[HN Gopher] Ask HN: Neutral DNS servers?
       ___________________________________________________________________
        
       Ask HN: Neutral DNS servers?
        
       Hi HN - Here's a question that I hope will generate some useful
       comments, suggestions and links.  Background for question: I
       normally run an internal DNS resolver with an upstream pool of
       10-15 providers. These are normally a mix of Global Anycast servers
       (Quad9 etc) with some OpenNIC, YandexDNS etc thrown in towards the
       end to cover the 'chilling effects' blackholes.  Currently Yandex
       DNS is pinging a timeout (either due to black-holing or DDOS'ing
       depending on where I connect To/From).  My question to HN is this -
       Given my 'Information Wants To Be Free' viewpoint, are there any
       DNS equivalents of Switzerland (WWII, Neutral to all parties)
       providers?
        
       Author : NotAWorkNick
       Score  : 69 points
       Date   : 2022-03-11 17:04 UTC (5 hours ago)
        
       | BrandoElFollito wrote:
        | Question after reading (very interesting) answers: what is the
        | downside of using the root servers instead of the well-known ones?
        | (1.1.1.1, 8.8.8.8, ...)
       | 
       | Is it the cache that improves resolution speed in a meaningful
       | way?
        
         | cyounkins wrote:
         | They are used in different ways - search for recursive resolver
         | vs caching public resolver.
         | 
         | Running your own recursive resolver will almost certainly be
         | slower, on the order of 2x latency. I should test it...
         | 
         | Also, DNS-over-HTTP and DNS-over-TLS are not available with all
         | DNS servers, but can be readily enabled to secure the last mile
         | when the upstream public resolver supports it.
        
       | neilalexander wrote:
       | You could just run a recursive resolver yourself by using the
       | root hints. You don't need to delegate your DNS queries onto a
       | third-party resolver like Quad9.
       | 
       | https://www.iana.org/domains/root/files
        
         | DavideNL wrote:
         | Although querying the root servers directly is always
         | unencrypted right? So your ISP _can_ see and might manipulate
         | all queries at will?
        
           | CaliforniaKarl wrote:
           | In addition to the root hints, you should also download the
           | DNSSEC anchor key (available on the same site as the root
           | hints). That will let you detect manipulations of records
           | that are DNSSEC-signed.
           | 
           | Otherwise, you could spin up your recursive resolver on your
           | cloud, VPS, or other hosting provider of choice, and then use
           | that.
        
             | teejmya wrote:
             | And make sure it only resolves records for you. Don't leave
             | it wide open or it will be used as an attack vector.
              | https://www.cloudflare.com/learning/ddos/dns-amplification-d...
        
             | Arnavion wrote:
             | Right, DNSSEC will solve the "manipulate" problem, but it
             | won't solve the "see" problem. But whether that's a concern
             | is up to you. You could run your resolver on a VPS and
             | speak DoT / DoH to that, which shifts the leak from your
             | ISP to your VPS provider.
        
               | tptacek wrote:
               | It doesn't solve the "manipulate" problem we're talking
               | about here, either: nothing about DNSSEC prevents a DNS
               | server (or middlebox) from denying results to a
               | disfavored domain; it only (situationally) prevents them
               | from redirecting it somewhere else. (And, of course, it
               | only works if you're running your own recursive server;
               | it does nothing whatsoever in the 8.8.8.8-type use case).
        
               | Arnavion wrote:
               | Yes, that's true.
        
               | progval wrote:
               | > nothing about DNSSEC prevents a DNS server (or
               | middlebox) from denying results to a disfavored domain
               | 
               | But at least it is detectable thanks to NSEC and NSEC3
               | records.
        
               | cyounkins wrote:
               | Kind of. An intermediary can drop packets and the client
               | will never get the response.
        
           | 0xbadcafebee wrote:
           | In theory if you got a resolver which could disable UDP
           | queries, it would then default to TCP, and the ISP couldn't
           | manipulate those. Don't know if any resolver supports
           | disabling UDP though.
        
             | justsomehnguy wrote:
             | Unbound
        
             | cyounkins wrote:
             | Unbound as a client will fall back to TCP automatically if
             | the UDP response is too big. I'm uncertain if there is
             | widespread support for TCP servers though.
        
         | NotAWorkNick wrote:
          | Thanks for that, appreciated. I'll be honest - I'm just a
          | 'little guy' in the food chain so I always figured that doing
          | something like that was for the ISP level folks <edit to
          | clarify, I mean connecting to a Zone 1 Resolver>. I wasn't aware
          | that one could download the Root Hints File directly (Thanks!).
         | 
         | One quick question though - After taking a quick skim of it the
         | list seems to be extremely 'Western-Centric' (reference link
         | https://www.internic.net/domain/named.root)
        
           | icedchai wrote:
           | The root servers are anycasted. Each one of those root server
           | IPs corresponds to N physical servers at diverse networks /
           | locations all over the world.
        
           | tylersmith wrote:
           | The canonical DNS system itself is extremely Western-Centric.
        
             | kfrzcode wrote:
             | As are many Western inventions
        
           | aaomidi wrote:
           | They are western centric, and unfortunately, in this current
           | state of the web they're still essentially the authority on
           | DNS.
           | 
           | Alternatively, you can maintain the NSes for all the TLDs you
           | are particularly interested in, and alert yourself if they
           | change to something you don't recognize.
           | 
           | Finally, keep in mind that whatever you do, you need to have
           | multiple vantage points to the internet. There's not a lot
           | stopping your ISP from not delivering you to the right host
           | when you try to talk to it. E.g. your ISP can fake the DNS
           | responses.
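Two things above fit one piece of code: the root hints file NotAWorkNick links (`named.root`, a plain text file of NS records for `.` plus A/AAAA glue for each root server) and aaomidi's suggestion of pinning the name servers you rely on and alerting when they change. The parser and comparison below are an added example, not code from IANA, Unbound or anyone in the thread. The `BASELINE` excerpt lists two root servers with their published addresses at the time of writing (verify against the IANA file); `OBSERVED` is a constructed copy in which one address was altered to `203.0.113.7`, a documentation-range address, to exercise the alert.

```python
"""Parse a named.root-style hints file and alert on drift from a baseline.
Added example with constructed sample input."""
import ipaddress
from typing import NamedTuple

class RootHints(NamedTuple):
    nameservers: frozenset[str]              # NS targets for "."
    addresses: dict[str, frozenset[str]]     # host -> normalised A/AAAA set

def parse_root_hints(text: str) -> RootHints:
    """Parse lines of the form  <owner> <ttl> <NS|A|AAAA> <rdata>.
    Comments start with ';'. Every NS target must have glue, otherwise the
    file is rejected (a hints file without glue cannot prime a resolver)."""
    nameservers: set[str] = set()
    addresses: dict[str, set[str]] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4 or not fields[1].isdigit():
            raise ValueError(f"unexpected record: {raw!r}")
        owner, _ttl, rtype, rdata = fields
        owner = owner.lower()
        if rtype == "NS":
            if owner != ".":
                raise ValueError(f"NS record not at the root: {raw!r}")
            nameservers.add(rdata.lower())
        elif rtype in ("A", "AAAA"):
            ip = ipaddress.ip_address(rdata)   # raises on malformed rdata
            if (rtype == "A") != (ip.version == 4):
                raise ValueError(f"address family mismatch: {raw!r}")
            addresses.setdefault(owner, set()).add(str(ip))
        else:
            raise ValueError(f"unsupported type {rtype}: {raw!r}")
    missing = nameservers - addresses.keys()
    if missing:
        raise ValueError(f"NS without glue: {sorted(missing)}")
    return RootHints(frozenset(nameservers),
                     {h: frozenset(a) for h, a in addresses.items()})

def detect_drift(baseline: RootHints, observed: RootHints) -> list[str]:
    """Return human-readable alerts for every difference that matters:
    a server added or removed, or an address set that changed."""
    alerts: list[str] = []
    for host in sorted(baseline.nameservers - observed.nameservers):
        alerts.append(f"NS removed: {host}")
    for host in sorted(observed.nameservers - baseline.nameservers):
        alerts.append(f"NS added: {host}")
    for host in sorted(baseline.nameservers & observed.nameservers):
        before, after = baseline.addresses[host], observed.addresses[host]
        if before != after:
            alerts.append(f"address change for {host}: "
                          f"{sorted(before)} -> {sorted(after)}")
    return alerts

# Constructed excerpt in named.root syntax (two servers only).
BASELINE = """\
; excerpt of a root hints file, constructed for this example
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:BA3E::2:30
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     199.9.14.201
B.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:200::B
"""
# Same file with B's IPv4 glue swapped for a documentation address.
OBSERVED = BASELINE.replace("199.9.14.201", "203.0.113.7")

if __name__ == "__main__":
    for alert in detect_drift(parse_root_hints(BASELINE),
                              parse_root_hints(OBSERVED)):
        print("ALERT:", alert)
```

The same comparison applies unchanged to a pinned NS set for a TLD you care about: build the baseline once from a vantage point you trust, then re-parse what each resolver hands you and alert on any difference.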
        
             | endymi0n wrote:
             | > They are western centric, and unfortunately, in this
             | current state of the web they're still essentially the
             | authority on DNS.
             | 
             | I'm curious to see your evidence on that or which future
             | state you would see as a more fortunate one.
        
       | nimbius wrote:
        | Google DNS should at this point be considered harmful. Devs love
        | to hardcode it in resolvd because 'user experience' but there's
        | ample evidence it's just analytics.
       | 
       | Quad 1 cloudflare is reliable doh but comes from a company with a
       | history of bloviating nonsense about internet freedom only to
       | eagerly capitulate to Twitter lynchmobs and blacklist a customer
       | or ten.
       | 
       | https://dnscrypt.info/public-servers/ will give you a nice list
       | of doh to try out. Ymmv however as many are sporadic.
        
         | cyounkins wrote:
         | Can you point to the evidence that Google DNS is used for
         | analytics?
        
         | aaomidi wrote:
         | I know what you're referring to (systemd-resolved "defaulting"
         | to Google DNS). That "default" is a compile-time value, if you
         | use something like gentoo you get to be in full control of what
         | that default value is.
        
       | c0l0 wrote:
       | I run and use https://resolv.us.to/ - you may do the latter, too.
        
       | yegor wrote:
       | Shameless self promotion: Try Control D -
       | https://controld.com/free-dns
       | 
       | There are many different types of resolvers, blocking and
       | unfiltered. We're adding global ECH support in the coming weeks.
       | There is also a paid plan if you need more control.
        
       | celsoazevedo wrote:
       | If you already run your own DNS resolver, query the root servers
       | directly. No need to trust DNS providers when you can do the same
       | thing yourself.
        
         | walrus01 wrote:
          | Based on the OP's description of yandex and what I presume to
          | be their location it's not impossible that some time in the
          | future unencrypted 53/udp traffic leaving and entering the
          | country may be blocked or messed with.
        
           | celsoazevedo wrote:
           | In that case maybe something like DNSCrypt[0] and a 3rd party
           | provider makes sense. On top of the encrypted connection,
           | DNSCrypt has the option to proxy queries to improve privacy.
           | 
           | This only helps if they're not doing any advanced blocking
           | though. If I remember correctly, when Russia blocked
           | Telegram, they were blocking their IPs, not just DNS queries.
           | If the rumours of a "RuNet" are true, then they probably need
           | something more advanced (eg: a VPN with traffic obfuscation,
           | Tor, etc).
           | 
           | ---
           | 
           | [0] https://github.com/DNSCrypt/dnscrypt-proxy
        
       | nmjohn wrote:
       | Given you only mention censorship/chilling effect and not privacy
       | - why isn't 8.8.8.8 sufficient? Have there been instances of
       | domains it censored and stopped resolving that I'm not aware of?
       | 
       | I guess I'm confused on the benefit (theoretical or practical)
       | one would get by using that variety of resolvers. Is it just to
       | prevent theoretical censorship at the DNS level?
        
         | tambeb wrote:
         | My question exactly. In another comment here I asked for some
         | examples for the claim that some .ru domains were being black
         | holed.
        
         | charcircuit wrote:
         | Same with 1.1.1.1 (the case where archive.is used to not work
         | was archive.is's nameserver purposefully being configured to
         | return bad results to 1.1.1.1)
        
       | moltke wrote:
       | The DNS (as it exists today) is supposed to be the equivalent of
       | Switzerland. The internet community has said over and over again
       | they're not interested in censoring the internet or removing any
       | group of people from it.
       | 
       | It sounds like what you really want is your own recursive
       | resolver.
        
       | nfriedly wrote:
        | I know this isn't quite what you're asking for, but one idea is to
        | set up a Pi-hole + unbound:
        | https://docs.pi-hole.net/guides/dns/unbound/
        | 
        | Unbound is basically your own private DNS resolver and then
        | Pi-hole lets you filter out whatever "junk" you don't want.
        
         | drexlspivey wrote:
         | Unbound will also pre-fetch your most common lookups prior to
         | the TTL expiring so it's probably even faster than querying a
         | third-party resolver
        
         | egamirorrim wrote:
         | I don't know if it's an obvious question or not, but how does
         | performance compare with your own unbound vs quad1/8/9? I
         | imagine it's slower in general?
        
           | nfriedly wrote:
            | I'm not personally running unbound, just a Pi-hole that
            | upstreams to my ISP's DNS, so I can't answer you from
            | first-hand experience. But, according to drexlspivey, unbound
            | will pre-fetch common queries, so it probably ends up being
            | faster on average - https://news.ycombinator.com/item?id=30646020
        
           | lapinot wrote:
            | I never measured anything, but I'm running a recursive
            | resolver on my laptop for a couple of years now (knot
            | resolver) and never had any performance problem.
        
         | khimaros wrote:
         | for anyone running OpenWRT, unbound + adblock works well and is
         | trivially configurable via the LUCI web interface.
        
       | nobody9999 wrote:
       | >My question to HN is this - Given my 'Information Wants To Be
       | Free' viewpoint, are there any DNS equivalents of Switzerland
       | (WWII, Neutral to all parties) providers?
       | 
       | Presumably the root and authoritative servers. Which is why I use
       | a local recursive resolver rather than any upstream/third party
       | resolvers.
       | 
       | You should try it. It's easy and fun!
        
       | stranded22 wrote:
        | Personally, I use nextdns on a paid plan (£17/year). Full
        | control, can change to no logs, or logs stored in Switzerland.
        | They have a free plan too.
        
         | rsync wrote:
         | I do this.
         | 
         | I have my own resolver on my own server running unbound and it
         | gets service from my paid nextdns account.
         | 
         | Sort of like having a pihole but it is available from anywhere
         | and I don't have to run a rpi...
        
       | schleck8 wrote:
       | ControlD, DNS.sb and LibreDNS for instance. The latter two are
       | open source.
       | 
        | I think non-discriminating DNS providers are rather the norm and
        | not an exception though.
        
         | NotAWorkNick wrote:
         | Really?
         | 
          | Then your experience differs greatly from mine (EU based). My
          | usual mix of 'fastest anycast' upstreams are reliably
          | black-holing a lot of .ru domains right now.
         | 
         | (Rightly or wrongly is a 'nother question for a 'nother day).
         | 
         | P.S, YMMV and obviously does :)
        
           | tambeb wrote:
           | Could you give a couple of examples of the black holing
           | you've seen?
        
             | ajsnigrutin wrote:
              | In Slovenia, at least these two are blocked at the DNS
              | level:
             | 
             | https://www.rt.com/
             | 
             | https://sputniknews.com/
        
           | ev1 wrote:
           | Are you sure it's not Runet dropping traffic incoming?
        
       | upnick wrote:
       | You might want to look up "geo-politically stable" web hosting.
       | Aside from that, Epik.com has traditionally been quite supportive
       | of free speech (even if it's Trump supporters).
        
       | jiveturkey wrote:
       | huh. Why aren't you simply querying the roots and from there the
       | SOA for any domain?
        
         | vetinari wrote:
          | It is very easy to hijack port 53 traffic, so you might not
          | talk to the DNS server you think you do.
         | 
         | Heck, I did that at home for Chromecast and other devices that
         | hardcode their DNS.
        
       | nix23 wrote:
       | >Given my 'Information Wants To Be Free' viewpoint, are there any
       | DNS equivalents of Switzerland
       | 
        | That's exactly why Quad9 changed its HQ to Switzerland:
       | 
       | https://www.switch.ch/news/quad9-moves-to-Switzerland/
        
       | btdmaster wrote:
       | https://www.opennic.org/ and downstream providers from there are
       | quite good: https://servers.opennic.org/
        
       | kseistrup wrote:
       | You could try Uncensored DNS: https://blog.uncensoreddns.org/
        
         | kseistrup wrote:
         | See also Public DNS Server by Country:
         | https://dnschecker.org/public-dns
        
       ___________________________________________________________________
       (page generated 2022-03-11 23:00 UTC)