186 comments

[ 3.2 ms ] story [ 122 ms ] thread
(comment deleted)
"dns0.eu is a French non‑profit organization founded in 2022 by Romain Cointepas and Olivier Poitrey — co-founders of NextDNS."
okay now it actually sounds way more interesting. Because NextDNS is by far my most beloved DNS resolver
Pity they couldn't get a cool IP address like Cloudflare and Google. Since without some source of DNS you can't reach dns0.eu it's good to have something memorable like 1.1.1.1 or 8.8.8.8
yeah I think that's really a big shortcoming. It probably comes down to funding, but it results in a big usability issue. I'll never remember those IPs, and when I can so easily remember 1.1.1.1 and 8.8.8.8, it's obvious what I'm always going to choose.
No IPv6 either
They have, but they listed them only in the Others and Linux tab for some reasons 2a0f:fc80:: 2a0f:fc81::
Use 1.1.1.1 to get the networking working, find DNS0.eu and change the DNS again :)
It's kind of ironic that their main IPv4 addresses are x.x.x.0, while their "ZERO" filtering version uses x.x.x.9.
So the end of NextDNS ?
NextDNS lets me pick what to block, I can't configure DNS0 except for the few variants that require me to change the DNS address completely.

Also: I can't pay for DNS0, so how can I trust they stay up when I'm not their customer?

How can you trust they stay up when you are their customer and pay them?
Because I give them money to keep the lights on?

That way they don't need to rely on grants or investors who usually need hockey stick growth and make the business do stupid things.

This is why I used to pay for pinboard (before the admin disappeared again) and still pay for Newsblur.

DNS resolvers aren't that expensive to run. Besides, one of the founders of dns0.eu has already scaled and sold a venture-backed startup (DailyMotion: https://archive.is/4pN5e), and currently employed as Director at Netflix. Pretty sure they can keep paying for dns0.eu servers for multiple decades. The only problem is maintenance, which is automatable to a large extent.
How can you trust any company you pay to stay up even if you are their customer? I've used discontinued products before. Paid subscriptions to companies that merge with others and the service no longer really exists.
The chances of a company that runs on mystical grants vs one that runs with actual customer money just suddenly going under are different.

It's like Google's stuff. It's free, but you're not the customer, you're the product.

NextDNS founders launched this…
> 193.110.81.0

Ah yes, easy to remember /s

Not everyone has the resources of a Google to acquire lucky IP addresses.
Well you'd think the EU would have more resources than a single company.
Most of those single digit addresses are in the hands of US corporations. Like 4.4.4.4 is Level 3.
2.0.0.0/16 and 2.2.0.0/16 are owned by Orange, a European company. I'm sure they'd be willing to lease 2.2.2.0/24 and 2.0.0.0/24 for a nominal fee

5.4.0.0/14 (so 5.5.5.5) is Telefonica Germany. Same thing there.

Mercedes owns 53.0.0.0/8 which feels like a nice number for DNS too.

Telefonica and Orange are hardly companies that would just let you lease "valuable" ipv4 addresses without having to pay a hefty sum.
If you only lease something the owner can at any time take your business and efforts from you.
It's not the IP that's the problem.

It's the "anycast" mapping of the IP to geographically and network diverse hosts to connect the user to the "closest" (for some value of latency that stays within the data governance jurisdiction).

To do this, you basically have to own a large enough IP block that backbones will deal with it, and route map it.

https://en.wikipedia.org/wiki/Anycast

(comment deleted)
This is not "the EU", just an EU NGO offering up the service.
This is not something from the EU as the organization, but from a French non-profit.
So in short, they're completely noncredible. I'm not sure who in the right mind would trust a random small company with their DNS.
They're not random, they're a French non-profit (created by cofounders of nextdns, btw). Why wouldn't people trust them? In my country most people use a DNS hosted by their ISP, and there are a lot of small ISPs all around. I suspect it's similar everywhere. How is it different?

And anyway, I trust a random French small company more than I trust Google.

Well yes exactly, the only reason you'd switch to a trusted service over a default is to hopefully shield from DNS poisoning and other shenanigans. It would need to be a proven trustworthy service, and just about anyone with a few hours of spare time and literally no cash can open a French NGO, they've got the lowest barrier for entry of any EU country. Just slapping on a nextdns logo doesn't mean shit. It's completely pointless unless it's an EU official government service financed directly by our tax dollars.

Google has a reputation to uphold, so while you can be certain they'll be datamining the shit out of your requests they are also unlikely to be direct malicious actors.

If you have no working DNS, it's hard to google stuff...

There are two types of people - those that just want dns to work at all so they can get stuff done, and those who have working dns but want to 'upgrade' for privacy/filtering reasons.

Why do you need to remember the dns server address? I just type it in once.
Once on every device, VM, container, VPS, etc. That's a lot of times.
I feel your pain but if you really have so many machines you probably automate their configuration.
Or, setup everything to use a resolver on your router, configure your router once. So when you want to change in the future, only one place.
That's what things like Ansible and VM base images are for.
My devices get their dns servers via DHCP. So I enter it only once on the DHCP server.

If you’re running so many devices, you probably want to use your own DNS server too (for internal name resolution), so you can also set the upstream just there.

212.142.28.66 is an IP address of a DNS server that has been stuck in my mind for 25 years now. That said the time where anyone would regularly configure DNS settings is long gone I imagine.
You lived in a pre-smartphone era, which has made the rest of us dumb...
The era of easy to remember DNS server addresses is coming to a close anyway, due to IPv6.

Cloudflare’s are 2606:4700:4700:1001:: and 2606:4700:4700:1111::

I’ve been deploying IPv6 recently and these addresses haven’t burnt into my brains yet, so I occasionally have to do `dig AAAA one.one.one.one` still.

Coming soon: my public IPv6 dns at dead:beef::
Mine will be b00b:: once IANA assigns me b00b::/16
My phone number is a little longer and yet I remember it, along with my own public IP address as well as my physical one. It depends how much you need to use it, of course.
I rarely phone myself. When my number changes, it takes me about a year before I can remember the new one. Numbers I actually call are much easier to memorize.
This is founded by co-founders of NextDNS. But why? How is it different?
Because NextDNS is a for-profit company they probably can't get funding from the EU for these silly EU vanity projects so easily.
How is this a "silly EU vanity project"?
There is an EU fund for silly projects like Gaia-X which are mostly about vanity rather than actually producing anything useful. I am suggesting they've formed a non-profit to try and benefit from this fund.
Yeah I don't see what's silly about providing a resolver with the features being offered, no matter the "EU" branding or official project funding. Right off the bat I'm willing to bet these guys are more genuine and honest about privacy/integrity than e.g. Google.
There is nothing silly about the product specifically. It's useful. However they already built it: https://nextdns.io/

What I am calling silly is not dns0. It's the way the EU is funding technology projects.

> It's the way the EU is funding technology projects.

I personally think that's a good thing, to provide funding and opportunity for gratis service projects with less risk of deviating in the way things often do in commercial context where revenue is the top priority.

DNS is not a "vanity project", it's a massive issue in terms of internet governance. We've known this since the '90s, which is why the EU is starting its own service (that is not this one). I doubt this project got any EU funding, or is likely to ever get any EU money at all; in fact, it looks like a last-gasp attempt from a private DNS company to remain relevant.
DNS4EU is yet another EU vanity / pork barrel project. DNS resolvers are commercial failures as you point out and DNS4EU is going to do nothing to change that.
The EU Commission has a DNS project that they tendered to various private companies. They want the majority of EU internet through something they can directly regulate and control EU internet users.

DNS is a very cheap service to run so I wonder if the founders intended to get a first mover advantage and to be subsumed into the project

For one, on NextDNS I can configure exactly what I want to block (i.e. enable arbitrary combinations of ad filter lists, whitelist domains etc.). This introduces complexity (IPv6 DNS addresses, binding your external IPv4 to a specific configuration etc.)

With DNS0 I just get an IPv4 address that blocks X, Y and Z.

So NextDNS is sort of the power user version of DNS0.

No IPv6 in 2023, is this a joke?
They do have a IPv6 address under Linux & Others if that's what you mean
They are listed under Linux:

   [Resolve]
   DNS=193.110.81.0#dns0.eu
   DNS=2a0f:fc80::#dns0.eu
   DNS=185.253.5.0#dns0.eu
   DNS=2a0f:fc81::#dns0.eu
   DNSOverTLS=yes
From the "other" tab:

> DNS53 (IPv6)

> 2a0f:fc80::

> 2a0f:fc81::

(comment deleted)
There's IPv6, but I see it's not suggested by default except for Linux configuration and on the Others tab.
Is this actually affiliated with the EU, other than just being hosted in the EU?
Not affiliated with EU at all. Their branding and wording makes it look like they are until you scroll to the bottom and read the About.

Admittedly I don't live in the EU so to some of you folks the non-affiliation may seem obvious.

> Their branding and wording makes it look like they are

Because the website is blue and mentions "European Union"?

It doesn't say anywhere that it's a official EU project, nor does it contain some of the famous "banners" that EU projects usually have in the footer to show their grants/funding, nor is it on a official EU domain.

Clearly a not-EU project from first glance.

I don't live in the EU (nor the Americas for that matter) so I'm speaking from first impressions of browsing the site.
I live in the EU and I agree with your first impression. They definitely tried to pass as a typical EU website.
It seems like they went through enough trouble to ensure that the page is translated into the official languages of the EU which is usually only something you see on EU websites. For that reason, it does appear official'ish at first glance.
Maybe something is wrong in my browser, but changing the language just changes the tagline at the top, the rest of the body remains untranslated (English), except for French (founders are French) which translates the entire page.
Actually my impression is that they have done a good job of targeting the EU market and its languages without suggesting that they have any official connection to the EU. There's neither a flag nor a logo and the background blue is, to my eye at least, not the azure of the EU flag.

(Although curiously they call their background colour bg-european-blue in their CSS.)

Well... I understand what you mean but they only have "European" in their title. Europe != European Union.
Sure, but “European public…” definitely sounds like it’s a service offered by some pan-European government body. In hindsight I understand this isn’t how it was intended.
> Admittedly I don't live in the EU so to some of you folks the non-affiliation may seem obvious.

The webpage is too nice looking and lacking the 30 poorly resized 80x80 EU institution logos. So yeah, not affiliated ;P

On the other hand, it doesn’t handle internationalization very well; something I find the EUI websites do properly.
(comment deleted)
As far as I see it is just yet another private organization that aims at watching what the population visits on the internet.
Also operated by a non-profit and also in Europe (albeit in Switzerland that isn't part of EU).
I wish they'd put more resolvers around the globe. I have 10ms ping to the nearest Cloudflare colocation, but around 100ms to quad9. It makes browsing the web so much slower.
90 ms. So much.
Keep your sarcasm to yourself. Multiply 90ms by sometimes dozens of domains modern websites like to load from. Occasionally ISP reroutes me to another Cloudflare colocation and ping to 1.1.1.1 rises to 20-25 ms. It's easily noticeable. I like to play the guessing game, and almost always "win".
Can you please tell them that? I feel you, 100ms ARE recognizable if you have otherwise a fast net, it like snap to clap.
From Romania, I've been getting random delays/timeouts with quad9.
Please please inform them about it.
I seem to have worked around it with a DNS cache (systemd-resolved as the Linux instructions for dns0.eu suggest).

I don't have time or care enough to debug intermittent network issues, if they no longer bother me.

I think you have other problems then just a plug on cache then...

>I don't have time or care enough to debug intermittent network issues, if they no longer bother me.

I see who's the problem now ;)

I had the same issue here in Sweden. 1.5 second delays on some lookups. I opened a ticket and worked with them to isolate the issue, which they then fixed. They were very helpful and very knowledgeable for L1 support.
Which doesn't do ad blocking.
Yeah i don't want that at a "not controlled by me" level.
For what it's worth: nextdns.io, Adblock DNS, etc., give you granular control at DNS level, both which lists to use, but also overrides.

AdBlock DNS also gives you full custom rules engine and DSL.

My router runs Unbound in order to rotate queries across a number of different DNS-over-TLS providers. I'll toss these guys into the mix as well out of curiosity just to see how it goes.
Better to send your queries to a single DNS provider (over TLS/HTTPS) rather than spread it out, because now, not one but multiple providers can build your browsing history. As someone who runs a public DNS resolver, I can tell you that it isn't that hard to build user profiles.

If you're running Unbound, might as well recurse DNS queries, instead of upstreaming it. If you are adamant on spreading DNS queries across multiple upstreams; doing so over ODoH and/or Anonymized DNSCrypt is what I'd recommend.

Won't recursing also spread your queries across multiple providers? And in the clear for deep packet inspectors to see, instead of encrypted?
You wish all nameservers would support DoH / DoT, but until then using Qname minimisation limits exposure.
>"Better to send your queries to a single DNS provider (over TLS/HTTPS) rather than spread it out, because now, not one but multiple providers can build your browsing history."

What I'm wary about is indeed query logging and profiling, but whether it's one provider or a dozen providers isn't that relevant to me. I make a small effort in trying to gauge which providers are honest and which ones are not.

>"As someone who runs a public DNS resolver, I can tell you that it isn't that hard to build user profiles."

Yes, I understand this. May I ask why you/RethinkDNS are doing this with your users' query data?

We aren't.
You will forgive me for thinking "mmmmmmm-hmmmmmm" when you say that after your initial comment on how easy it is in light of running a public resolver yourself.
Ideally, one should think that for every dns resolver they use.

As one example, even when a popular configurable dns resolver says they don't store logs outside the EU, they might yet be caching those logs and analytics with AWS and GCP servers all over the world.

Btw, Rethink is FOSS (https://github.com/serverless-dns/serverless-dns), and its deployment logs are inspectable right on GitHub. Not saying you should trust us, but that's already more transparency than most resolvers (speak nothing of vague / cute privacy policy). Any how, our focus with Rethink has mainly been anti censorship / anti surveillance, and nothing much else.

Given the restrictions on this server which won't be on the other, adding it to a rotating list will make DNS answers inconsistant. Why would you want to do that?
I won't be using the "zero" resolver.
Why not just have unbound make the query itself? no need to depend on a third party recursive resolver if you already have your own.
I want to ensure my leg on the network traffic path is encrypted.
Do they block or allow mandated blocked domain by EU countries?
Unbelievable that so many operating systems don't support encrypted DNS out of the box.
Before i start digging into it, does anybody know how they do "No mature videos on YouTube" (in the "kids" filter) with just DNS?
uh, you are right: +1 for this question
It appears this is functionality provided by YouTube themselves where you can set a CNAME: https://support.google.com/a/answer/6214622?hl=en#zippy=%2Co...
thanks, looks like you're right:

    $ kdig +tls www.youtube.com @kids.dns0.eu
    …
    ;; QUESTION SECTION:
    ;; www.youtube.com.      IN A

    ;; ANSWER SECTION:
    www.youtube.com.              300  IN CNAME restrictmoderate.youtube.com.
    restrictmoderate.youtube.com. 1611 IN A     216.239.38.119
(comment deleted)
(comment deleted)
They make it seem like they're affiliated with the EU, from brand colors, to TLD, and more. But of course they're unaffiliated. Seems intentionally deceptive.
I did not have that feeling and .eu domains quite standard nation-like domain.
The blurb makes it crystal clear that it's talking about location or situs. In other words, regulated by EU regulations. The TLD is specifically for sites that are "in" the EU (as opposed to being "by" te EU).
Doesn't disclose where their blocklists come from for the child product, hugely overblocks legitimate websites, has no appeals process for miscatagorisation.

What an awful product.

Can you provide any examples of legitimate sites that they block on their "zero" resolvers?
I'll answer the question myself by providing an example I saw elsewhere, which also illustrates that their "default" resolver differs from the curated "zero" resolver:

  dig @193.110.81.0 uni.cf a
  
  status: NOERROR, ANSWER: 2
  IN  A  67.199.248.12
  IN  A  67.199.248.13
  
  
  dig @193.110.81.9 uni.cf a

  status: NXDOMAIN, ANSWER: 0
  IN  A
Note that for the iphone's configuration to work, you need to use Safari to open their "configuration profile" link
So this is just NextDNS but without a control panel, and it’s 100% free? That’s nice.
It has quite extreme filtering:

- No porn or other adult websites

- No explicit search results

- No mature videos on YouTube

- No dating websites or apps

- No mixed-content websites

- No piracy

- No ads

That seems to be only the case for the "childproof" version.
Ah, right, it has different DNS IPs.
Unless I'm missing something this is the filtering for `kids.dns0.eu` not the ones on `dns0.eu`.
If I choose their DNS, the website shows a text at the bottom that says "You are using dns0.eu"

How does the website know I'm using their DNS? I couldn't find anything in the HTTP header that would help them with this.

https://imgur.com/fMZwxYz

They could be giving out different IP (or CNAME) for people using their DNS. Then the site is just slightly different depending on how it is accessed. or i suppose they could be looking at logs of the ips using their dns and checking all visitors to the website, but that would be wild.

ooh they could also have a host that is only resolvable from those servers, and have the front end dynamically load that message from that host. and if it fails it does not show anything.

I guess they redirect you to a different IP than they publish in the public DNS?
JS does a GET request every 2 seconds or so to some random subdomain (probably to avoid caching): https://i.vgy.me/qCTabA.png

The JSON response contains 'status: "unconfigured"' when you're not using their resolver and 'status: "ok"' when you are: https://i.vgy.me/iVgIe1.png

That green bar just appears after a "ok" response (no page reload needed).

If anyone's wondering which are the "High-risk TLDs" blocked in the "zero" filter: CF, CG, GA, GQ, ML, TK, TOP, WIN (right now, i guess it may change any time)

The "kids" filter blocks the same TLDs, so it allows XXX or PORN, i guess they just block individual 2nd level domains.

I just looped through IANA's TLD list with a simple script to get this. The resolver returns NXDOMAIN with "negative-caching.dns0.eu." SOA for the blocked ones:

    $ kdig +tls ns tk @zero.dns0.eu
    …
    ;; ->>HEADER<<- opcode: QUERY; status: NXDOMAIN; id: 39321
    …
    ;; QUESTION SECTION:
    ;; tk.                   IN NS

    ;; AUTHORITY SECTION:
    tk.                  300 IN SOA negative-caching.dns0.eu. hostmaster.tk. 0 1200 300 1209600 300
It seems pretty ridiculous to block those domains outright. There are plenty of legitimate government, tourist and local sites, which could at least be whitelisted.

They've blocked UNICEF's link shortener: https://uni.cf

"They've blocked UNICEF's link shortener: https://uni.cf"

Which I consider a good thing, why route links through the influence space of a country that is in a civil war with foreign mercenaries running parts of the show?

That's not their reason for blocking, since e.g. North Korea is allowed (tried airkoryo.com.kp).
> safe for children

Ah, it's filtered.

Someone decides what "children" means. Someone decides what "safe" means.

There are people who think that not just under-16s, but almost everyone is incapable of making adult decisions. And different (responsible, informed) adults may come to different conclusions about what is and isn't safe.

Curated DNS may suit some people, but I appreciate having access to the real internet.

There are separate dns servers, the one for kids is different from the one mentioned on the landing page.
If it's not for you it's not for you.

I always wonder about people who go to a French restaurant and want Pizza.

> I always wonder about people who go to a French restaurant and want Pizza.

To be fair, this is more like trying to lookup contact information for the local pizzeria, and realizing to your surprise that the phone book you've picked up has directed you to the French restaurant instead.

Well sure, if you picked up the phonebook called "Pizza to French Cuisine" ....
When I first encountered pizza, I was a kid, and it was in France. For quite a few years, I thought pizza was a French thing.

I'm not sure what your point is. I read the article because I'm interested in DNS; not because I'm researching 3rd-party resolvers. I run my own Unbound recursor.

Probably the best pizza I’ve ever had in my life was at a French restaurant in Vientiane, Laos.

So, yeah…

"Migas? A Mexican restaurant in Beirut? I'm impressed."
Nonsense.

You can choose which version to use, same with Cloudflare’s 3 different DNS choices.

And much like Cloudflare the lack of accountability and clumsy blocking schema of the "child safe" one is dangerous and worthy of criticism.
I’m now 35 and incapable of making adult decisions. Does that count?
I think there may be a 5-year window, perhaps from 60-65, when you are old enough but not too old. Older, and you're child-like because you're senile; younger, and you're naive, reckless, and under-informed.
They offer three families of resolvers: the default one which as far as I understand isn't curated at all, the "zero" one which is curated against "bad actors", and the "kids" one which you speak of.
> They offer three families of resolvers

Yeah, I see. On first reading, that wasn't obvious to me.

But a DNS provider that can filter, and that also purports to be something to do with the EU, presumably imposes EU-mandated filtering, whichever server you choose. Or it will, as soon as it's ordered to.

I don't get why people use 3rd-party resolvers. It's not hard to set up an Unbound recursor.

(comment deleted)
"presumably imposes EU-mandated filtering"

Source?

He’s been triggered. He either didn’t read the article or doesn’t understand it.
It's in France. It operates under French and EU jurisdiction.

[Edit] So EU mandates will be enforced. Is that fact what you want a source for?

france is like the hub of content anarchism dude. culture matters, its not all about laws.
Think about how many people want to at least keep their children safe online and do not have an easy means to do so.

This helps make simple solutions accessible to a wider audience.

Sure you may not care if your children are watching porn at age 6 .. some may prefer to parent differently.

Giving people an option is not a bad thing, and it does not purport to be anything to do with the EU itself, just built for the EU market.

If you're the type of person to think Federal Express is part of the US government, that's partially on you.

IMHO the only solution for real safety for children on internet are the parents that navigate with the child and education, any other solution is only a patch that give false security. And, above all, you're giving to other people the right to choose what is good or bad for your children. Not my way.
Golly - there's a few strawmen there.

* My children are in their thirties, and don't live with me. I live on my own now, but I was a good parent.

* I didn't suggest that using this service should be banned; I just asked why people don't run their own recursive DNS.

* And I have no idea where you got the notion that I confuse Fedex with the US government.

It is within .eu domain. Nothing to do with the European Union.
.eu domains are only available to any person or entity that reside within the European Union. As such, any European Union legislation will apply.
No support for Anonymized DNSCrypt nor ODoH. Guess they still want to see client IP addresses.