS+max-TTL/hop: http://libgen.rs/scimag/10.1163%2F9789004292123 (pp17-48) + where I write this. [3] Evidenced to 9th century BC https://www.ucl.ac.uk/sargon/essentials/governors/thekingsro... [4] Start by fixing https://en.wikipedia.org/wiki/Timeline_of_postal_history

By that same token the internet was invented by the first person to hand gesture to another one. You can’t dilute DNS down to a directory because there were/and are already other directory protocols.
Walking gets you from A to B just like a car, so actually the first bipeds really invented the automobile.
It's more like describing a walking robot as an original invention, which it is, but all they really did was ape apes.
> I don't think arguing this is a "western" invention is very convincing or useful. Any ancient army or polity of any size would have had an equivalent, which would then include ancient Egypt, China[2], India, Mesopotamia[3], Mesoamerica, etc.

And yet, none of these other regions and cultures actually did invent it, and thus it remains a Western invention.

Of course. However, my point was the originality and claim to authorship is low, because if you look at store and forward networks with centrally agreed node identification and local caching using that for routing purposes, humans have literally done it globally for 3000+ years... that's clear prior art.

It's like "technology" being used to describe a bash script, or "invention" used to describe a standard algorithm.

You've been nerdsniped my friend! bazinga
They are western centric, and unfortunately, in this current state of the web they're still essentially the authority on DNS.

Alternatively, you can maintain the NSes for all the TLDs you are particularly interested in, and alert yourself if they change to something you don't recognize.

Finally, keep in mind that whatever you do, you need to have multiple vantage points to the internet. There's not a lot stopping your ISP from not delivering you to the right host when you try to talk to it. E.g. your ISP can fake the DNS responses.

> They are western centric, and unfortunately, in this current state of the web they're still essentially the authority on DNS.

I‘m curious to see your evidence on that or which future state you would see as a more fortunate one.

Questioning why the distributed cluster runs on nodes 'a' and 'b' alone doesn't necessarily imply that nodes 'c', 'd' and 'e' are any better or worse, today or in future.
If I knew the answer to this I would be very rich and probably have my name on multiple textbooks of solving decentralized computing problems.
> I'm just a 'little guy' in the food chain so I always figured that doing something like that was for the ISP level folks

A lot of people are running recursive resolvers at home (like pi-hole stuff, or most people running some custom openwrt router/modem). I'm running one on my laptop (my resolver is localhost) and it works great.

> After taking a quick skim of it the list seems to be extremely 'Western-Centric'

It is, but that's what the internet is. But by running your own recursive resolver you can control your cache and a lot of the data doesn't change often. If you're extra paranoid you can cache the record data (or even archive the history) for ccTLD (or even all TLDs). For stuff (domains) you're interested in you can also hard-code or otherwise program "non-standard" ways to resolve the ips (by somehow populating a local database that overrides recursive resolution), like pi-hole/safebrowsing blocklists, stuff from institutions or CDNs you trust.

Although querying the root servers directly is always unencrypted right? So your ISP can see and might manipulate all queries at will?
In addition to the root hints, you should also download the DNSSEC anchor key (available on the same site as the root hints). That will let you detect manipulations of records that are DNSSEC-signed.

Otherwise, you could spin up your recursive resolver on your cloud, VPS, or other hosting provider of choice, and then use that.

Right, DNSSEC will solve the "manipulate" problem, but it won't solve the "see" problem. But whether that's a concern is up to you. You could run your resolver on a VPS and speak DoT / DoH to that, which shifts the leak from your ISP to your VPS provider.
It doesn't solve the "manipulate" problem we're talking about here, either: nothing about DNSSEC prevents a DNS server (or middlebox) from denying results to a disfavored domain; it only (situationally) prevents them from redirecting it somewhere else. (And, of course, it only works if you're running your own recursive server; it does nothing whatsoever in the 8.8.8.8-type use case).
> nothing about DNSSEC prevents a DNS server (or middlebox) from denying results to a disfavored domain

But at least it is detectable thanks to NSEC and NSEC3 records.

Kind of. An intermediary can drop packets and the client will never get the response.
It's detectable when the site that the DNS provider is censoring falls off the Internet!
In theory if you got a resolver which could disable UDP queries, it would then default to TCP, and the ISP couldn't manipulate those. Don't know if any resolver supports disabling UDP though.
Unbound as a client will fall back to TCP automatically if the UDP response is too big. I'm uncertain if there is widespread support for TCP servers though.
> would then default to TCP, and the ISP couldn't manipulate those

They can easily manipulate TCP as well. Unless you establish an authenticated session like TLS, TCP can be mitm-ed easily.

The way I handle this is to run unbound on a server in the public cloud and then tunnel over TLS from my local unbound to the cloud instance. My local clients query a PiHole, which forwards to unbound on localhost:15353, which forwards everything over TLS to the fully recursive instance of unbound in the cloud, which uses root.hints.
Still, your cloud vendor can see the requests.

But someone can see it, but you can rotate upstream resolvers to split requests if you have to.

How is the latency for such a setup? And how is the general browsing experience with said latency (I realize it also depends on which sites you frequently access)? I see some cloud providers/CDNs using a caching TTL as low as five minutes.
You spend most of the time waiting for the actual resolve to complete, not for the "transfer" time between you and VPS.

Source: I'm running Unbound on my notebook, I'm actually queried the stats for some heated discussion on reddit.

For example my current stats_noreset:

    histogram.000000.000512.to.000000.001024=17
    histogram.000000.001024.to.000000.002048=33
    histogram.000000.002048.to.000000.004096=251
    histogram.000000.004096.to.000000.008192=509
    histogram.000000.008192.to.000000.016384=1161
    histogram.000000.016384.to.000000.032768=1891
    histogram.000000.032768.to.000000.065536=2611
    histogram.000000.065536.to.000000.131072=3197
    histogram.000000.131072.to.000000.262144=2502
    histogram.000000.262144.to.000000.524288=1547
    histogram.000000.524288.to.000001.000000=857
    histogram.000001.000000.to.000002.000000=121
    histogram.000002.000000.to.000004.000000=70
    histogram.000004.000000.to.000008.000000=22
    histogram.000008.000000.to.000016.000000=441
    histogram.000016.000000.to.000032.000000=80
As you can see most of queries are completed in a way below 500ms. Adding another 20-40ms on top that doesn't change anything, because caching is a thing and with Unbound you can even ask to actually refresh the expiring records, so you would be served a fresh one from the cache every time, though I never bothered with it, it works fine even without it.
ControlD, DNS.sb and LibreDNS for instance. The latter two are open source.

I think non-disciminating DNS providers are rather the norm and not an exception though.

Really?

Then your experience differs greatly from mine (EU based). My usual mix of 'fastest anycast' upstreams’ are reliably black-holing a lot of .ru domains right now

(Rightly or wrongly is a ‘nother question for a ‘nother day).

P.S, YMMV and obviously does :)

Could you give a couple of examples of the black holing you've seen?
In slovenia, at least these two are blocked at the DNS level:

https://www.rt.com/

https://sputniknews.com/

Interestingly enough, the 'academic network' (arnes) that covers schools etc., and also some government entities is not blocking it, but atleast two out of the three largest commercial ISP are (can't test the third, since it's locked to their customers' IPs only).
Because the russian media mafia (tacc, rt, sputnik and the like, which are all either directly state-owned or via the state-owned tv novosti) are about to be banned in all EU countries where they are still available, and the ISPs might have banned them pro-actively.
Are you sure it's not Runet dropping traffic incoming?
I know this isn't quite what your asking for, but one idea is to set up a Pi-hole + unbound: https://docs.pi-hole.net/guides/dns/unbound/

Unbound is basically your own private DNS resolver and then Pi-hole lets you filter out whatever "junk" you don't want.

Unbound will also pre-fetch your most common lookups prior to the TTL expiring so it's probably even faster than querying a third-party resolver
I don't know if it's an obvious question or not, but how does performance compare with your own unbound vs quad1/8/9? I imagine it's slower in general?
I'm not personally running unbound, just a Pi-hole that up-stream's to my ISP's DNS, so I can't answer you from first-hand experience. But, according to drexlspivey, unbound will pre-fetch common queries, so it probably ends up being faster on average - https://news.ycombinator.com/item?id=30646020
I never measured anything, but i'm running a recursive resolver on my laptop since a couple years (knot resolver) and never had any performance problem.
for anyone running OpenWRT, unbound + adblock works well and is trivially configurable via the LUCI web interface.
Or you can just run unbound directly. I’ve been doing that for years, and let it directly resolve with the root DNS servers. Can’t get more neutral than that, I’d argue.
>My question to HN is this – Given my ‘Information Wants To Be Free’ viewpoint, are there any DNS equivalents of Switzerland (WWII, Neutral to all parties) providers?

Presumably the root and authoritative servers. Which is why I use a local recursive resolver rather than any upstream/third party resolvers.

You should try it. It's easy and fun!

huh. Why aren't you simply querying the roots and from there the SOA for any domain?
It is very easy to hijaack port 53 traffic, so you might not talk to DNS server you think you do.

Heck, I did that at home for Chromecast and other devices that hardcode their DNS.

Shameless self promotion: Try Control D - https://controld.com/free-dns

There are many different types of resolvers, blocking and unfiltered. We're adding global ECH support in the coming weeks. There is also a paid plan if you need more control.

If you already run your own DNS resolver, query the root servers directly. No need to trust DNS providers when you can do the same thing yourself.
based on the OP's description of yandex and what I presume to be their location it's not impossible that some time in the future unencrypted 53/udp traffic leaving and entering the country may be blocked or messed with
In that case maybe something like DNSCrypt[0] and a 3rd party provider makes sense. On top of the encrypted connection, DNSCrypt has the option to proxy queries to improve privacy.

This only helps if they're not doing any advanced blocking though. If I remember correctly, when Russia blocked Telegram, they were blocking their IPs, not just DNS queries. If the rumours of a "RuNet" are true, then they probably need something more advanced (eg: a VPN with traffic obfuscation, Tor, etc).

---

[0] https://github.com/DNSCrypt/dnscrypt-proxy

Personally, I use nextdns on a paid plan (£17/year). Full control, can change to no logs, or logs stored in Switzerland. They have a free plan too
I do this.

I have my own resolver on my own server running unbound and it gets service from my paid nextdns account.

Sort of like having a pihole but it is available from anywhere and I don’t have to run a rpi…

This setup is intriguing. I'm curious, is there any latency penalty going this way vs using your own pihole + 1.1.1.1 or 8.8.8.8 instead of nextdns?
(comment deleted)
so your unbound instance is doing caching, mixing and stipping edns before forwarding the queries to nextdns resolvers?
You might want to look up "geo-politically stable" web hosting. Aside from that, Epik.com has traditionally been quite supportive of free speech (even if it's Trump supporters).
Given you only mention censorship/chilling effect and not privacy - why isn't 8.8.8.8 sufficient? Have there been instances of domains it censored and stopped resolving that I'm not aware of?

I guess I'm confused on the benefit (theoretical or practical) one would get by using that variety of resolvers. Is it just to prevent theoretical censorship at the DNS level?

Same with 1.1.1.1 (the case where archive.is used to not work was archive.is's nameserver purposefully being configured to return bad results to 1.1.1.1)
My question exactly. In another comment here I asked for some examples for the claim that some .ru domains were being black holed.
Google DNS should at this point be considered harmful. Devs love to hardcode it in resolvd because 'user experience' but there's ample evidence its just analytics.

Quad 1 cloudflare is reliable doh but comes from a company with a history of bloviating nonsense about internet freedom only to eagerly capitulate to Twitter lynchmobs and blacklist a customer or ten.

https://dnscrypt.info/public-servers/ will give you a nice list of doh to try out. Ymmv however as many are sporadic.

I know what you're referring to (systemd-resolved "defaulting" to Google DNS). That "default" is a compile-time value, if you use something like gentoo you get to be in full control of what that default value is.
Can you point to the evidence that Google DNS is used for analytics?
Another person responded with info, but at this point, shouldn't we assume every single thing Google does, is for analytics?

At this point, the onus is to prove thing $x is not used for Google analytics.

Came here to say roughly the same thing. That it’s Google and they’re not charging you for it can at this point be considered suspicious, if not conclusive.
I think some of Google's efforts are genuinely for the public good, like Project Zero.
> Google does not use any personal information collected through the Public DNS service to target ads.

> We do not correlate or associate personal information in Google Public DNS logs with your information from use of any other Google service except for addressing security and abuse.

Yes they claim that they don’t use the personal information they collect to target ads.

It doesn’t mean they don’t use the other data for analytics. They could also anonymise the personal information first before using it to do analytics. Like “users who visit example.com also visit “store.example.net” is good information and they don’t need your personal information for that.

Why do they collect personal information? Why do they collect dns logs ?

The DNS (as it exists today) is supposed to be the equivalent of Switzerland. The internet community has said over and over again they're not interested in censoring the internet or removing any group of people from it.

It sounds like what you really want is your own recursive resolver.

Question after reading (very interesting) answers: what is the downsize using the root servers instead of the well-known ones? (1.1.1.1, 8.8.8.8, ...)

Is it the cache that improves resolution speed in a meaningful way?

They are used in different ways - search for recursive resolver vs caching public resolver.

Running your own recursive resolver will almost certainly be slower, on the order of 2x latency. I should test it...

Also, DNS-over-HTTP and DNS-over-TLS are not available with all DNS servers, but can be readily enabled to secure the last mile when the upstream public resolver supports it.

It's really not that hard to just run your own DNS server locally. Then you're not beholden to anyone. I recommend it.
I just do this to get a neutral DNSSEC supporting recursive DNS resolver:

apt install unbound

You could try using a DNS provider that's actually in Switzerland...

  103.196.38.3
  103.196.38.8
Globally anycasted plain vanilla name resolution. I don't publicize it because I don't have anything to gain from more users, but you are free to use them.
> I don't publicize it

but you did ... thx anyway :)

Note that even Switzerland could not stay neutral this time and enacted severe sanctions against Russia.

Maybe staying neutral has the higher cost to a free society (and thus „information wanting to be free“) in the long term?

1.1.1.1 1.0.0.1
squatting on someone elses couch is generally not considered 'making a home for oneself'