Ask HN: Neutral DNS servers?
Hi HN - Here’s a question that I hope will generate some useful comments, suggestions and links.
Background for question: I normally run an internal DNS resolver with an upstream pool of 10-15 providers. These are normally a mix of Global Anycast servers (Quad9 etc) with some OpenNIC, YandexDNS etc thrown in towards the end to cover the ‘chilling effects’ blackholes.
Currently Yandex DNS is pinging a timeout (either due to black-holing or DDOS’ing depending on where I connect To/From).
My question to HN is this – Given my ‘Information Wants To Be Free’ viewpoint, are there any DNS equivalents of Switzerland (WWII, Neutral to all parties) providers?

You could just run a recursive resolver yourself by using the root hints. You don't need to delegate your DNS queries onto a third-party resolver like Quad9.

Thanks for that, appreciated. I'll be honest - I'm just a 'little guy' in the food chain so I always figured that doing something like that was for the ISP level folks [edit to clarify, I mean connecting to a Zone 1 Resolver. I wasn't aware that one could download the Root Hints File directly (Thanks!)]. One quick question though - After taking a quick skim of it the list seems to be extremely 'Western-Centric' (reference link https://www.internic.net/domain/named.root)

The root servers are anycasted.
Each one of those root server IPs corresponds to N physical servers at diverse networks / locations all over the world.

> I'm just a 'little guy' in the food chain so I always figured that doing something like that was for the ISP level folks

A lot of people are running recursive resolvers at home (like pi-hole stuff, or most people running some custom openwrt router/modem). I'm running one on my laptop (my resolver is localhost) and it works great.

> After taking a quick skim of it the list seems to be extremely 'Western-Centric'

It is, but that's what the internet is. But by running your own recursive resolver you can control your cache and a lot of the data doesn't change often. If you're extra paranoid you can cache the record data (or even archive the history) for ccTLD (or even all TLDs). For stuff (domains) you're interested in you can also hard-code or otherwise program "non-standard" ways to resolve the ips (by somehow populating a local database that overrides recursive resolution), like pi-hole/safebrowsing blocklists, stuff from institutions or CDNs you trust.

They are western centric, and unfortunately, in this current state of the web they're still essentially the authority on DNS. Alternatively, you can maintain the NSes for all the TLDs you are particularly interested in, and alert yourself if they change to something you don't recognize. Finally, keep in mind that whatever you do, you need to have multiple vantage points to the internet. There's not a lot stopping your ISP from not delivering you to the right host when you try to talk to it. E.g. your ISP can fake the DNS responses.

> They are western centric, and unfortunately, in this current state of the web they're still essentially the authority on DNS.

I'm curious to see your evidence on that or which future state you would see as a more fortunate one.
Questioning why the distributed cluster runs on nodes 'a' and 'b' alone doesn't necessarily imply that nodes 'c', 'd' and 'e' are any better or worse, today or in future.

If I knew the answer to this I would be very rich and probably have my name on multiple textbooks of solving decentralized computing problems.

The canonical DNS system itself is extremely Western-Centric. As are many Western inventions.

DNS[0] is only a decentralized hierarchy with caching, a class of system which pre-dates the digital era as the de-facto means of political and military organization in any human society larger than a village or town. DNS as a directory system for IP could itself be viewed as a direct philosophical descendant of military insignia (perhaps via the then-popular branch-tangent of the telephone book, itself ex-telegraph, and postal system) and these could all be in effect traced back to at least Roman society[1]. I don't think arguing this is a "western" invention is very convincing or useful. Any ancient army or polity of any size would have had an equivalent, which would then include ancient Egypt, China[2], India, Mesopotamia[3], Mesoamerica, etc. Actually, come to think of it, the comparative study of ancient postal systems would be pretty interesting.[4]

[0] Original DNS RFC1035 https://datatracker.ietf.org/doc/html/rfc1035 (1987)

[1] Somewhat cheekily as the inventor of DNS has a Greek surname. https://en.wikipedia.org/wiki/Paul_Mockapetris

[2] 2000+ years ago and mature enough to have QoS+max-TTL/hop: http://libgen.rs/scimag/10.1163%2F9789004292123 (pp17-48) + where I write this.

[3] Evidenced to 9th century BC https://www.ucl.ac.uk/sargon/essentials/governors/thekingsro...

[4] Start by fixing https://en.wikipedia.org/wiki/Timeline_of_postal_history

> I don't think arguing this is a "western" invention is very convincing or useful.
> Any ancient army or polity of any size would have had an equivalent, which would then include ancient Egypt, China[2], India, Mesopotamia[3], Mesoamerica, etc.

And yet, none of these other regions and cultures actually did invent it, and thus it remains a Western invention.

Of course. However, my point was the originality and claim to authorship is low, because if you look at store and forward networks with centrally agreed node identification and local caching using that for routing purposes, humans have literally done it globally for 3000+ years... that's clear prior art. It's like "technology" being used to describe a bash script, or "invention" used to describe a standard algorithm.

By that same token the internet was invented by the first person to hand gesture to another one.

You can’t dilute DNS down to a directory because there were/and are already other directory protocols.

Walking gets you from A to B just like a car, so actually the first bipeds really invented the automobile.

It's more like describing a walking robot as an original invention, which it is, but all they really did was ape apes.

You've been nerdsniped my friend!

bazinga

Although querying the root servers directly is always unencrypted right? So your ISP can see and might manipulate all queries at will?

The way I handle this is to run unbound on a server in the public cloud and then tunnel over TLS from my local unbound to the cloud instance. My local clients query a PiHole, which forwards to unbound on localhost:15353, which forwards everything over TLS to the fully recursive instance of unbound in the cloud, which uses root.hints.

Still, your cloud vendor can see the requests.

But someone can see it, but you can rotate upstream resolvers to split requests if you have to.

How is the latency for such a setup? And how is the general browsing experience with said latency (I realize it also depends on which sites you frequently access)?
I see some cloud providers/CDNs using a caching TTL as low as five minutes.

You spend most of the time waiting for the actual resolve to complete, not for the "transfer" time between you and VPS. Source: I'm running Unbound on my notebook, I actually queried the stats for some heated discussion on reddit. For example my current stats_noreset:

In addition to the root hints, you should also download the DNSSEC anchor key (available on the same site as the root hints). That will let you detect manipulations of records that are DNSSEC-signed. Otherwise, you could spin up your recursive resolver on your cloud, VPS, or other hosting provider of choice, and then use that. And make sure it only resolves records for you. Don't leave it wide open or it will be used as an attack vector. https://www.cloudflare.com/learning/ddos/dns-amplification-d...

Right, DNSSEC will solve the "manipulate" problem, but it won't solve the "see" problem. But whether that's a concern is up to you. You could run your resolver on a VPS and speak DoT / DoH to that, which shifts the leak from your ISP to your VPS provider.

It doesn't solve the "manipulate" problem we're talking about here, either: nothing about DNSSEC prevents a DNS server (or middlebox) from denying results to a disfavored domain; it only (situationally) prevents them from redirecting it somewhere else. (And, of course, it only works if you're running your own recursive server; it does nothing whatsoever in the 8.8.8.8-type use case).

> nothing about DNSSEC prevents a DNS server (or middlebox) from denying results to a disfavored domain

But at least it is detectable thanks to NSEC and NSEC3 records.

Kind of. An intermediary can drop packets and the client will never get the response.

It's detectable when the site that the DNS provider is censoring falls off the Internet!

Yes, that's true. In theory if you got a resolver which could disable UDP queries, it would then default to TCP, and the ISP couldn't manipulate those.
Don't know if any resolver supports disabling UDP though.

> would then default to TCP, and the ISP couldn't manipulate those

They can easily manipulate TCP as well. Unless you establish an authenticated session like TLS, TCP can be mitm-ed easily.

Unbound as a client will fall back to TCP automatically if the UDP response is too big. I'm uncertain if there is widespread support for TCP servers though.

Unbound

I know this isn't quite what you're asking for, but one idea is to set up a Pi-hole + unbound: https://docs.pi-hole.net/guides/dns/unbound/ Unbound is basically your own private DNS resolver and then Pi-hole lets you filter out whatever "junk" you don't want. Unbound will also pre-fetch your most common lookups prior to the TTL expiring so it's probably even faster than querying a third-party resolver.

Or you can just run unbound directly. I’ve been doing that for years, and let it directly resolve with the root DNS servers. Can’t get more neutral than that, I’d argue.

I'm using Adguard Home and it's working great.

I don't know if it's an obvious question or not, but how does performance compare with your own unbound vs quad1/8/9? I imagine it's slower in general?

I'm not personally running unbound, just a Pi-hole that upstreams to my ISP's DNS, so I can't answer you from first-hand experience. But, according to drexlspivey, unbound will pre-fetch common queries, so it probably ends up being faster on average - https://news.ycombinator.com/item?id=30646020

I never measured anything, but I'm running a recursive resolver on my laptop since a couple years (knot resolver) and never had any performance problem.

For anyone running OpenWRT, unbound + adblock works well and is trivially configurable via the LUCI web interface.

> My question to HN is this – Given my ‘Information Wants To Be Free’ viewpoint, are there any DNS equivalents of Switzerland (WWII, Neutral to all parties) providers?

Presumably the root and authoritative servers.
Which is why I use a local recursive resolver rather than any upstream/third party resolvers. You should try it. It's easy and fun!

Google DNS should at this point be considered harmful. Devs love to hardcode it in resolvd because 'user experience' but there's ample evidence it's just analytics. Quad 1 cloudflare is reliable doh but comes from a company with a history of bloviating nonsense about internet freedom only to eagerly capitulate to Twitter lynchmobs and blacklist a customer or ten. https://dnscrypt.info/public-servers/ will give you a nice list of doh to try out. Ymmv however as many are sporadic.

Can you point to the evidence that Google DNS is used for analytics?

Another person responded with info, but at this point, shouldn't we assume every single thing Google does is for analytics? At this point, the onus is to prove thing $x is not used for Google analytics.

Came here to say roughly the same thing. That it’s Google and they’re not charging you for it can at this point be considered suspicious, if not conclusive.

I think some of Google's efforts are genuinely for the public good, like Project Zero.

https://en.m.wikipedia.org/wiki/Google_Public_DNS Google stated that for the purposes of performance and security, the querying IP address will be deleted after 24–48 hours, but Internet service provider (ISP) and location information are stored permanently on their servers.

More specific details on logging: https://developers.google.com/speed/public-dns/privacy

> Google does not use any personal information collected through the Public DNS service to target ads.

> We do not correlate or associate personal information in Google Public DNS logs with your information from use of any other Google service except for addressing security and abuse.

Yes they claim that they don’t use the personal information they collect to target ads. It doesn’t mean they don’t use the other data for analytics.
They could also anonymise the personal information first before using it to do analytics. Like “users who visit example.com also visit store.example.net” is good information and they don’t need your personal information for that. Why do they collect personal information? Why do they collect dns logs?

I know what you're referring to (systemd-resolved "defaulting" to Google DNS). That "default" is a compile-time value, if you use something like gentoo you get to be in full control of what that default value is.

If you already run your own DNS resolver, query the root servers directly. No need to trust DNS providers when you can do the same thing yourself.

Based on the OP's description of yandex and what I presume to be their location it's not impossible that some time in the future unencrypted 53/udp traffic leaving and entering the country may be blocked or messed with. In that case maybe something like DNSCrypt[0] and a 3rd party provider makes sense. On top of the encrypted connection, DNSCrypt has the option to proxy queries to improve privacy. This only helps if they're not doing any advanced blocking though. If I remember correctly, when Russia blocked Telegram, they were blocking their IPs, not just DNS queries. If the rumours of a "RuNet" are true, then they probably need something more advanced (eg: a VPN with traffic obfuscation, Tor, etc).

---

Given you only mention censorship/chilling effect and not privacy - why isn't 8.8.8.8 sufficient? Have there been instances of domains it censored and stopped resolving that I'm not aware of? I guess I'm confused on the benefit (theoretical or practical) one would get by using that variety of resolvers. Is it just to prevent theoretical censorship at the DNS level? Same with 1.1.1.1 (the case where archive.is used to not work was archive.is's nameserver purposefully being configured to return bad results to 1.1.1.1)

My question exactly.
In another comment here I asked for some examples for the claim that some .ru domains were being black holed.

Shameless self promotion: Try Control D - https://controld.com/free-dns There are many different types of resolvers, blocking and unfiltered. We're adding global ECH support in the coming weeks. There is also a paid plan if you need more control.

ControlD, DNS.sb and LibreDNS for instance. The latter two are open source. I think non-discriminating DNS providers are rather the norm and not an exception though.

Really? Then your experience differs greatly from mine (EU based). My usual mix of 'fastest anycast' upstreams are reliably black-holing a lot of .ru domains right now (Rightly or wrongly is a ‘nother question for a ‘nother day). P.S, YMMV and obviously does :)

Are you sure it's not Runet dropping traffic incoming?

Could you give a couple of examples of the black holing you've seen?

In Slovenia, at least these two are blocked at the DNS level:

Interestingly enough, the 'academic network' (arnes) that covers schools etc., and also some government entities is not blocking it, but at least two out of the three largest commercial ISP are (can't test the third, since it's locked to their customers' IPs only).

Because the russian media mafia (tacc, rt, sputnik and the like, which are all either directly state-owned or via the state-owned tv novosti) are about to be banned in all EU countries where they are still available, and the ISPs might have banned them pro-actively.

You could try Uncensored DNS: https://blog.uncensoreddns.org/

See also Public DNS Server by Country: https://dnschecker.org/public-dns

> I don't publicize it

but you did ... thx anyway :)

It's really not that hard to just run your own DNS server locally. Then you're not beholden to anyone. I recommend it.
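Several comments above describe the same setup in prose: a local unbound that Pi-hole forwards to, which tunnels over TLS to a fully recursive unbound in the cloud using root hints and the DNSSEC trust anchor, locked down so it is not an open resolver. Here it is written out as unbound configs; this is an added example, not code from the thread or from the unbound project, and 198.51.100.7 (the home client's public IP), 203.0.113.10 and dns.example.invalid (the cloud host) are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or the unbound project): the two-hop
# setup described above as two unbound configs. 198.51.100.7 (home client),
# 203.0.113.10 and dns.example.invalid (cloud host) are placeholders.
set -eu

# Recursive resolver on the cloud host: root hints (named.root from internic)
# plus the root trust anchor (fetch with: unbound-anchor -a root.key), DNSSEC
# validation, DoT only on 853, and answers for nobody but your own client IP.
write_cloud_conf() {  # $1 = output path
  cat > "$1" <<'EOF'
server:
    interface: 0.0.0.0@853
    tls-service-key: "/etc/unbound/unbound_server.key"
    tls-service-pem: "/etc/unbound/unbound_server.pem"
    # Most specific prefix wins: refuse the world, allow only your client.
    # "access-control: 0.0.0.0/0 allow" here would make an open resolver
    # usable for amplification, which the thread warns against.
    access-control: 0.0.0.0/0 refuse
    access-control: 198.51.100.7/32 allow
    root-hints: "/var/lib/unbound/root.hints"
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    harden-dnssec-stripped: yes
    qname-minimisation: yes
    prefetch: yes
    hide-identity: yes
    hide-version: yes
EOF
}

# Local forwarder behind Pi-hole (Pi-hole upstream = 127.0.0.1#15353): plain
# DNS on loopback only; everything upstream goes over TLS, with the server
# certificate checked against the name after '#'.
write_local_conf() {  # $1 = output path
  cat > "$1" <<'EOF'
server:
    interface: 127.0.0.1@15353
    access-control: 127.0.0.0/8 allow
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 203.0.113.10@853#dns.example.invalid
EOF
}

# True only if the config refuses 0.0.0.0/0 and never allows 0.0.0.0/0.
not_open_resolver() {  # $1 = config path
  grep -q '^ *access-control: 0.0.0.0/0 refuse' "$1" &&
    ! grep -q '^ *access-control: 0.0.0.0/0 allow' "$1"
}

# Syntax check with the real tool where it is installed (the key, pem,
# hints and anchor paths above must exist on that box); skipped elsewhere.
check_syntax() {  # $1 = config path
  if command -v unbound-checkconf >/dev/null 2>&1; then
    unbound-checkconf "$1"
  else
    echo "unbound-checkconf not installed, skipping $1"
  fi
}
```

Both configs validate DNSSEC, so a tampered signed answer is rejected at either hop; as the thread notes, this does nothing against a hop that simply drops the query.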
https://www.opennic.org/ and downstream providers from there are quite good: https://servers.opennic.org/ note that opennic provides an alternative dns-root, includes new/fun/special tld's, and is hence considered more of an eccentric option. ymmv

Personally, I use nextdns on a paid plan (£17/year). Full control, can change to no logs, or logs stored in Switzerland. They have a free plan too.

I do this. I have my own resolver on my own server running unbound and it gets service from my paid nextdns account. Sort of like having a pihole but it is available from anywhere and I don’t have to run a rpi…

This setup is intriguing. I'm curious, is there any latency penalty going this way vs using your own pihole + 1.1.1.1 or 8.8.8.8 instead of nextdns?

So your unbound instance is doing caching, mixing and stripping edns before forwarding the queries to nextdns resolvers?

I run and use https://resolv.us.to/ - you may do the latter, too.

> Given my ‘Information Wants To Be Free’ viewpoint, are there any DNS equivalents of Switzerland

That's exactly why Quad9 changed its HQ to Switzerland:

Quad9's default 9.9.9.9 address blocks malware, but the alternate 9.9.9.10 does not. https://www.quad9.net/service/service-addresses-and-features

I use dnscrypt-proxy[0] which round-robins to a bunch of upstream servers, plus encryption.

Question after reading (very interesting) answers: what is the downside of using the root servers instead of the well-known ones? (1.1.1.1, 8.8.8.8, ...) Is it the cache that improves resolution speed in a meaningful way?

They are used in different ways - search for recursive resolver vs caching public resolver. Running your own recursive resolver will almost certainly be slower, on the order of 2x latency. I should test it...

Also, DNS-over-HTTP and DNS-over-TLS are not available with all DNS servers, but can be readily enabled to secure the last mile when the upstream public resolver supports it.

huh.
Why aren't you simply querying the roots and from there the SOA for any domain?

It is very easy to hijack port 53 traffic, so you might not talk to the DNS server you think you do. Heck, I did that at home for Chromecast and other devices that hardcode their DNS.

I just do this to get a neutral DNSSEC supporting recursive DNS resolver: apt install unbound

You could try using a DNS provider that's actually in Switzerland...

1.1.1.1
1.0.0.1

squatting on someone else's couch is generally not considered 'making a home for oneself'

You might want to look up "geo-politically stable" web hosting. Aside from that, Epik.com has traditionally been quite supportive of free speech (even if it's Trump supporters).

The DNS (as it exists today) is supposed to be the equivalent of Switzerland. The internet community has said over and over again they're not interested in censoring the internet or removing any group of people from it. It sounds like what you really want is your own recursive resolver.

Note that even Switzerland could not stay neutral this time and enacted severe sanctions against Russia. Maybe staying neutral has the higher cost to a free society (and thus „information wanting to be free“) in the long term?
histogram.000000.000512.to.000000.001024=17
histogram.000000.001024.to.000000.002048=33
histogram.000000.002048.to.000000.004096=251
histogram.000000.004096.to.000000.008192=509
histogram.000000.008192.to.000000.016384=1161
histogram.000000.016384.to.000000.032768=1891
histogram.000000.032768.to.000000.065536=2611
histogram.000000.065536.to.000000.131072=3197
histogram.000000.131072.to.000000.262144=2502
histogram.000000.262144.to.000000.524288=1547
histogram.000000.524288.to.000001.000000=857
histogram.000001.000000.to.000002.000000=121
histogram.000002.000000.to.000004.000000=70
histogram.000004.000000.to.000008.000000=22
histogram.000008.000000.to.000016.000000=441
histogram.000016.000000.to.000032.000000=80

As you can see most queries are completed way below 500ms. Adding another 20-40ms on top of that doesn't change anything, because caching is a thing and with Unbound you can even ask it to actually refresh the expiring records, so you would be served a fresh one from the cache every time, though I never bothered with it, it works fine even without it.
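The stats quoted above are the histogram.* lines that unbound-control prints, one bucket per line as histogram.<lo_sec>.<lo_usec>.to.<hi_sec>.<hi_usec>=<count>. As an added example (mine, not the commenter's), the shell functions below parse those lines into cumulative latency shares so the "most queries well under 500 ms" claim can be read off the numbers; the input is the thread's histogram embedded as a constructed file, with one unrelated stats line added to show it is ignored.

```shell
#!/bin/sh
# Added example (not the commenter's code): turn the histogram.* lines that
# "unbound-control stats_noreset" prints into cumulative latency shares.
set -eu

# Constructed input: the histogram posted in this thread plus one non-histogram
# line, to show that unrelated stats lines are ignored by the parsers below.
SAMPLE_STATS=$(mktemp)
trap 'rm -f "$SAMPLE_STATS"' EXIT
cat > "$SAMPLE_STATS" <<'EOF'
total.num.queries=15310
histogram.000000.000512.to.000000.001024=17
histogram.000000.001024.to.000000.002048=33
histogram.000000.002048.to.000000.004096=251
histogram.000000.004096.to.000000.008192=509
histogram.000000.008192.to.000000.016384=1161
histogram.000000.016384.to.000000.032768=1891
histogram.000000.032768.to.000000.065536=2611
histogram.000000.065536.to.000000.131072=3197
histogram.000000.131072.to.000000.262144=2502
histogram.000000.262144.to.000000.524288=1547
histogram.000000.524288.to.000001.000000=857
histogram.000001.000000.to.000002.000000=121
histogram.000002.000000.to.000004.000000=70
histogram.000004.000000.to.000008.000000=22
histogram.000008.000000.to.000016.000000=441
histogram.000016.000000.to.000032.000000=80
EOF

# Each line is histogram.<lo_sec>.<lo_usec>.to.<hi_sec>.<hi_usec>=<count>;
# splitting on '.' and '=' puts hi_sec in $5, hi_usec in $6, count in $7.
histogram_total() {  # $1 = stats file
  awk -F'[.=]' '$1=="histogram" {n+=$7} END {print n+0}' "$1"
}

# Share (3 decimals) of queries in buckets whose upper bound is <= $2 seconds.
share_within() {  # $1 = stats file, $2 = seconds
  awk -F'[.=]' -v limit="$2" '
    $1=="histogram" { hi=$5+$6/1e6; n+=$7; if (hi<=limit) w+=$7 }
    END { printf "%.3f\n", (n ? w/n : 0) }' "$1"
}

# Upper bound of the bucket where the running count first reaches half of all
# queries: a coarse median. Unbound prints buckets in ascending order.
median_bucket_upper() {  # $1 = stats file
  awk -F'[.=]' '
    $1=="histogram" { k++; hi[k]=$5+$6/1e6; c[k]=$7; n+=$7 }
    END { for (i=1; i<=k; i++) { cum+=c[i]
            if (2*cum>=n) { printf "%.6f\n", hi[i]; exit } } }' "$1"
}

# Cumulative table for eyeballing; non-empty buckets of 2 s and above are
# flagged, since they usually reflect retries against unresponsive servers.
cumulative_table() {  # $1 = stats file
  awk -F'[.=]' -v n="$(histogram_total "$1")" '
    $1=="histogram" { hi=$5+$6/1e6; cum+=$7
      printf "<= %10.6f s  %6d  %5.1f%%%s\n", hi, cum, 100*cum/n,
             (hi>=2 && $7>0) ? "  slow bucket, check upstreams" : "" }' "$1"
}

cumulative_table "$SAMPLE_STATS"
echo "within 0.5 s: $(share_within "$SAMPLE_STATS" 0.5)"
echo "within 1 s:   $(share_within "$SAMPLE_STATS" 1)"
echo "median bucket upper bound: $(median_bucket_upper "$SAMPLE_STATS") s"
```

On this sample about 80% of answers fall in buckets ending at or below 0.5 s and 95% at or below 1 s, with the median in the 65-131 ms bucket; the 441 answers in the 8-16 s bucket are the kind of tail worth checking against upstream timeouts.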
Globally anycasted plain vanilla name resolution. I don't publicize it because I don't have anything to gain from more users, but you are free to use them.

103.196.38.3
103.196.38.8