[HN Gopher] Ask HN: Neutral DNS servers?
___________________________________________________________________
 
Ask HN: Neutral DNS servers?
 
Hi HN - Here's a question that I hope will generate some useful
comments, suggestions and links.
 
Background for question: I normally run an internal DNS resolver with
an upstream pool of 10-15 providers. These are normally a mix of
Global Anycast servers (Quad9 etc) with some OpenNIC, YandexDNS etc
thrown in towards the end to cover the 'chilling effects' blackholes.
Currently Yandex DNS is pinging a timeout (either due to black-holing
or DDOS'ing depending on where I connect To/From).
 
My question to HN is this - Given my 'Information Wants To Be Free'
viewpoint, are there any DNS equivalents of Switzerland (WWII, Neutral
to all parties) providers?
 
Author : NotAWorkNick
Score  : 69 points
Date   : 2022-03-11 17:04 UTC (5 hours ago)
 
| BrandoElFollito wrote:
| Question after reading (very interesting) answers: what is the
| downside of using the root servers instead of the well-known ones?
| (1.1.1.1, 8.8.8.8, ...)
| 
| Is it the cache that improves resolution speed in a meaningful
| way?
| cyounkins wrote:
| They are used in different ways - search for recursive resolver
| vs caching public resolver.
| 
| Running your own recursive resolver will almost certainly be
| slower, on the order of 2x latency. I should test it...
| 
| Also, DNS-over-HTTP and DNS-over-TLS are not available with all
| DNS servers, but can be readily enabled to secure the last mile
| when the upstream public resolver supports it.
| neilalexander wrote:
| You could just run a recursive resolver yourself by using the
| root hints. You don't need to delegate your DNS queries onto a
| third-party resolver like Quad9.
| 
| https://www.iana.org/domains/root/files
| DavideNL wrote:
| Although querying the root servers directly is always
| unencrypted right? So your ISP _can_ see and might manipulate
| all queries at will?
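Here is what neilalexander's suggestion looks like in practice: an unbound configuration that recurses from the root hints instead of forwarding to a third-party resolver. This is an added example, not configuration posted in the thread; the file paths under /var/lib/unbound/ and the 192.168.1.0/24 LAN range are assumptions. It also answers DavideNL's manipulation concern as far as DNSSEC can: signed answers that fail validation are rejected and logged, and the resolver only answers clients you list, so it cannot be turned into an open reflector.

```conf
# /etc/unbound/unbound.conf (added example; paths and LAN range are assumptions)
server:
    verbosity: 1
    # Listen only on loopback; widen to a LAN address if other hosts should use it.
    interface: 127.0.0.1
    port: 53

    # Answer only the clients you name. Everything else is refused, so the
    # resolver cannot be used as an open reflector for DNS amplification.
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse

    # Recurse from the root servers (named.root from internic.net) rather than
    # forwarding to 1.1.1.1 / 8.8.8.8 / Quad9.
    root-hints: "/var/lib/unbound/root.hints"

    # DNSSEC validation against the IANA root trust anchor. unbound keeps this
    # file updated (RFC 5011); bootstrap it once with unbound-anchor.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    val-permissive-mode: no
    val-log-level: 2                 # log every validation failure (tampering or a broken zone)
    harden-dnssec-stripped: yes      # missing DNSSEC data in a signed zone is treated as bogus

    # Spoofing and cache-poisoning hardening for the unencrypted root/TLD hops.
    harden-glue: yes
    harden-referral-path: yes
    use-caps-for-id: yes             # 0x20 case randomisation of query names
    qname-minimisation: yes          # send each server only the labels it needs
    aggressive-nsec: yes             # answer NXDOMAIN from cached NSEC/NSEC3 proofs

    # Refresh popular records before their TTL expires so clients rarely wait.
    prefetch: yes
    prefetch-key: yes

    hide-identity: yes
    hide-version: yes
```

Bootstrap it with the two files it expects: the root hints come from the named.root link NotAWorkNick posts (save it as /var/lib/unbound/root.hints), the trust anchor from `unbound-anchor -a /var/lib/unbound/root.key`, and `unbound-checkconf` catches typos before the daemon starts. To see the DNSSEC side working, query a signed name with `dig +dnssec @127.0.0.1` and look for the ad flag in the answer; a signed answer that has been rewritten in transit comes back SERVFAIL and appears in the log because of val-log-level.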
| CaliforniaKarl wrote:
| In addition to the root hints, you should also download the
| DNSSEC anchor key (available on the same site as the root
| hints). That will let you detect manipulations of records
| that are DNSSEC-signed.
| 
| Otherwise, you could spin up your recursive resolver on your
| cloud, VPS, or other hosting provider of choice, and then use
| that.
| teejmya wrote:
| And make sure it only resolves records for you. Don't leave
| it wide open or it will be used as an attack vector.
| https://www.cloudflare.com/learning/ddos/dns-amplification-d...
| Arnavion wrote:
| Right, DNSSEC will solve the "manipulate" problem, but it
| won't solve the "see" problem. But whether that's a concern
| is up to you. You could run your resolver on a VPS and
| speak DoT / DoH to that, which shifts the leak from your
| ISP to your VPS provider.
| tptacek wrote:
| It doesn't solve the "manipulate" problem we're talking
| about here, either: nothing about DNSSEC prevents a DNS
| server (or middlebox) from denying results to a
| disfavored domain; it only (situationally) prevents them
| from redirecting it somewhere else. (And, of course, it
| only works if you're running your own recursive server;
| it does nothing whatsoever in the 8.8.8.8-type use case).
| Arnavion wrote:
| Yes, that's true.
| progval wrote:
| > nothing about DNSSEC prevents a DNS server (or
| middlebox) from denying results to a disfavored domain
| 
| But at least it is detectable thanks to NSEC and NSEC3
| records.
| cyounkins wrote:
| Kind of. An intermediary can drop packets and the client
| will never get the response.
| 0xbadcafebee wrote:
| In theory if you got a resolver which could disable UDP
| queries, it would then default to TCP, and the ISP couldn't
| manipulate those. Don't know if any resolver supports
| disabling UDP though.
| justsomehnguy wrote:
| Unbound
| cyounkins wrote:
| Unbound as a client will fall back to TCP automatically if
| the UDP response is too big.
| I'm uncertain if there is widespread support for TCP servers
| though.
| NotAWorkNick wrote:
| Thanks for that, appreciated. I'll be honest - I'm just a
| 'little guy' in the food chain so I always figured that doing
| something like that was for the ISP level folks <edit to
| clarify, I mean connecting to a Zone 1 Resolver>. I wasn't aware
| that one could download the Root Hints File directly (Thanks!).
| 
| One quick question though - After taking a quick skim of it the
| list seems to be extremely 'Western-Centric' (reference link
| https://www.internic.net/domain/named.root)
| icedchai wrote:
| The root servers are anycasted. Each one of those root server
| IPs corresponds to N physical servers at diverse networks /
| locations all over the world.
| tylersmith wrote:
| The canonical DNS system itself is extremely Western-Centric.
| kfrzcode wrote:
| As are many Western inventions
| aaomidi wrote:
| They are western centric, and unfortunately, in this current
| state of the web they're still essentially the authority on
| DNS.
| 
| Alternatively, you can maintain the NSes for all the TLDs you
| are particularly interested in, and alert yourself if they
| change to something you don't recognize.
| 
| Finally, keep in mind that whatever you do, you need to have
| multiple vantage points to the internet. There's not a lot
| stopping your ISP from not delivering you to the right host
| when you try to talk to it. E.g. your ISP can fake the DNS
| responses.
| endymi0n wrote:
| > They are western centric, and unfortunately, in this
| current state of the web they're still essentially the
| authority on DNS.
| 
| I'm curious to see your evidence on that or which future
| state you would see as a more fortunate one.
| nimbius wrote:
| Google DNS should at this point be considered harmful. Devs love
| to hardcode it in resolvd because 'user experience' but there's
| ample evidence it's just analytics.
| 
| Quad 1 cloudflare is reliable doh but comes from a company with a
| history of bloviating nonsense about internet freedom only to
| eagerly capitulate to Twitter lynchmobs and blacklist a customer
| or ten.
| 
| https://dnscrypt.info/public-servers/ will give you a nice list
| of doh to try out. Ymmv however as many are sporadic.
| cyounkins wrote:
| Can you point to the evidence that Google DNS is used for
| analytics?
| aaomidi wrote:
| I know what you're referring to (systemd-resolved "defaulting"
| to Google DNS). That "default" is a compile-time value, if you
| use something like gentoo you get to be in full control of what
| that default value is.
| c0l0 wrote:
| I run and use https://resolv.us.to/ - you may do the latter, too.
| yegor wrote:
| Shameless self promotion: Try Control D -
| https://controld.com/free-dns
| 
| There are many different types of resolvers, blocking and
| unfiltered. We're adding global ECH support in the coming weeks.
| There is also a paid plan if you need more control.
| celsoazevedo wrote:
| If you already run your own DNS resolver, query the root servers
| directly. No need to trust DNS providers when you can do the same
| thing yourself.
| walrus01 wrote:
| based on the OP's description of yandex and what I presume to
| be their location it's not impossible that some time in the
| future unencrypted 53/udp traffic leaving and entering the
| country may be blocked or messed with
| celsoazevedo wrote:
| In that case maybe something like DNSCrypt[0] and a 3rd party
| provider makes sense. On top of the encrypted connection,
| DNSCrypt has the option to proxy queries to improve privacy.
| 
| This only helps if they're not doing any advanced blocking
| though. If I remember correctly, when Russia blocked
| Telegram, they were blocking their IPs, not just DNS queries.
| If the rumours of a "RuNet" are true, then they probably need
| something more advanced (eg: a VPN with traffic obfuscation,
| Tor, etc).
| 
| ---
| 
| [0] https://github.com/DNSCrypt/dnscrypt-proxy
| nmjohn wrote:
| Given you only mention censorship/chilling effect and not privacy
| - why isn't 8.8.8.8 sufficient? Have there been instances of
| domains it censored and stopped resolving that I'm not aware of?
| 
| I guess I'm confused on the benefit (theoretical or practical)
| one would get by using that variety of resolvers. Is it just to
| prevent theoretical censorship at the DNS level?
| tambeb wrote:
| My question exactly. In another comment here I asked for some
| examples for the claim that some .ru domains were being black
| holed.
| charcircuit wrote:
| Same with 1.1.1.1 (the case where archive.is used to not work
| was archive.is's nameserver purposefully being configured to
| return bad results to 1.1.1.1)
| antipooting wrote:
| moltke wrote:
| The DNS (as it exists today) is supposed to be the equivalent of
| Switzerland. The internet community has said over and over again
| they're not interested in censoring the internet or removing any
| group of people from it.
| 
| It sounds like what you really want is your own recursive
| resolver.
| nfriedly wrote:
| I know this isn't quite what you're asking for, but one idea is
| to set up a Pi-hole + unbound:
| https://docs.pi-hole.net/guides/dns/unbound/
| 
| Unbound is basically your own private DNS resolver and then
| Pi-hole lets you filter out whatever "junk" you don't want.
| drexlspivey wrote:
| Unbound will also pre-fetch your most common lookups prior to
| the TTL expiring so it's probably even faster than querying a
| third-party resolver
| egamirorrim wrote:
| I don't know if it's an obvious question or not, but how does
| performance compare with your own unbound vs quad1/8/9? I
| imagine it's slower in general?
| nfriedly wrote:
| I'm not personally running unbound, just a Pi-hole that
| upstreams to my ISP's DNS, so I can't answer you from first-hand
| experience.
| But, according to drexlspivey, unbound will pre-fetch common
| queries, so it probably ends up being faster on average -
| https://news.ycombinator.com/item?id=30646020
| lapinot wrote:
| I never measured anything, but I've been running a recursive
| resolver on my laptop for a couple of years (knot resolver)
| and never had any performance problem.
| khimaros wrote:
| for anyone running OpenWRT, unbound + adblock works well and is
| trivially configurable via the LUCI web interface.
| nobody9999 wrote:
| >My question to HN is this - Given my 'Information Wants To Be
| Free' viewpoint, are there any DNS equivalents of Switzerland
| (WWII, Neutral to all parties) providers?
| 
| Presumably the root and authoritative servers. Which is why I use
| a local recursive resolver rather than any upstream/third party
| resolvers.
| 
| You should try it. It's easy and fun!
| stranded22 wrote:
| Personally, I use nextdns on a paid plan (£17/year). Full
| control, can change to no logs, or logs stored in Switzerland.
| They have a free plan too
| rsync wrote:
| I do this.
| 
| I have my own resolver on my own server running unbound and it
| gets service from my paid nextdns account.
| 
| Sort of like having a pihole but it is available from anywhere
| and I don't have to run a rpi...
| schleck8 wrote:
| ControlD, DNS.sb and LibreDNS for instance. The latter two are
| open source.
| 
| I think non-discriminating DNS providers are rather the norm and
| not an exception though.
| NotAWorkNick wrote:
| Really?
| 
| Then your experience differs greatly from mine (EU based). My
| usual mix of 'fastest anycast' upstreams are reliably
| black-holing a lot of .ru domains right now
| 
| (Rightly or wrongly is a 'nother question for a 'nother day).
| 
| P.S. YMMV and obviously does :)
| tambeb wrote:
| Could you give a couple of examples of the black holing
| you've seen?
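For the other route discussed above, the setup rsync describes where a local unbound forwards to one chosen provider over an encrypted transport instead of recursing from the roots, the same file changes to a forward-zone. This is an added example, not configuration from the thread: the 203.0.113.53 / dot.example.net upstream is a documentation placeholder to be replaced with the provider's DoT address and the host name on its certificate, and the CA bundle path is the Debian/Ubuntu one.

```conf
# /etc/unbound/unbound.conf, forwarding variant (added example; upstream is a placeholder)
server:
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse

    # Keep validating even though a forwarder is in the path: unbound asks the
    # forwarder for DNSSEC records and checks them against the root trust anchor,
    # so a forwarder that rewrites a signed answer produces SERVFAIL here rather
    # than a wrong address. A forwarder that simply refuses to answer is still
    # visible only as a failure.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    val-log-level: 2

    # CA bundle used to verify the forwarder's TLS certificate.
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

    # Alternative without TLS: 'tcp-upstream: yes' makes every upstream query
    # use plain TCP/53, which is the "disable UDP" behaviour asked about above,
    # but leaves the query text readable on the wire.

forward-zone:
    name: "."
    # All queries go to this one provider over TLS on port 853; the name after
    # '#' must match the certificate or the connection is rejected.
    forward-addr: 203.0.113.53@853#dot.example.net   # placeholder, not a real resolver
    forward-tls-upstream: yes
```

Compared with recursing from the roots, this hides the queries from the ISP but hands the complete query log to the provider, which is the shift Arnavion describes; it is also the only one of the two setups that keeps working if plain 53/udp out of the country is interfered with, as walrus01 anticipates.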
| ajsnigrutin wrote:
| In Slovenia, at least these two are blocked at the DNS
| level:
| 
| https://www.rt.com/
| 
| https://sputniknews.com/
| ev1 wrote:
| Are you sure it's not Runet dropping traffic incoming?
| upnick wrote:
| You might want to look up "geo-politically stable" web hosting.
| Aside from that, Epik.com has traditionally been quite supportive
| of free speech (even if it's Trump supporters).
| jiveturkey wrote:
| huh. Why aren't you simply querying the roots and from there the
| SOA for any domain?
| vetinari wrote:
| It is very easy to hijack port 53 traffic, so you might not
| talk to the DNS server you think you do.
| 
| Heck, I did that at home for Chromecast and other devices that
| hardcode their DNS.
| nix23 wrote:
| >Given my 'Information Wants To Be Free' viewpoint, are there any
| DNS equivalents of Switzerland
| 
| That's exactly why Quad9 changed its HQ to Switzerland:
| 
| https://www.switch.ch/news/quad9-moves-to-Switzerland/
| btdmaster wrote:
| https://www.opennic.org/ and downstream providers from there are
| quite good: https://servers.opennic.org/
| kseistrup wrote:
| You could try Uncensored DNS: https://blog.uncensoreddns.org/
| kseistrup wrote:
| See also Public DNS Server by Country:
| https://dnschecker.org/public-dns
___________________________________________________________________
(page generated 2022-03-11 23:00 UTC)