Ask HN: Neutral DNS servers?

132 pointsNotAWorkNick4y ago96 comments

Hi HN - Here’s a question that I hope will generate some useful comments, suggestions and links.

Background for question: I normally run an internal DNS resolver with an upstream pool of 10-15 providers. These are normally a mix of Global Anycast servers (Quad9 etc) with some OpenNIC, YandexDNS etc thrown in towards the end to cover the ‘chilling effects’ blackholes.

Currently Yandex DNS is pinging a timeout (either due to black-holing or DDOS’ing depending on where I connect To/From).

My question to HN is this – Given my ‘Information Wants To Be Free’ viewpoint, are there any DNS equivalents of Switzerland (WWII, Neutral to all parties) providers?

96 comments

neilalexander4y ago

You could just run a recursive resolver yourself by using the root hints. You don't need to delegate your DNS queries onto a third-party resolver like Quad9.

https://www.iana.org/domains/root/files

NotAWorkNickOP4y ago

Thanks for that, appreciated. I'll be honest- I'm just a 'little guy' in the food chain so I always figured that doing something like that was for the ISP level folks <edit to clarify, I mean connecting to a Zone 1 Resolver. I wasn't aware that one could download the Root Hints File directly (Thanks!).

One quick question though - After taking a quick skim of it the list seems to be extremely 'Western-Centric' (reference link https://www.internic.net/domain/named.root)

icedchai4y ago

The root servers are anycasted. Each one of those root server IPs corresponds to N physical servers at diverse networks / locations all over the world.

lapinot4y ago

> I'm just a 'little guy' in the food chain so I always figured that doing something like that was for the ISP level folks

A lot of people are running recursive resolvers at home (like pi-hole stuff, or most people running some custom openwrt router/modem). I'm running one on my laptop (my resolver is localhost) and it works great.

> After taking a quick skim of it the list seems to be extremely 'Western-Centric'

It is, but that's what the internet is. But by running your own recursive resolver you can control your cache and a lot of the data doesn't change often. If you're extra paranoid you can cache the record data (or even archive the history) for ccTLD (or even all TLDs). For stuff (domains) you're interested in you can also hard-code or otherwise program "non-standard" ways to resolve the ips (by somehow populating a local database that overrides recursive resolution), like pi-hole/safebrowsing blocklists, stuff from institutions or CDNs you trust.

aaomidi4y ago

They are western centric, and unfortunately, in this current state of the web they're still essentially the authority on DNS.

Alternatively, you can maintain the NSes for all the TLDs you are particularly interested in, and alert yourself if they change to something you don't recognize.

Finally, keep in mind that whatever you do, you need to have multiple vantage points to the internet. There's not a lot stopping your ISP from not delivering you to the right host when you try to talk to it. E.g. your ISP can fake the DNS responses.

1 more reply

tylersmith4y ago

The canonical DNS system itself is extremely Western-Centric.

1 more reply

DavideNL4y ago

Although querying the root servers directly is always unencrypted right? So your ISP can see and might manipulate all queries at will?

chrissnell4y ago

The way I handle this is to run unbound on a server in the public cloud and then tunnel over TLS from my local unbound to the cloud instance. My local clients query a PiHole, which forwards to unbound on localhost:15353, which forwards everything over TLS to the fully recursive instance of unbound in the cloud, which uses root.hints.

2 more replies

CaliforniaKarl4y ago

In addition to the root hints, you should also download the DNSSEC anchor key (available on the same site as the root hints). That will let you detect manipulations of records that are DNSSEC-signed.

Otherwise, you could spin up your recursive resolver on your cloud, VPS, or other hosting provider of choice, and then use that.

2 more replies

0xbadcafebee4y ago

In theory if you got a resolver which could disable UDP queries, it would then default to TCP, and the ISP couldn't manipulate those. Don't know if any resolver supports disabling UDP though.

3 more replies

nfriedly4y ago

I know this isn't quite what your asking for, but one idea is to set up a Pi-hole + unbound: https://docs.pi-hole.net/guides/dns/unbound/

Unbound is basically your own private DNS resolver and then Pi-hole lets you filter out whatever "junk" you don't want.

drexlspivey4y ago

Unbound will also pre-fetch your most common lookups prior to the TTL expiring so it's probably even faster than querying a third-party resolver

stingraycharles4y ago

Or you can just run unbound directly. I’ve been doing that for years, and let it directly resolve with the root DNS servers. Can’t get more neutral than that, I’d argue.

mekster4y ago

I'm using Adguard Home and it's working great.

https://github.com/AdguardTeam/AdGuardHome

egamirorrim4y ago

I don't know if it's an obvious question or not, but how does performance compare with your own unbound vs quad1/8/9? I imagine it's slower in general?

nfriedly4y ago

I'm not personally running unbound, just a Pi-hole that up-stream's to my ISP's DNS, so I can't answer you from first-hand experience. But, according to drexlspivey, unbound will pre-fetch common queries, so it probably ends up being faster on average - https://news.ycombinator.com/item?id=30646020

lapinot4y ago

I never measured anything, but i'm running a recursive resolver on my laptop since a couple years (knot resolver) and never had any performance problem.

justsomehnguy4y ago

https://news.ycombinator.com/item?id=30649709

khimaros4y ago

for anyone running OpenWRT, unbound + adblock works well and is trivially configurable via the LUCI web interface.

nobody99994y ago

>My question to HN is this – Given my ‘Information Wants To Be Free’ viewpoint, are there any DNS equivalents of Switzerland (WWII, Neutral to all parties) providers?

Presumably the root and authoritative servers. Which is why I use a local recursive resolver rather than any upstream/third party resolvers.

You should try it. It's easy and fun!

nimbius4y ago

Google DNS should at this point be considered harmful. Devs love to hardcode it in resolvd because 'user experience' but there's ample evidence its just analytics.

Quad 1 cloudflare is reliable doh but comes from a company with a history of bloviating nonsense about internet freedom only to eagerly capitulate to Twitter lynchmobs and blacklist a customer or ten.

https://dnscrypt.info/public-servers/ will give you a nice list of doh to try out. Ymmv however as many are sporadic.

cyounkins4y ago

Can you point to the evidence that Google DNS is used for analytics?

b1124y ago

Another person responded with info, but at this point, shouldn't we assume every single thing Google does, is for analytics?

At this point, the onus is to prove thing $x is not used for Google analytics.

2 more replies

nimbius4y ago

https://en.m.wikipedia.org/wiki/Google_Public_DNS

Google stated that for the purposes of performance and security, the querying IP address will be deleted after 24–48 hours, but Internet service provider (ISP) and location information are stored permanently on their servers.

1 more reply

speedgoose4y ago

https://developers.google.com/speed/public-dns/privacy

1 more reply

aaomidi4y ago

I know what you're referring to (systemd-resolved "defaulting" to Google DNS). That "default" is a compile-time value, if you use something like gentoo you get to be in full control of what that default value is.

celsoazevedo4y ago

If you already run your own DNS resolver, query the root servers directly. No need to trust DNS providers when you can do the same thing yourself.

walrus014y ago

based on the OP's description of yandex and what I presume to be their location it's not impossible that some time in the future unencrypted 53/udp traffic leaving and entering the country may be blocked or messed with

celsoazevedo4y ago

In that case maybe something like DNSCrypt[0] and a 3rd party provider makes sense. On top of the encrypted connection, DNSCrypt has the option to proxy queries to improve privacy.

This only helps if they're not doing any advanced blocking though. If I remember correctly, when Russia blocked Telegram, they were blocking their IPs, not just DNS queries. If the rumours of a "RuNet" are true, then they probably need something more advanced (eg: a VPN with traffic obfuscation, Tor, etc).

---

[0] https://github.com/DNSCrypt/dnscrypt-proxy

nmjohn4y ago

Given you only mention censorship/chilling effect and not privacy - why isn't 8.8.8.8 sufficient? Have there been instances of domains it censored and stopped resolving that I'm not aware of?

I guess I'm confused on the benefit (theoretical or practical) one would get by using that variety of resolvers. Is it just to prevent theoretical censorship at the DNS level?

charcircuit4y ago

Same with 1.1.1.1 (the case where archive.is used to not work was archive.is's nameserver purposefully being configured to return bad results to 1.1.1.1)

tambeb4y ago

My question exactly. In another comment here I asked for some examples for the claim that some .ru domains were being black holed.

yegor4y ago

Shameless self promotion: Try Control D - https://controld.com/free-dns

There are many different types of resolvers, blocking and unfiltered. We're adding global ECH support in the coming weeks. There is also a paid plan if you need more control.

schleck84y ago

ControlD, DNS.sb and LibreDNS for instance. The latter two are open source.

I think non-disciminating DNS providers are rather the norm and not an exception though.

NotAWorkNickOP4y ago

Really?

Then your experience differs greatly from mine (EU based). My usual mix of 'fastest anycast' upstreams’ are reliably black-holing a lot of .ru domains right now

(Rightly or wrongly is a ‘nother question for a ‘nother day).

P.S, YMMV and obviously does :)

ev14y ago

Are you sure it's not Runet dropping traffic incoming?

tambeb4y ago

Could you give a couple of examples of the black holing you've seen?

1 more reply

kseistrup4y ago

You could try Uncensored DNS: https://blog.uncensoreddns.org/

kseistrup4y ago

See also Public DNS Server by Country: https://dnschecker.org/public-dns

mike_d4y ago

  103.196.38.3
  103.196.38.8

Globally anycasted plain vanilla name resolution. I don't publicize it because I don't have anything to gain from more users, but you are free to use them.

hansel_der4y ago

> I don't publicize it

but you did ... thx anyway :)

loxias4y ago

It's really not that hard to just run your own DNS server locally. Then you're not beholden to anyone. I recommend it.

btdmaster4y ago

https://www.opennic.org/ and downstream providers from there are quite good: https://servers.opennic.org/

hansel_der4y ago

note that opennic provides an alternative dns-root, inlcudes new/fun/special tld's, and is hence considered more of an excentric option. ymmv

stranded224y ago

Personally, I use nextdns on a paid plan (£17/year). Full control, can change to no logs, or logs stored in Switzerland. They have a free plan too

rsync4y ago

I do this.

I have my own resolver on my own server running unbound and it gets service from my paid nextdns account.

Sort of like having a pihole but it is available from anywhere and I don’t have to run a rpi…

irq4y ago

This setup is intriguing. I'm curious, is there any latency penalty going this way vs using your own pihole + 1.1.1.1 or 8.8.8.8 instead of nextdns?

1 more reply

hansel_der4y ago

so your unbound instance is doing caching, mixing and stipping edns before forwarding the queries to nextdns resolvers?

c0l04y ago

I run and use https://resolv.us.to/ - you may do the latter, too.

nix234y ago

>Given my ‘Information Wants To Be Free’ viewpoint, are there any DNS equivalents of Switzerland

That's exactly why Quad9 changed it's HQ to Switzerland:

https://www.switch.ch/news/quad9-moves-to-Switzerland/

sp3324y ago

Quad9's default 9.9.9.9 address blocks malware, but the alternate 9.9.9.10 does not. https://www.quad9.net/service/service-addresses-and-features

matoro4y ago

I use dnscrypt-proxy[0] which round-robins to a bunch of upstream servers, plus encryption.

[0] https://github.com/DNSCrypt/dnscrypt-proxy

BrandoElFollito4y ago

Question after reading (very interesting) answers: what is the downsize using the root servers instead of the well-known ones? (1.1.1.1, 8.8.8.8, ...)

Is it the cache that improves resolution speed in a meaningful way?

cyounkins4y ago

They are used in different ways - search for recursive resolver vs caching public resolver.

Running your own recursive resolver will almost certainly be slower, on the order of 2x latency. I should test it...

Also, DNS-over-HTTP and DNS-over-TLS are not available with all DNS servers, but can be readily enabled to secure the last mile when the upstream public resolver supports it.

jiveturkey4y ago

huh. Why aren't you simply querying the roots and from there the SOA for any domain?

vetinari4y ago

It is very easy to hijaack port 53 traffic, so you might not talk to DNS server you think you do.

Heck, I did that at home for Chromecast and other devices that hardcode their DNS.

pabs34y ago

I just do this to get a neutral DNSSEC supporting recursive DNS resolver:

apt install unbound

snovv_crash4y ago

You could try using a DNS provider that's actually in Switzerland...

amitbakhru4y ago

1.1.1.1 1.0.0.1

hansel_der4y ago

squatting on someone elses couch is generally not considered 'making a home for oneself'

upnick4y ago

You might want to look up "geo-politically stable" web hosting. Aside from that, Epik.com has traditionally been quite supportive of free speech (even if it's Trump supporters).

moltke4y ago

The DNS (as it exists today) is supposed to be the equivalent of Switzerland. The internet community has said over and over again they're not interested in censoring the internet or removing any group of people from it.

It sounds like what you really want is your own recursive resolver.

axiosgunnar4y ago

Note that even Switzerland could not stay neutral this time and enacted severe sanctions against Russia.

Maybe staying neutral has the higher cost to a free society (and thus „information wanting to be free“) in the long term?

j / k navigate · click thread line to collapse

96 comments

neilalexander4y ago

You could just run a recursive resolver yourself by using the root hints. You don't need to delegate your DNS queries onto a third-party resolver like Quad9.

https://www.iana.org/domains/root/files

NotAWorkNickOP4y ago

One quick question though - After taking a quick skim of it the list seems to be extremely 'Western-Centric' (reference link https://www.internic.net/domain/named.root)

icedchai4y ago

The root servers are anycasted. Each one of those root server IPs corresponds to N physical servers at diverse networks / locations all over the world.

lapinot4y ago

> I'm just a 'little guy' in the food chain so I always figured that doing something like that was for the ISP level folks

> After taking a quick skim of it the list seems to be extremely 'Western-Centric'

aaomidi4y ago

They are western centric, and unfortunately, in this current state of the web they're still essentially the authority on DNS.

Alternatively, you can maintain the NSes for all the TLDs you are particularly interested in, and alert yourself if they change to something you don't recognize.

1 more reply

tylersmith4y ago

The canonical DNS system itself is extremely Western-Centric.

1 more reply

DavideNL4y ago

Although querying the root servers directly is always unencrypted right? So your ISP can see and might manipulate all queries at will?

chrissnell4y ago

2 more replies

CaliforniaKarl4y ago

In addition to the root hints, you should also download the DNSSEC anchor key (available on the same site as the root hints). That will let you detect manipulations of records that are DNSSEC-signed.

Otherwise, you could spin up your recursive resolver on your cloud, VPS, or other hosting provider of choice, and then use that.

2 more replies

0xbadcafebee4y ago

In theory if you got a resolver which could disable UDP queries, it would then default to TCP, and the ISP couldn't manipulate those. Don't know if any resolver supports disabling UDP though.

3 more replies

nfriedly4y ago

I know this isn't quite what your asking for, but one idea is to set up a Pi-hole + unbound: https://docs.pi-hole.net/guides/dns/unbound/

Unbound is basically your own private DNS resolver and then Pi-hole lets you filter out whatever "junk" you don't want.

drexlspivey4y ago

Unbound will also pre-fetch your most common lookups prior to the TTL expiring so it's probably even faster than querying a third-party resolver

stingraycharles4y ago

Or you can just run unbound directly. I’ve been doing that for years, and let it directly resolve with the root DNS servers. Can’t get more neutral than that, I’d argue.

mekster4y ago

I'm using Adguard Home and it's working great.

https://github.com/AdguardTeam/AdGuardHome

egamirorrim4y ago

I don't know if it's an obvious question or not, but how does performance compare with your own unbound vs quad1/8/9? I imagine it's slower in general?

nfriedly4y ago

lapinot4y ago

I never measured anything, but i'm running a recursive resolver on my laptop since a couple years (knot resolver) and never had any performance problem.

justsomehnguy4y ago

https://news.ycombinator.com/item?id=30649709

khimaros4y ago

for anyone running OpenWRT, unbound + adblock works well and is trivially configurable via the LUCI web interface.

nobody99994y ago

>My question to HN is this – Given my ‘Information Wants To Be Free’ viewpoint, are there any DNS equivalents of Switzerland (WWII, Neutral to all parties) providers?

Presumably the root and authoritative servers. Which is why I use a local recursive resolver rather than any upstream/third party resolvers.

You should try it. It's easy and fun!

nimbius4y ago

Google DNS should at this point be considered harmful. Devs love to hardcode it in resolvd because 'user experience' but there's ample evidence its just analytics.

https://dnscrypt.info/public-servers/ will give you a nice list of doh to try out. Ymmv however as many are sporadic.

cyounkins4y ago

Can you point to the evidence that Google DNS is used for analytics?

b1124y ago

Another person responded with info, but at this point, shouldn't we assume every single thing Google does, is for analytics?

At this point, the onus is to prove thing $x is not used for Google analytics.

2 more replies

nimbius4y ago

https://en.m.wikipedia.org/wiki/Google_Public_DNS

1 more reply

speedgoose4y ago

https://developers.google.com/speed/public-dns/privacy

1 more reply

aaomidi4y ago

celsoazevedo4y ago

If you already run your own DNS resolver, query the root servers directly. No need to trust DNS providers when you can do the same thing yourself.

walrus014y ago

celsoazevedo4y ago

In that case maybe something like DNSCrypt[0] and a 3rd party provider makes sense. On top of the encrypted connection, DNSCrypt has the option to proxy queries to improve privacy.

---

[0] https://github.com/DNSCrypt/dnscrypt-proxy

nmjohn4y ago

Given you only mention censorship/chilling effect and not privacy - why isn't 8.8.8.8 sufficient? Have there been instances of domains it censored and stopped resolving that I'm not aware of?

I guess I'm confused on the benefit (theoretical or practical) one would get by using that variety of resolvers. Is it just to prevent theoretical censorship at the DNS level?

charcircuit4y ago

Same with 1.1.1.1 (the case where archive.is used to not work was archive.is's nameserver purposefully being configured to return bad results to 1.1.1.1)

tambeb4y ago

My question exactly. In another comment here I asked for some examples for the claim that some .ru domains were being black holed.

yegor4y ago

Shameless self promotion: Try Control D - https://controld.com/free-dns

There are many different types of resolvers, blocking and unfiltered. We're adding global ECH support in the coming weeks. There is also a paid plan if you need more control.

schleck84y ago

ControlD, DNS.sb and LibreDNS for instance. The latter two are open source.

I think non-disciminating DNS providers are rather the norm and not an exception though.

NotAWorkNickOP4y ago

Really?

Then your experience differs greatly from mine (EU based). My usual mix of 'fastest anycast' upstreams’ are reliably black-holing a lot of .ru domains right now

(Rightly or wrongly is a ‘nother question for a ‘nother day).

P.S, YMMV and obviously does :)

ev14y ago

Are you sure it's not Runet dropping traffic incoming?

tambeb4y ago

Could you give a couple of examples of the black holing you've seen?

1 more reply

kseistrup4y ago

You could try Uncensored DNS: https://blog.uncensoreddns.org/

kseistrup4y ago

See also Public DNS Server by Country: https://dnschecker.org/public-dns

mike_d4y ago

  103.196.38.3
  103.196.38.8

Globally anycasted plain vanilla name resolution. I don't publicize it because I don't have anything to gain from more users, but you are free to use them.

hansel_der4y ago

> I don't publicize it

but you did ... thx anyway :)

loxias4y ago

It's really not that hard to just run your own DNS server locally. Then you're not beholden to anyone. I recommend it.

btdmaster4y ago

https://www.opennic.org/ and downstream providers from there are quite good: https://servers.opennic.org/

hansel_der4y ago

note that opennic provides an alternative dns-root, inlcudes new/fun/special tld's, and is hence considered more of an excentric option. ymmv

stranded224y ago

Personally, I use nextdns on a paid plan (£17/year). Full control, can change to no logs, or logs stored in Switzerland. They have a free plan too

rsync4y ago

I do this.

I have my own resolver on my own server running unbound and it gets service from my paid nextdns account.

Sort of like having a pihole but it is available from anywhere and I don’t have to run a rpi…

irq4y ago

This setup is intriguing. I'm curious, is there any latency penalty going this way vs using your own pihole + 1.1.1.1 or 8.8.8.8 instead of nextdns?

1 more reply

hansel_der4y ago

so your unbound instance is doing caching, mixing and stipping edns before forwarding the queries to nextdns resolvers?

c0l04y ago

I run and use https://resolv.us.to/ - you may do the latter, too.

nix234y ago

>Given my ‘Information Wants To Be Free’ viewpoint, are there any DNS equivalents of Switzerland

That's exactly why Quad9 changed it's HQ to Switzerland:

https://www.switch.ch/news/quad9-moves-to-Switzerland/

sp3324y ago

Quad9's default 9.9.9.9 address blocks malware, but the alternate 9.9.9.10 does not. https://www.quad9.net/service/service-addresses-and-features

matoro4y ago

I use dnscrypt-proxy[0] which round-robins to a bunch of upstream servers, plus encryption.

[0] https://github.com/DNSCrypt/dnscrypt-proxy

BrandoElFollito4y ago

Question after reading (very interesting) answers: what is the downsize using the root servers instead of the well-known ones? (1.1.1.1, 8.8.8.8, ...)

Is it the cache that improves resolution speed in a meaningful way?

cyounkins4y ago

They are used in different ways - search for recursive resolver vs caching public resolver.

Running your own recursive resolver will almost certainly be slower, on the order of 2x latency. I should test it...

Also, DNS-over-HTTP and DNS-over-TLS are not available with all DNS servers, but can be readily enabled to secure the last mile when the upstream public resolver supports it.

jiveturkey4y ago

huh. Why aren't you simply querying the roots and from there the SOA for any domain?

vetinari4y ago

It is very easy to hijaack port 53 traffic, so you might not talk to DNS server you think you do.

Heck, I did that at home for Chromecast and other devices that hardcode their DNS.

pabs34y ago

I just do this to get a neutral DNSSEC supporting recursive DNS resolver:

apt install unbound

snovv_crash4y ago

You could try using a DNS provider that's actually in Switzerland...

amitbakhru4y ago

1.1.1.1 1.0.0.1

hansel_der4y ago

squatting on someone elses couch is generally not considered 'making a home for oneself'

upnick4y ago

You might want to look up "geo-politically stable" web hosting. Aside from that, Epik.com has traditionally been quite supportive of free speech (even if it's Trump supporters).

moltke4y ago

It sounds like what you really want is your own recursive resolver.

axiosgunnar4y ago

Note that even Switzerland could not stay neutral this time and enacted severe sanctions against Russia.

Maybe staying neutral has the higher cost to a free society (and thus „information wanting to be free“) in the long term?

j / k navigate · click thread line to collapse