Pity they couldn't get a cool IP address like Cloudflare and Google. Since without some source of DNS you can't reach dns0.eu it's good to have something memorable like 1.1.1.1 or 8.8.8.8
yeah I think that's really a big shortcoming. It probably comes down to funding, but it results in a big usability issue. I'll never remember those IPs, and when I can so easily remember 1.1.1.1 and 8.8.8.8, it's obvious what I'm always going to choose.
DNS resolvers aren't that expensive to run. Besides, one of the founders of dns0.eu has already scaled and sold a venture-backed startup (DailyMotion: https://archive.is/4pN5e), and currently employed as Director at Netflix. Pretty sure they can keep paying for dns0.eu servers for multiple decades. The only problem is maintenance, which is automatable to a large extent.
How can you trust any company you pay to stay up even if you are their customer? I've used discontinued products before. Paid subscriptions to companies that merge with others and the service no longer really exists.
It's the "anycast" mapping of the IP to geographically and network diverse hosts to connect the user to the "closest" (for some value of latency that stays within the data governance jurisdiction).
To do this, you basically have to own a large enough IP block that backbones will deal with it, and route map it.
They're not random, they're a French non-profit (created by cofounders of nextdns, btw). Why wouldn't people trust them? In my country most people use a DNS hosted by their ISP, and there are a lot of small ISPs all around. I suspect it's similar everywhere. How is it different?
And anyway, I trust a random French small company more than I trust Google.
Well yes exactly, the only reason you'd switch to a trusted service over a default is to hopefully shield from DNS poisoning and other shenanigans. It would need to be a proven trustworthy service, and just about anyone with a few hours of spare time and literally no cash can open a French NGO, they've got the lowest barrier for entry of any EU country. Just slapping on a nextdns logo doesn't mean shit. It's completely pointless unless it's an EU official government service financed directly by our tax dollars.
Google has a reputation to uphold, so while you can be certain they'll be datamining the shit out of your requests they are also unlikely to be direct malicious actors.
If you have no working DNS, it's hard to google stuff...
There are two types of people - those that just want dns to work at all so they can get stuff done, and those who have working dns but want to 'upgrade' for privacy/filtering reasons.
My devices get their dns servers via DHCP. So I enter it only once on the DHCP server.
If you’re running so many devices, you probably want to use your own DNS server too (for internal name resolution), so you can also set the upstream just there.
212.142.28.66 is an IP address of a DNS server that has been stuck in my mind for 25 years now. That said the time where anyone would regularly configure DNS settings is long gone I imagine.
My phone number is a little longer and yet I remember it, along with my own public IP address as well as my physical one. It depends how much you need to use it, of course.
I rarely phone myself. When my number changes, it takes me about a year before I can remember the new one. Numbers I actually call are much easier to memorize.
There is an EU fund for silly projects like Gaia-X which are mostly about vanity rather than actually producing anything useful. I am suggesting they've formed a non-profit to try and benefit from this fund.
Yeah I don't see what's silly about providing a resolver with the features being offered, no matter the "EU" branding or official project funding. Right off the bat I'm willing to bet these guys are more genuine and honest about privacy/integrity than e.g. Google.
> It's the way the EU is funding technology projects.
I personally think that's a good thing, to provide funding and opportunity for gratis service projects with less risk of deviating in the way things often do in commercial context where revenue is the top priority.
Gaia-X isn't EU funded, it was just endorsed by EU parliament members. It's actually funded by different entities in the manufacturing industries (like car manufacturers). EU funded projects have distinctive markers on their pages.
DNS is not a "vanity project", it's a massive issue in terms of internet governance. We've known this since the '90s, which is why the EU is starting its own service (that is not this one). I doubt this project got any EU funding, or is likely to ever get any EU money at all; in fact, it looks like a last-gasp attempt from a private DNS company to remain relevant.
DNS4EU is yet another EU vanity / pork barrel project. DNS resolvers are commercial failures as you point out and DNS4EU is going to do nothing to change that.
The EU Commission has a DNS project that they tendered to various private companies. They want the majority of EU internet through something they can directly regulate and control EU internet users.
DNS is a very cheap service to run so I wonder if the founders intended to get a first mover advantage and to be subsumed into the project
For one, on NextDNS I can configure exactly what I want to block (i.e. enable arbitrary combinations of ad filter lists, whitelist domains etc.). This introduces complexity (IPv6 DNS addresses, binding your external IPv4 to a specific configuration etc.)
With DNS0 I just get an IPv4 address that blocks X, Y and Z.
So NextDNS is sort of the power user version of DNS0.
> Their branding and wording makes it look like they are
Because the website is blue and mentions "European Union"?
It doesn't say anywhere that it's a official EU project, nor does it contain some of the famous "banners" that EU projects usually have in the footer to show their grants/funding, nor is it on a official EU domain.
It seems like they went through enough trouble to ensure that the page is translated into the official languages of the EU which is usually only something you see on EU websites. For that reason, it does appear official'ish at first glance.
Maybe something is wrong in my browser, but changing the language just changes the tagline at the top, the rest of the body remains untranslated (English), except for French (founders are French) which translates the entire page.
Actually my impression is that they have done a good job of targeting the EU market and its languages without suggesting that they have any official connection to the EU. There's neither a flag nor a logo and the background blue is, to my eye at least, not the azure of the EU flag.
(Although curiously they call their background colour bg-european-blue in their CSS.)
Sure, but “European public…” definitely sounds like it’s a service offered by some pan-European government body. In hindsight I understand this isn’t how it was intended.
I wish they'd put more resolvers around the globe. I have 10ms ping to the nearest Cloudflare colocation, but around 100ms to quad9. It makes browsing the web so much slower.
Keep your sarcasm to yourself. Multiply 90ms by sometimes dozens of domains modern websites like to load from. Occasionally ISP reroutes me to another Cloudflare colocation and ping to 1.1.1.1 rises to 20-25 ms. It's easily noticeable. I like to play the guessing game, and almost always "win".
I had the same issue here in Sweden. 1.5 second delays on some lookups. I opened a ticket and worked with them to isolate the issue, which they then fixed. They were very helpful and very knowledgeable for L1 support.
My router runs Unbound in order to rotate queries across a number of different DNS-over-TLS providers. I'll toss these guys into the mix as well out of curiosity just to see how it goes.
Better to send your queries to a single DNS provider (over TLS/HTTPS) rather than spread it out, because now, not one but multiple providers can build your browsing history. As someone who runs a public DNS resolver, I can tell you that it isn't that hard to build user profiles.
If you're running Unbound, might as well recurse DNS queries, instead of upstreaming it. If you are adamant on spreading DNS queries across multiple upstreams; doing so over ODoH and/or Anonymized DNSCrypt is what I'd recommend.
>"Better to send your queries to a single DNS provider (over TLS/HTTPS) rather than spread it out, because now, not one but multiple providers can build your browsing history."
What I'm wary about is indeed query logging and profiling, but whether it's one provider or a dozen providers isn't that relevant to me. I make a small effort in trying to gauge which providers are honest and which ones are not.
>"As someone who runs a public DNS resolver, I can tell you that it isn't that hard to build user profiles."
Yes, I understand this. May I ask why you/RethinkDNS are doing this with your users' query data?
You will forgive me for thinking "mmmmmmm-hmmmmmm" when you say that after your initial comment on how easy it is in light of running a public resolver yourself.
Ideally, one should think that for every dns resolver they use.
As one example, even when a popular configurable dns resolver says they don't store logs outside the EU, they might yet be caching those logs and analytics with AWS and GCP servers all over the world.
Btw, Rethink is FOSS (https://github.com/serverless-dns/serverless-dns), and its deployment logs are inspectable right on GitHub. Not saying you should trust us, but that's already more transparency than most resolvers (speak nothing of vague / cute privacy policy). Any how, our focus with Rethink has mainly been anti censorship / anti surveillance, and nothing much else.
Given the restrictions on this server which won't be on the other, adding it to a rotating list will make DNS answers inconsistant. Why would you want to do that?
They make it seem like they're affiliated with the EU, from brand colors, to TLD, and more. But of course they're unaffiliated. Seems intentionally deceptive.
The blurb makes it crystal clear that it's talking about location or situs. In other words, regulated by EU regulations. The TLD is specifically for sites that are "in" the EU (as opposed to being "by" te EU).
Doesn't disclose where their blocklists come from for the child product, hugely overblocks legitimate websites, has no appeals process for miscatagorisation.
I'll answer the question myself by providing an example I saw elsewhere, which also illustrates that their "default" resolver differs from the curated "zero" resolver:
dig @193.110.81.0 uni.cf a
status: NOERROR, ANSWER: 2
IN A 67.199.248.12
IN A 67.199.248.13
dig @193.110.81.9 uni.cf a
status: NXDOMAIN, ANSWER: 0
IN A
They could be giving out different IP (or CNAME) for people using their DNS. Then the site is just slightly different depending on how it is accessed. or i suppose they could be looking at logs of the ips using their dns and checking all visitors to the website, but that would be wild.
ooh they could also have a host that is only resolvable from those servers, and have the front end dynamically load that message from that host. and if it fails it does not show anything.
If anyone's wondering which are the "High-risk TLDs" blocked in the "zero" filter: CF, CG, GA, GQ, ML, TK, TOP, WIN (right now, i guess it may change any time)
The "kids" filter blocks the same TLDs, so it allows XXX or PORN, i guess they just block individual 2nd level domains.
I just looped through IANA's TLD list with a simple script to get this. The resolver returns NXDOMAIN with "negative-caching.dns0.eu." SOA for the blocked ones:
It seems pretty ridiculous to block those domains outright. There are plenty of legitimate government, tourist and local sites, which could at least be whitelisted.
"They've blocked UNICEF's link shortener: https://uni.cf"
Which I consider a good thing, why route links through the influence space of a country that is in a civil war with foreign mercenaries running parts of the show?
Someone decides what "children" means. Someone decides what "safe" means.
There are people who think that not just under-16s, but almost everyone is incapable of making adult decisions. And different (responsible, informed) adults may come to different conclusions about what is and isn't safe.
Curated DNS may suit some people, but I appreciate having access to the real internet.
> I always wonder about people who go to a French restaurant and want Pizza.
To be fair, this is more like trying to lookup contact information for the local pizzeria, and realizing to your surprise that the phone book you've picked up has directed you to the French restaurant instead.
When I first encountered pizza, I was a kid, and it was in France. For quite a few years, I thought pizza was a French thing.
I'm not sure what your point is. I read the article because I'm interested in DNS; not because I'm researching 3rd-party resolvers. I run my own Unbound recursor.
I think there may be a 5-year window, perhaps from 60-65, when you are old enough but not too old. Older, and you're child-like because you're senile; younger, and you're naive, reckless, and under-informed.
They offer three families of resolvers: the default one which as far as I understand isn't curated at all, the "zero" one which is curated against "bad actors", and the "kids" one which you speak of.
Yeah, I see. On first reading, that wasn't obvious to me.
But a DNS provider that can filter, and that also purports to be something to do with the EU, presumably imposes EU-mandated filtering, whichever server you choose. Or it will, as soon as it's ordered to.
I don't get why people use 3rd-party resolvers. It's not hard to set up an Unbound recursor.
IMHO the only solution for real safety for children on internet are the parents that navigate with the child and education, any other solution is only a patch that give false security. And, above all, you're giving to other people the right to choose what is good or bad for your children. Not my way.
186 comments
[ 3.2 ms ] story [ 122 ms ] threadAlso: I can't pay for DNS0, so how can I trust they stay up when I'm not their customer?
That way they don't need to rely on grants or investors who usually need hockey stick growth and make the business do stupid things.
This is why I used to pay for pinboard (before the admin disappeared again) and still pay for Newsblur.
It's like Google's stuff. It's free, but you're not the customer, you're the product.
Ah yes, easy to remember /s
5.4.0.0/14 (so 5.5.5.5) is Telefonica Germany. Same thing there.
Mercedes owns 53.0.0.0/8 which feels like a nice number for DNS too.
It's the "anycast" mapping of the IP to geographically and network diverse hosts to connect the user to the "closest" (for some value of latency that stays within the data governance jurisdiction).
To do this, you basically have to own a large enough IP block that backbones will deal with it, and route map it.
https://en.wikipedia.org/wiki/Anycast
And anyway, I trust a random French small company more than I trust Google.
Google has a reputation to uphold, so while you can be certain they'll be datamining the shit out of your requests they are also unlikely to be direct malicious actors.
There are two types of people - those that just want dns to work at all so they can get stuff done, and those who have working dns but want to 'upgrade' for privacy/filtering reasons.
If you’re running so many devices, you probably want to use your own DNS server too (for internal name resolution), so you can also set the upstream just there.
Cloudflare’s are 2606:4700:4700:1001:: and 2606:4700:4700:1111::
I’ve been deploying IPv6 recently and these addresses haven’t burnt into my brains yet, so I occasionally have to do `dig AAAA one.one.one.one` still.
What I am calling silly is not dns0. It's the way the EU is funding technology projects.
I personally think that's a good thing, to provide funding and opportunity for gratis service projects with less risk of deviating in the way things often do in commercial context where revenue is the top priority.
DNS is a very cheap service to run so I wonder if the founders intended to get a first mover advantage and to be subsumed into the project
With DNS0 I just get an IPv4 address that blocks X, Y and Z.
So NextDNS is sort of the power user version of DNS0.
> DNS53 (IPv6)
> 2a0f:fc80::
> 2a0f:fc81::
Admittedly I don't live in the EU so to some of you folks the non-affiliation may seem obvious.
Because the website is blue and mentions "European Union"?
It doesn't say anywhere that it's a official EU project, nor does it contain some of the famous "banners" that EU projects usually have in the footer to show their grants/funding, nor is it on a official EU domain.
Clearly a not-EU project from first glance.
(Although curiously they call their background colour bg-european-blue in their CSS.)
The webpage is too nice looking and lacking the 30 poorly resized 80x80 EU institution logos. So yeah, not affiliated ;P
https://www.quad9.net/service/service-addresses-and-features
I don't have time or care enough to debug intermittent network issues, if they no longer bother me.
>I don't have time or care enough to debug intermittent network issues, if they no longer bother me.
I see who's the problem now ;)
AdBlock DNS also gives you full custom rules engine and DSL.
If you're running Unbound, might as well recurse DNS queries, instead of upstreaming it. If you are adamant on spreading DNS queries across multiple upstreams; doing so over ODoH and/or Anonymized DNSCrypt is what I'd recommend.
What I'm wary about is indeed query logging and profiling, but whether it's one provider or a dozen providers isn't that relevant to me. I make a small effort in trying to gauge which providers are honest and which ones are not.
>"As someone who runs a public DNS resolver, I can tell you that it isn't that hard to build user profiles."
Yes, I understand this. May I ask why you/RethinkDNS are doing this with your users' query data?
As one example, even when a popular configurable dns resolver says they don't store logs outside the EU, they might yet be caching those logs and analytics with AWS and GCP servers all over the world.
Btw, Rethink is FOSS (https://github.com/serverless-dns/serverless-dns), and its deployment logs are inspectable right on GitHub. Not saying you should trust us, but that's already more transparency than most resolvers (speak nothing of vague / cute privacy policy). Any how, our focus with Rethink has mainly been anti censorship / anti surveillance, and nothing much else.
https://support.google.com/websearch/answer/186669?hl=en
What an awful product.
- No porn or other adult websites
- No explicit search results
- No mature videos on YouTube
- No dating websites or apps
- No mixed-content websites
- No piracy
- No ads
How does the website know I'm using their DNS? I couldn't find anything in the HTTP header that would help them with this.
https://imgur.com/fMZwxYz
ooh they could also have a host that is only resolvable from those servers, and have the front end dynamically load that message from that host. and if it fails it does not show anything.
The JSON response contains 'status: "unconfigured"' when you're not using their resolver and 'status: "ok"' when you are: https://i.vgy.me/iVgIe1.png
That green bar just appears after a "ok" response (no page reload needed).
The "kids" filter blocks the same TLDs, so it allows XXX or PORN, i guess they just block individual 2nd level domains.
I just looped through IANA's TLD list with a simple script to get this. The resolver returns NXDOMAIN with "negative-caching.dns0.eu." SOA for the blocked ones:
They've blocked UNICEF's link shortener: https://uni.cf
Which I consider a good thing, why route links through the influence space of a country that is in a civil war with foreign mercenaries running parts of the show?
Ah, it's filtered.
Someone decides what "children" means. Someone decides what "safe" means.
There are people who think that not just under-16s, but almost everyone is incapable of making adult decisions. And different (responsible, informed) adults may come to different conclusions about what is and isn't safe.
Curated DNS may suit some people, but I appreciate having access to the real internet.
I always wonder about people who go to a French restaurant and want Pizza.
To be fair, this is more like trying to lookup contact information for the local pizzeria, and realizing to your surprise that the phone book you've picked up has directed you to the French restaurant instead.
I'm not sure what your point is. I read the article because I'm interested in DNS; not because I'm researching 3rd-party resolvers. I run my own Unbound recursor.
So, yeah…
You can choose which version to use, same with Cloudflare’s 3 different DNS choices.
Yeah, I see. On first reading, that wasn't obvious to me.
But a DNS provider that can filter, and that also purports to be something to do with the EU, presumably imposes EU-mandated filtering, whichever server you choose. Or it will, as soon as it's ordered to.
I don't get why people use 3rd-party resolvers. It's not hard to set up an Unbound recursor.
Source?
[Edit] So EU mandates will be enforced. Is that fact what you want a source for?
This helps make simple solutions accessible to a wider audience.
Sure you may not care if your children are watching porn at age 6 .. some may prefer to parent differently.
Giving people an option is not a bad thing, and it does not purport to be anything to do with the EU itself, just built for the EU market.
If you're the type of person to think Federal Express is part of the US government, that's partially on you.
* My children are in their thirties, and don't live with me. I live on my own now, but I was a good parent.
* I didn't suggest that using this service should be banned; I just asked why people don't run their own recursive DNS.
* And I have no idea where you got the notion that I confuse Fedex with the US government.