Ask HN: Neutral DNS servers?
Hi HN - Here’s a question that I hope will generate some useful comments, suggestions and links.
Background for question: I normally run an internal DNS resolver with an upstream pool of 10-15 providers. These are normally a mix of Global Anycast servers (Quad9 etc) with some OpenNIC, YandexDNS etc thrown in towards the end to cover the ‘chilling effects’ blackholes.
Currently Yandex DNS is pinging a timeout (either due to black-holing or DDOS’ing depending on where I connect To/From).
My question to HN is this – Given my ‘Information Wants To Be Free’ viewpoint, are there any DNS equivalents of Switzerland (WWII, Neutral to all parties) providers?
98 comments
[ 0.20 ms ] story [ 154 ms ] threadhttps://www.iana.org/domains/root/files
One quick question though - After taking a quick skim of it the list seems to be extremely 'Western-Centric' (reference link https://www.internic.net/domain/named.root)
[0] Original DNS RFC1035 https://datatracker.ietf.org/doc/html/rfc1035 (1987) [1] Somewhat cheekily as the inventor of DNS has a Greek surname. https://en.wikipedia.org/wiki/Paul_Mockapetris [2] 2000+ years ago and mature enough to have QoS+max-TTL/hop: http://libgen.rs/scimag/10.1163%2F9789004292123 (pp17-48) + where I write this. [3] Evidenced to 9th century BC https://www.ucl.ac.uk/sargon/essentials/governors/thekingsro... [4] Start by fixing https://en.wikipedia.org/wiki/Timeline_of_postal_history
And yet, none of these other regions and cultures actually did invent it, and thus it remains a Western invention.
It's like "technology" being used to describe a bash script, or "invention" used to describe a standard algorithm.
Alternatively, you can maintain the NSes for all the TLDs you are particularly interested in, and alert yourself if they change to something you don't recognize.
Finally, keep in mind that whatever you do, you need to have multiple vantage points to the internet. There's not a lot stopping your ISP from not delivering you to the right host when you try to talk to it. E.g. your ISP can fake the DNS responses.
I‘m curious to see your evidence on that or which future state you would see as a more fortunate one.
A lot of people are running recursive resolvers at home (like pi-hole stuff, or most people running some custom openwrt router/modem). I'm running one on my laptop (my resolver is localhost) and it works great.
> After taking a quick skim of it the list seems to be extremely 'Western-Centric'
It is, but that's what the internet is. But by running your own recursive resolver you can control your cache and a lot of the data doesn't change often. If you're extra paranoid you can cache the record data (or even archive the history) for ccTLD (or even all TLDs). For stuff (domains) you're interested in you can also hard-code or otherwise program "non-standard" ways to resolve the ips (by somehow populating a local database that overrides recursive resolution), like pi-hole/safebrowsing blocklists, stuff from institutions or CDNs you trust.
Otherwise, you could spin up your recursive resolver on your cloud, VPS, or other hosting provider of choice, and then use that.
But at least it is detectable thanks to NSEC and NSEC3 records.
They can easily manipulate TCP as well. Unless you establish an authenticated session like TLS, TCP can be mitm-ed easily.
But someone can see it, but you can rotate upstream resolvers to split requests if you have to.
Source: I'm running Unbound on my notebook, I'm actually queried the stats for some heated discussion on reddit.
For example my current stats_noreset:
As you can see most of queries are completed in a way below 500ms. Adding another 20-40ms on top that doesn't change anything, because caching is a thing and with Unbound you can even ask to actually refresh the expiring records, so you would be served a fresh one from the cache every time, though I never bothered with it, it works fine even without it.I think non-disciminating DNS providers are rather the norm and not an exception though.
Then your experience differs greatly from mine (EU based). My usual mix of 'fastest anycast' upstreams’ are reliably black-holing a lot of .ru domains right now
(Rightly or wrongly is a ‘nother question for a ‘nother day).
P.S, YMMV and obviously does :)
https://www.rt.com/
https://sputniknews.com/
Unbound is basically your own private DNS resolver and then Pi-hole lets you filter out whatever "junk" you don't want.
https://github.com/AdguardTeam/AdGuardHome
Presumably the root and authoritative servers. Which is why I use a local recursive resolver rather than any upstream/third party resolvers.
You should try it. It's easy and fun!
Heck, I did that at home for Chromecast and other devices that hardcode their DNS.
There are many different types of resolvers, blocking and unfiltered. We're adding global ECH support in the coming weeks. There is also a paid plan if you need more control.
This only helps if they're not doing any advanced blocking though. If I remember correctly, when Russia blocked Telegram, they were blocking their IPs, not just DNS queries. If the rumours of a "RuNet" are true, then they probably need something more advanced (eg: a VPN with traffic obfuscation, Tor, etc).
---
[0] https://github.com/DNSCrypt/dnscrypt-proxy
I have my own resolver on my own server running unbound and it gets service from my paid nextdns account.
Sort of like having a pihole but it is available from anywhere and I don’t have to run a rpi…
I guess I'm confused on the benefit (theoretical or practical) one would get by using that variety of resolvers. Is it just to prevent theoretical censorship at the DNS level?
Quad 1 cloudflare is reliable doh but comes from a company with a history of bloviating nonsense about internet freedom only to eagerly capitulate to Twitter lynchmobs and blacklist a customer or ten.
https://dnscrypt.info/public-servers/ will give you a nice list of doh to try out. Ymmv however as many are sporadic.
Google stated that for the purposes of performance and security, the querying IP address will be deleted after 24–48 hours, but Internet service provider (ISP) and location information are stored permanently on their servers.
At this point, the onus is to prove thing $x is not used for Google analytics.
> We do not correlate or associate personal information in Google Public DNS logs with your information from use of any other Google service except for addressing security and abuse.
It doesn’t mean they don’t use the other data for analytics. They could also anonymise the personal information first before using it to do analytics. Like “users who visit example.com also visit “store.example.net” is good information and they don’t need your personal information for that.
Why do they collect personal information? Why do they collect dns logs ?
That's exactly why Quad9 changed it's HQ to Switzerland:
https://www.switch.ch/news/quad9-moves-to-Switzerland/
It sounds like what you really want is your own recursive resolver.
Is it the cache that improves resolution speed in a meaningful way?
Running your own recursive resolver will almost certainly be slower, on the order of 2x latency. I should test it...
Also, DNS-over-HTTP and DNS-over-TLS are not available with all DNS servers, but can be readily enabled to secure the last mile when the upstream public resolver supports it.
apt install unbound
[0] https://github.com/DNSCrypt/dnscrypt-proxy
but you did ... thx anyway :)
Maybe staying neutral has the higher cost to a free society (and thus „information wanting to be free“) in the long term?