This is hard because DNS going down means Internet is down for anyone who isn't savvy to check and change a failing DNS upstream. And when your users are global, it might mean some really angry users if you couldn't fix emergent issues for hours on end. I run a public content-blocking DNS stub resolver. We made the decision (and subsequently paid the price upfront in terms of engineering) to host it on Fly.io (DoT), Deno Deploy (DoH), and Cloudflare Workers (DoH) to specifically avoid sysadmin tasks for what's a free offering, and the code is licensed under MPLv2 in case anyone wants to run their own stub resolver on those platforms.
We haven't had much down time, if any at all, in the past one and half years we have been functional. It costs us $1 per 2tps (transactions per second: ~6M requests) for a month. The free-tier of these platforms should cover personal workloads (3 to 5 devices: ~1M requests), just fine.
> I will make sure to keep the domain registered and under my control for the next year, to prevent adhole.org from being abused by DNS hijackers/spoofers.
I think they could, if they want to, transfer the ownership of the domain to another public content-blocking resolver, after a year has passed. There are two or three such providers that have a very solid business backing them up to support such a migration.
> a free offering
You see, anything free should be treated as a privilege, not expected to last forever. Have you considered what you can do when the free providers either kick the can, or start charging fair value?
Nobody else then me that thinks that 1 year is too soon here? Cost of domain renewal is very little.
Isn't this a problem that most hobbyist projects that get big have to deal with in some capacity? To me it seems like maybe a case of deciding between monetizing it somehow and having a business around it with multiple other developers partaking in the development/maintenance processes, donating/selling the entire project to some company or foundation, or pulling the plug as we see here.
[1]: https://major.io/2021/06/06/a-new-future-for-icanhazip/
Kinda sad that OSS and "community-friendly" projects like these mostly end up like this or bought and monetized. But it's totally understandable.
It's not 100% clean service - you are arbitrarily blocking access to certain resources, so I would guess companies wouldn't want to be associated with it.
> having a business around it
For a service like this, it could pose a major breach in trust for its users. Maybe there's a business that doesn't involve changes in the DNS that I don't see.
- has resources for supporting a project like this
- doesn't have any connection to the ad industry and therefore don't care for backpressure from it
- views ads as a security risk and a vector for attacks (in addition to other questionable content) on their corporate devices
One case worth mentioning: The Pirate Bay. One the of the largest websites in the world (or was at least), with the least amount of technical focus. The website hardly changed, never made the owners any money, they never focused on the technology but rather built the simplest thing they could for the smallest amount of money the could. They had the largest adversary at that time, but still, the website is up and running and basically been since day 1. I think their trick is that they never really cared about the technology itself, and only cared about making information free.
Is this even possible in our modern day world, where there are constantly breaking updates and security risks that need fixes (look at the recent log4j debacle, for example)?
Because while sites like TPB and even HN don't outwardly change often (for example, if the UI works it's generally left that way, without a redesign every year), there is no doubt that they still take attention and effort to maintain, keep running and more importantly, keep running securely.
Of course, if you're talking about the domain complexity (which you need to deal with) vs accidental complexity (which you introduce because of either lacking knowledge or chasing after the latest and shiny technologies), then i fully agree with you in that regard! That's why i rather enjoyed the "Choose Boring Technology" talk: http://boringtechnology.club/
Thanks so much for developing and hosting Adhole!
This is an article (in Dutch) with the same news, but the owner responds in the comments:
I started it at the time because I noticed in my circle of acquaintances that there was interest in adblocking at DNS level, but that they didn't have the knowledge to set up and maintain a Pihole themselves. Five years ago, the world looked a little different and there were almost no public services that offered this (for free) and since I had a spare server, I took the chance.
During the process, I learned a lot. From Docker to Ansible but also from DNS itself. Especially DNS amplification attacks were big troublemakers in the beginning, which Pi-hole couldn't handle. Logical too, because Pi-hole is actually not meant to be used publicly, the developers make that very clear in their documentation. At the time I tried to find a way around this with all kinds of iptable rules and that worked reasonably well, but support for things like DNS over TLS or DNS over HTTPs was missing in Pi-hole. Again logical, normally there is no need to encrypt your DNS requests on your own trusted LAN.
A year or two ago I switched to Adguard Home as backend, since Adguard does support these features and also has some basic security features on board like rate limiting. That's also when I moved everything to an Ansible Playbook so I could easily reinstall everything with one push of a button, e.g. when buying a new node.
I often bought new nodes during Black Friday or Cyber Monday on sites like Lowendspirit. Some nodes were sponsored by providers themselves, because they liked the idea.
Now after five years I stop. Lately, I put more energy into it than I got satisfaction from it. In addition, the servers were bursting at the seams, making the latency of each request far too high. You noticed this while surfing and I don't want to do that to anyone. Bigger servers are an option, but the money has to come from somewhere. By the way, I would have preferred horizontal scaling instead of vertical, but the number of (affordable) providers offering anycast IPs is scarce (BuyVM is one of them).
Fortunately, there are now plenty of other services that offer the same thing for next to nothing, so hopefully ex-Adhole users will not fall into a deep hole.
In the end, the 'iron' has to be paid. Part of the servers was sponsored, the rest came from donations and from my own pocket. Upgrading was easier said than done, because with 6 locations and therefore 6 servers, all costs are multiplied by 6. Going to providers for an upgrade on an already sponsored server was something I didn't do (something about a given horse). And asking for donations has never been the intention of this project. I saw it as a hobby and a hobby costs money, but it must remain fun. By the way, this was not the main reason to stop, it was really the time it took and the lack of satisfaction I got from it.
IP addresses would sometimes change for various reasons. For example because a provider cancelled his location, a migration to another node or simply a switch to another provider. That was irritating because all users then had to change the IP address of their DNS. I think if you really want to do it right, you have to have your own IP range (and that is very expensive).
I have no tips about incidents. However, since the new intermediate certificate at Let's Encrypt I have had problems getting DoH and Dot to work. In the end, I did not succeed either. Why remains a mystery to me, the chain was correct.