DNS0: The European public DNS that makes your internet safer (opens in new tab)

(dns0.eu)

244 pointspopasmurf3y ago178 comments

178 comments

"dns0.eu is a French non‑profit organization founded in 2022 by Romain Cointepas and Olivier Poitrey — co-founders of NextDNS."

eikaramba3y ago

okay now it actually sounds way more interesting. Because NextDNS is by far my most beloved DNS resolver

denton-scratch3y ago

> safe for children

Ah, it's filtered.

Someone decides what "children" means. Someone decides what "safe" means.

There are people who think that not just under-16s, but almost everyone is incapable of making adult decisions. And different (responsible, informed) adults may come to different conclusions about what is and isn't safe.

Curated DNS may suit some people, but I appreciate having access to the real internet.

daneel_w3y ago

They offer three families of resolvers: the default one which as far as I understand isn't curated at all, the "zero" one which is curated against "bad actors", and the "kids" one which you speak of.

denton-scratch3y ago

> They offer three families of resolvers

Yeah, I see. On first reading, that wasn't obvious to me.

But a DNS provider that can filter, and that also purports to be something to do with the EU, presumably imposes EU-mandated filtering, whichever server you choose. Or it will, as soon as it's ordered to.

I don't get why people use 3rd-party resolvers. It's not hard to set up an Unbound recursor.

4 more replies

mhitza3y ago

There are separate dns servers, the one for kids is different from the one mentioned on the landing page.

xctr943y ago

Nonsense.

You can choose which version to use, same with Cloudflare’s 3 different DNS choices.

Mindwipe3y ago

And much like Cloudflare the lack of accountability and clumsy blocking schema of the "child safe" one is dangerous and worthy of criticism.

KingOfCoders3y ago

If it's not for you it's not for you.

I always wonder about people who go to a French restaurant and want Pizza.

denton-scratch3y ago

When I first encountered pizza, I was a kid, and it was in France. For quite a few years, I thought pizza was a French thing.

I'm not sure what your point is. I read the article because I'm interested in DNS; not because I'm researching 3rd-party resolvers. I run my own Unbound recursor.

UncleEntity3y ago

Probably the best pizza I’ve ever had in my life was at a French restaurant in Vientiane, Laos.

So, yeah…

1 more reply

jMyles3y ago

> I always wonder about people who go to a French restaurant and want Pizza.

To be fair, this is more like trying to lookup contact information for the local pizzeria, and realizing to your surprise that the phone book you've picked up has directed you to the French restaurant instead.

1 more reply

Aeolun3y ago

I’m now 35 and incapable of making adult decisions. Does that count?

denton-scratch3y ago

I think there may be a 5-year window, perhaps from 60-65, when you are old enough but not too old. Older, and you're child-like because you're senile; younger, and you're naive, reckless, and under-informed.

helb3y ago

Before i start digging into it, does anybody know how they do "No mature videos on YouTube" (in the "kids" filter) with just DNS?

rmccue3y ago

It appears this is functionality provided by YouTube themselves where you can set a CNAME: https://support.google.com/a/answer/6214622?hl=en#zippy=%2Co...

helb3y ago

thanks, looks like you're right:

    $ kdig +tls www.youtube.com @kids.dns0.eu
    …
    ;; QUESTION SECTION:
    ;; www.youtube.com.      IN A

    ;; ANSWER SECTION:
    www.youtube.com.              300  IN CNAME restrictmoderate.youtube.com.
    restrictmoderate.youtube.com. 1611 IN A     216.239.38.119

nicolaslem3y ago

The DNS responds with forcesafesearch.google.com for google.com.

https://support.google.com/websearch/answer/186669?hl=en

oriettaxx3y ago

uh, you are right: +1 for this question

helb3y ago

If anyone's wondering which are the "High-risk TLDs" blocked in the "zero" filter: CF, CG, GA, GQ, ML, TK, TOP, WIN (right now, i guess it may change any time)

The "kids" filter blocks the same TLDs, so it allows XXX or PORN, i guess they just block individual 2nd level domains.

I just looped through IANA's TLD list with a simple script to get this. The resolver returns NXDOMAIN with "negative-caching.dns0.eu." SOA for the blocked ones:

    $ kdig +tls ns tk @zero.dns0.eu
    …
    ;; ->>HEADER<<- opcode: QUERY; status: NXDOMAIN; id: 39321
    …
    ;; QUESTION SECTION:
    ;; tk.                   IN NS

    ;; AUTHORITY SECTION:
    tk.                  300 IN SOA negative-caching.dns0.eu. hostmaster.tk. 0 1200 300 1209600 300

Symbiote3y ago

It seems pretty ridiculous to block those domains outright. There are plenty of legitimate government, tourist and local sites, which could at least be whitelisted.

They've blocked UNICEF's link shortener: https://uni.cf

KingOfCoders3y ago

"They've blocked UNICEF's link shortener: https://uni.cf"

Which I consider a good thing, why route links through the influence space of a country that is in a civil war with foreign mercenaries running parts of the show?

1 more reply

preisschild3y ago

Is this actually affiliated with the EU, other than just being hosted in the EU?

leohonexus3y ago

Not affiliated with EU at all. Their branding and wording makes it look like they are until you scroll to the bottom and read the About.

Admittedly I don't live in the EU so to some of you folks the non-affiliation may seem obvious.

izacus3y ago

> Admittedly I don't live in the EU so to some of you folks the non-affiliation may seem obvious.

The webpage is too nice looking and lacking the 30 poorly resized 80x80 EU institution logos. So yeah, not affiliated ;P

1 more reply

capableweb3y ago

> Their branding and wording makes it look like they are

Because the website is blue and mentions "European Union"?

It doesn't say anywhere that it's a official EU project, nor does it contain some of the famous "banners" that EU projects usually have in the footer to show their grants/funding, nor is it on a official EU domain.

Clearly a not-EU project from first glance.

2 more replies

ulimn3y ago

Well... I understand what you mean but they only have "European" in their title. Europe != European Union.

1 more reply

mihaaly3y ago

As far as I see it is just yet another private organization that aims at watching what the population visits on the internet.

kapsteur3y ago

Europe having already planned to launch a service which will be called DNS4EU, it looks a bit like phishing. Source: https://joinup.ec.europa.eu/collection/ict-standards-procure...

Y_Y3y ago

Pity they couldn't get a cool IP address like Cloudflare and Google. Since without some source of DNS you can't reach dns0.eu it's good to have something memorable like 1.1.1.1 or 8.8.8.8

1f60c3y ago

And 1.1.1.1 + 8.8.8.8 = 9.9.9.9 (https://quad9.net)

toyg3y ago

yeah I think that's really a big shortcoming. It probably comes down to funding, but it results in a big usability issue. I'll never remember those IPs, and when I can so easily remember 1.1.1.1 and 8.8.8.8, it's obvious what I'm always going to choose.

zxcvbn40383y ago

No IPv6 either

1 more reply

dm3y ago

It's kind of ironic that their main IPv4 addresses are x.x.x.0, while their "ZERO" filtering version uses x.x.x.9.

jordiburgos3y ago

Use 1.1.1.1 to get the networking working, find DNS0.eu and change the DNS again :)

codesniperjoe3y ago

Warning:

Do not go to this site with enabled javascript! They spam your uplink DNS provider with thousands of uniq, uncachable (fingerprinting?) 'test' dns keys without your consent, to identify & track the DNS service you are using!

Take a look at your DNS outbound log yourself!

jedisct13y ago

Since they don't seem to be mentioned on their website, DNS Stamps are sdns://AgMAAAAAAAAAACCaOjT3J965vKUQA9nOnDn48n3ZxSQpAcK6saROY1oCGQdkbnMwLmV1Ci9kbnMtcXVlcnk ("zero" version) and sdns://AgMAAAAAAAAAACCaOjT3J965vKUQA9nOnDn48n3ZxSQpAcK6saROY1oCGQxraWRzLmRuczAuZXUKL2Rucy1xdWVyeQ ("kids" version).

But these are already present in the list of public encrypted resolvers (https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v...).

iruoy3y ago

This is founded by co-founders of NextDNS. But why? How is it different?

leokennis3y ago

For one, on NextDNS I can configure exactly what I want to block (i.e. enable arbitrary combinations of ad filter lists, whitelist domains etc.). This introduces complexity (IPv6 DNS addresses, binding your external IPv4 to a specific configuration etc.)

With DNS0 I just get an IPv4 address that blocks X, Y and Z.

So NextDNS is sort of the power user version of DNS0.

__alexs3y ago

Because NextDNS is a for-profit company they probably can't get funding from the EU for these silly EU vanity projects so easily.

toyg3y ago

DNS is not a "vanity project", it's a massive issue in terms of internet governance. We've known this since the '90s, which is why the EU is starting its own service (that is not this one). I doubt this project got any EU funding, or is likely to ever get any EU money at all; in fact, it looks like a last-gasp attempt from a private DNS company to remain relevant.

1 more reply

daneel_w3y ago

How is this a "silly EU vanity project"?

1 more reply

easytiger3y ago

The EU Commission has a DNS project that they tendered to various private companies. They want the majority of EU internet through something they can directly regulate and control EU internet users.

DNS is a very cheap service to run so I wonder if the founders intended to get a first mover advantage and to be subsumed into the project

nix233y ago

I just use quad9:

https://www.quad9.net/service/service-addresses-and-features

forgotpwd163y ago

Also operated by a non-profit and also in Europe (albeit in Switzerland that isn't part of EU).

5e92cb50239222b3y ago

I wish they'd put more resolvers around the globe. I have 10ms ping to the nearest Cloudflare colocation, but around 100ms to quad9. It makes browsing the web so much slower.

richij3y ago

90 ms. So much.

1 more reply

danuker3y ago

From Romania, I've been getting random delays/timeouts with quad9.

greyly3y ago

I had the same issue here in Sweden. 1.5 second delays on some lookups. I opened a ticket and worked with them to isolate the issue, which they then fixed. They were very helpful and very knowledgeable for L1 support.

nix233y ago

Please please inform them about it.

1 more reply

Terretta3y ago

Which doesn't do ad blocking.

nix233y ago

Yeah i don't want that at a "not controlled by me" level.

1 more reply

AstixAndBelix3y ago

The EU will actually start offering an official European DNS service later this year, not to be confused with this private initiative

madspindel3y ago

It's called DNS4EU: https://www.whalebone.io/dns4eu

amai3y ago

Whalebone? Doesn't sound like an official EU domain.

shasts3y ago

If I choose their DNS, the website shows a text at the bottom that says "You are using dns0.eu"

How does the website know I'm using their DNS? I couldn't find anything in the HTTP header that would help them with this.

https://imgur.com/fMZwxYz

helb3y ago

JS does a GET request every 2 seconds or so to some random subdomain (probably to avoid caching): https://i.vgy.me/qCTabA.png

The JSON response contains 'status: "unconfigured"' when you're not using their resolver and 'status: "ok"' when you are: https://i.vgy.me/iVgIe1.png

That green bar just appears after a "ok" response (no page reload needed).

ignoramous3y ago

Here's an open source nameserver that helps ID DNS resolver in use: https://github.com/redirect2me/which-dns

ulti5523y ago

stupid q here but what font is your terminal using from your screenshot pic

1 more reply

dec0dedab0de3y ago

They could be giving out different IP (or CNAME) for people using their DNS. Then the site is just slightly different depending on how it is accessed. or i suppose they could be looking at logs of the ips using their dns and checking all visitors to the website, but that would be wild.

ooh they could also have a host that is only resolvable from those servers, and have the front end dynamically load that message from that host. and if it fails it does not show anything.

HerrMonnezza3y ago

I guess they redirect you to a different IP than they publish in the public DNS?

daneel_w3y ago

My router runs Unbound in order to rotate queries across a number of different DNS-over-TLS providers. I'll toss these guys into the mix as well out of curiosity just to see how it goes.

ignoramous3y ago

Better to send your queries to a single DNS provider (over TLS/HTTPS) rather than spread it out, because now, not one but multiple providers can build your browsing history. As someone who runs a public DNS resolver, I can tell you that it isn't that hard to build user profiles.

If you're running Unbound, might as well recurse DNS queries, instead of upstreaming it. If you are adamant on spreading DNS queries across multiple upstreams; doing so over ODoH and/or Anonymized DNSCrypt is what I'd recommend.

daneel_w3y ago

>"Better to send your queries to a single DNS provider (over TLS/HTTPS) rather than spread it out, because now, not one but multiple providers can build your browsing history."

What I'm wary about is indeed query logging and profiling, but whether it's one provider or a dozen providers isn't that relevant to me. I make a small effort in trying to gauge which providers are honest and which ones are not.

>"As someone who runs a public DNS resolver, I can tell you that it isn't that hard to build user profiles."

Yes, I understand this. May I ask why you/RethinkDNS are doing this with your users' query data?

1 more reply

addingnumbers3y ago

Won't recursing also spread your queries across multiple providers? And in the clear for deep packet inspectors to see, instead of encrypted?

1 more reply

dorfsmay3y ago

Given the restrictions on this server which won't be on the other, adding it to a rotating list will make DNS answers inconsistant. Why would you want to do that?

daneel_w3y ago

I won't be using the "zero" resolver.

somat3y ago

Why not just have unbound make the query itself? no need to depend on a third party recursive resolver if you already have your own.

daneel_w3y ago

I want to ensure my leg on the network traffic path is encrypted.

xav09893y ago

CIRA, Canada's Internet Registry, runs a number of public DNS servers[1]. The main attraction is that the service is provided by a non-profit and the data and control are held in Canada, subject to Canadian laws and regulation.

They also offer a number of levels of protection, from none (simply resolving the queries) to one blocking suspected malware/C2 domain and one blocking pornographic material.

[1] https://www.cira.ca/cybersecurity-services/canadian-shield

conradfr3y ago

Do they block or allow mandated blocked domain by EU countries?

1 more reply

VoodooJuJu3y ago

They make it seem like they're affiliated with the EU, from brand colors, to TLD, and more. But of course they're unaffiliated. Seems intentionally deceptive.

richij3y ago

The blurb makes it crystal clear that it's talking about location or situs. In other words, regulated by EU regulations. The TLD is specifically for sites that are "in" the EU (as opposed to being "by" te EU).

czechdeveloper3y ago

I did not have that feeling and .eu domains quite standard nation-like domain.

1f60c3y ago

So this is just NextDNS but without a control panel, and it’s 100% free? That’s nice.

amai3y ago

Comparison to PiHole: https://news.ycombinator.com/item?id=22718670 and https://help.nextdns.io/t/q6hmvay/what-is-the-advantage-of-u...

edpichler3y ago

"The European public DNS" sounds misleading to me.

somat3y ago

While I don't think it should be the only choice. Recursive dns does sound like the sort of service a government should offer it's citizens.

Authoritative dns also sounds like the sort of service a government should offer it's citizens. I mean, sure, it would suck compared to commercial dns, but at least everybody could have a name if they wanted.

alpenbazi3y ago

nope. What do you do if your gov says "no" to your website? via your idea that would be a simple matter of seconds

somat3y ago

Then you use another choice, the internet is great like that, what do you do when google's resolver says "nope" to your domain?

Personally, all my devices run through my own recursive resolver which in turn directly resolves the address. Then I get to say "nope" to whatever domains I want(mainly ad services). Except for those thrice infernal dns over https devices, hard to police them that way.

jedisct13y ago

No support for Anonymized DNSCrypt nor ODoH. Guess they still want to see client IP addresses.

moffkalast3y ago

> 193.110.81.0

Ah yes, easy to remember /s

tinco3y ago

212.142.28.66 is an IP address of a DNS server that has been stuck in my mind for 25 years now. That said the time where anyone would regularly configure DNS settings is long gone I imagine.

ignoramous3y ago

You lived in a pre-smartphone era, which has made the rest of us dumb...

andix3y ago

Why do you need to remember the dns server address? I just type it in once.

moffkalast3y ago

Once on every device, VM, container, VPS, etc. That's a lot of times.

4 more replies

sgjohnson3y ago

The era of easy to remember DNS server addresses is coming to a close anyway, due to IPv6.

Cloudflare’s are 2606:4700:4700:1001:: and 2606:4700:4700:1111::

I’ve been deploying IPv6 recently and these addresses haven’t burnt into my brains yet, so I occasionally have to do `dig AAAA one.one.one.one` still.

moduspol3y ago

Coming soon: my public IPv6 dns at dead:beef::

1 more reply

andy_ppp3y ago

Not everyone has the resources of a Google to acquire lucky IP addresses.

londons_explore3y ago

If you have no working DNS, it's hard to google stuff...

There are two types of people - those that just want dns to work at all so they can get stuff done, and those who have working dns but want to 'upgrade' for privacy/filtering reasons.

moffkalast3y ago

Well you'd think the EU would have more resources than a single company.

5 more replies

userbinator3y ago

My phone number is a little longer and yet I remember it, along with my own public IP address as well as my physical one. It depends how much you need to use it, of course.

denton-scratch3y ago

I rarely phone myself. When my number changes, it takes me about a year before I can remember the new one. Numbers I actually call are much easier to memorize.

dschuetz3y ago

No, thanks.

oriettaxx3y ago

Note that for the iphone's configuration to work, you need to use Safari to open their "configuration profile" link

andridk3y ago

Unbelievable that so many operating systems don't support encrypted DNS out of the box.

tambre3y ago

No IPv6 in 2023, is this a joke?

sschueller3y ago

They are listed under Linux:

   [Resolve]
   DNS=193.110.81.0#dns0.eu
   DNS=2a0f:fc80::#dns0.eu
   DNS=185.253.5.0#dns0.eu
   DNS=2a0f:fc81::#dns0.eu
   DNSOverTLS=yes

mhitza3y ago

There's IPv6, but I see it's not suggested by default except for Linux configuration and on the Others tab.

f_devd3y ago

They do have a IPv6 address under Linux & Others if that's what you mean

acatton3y ago

From the "other" tab:

> DNS53 (IPv6)

> 2a0f:fc80::

> 2a0f:fc81::

1 more reply

Mindwipe3y ago

Doesn't disclose where their blocklists come from for the child product, hugely overblocks legitimate websites, has no appeals process for miscatagorisation.

What an awful product.

daneel_w3y ago

Can you provide any examples of legitimate sites that they block on their "zero" resolvers?

daneel_w3y ago

I'll answer the question myself by providing an example I saw elsewhere, which also illustrates that their "default" resolver differs from the curated "zero" resolver:

  dig @193.110.81.0 uni.cf a
  
  status: NOERROR, ANSWER: 2
  IN  A  67.199.248.12
  IN  A  67.199.248.13
  
  
  dig @193.110.81.9 uni.cf a

  status: NXDOMAIN, ANSWER: 0
  IN  A

RobotToaster3y ago

I just use OpenNIC

https://www.opennic.org/

tuananh3y ago

it's so slow for me. probably only deployed in Europe.

8fingerlouie3y ago

So the end of NextDNS ?

theshrike793y ago

NextDNS lets me pick what to block, I can't configure DNS0 except for the few variants that require me to change the DNS address completely.

Also: I can't pay for DNS0, so how can I trust they stay up when I'm not their customer?

parminya3y ago

How can you trust any company you pay to stay up even if you are their customer? I've used discontinued products before. Paid subscriptions to companies that merge with others and the service no longer really exists.

1 more reply

breton3y ago

How can you trust they stay up when you are their customer and pay them?

2 more replies

helb3y ago

NextDNS founders launched this…

eterevsky3y ago

It has quite extreme filtering:

- No porn or other adult websites

- No explicit search results

- No mature videos on YouTube

- No dating websites or apps

- No mixed-content websites

- No piracy

- No ads

b3orn3y ago

That seems to be only the case for the "childproof" version.

eterevsky3y ago

Ah, right, it has different DNS IPs.

Timshel3y ago

Unless I'm missing something this is the filtering for `kids.dns0.eu` not the ones on `dns0.eu`.

0x001010103y ago

Today it's a feature. Tomorrow it becomes mandatory by law. Loosing freedom with a big bang and a hole lot of happy people because they cannot compute. There is nothing good about things like that, at least on the long run.

bragr3y ago

This is run by a French non-profit, not the EU government. What are you on about?

msm_3y ago

This slope is very slippery. This is an optional service that you can use, or ignore. Your position is like saying that kids-safe movies are a feature today, but will become mandatory in the future.

H4ZB73y ago

> 100% European

but is it gluten free? /s at least it's not google or cloudflare

it's pretty funny how a completely irrelevant broken protocol that i don't actually needed (could just type the 4 IP digits) is the central talking point of politics junkies

j / k navigate · click thread line to collapse

178 comments

mdrzn3y ago

"dns0.eu is a French non‑profit organization founded in 2022 by Romain Cointepas and Olivier Poitrey — co-founders of NextDNS."

eikaramba3y ago

okay now it actually sounds way more interesting. Because NextDNS is by far my most beloved DNS resolver

denton-scratch3y ago

> safe for children

Ah, it's filtered.

Someone decides what "children" means. Someone decides what "safe" means.

Curated DNS may suit some people, but I appreciate having access to the real internet.

daneel_w3y ago

They offer three families of resolvers: the default one which as far as I understand isn't curated at all, the "zero" one which is curated against "bad actors", and the "kids" one which you speak of.

denton-scratch3y ago

> They offer three families of resolvers

Yeah, I see. On first reading, that wasn't obvious to me.

I don't get why people use 3rd-party resolvers. It's not hard to set up an Unbound recursor.

4 more replies

mhitza3y ago

There are separate dns servers, the one for kids is different from the one mentioned on the landing page.

xctr943y ago

Nonsense.

You can choose which version to use, same with Cloudflare’s 3 different DNS choices.

Mindwipe3y ago

And much like Cloudflare the lack of accountability and clumsy blocking schema of the "child safe" one is dangerous and worthy of criticism.

KingOfCoders3y ago

If it's not for you it's not for you.

I always wonder about people who go to a French restaurant and want Pizza.

denton-scratch3y ago

When I first encountered pizza, I was a kid, and it was in France. For quite a few years, I thought pizza was a French thing.

I'm not sure what your point is. I read the article because I'm interested in DNS; not because I'm researching 3rd-party resolvers. I run my own Unbound recursor.

UncleEntity3y ago

Probably the best pizza I’ve ever had in my life was at a French restaurant in Vientiane, Laos.

So, yeah…

1 more reply

jMyles3y ago

> I always wonder about people who go to a French restaurant and want Pizza.

1 more reply

Aeolun3y ago

I’m now 35 and incapable of making adult decisions. Does that count?

denton-scratch3y ago

helb3y ago

Before i start digging into it, does anybody know how they do "No mature videos on YouTube" (in the "kids" filter) with just DNS?

rmccue3y ago

It appears this is functionality provided by YouTube themselves where you can set a CNAME: https://support.google.com/a/answer/6214622?hl=en#zippy=%2Co...

helb3y ago

thanks, looks like you're right:

    $ kdig +tls www.youtube.com @kids.dns0.eu
    …
    ;; QUESTION SECTION:
    ;; www.youtube.com.      IN A

    ;; ANSWER SECTION:
    www.youtube.com.              300  IN CNAME restrictmoderate.youtube.com.
    restrictmoderate.youtube.com. 1611 IN A     216.239.38.119

nicolaslem3y ago

The DNS responds with forcesafesearch.google.com for google.com.

https://support.google.com/websearch/answer/186669?hl=en

oriettaxx3y ago

uh, you are right: +1 for this question

helb3y ago

If anyone's wondering which are the "High-risk TLDs" blocked in the "zero" filter: CF, CG, GA, GQ, ML, TK, TOP, WIN (right now, i guess it may change any time)

The "kids" filter blocks the same TLDs, so it allows XXX or PORN, i guess they just block individual 2nd level domains.

I just looped through IANA's TLD list with a simple script to get this. The resolver returns NXDOMAIN with "negative-caching.dns0.eu." SOA for the blocked ones:

    $ kdig +tls ns tk @zero.dns0.eu
    …
    ;; ->>HEADER<<- opcode: QUERY; status: NXDOMAIN; id: 39321
    …
    ;; QUESTION SECTION:
    ;; tk.                   IN NS

    ;; AUTHORITY SECTION:
    tk.                  300 IN SOA negative-caching.dns0.eu. hostmaster.tk. 0 1200 300 1209600 300

Symbiote3y ago

It seems pretty ridiculous to block those domains outright. There are plenty of legitimate government, tourist and local sites, which could at least be whitelisted.

They've blocked UNICEF's link shortener: https://uni.cf

KingOfCoders3y ago

"They've blocked UNICEF's link shortener: https://uni.cf"

Which I consider a good thing, why route links through the influence space of a country that is in a civil war with foreign mercenaries running parts of the show?

1 more reply

preisschild3y ago

Is this actually affiliated with the EU, other than just being hosted in the EU?

leohonexus3y ago

Not affiliated with EU at all. Their branding and wording makes it look like they are until you scroll to the bottom and read the About.

Admittedly I don't live in the EU so to some of you folks the non-affiliation may seem obvious.

izacus3y ago

> Admittedly I don't live in the EU so to some of you folks the non-affiliation may seem obvious.

The webpage is too nice looking and lacking the 30 poorly resized 80x80 EU institution logos. So yeah, not affiliated ;P

1 more reply

capableweb3y ago

> Their branding and wording makes it look like they are

Because the website is blue and mentions "European Union"?

Clearly a not-EU project from first glance.

2 more replies

ulimn3y ago

Well... I understand what you mean but they only have "European" in their title. Europe != European Union.

1 more reply

mihaaly3y ago

As far as I see it is just yet another private organization that aims at watching what the population visits on the internet.

kapsteur3y ago

Europe having already planned to launch a service which will be called DNS4EU, it looks a bit like phishing. Source: https://joinup.ec.europa.eu/collection/ict-standards-procure...

Y_Y3y ago

Pity they couldn't get a cool IP address like Cloudflare and Google. Since without some source of DNS you can't reach dns0.eu it's good to have something memorable like 1.1.1.1 or 8.8.8.8

1f60c3y ago

And 1.1.1.1 + 8.8.8.8 = 9.9.9.9 (https://quad9.net)

toyg3y ago

zxcvbn40383y ago

No IPv6 either

1 more reply

dm3y ago

It's kind of ironic that their main IPv4 addresses are x.x.x.0, while their "ZERO" filtering version uses x.x.x.9.

jordiburgos3y ago

Use 1.1.1.1 to get the networking working, find DNS0.eu and change the DNS again :)

codesniperjoe3y ago

Warning:

Take a look at your DNS outbound log yourself!

jedisct13y ago

But these are already present in the list of public encrypted resolvers (https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v...).

iruoy3y ago

This is founded by co-founders of NextDNS. But why? How is it different?

leokennis3y ago

With DNS0 I just get an IPv4 address that blocks X, Y and Z.

So NextDNS is sort of the power user version of DNS0.

__alexs3y ago

Because NextDNS is a for-profit company they probably can't get funding from the EU for these silly EU vanity projects so easily.

toyg3y ago

1 more reply

daneel_w3y ago

How is this a "silly EU vanity project"?

1 more reply

easytiger3y ago

The EU Commission has a DNS project that they tendered to various private companies. They want the majority of EU internet through something they can directly regulate and control EU internet users.

DNS is a very cheap service to run so I wonder if the founders intended to get a first mover advantage and to be subsumed into the project

nix233y ago

I just use quad9:

https://www.quad9.net/service/service-addresses-and-features

forgotpwd163y ago

Also operated by a non-profit and also in Europe (albeit in Switzerland that isn't part of EU).

5e92cb50239222b3y ago

I wish they'd put more resolvers around the globe. I have 10ms ping to the nearest Cloudflare colocation, but around 100ms to quad9. It makes browsing the web so much slower.

richij3y ago

90 ms. So much.

1 more reply

danuker3y ago

From Romania, I've been getting random delays/timeouts with quad9.

greyly3y ago

nix233y ago

Please please inform them about it.

1 more reply

Terretta3y ago

Which doesn't do ad blocking.

nix233y ago

Yeah i don't want that at a "not controlled by me" level.

1 more reply

AstixAndBelix3y ago

The EU will actually start offering an official European DNS service later this year, not to be confused with this private initiative

madspindel3y ago

It's called DNS4EU: https://www.whalebone.io/dns4eu

amai3y ago

Whalebone? Doesn't sound like an official EU domain.

shasts3y ago

If I choose their DNS, the website shows a text at the bottom that says "You are using dns0.eu"

How does the website know I'm using their DNS? I couldn't find anything in the HTTP header that would help them with this.

https://imgur.com/fMZwxYz

helb3y ago

JS does a GET request every 2 seconds or so to some random subdomain (probably to avoid caching): https://i.vgy.me/qCTabA.png

The JSON response contains 'status: "unconfigured"' when you're not using their resolver and 'status: "ok"' when you are: https://i.vgy.me/iVgIe1.png

That green bar just appears after a "ok" response (no page reload needed).

ignoramous3y ago

Here's an open source nameserver that helps ID DNS resolver in use: https://github.com/redirect2me/which-dns

ulti5523y ago

stupid q here but what font is your terminal using from your screenshot pic

1 more reply

dec0dedab0de3y ago

ooh they could also have a host that is only resolvable from those servers, and have the front end dynamically load that message from that host. and if it fails it does not show anything.

HerrMonnezza3y ago

I guess they redirect you to a different IP than they publish in the public DNS?

daneel_w3y ago

My router runs Unbound in order to rotate queries across a number of different DNS-over-TLS providers. I'll toss these guys into the mix as well out of curiosity just to see how it goes.

ignoramous3y ago

daneel_w3y ago

>"Better to send your queries to a single DNS provider (over TLS/HTTPS) rather than spread it out, because now, not one but multiple providers can build your browsing history."

>"As someone who runs a public DNS resolver, I can tell you that it isn't that hard to build user profiles."

Yes, I understand this. May I ask why you/RethinkDNS are doing this with your users' query data?

1 more reply

addingnumbers3y ago

Won't recursing also spread your queries across multiple providers? And in the clear for deep packet inspectors to see, instead of encrypted?

1 more reply

dorfsmay3y ago

Given the restrictions on this server which won't be on the other, adding it to a rotating list will make DNS answers inconsistant. Why would you want to do that?

daneel_w3y ago

I won't be using the "zero" resolver.

somat3y ago

Why not just have unbound make the query itself? no need to depend on a third party recursive resolver if you already have your own.

daneel_w3y ago

I want to ensure my leg on the network traffic path is encrypted.

xav09893y ago

They also offer a number of levels of protection, from none (simply resolving the queries) to one blocking suspected malware/C2 domain and one blocking pornographic material.

[1] https://www.cira.ca/cybersecurity-services/canadian-shield

conradfr3y ago

Do they block or allow mandated blocked domain by EU countries?

1 more reply

VoodooJuJu3y ago

They make it seem like they're affiliated with the EU, from brand colors, to TLD, and more. But of course they're unaffiliated. Seems intentionally deceptive.

richij3y ago

czechdeveloper3y ago

I did not have that feeling and .eu domains quite standard nation-like domain.

1f60c3y ago

So this is just NextDNS but without a control panel, and it’s 100% free? That’s nice.

amai3y ago

Comparison to PiHole: https://news.ycombinator.com/item?id=22718670 and https://help.nextdns.io/t/q6hmvay/what-is-the-advantage-of-u...

edpichler3y ago

"The European public DNS" sounds misleading to me.

somat3y ago

While I don't think it should be the only choice. Recursive dns does sound like the sort of service a government should offer it's citizens.

alpenbazi3y ago

nope. What do you do if your gov says "no" to your website? via your idea that would be a simple matter of seconds

somat3y ago

Then you use another choice, the internet is great like that, what do you do when google's resolver says "nope" to your domain?

jedisct13y ago

No support for Anonymized DNSCrypt nor ODoH. Guess they still want to see client IP addresses.

moffkalast3y ago

> 193.110.81.0

Ah yes, easy to remember /s

tinco3y ago

212.142.28.66 is an IP address of a DNS server that has been stuck in my mind for 25 years now. That said the time where anyone would regularly configure DNS settings is long gone I imagine.

ignoramous3y ago

You lived in a pre-smartphone era, which has made the rest of us dumb...

andix3y ago

Why do you need to remember the dns server address? I just type it in once.

moffkalast3y ago

Once on every device, VM, container, VPS, etc. That's a lot of times.

4 more replies

sgjohnson3y ago

The era of easy to remember DNS server addresses is coming to a close anyway, due to IPv6.

Cloudflare’s are 2606:4700:4700:1001:: and 2606:4700:4700:1111::

I’ve been deploying IPv6 recently and these addresses haven’t burnt into my brains yet, so I occasionally have to do `dig AAAA one.one.one.one` still.

moduspol3y ago

Coming soon: my public IPv6 dns at dead:beef::

1 more reply

andy_ppp3y ago

Not everyone has the resources of a Google to acquire lucky IP addresses.

londons_explore3y ago

If you have no working DNS, it's hard to google stuff...

There are two types of people - those that just want dns to work at all so they can get stuff done, and those who have working dns but want to 'upgrade' for privacy/filtering reasons.

moffkalast3y ago

Well you'd think the EU would have more resources than a single company.

5 more replies

userbinator3y ago

My phone number is a little longer and yet I remember it, along with my own public IP address as well as my physical one. It depends how much you need to use it, of course.

denton-scratch3y ago

I rarely phone myself. When my number changes, it takes me about a year before I can remember the new one. Numbers I actually call are much easier to memorize.

dschuetz3y ago

No, thanks.

oriettaxx3y ago

Note that for the iphone's configuration to work, you need to use Safari to open their "configuration profile" link

andridk3y ago

Unbelievable that so many operating systems don't support encrypted DNS out of the box.

tambre3y ago

No IPv6 in 2023, is this a joke?

sschueller3y ago

They are listed under Linux:

   [Resolve]
   DNS=193.110.81.0#dns0.eu
   DNS=2a0f:fc80::#dns0.eu
   DNS=185.253.5.0#dns0.eu
   DNS=2a0f:fc81::#dns0.eu
   DNSOverTLS=yes

mhitza3y ago

There's IPv6, but I see it's not suggested by default except for Linux configuration and on the Others tab.

f_devd3y ago

They do have a IPv6 address under Linux & Others if that's what you mean

acatton3y ago

From the "other" tab:

> DNS53 (IPv6)

> 2a0f:fc80::

> 2a0f:fc81::

1 more reply

Mindwipe3y ago

Doesn't disclose where their blocklists come from for the child product, hugely overblocks legitimate websites, has no appeals process for miscatagorisation.

What an awful product.

daneel_w3y ago

Can you provide any examples of legitimate sites that they block on their "zero" resolvers?

daneel_w3y ago

I'll answer the question myself by providing an example I saw elsewhere, which also illustrates that their "default" resolver differs from the curated "zero" resolver:

  dig @193.110.81.0 uni.cf a
  
  status: NOERROR, ANSWER: 2
  IN  A  67.199.248.12
  IN  A  67.199.248.13
  
  
  dig @193.110.81.9 uni.cf a

  status: NXDOMAIN, ANSWER: 0
  IN  A

RobotToaster3y ago

I just use OpenNIC

https://www.opennic.org/

tuananh3y ago

it's so slow for me. probably only deployed in Europe.

8fingerlouie3y ago

So the end of NextDNS ?

theshrike793y ago

NextDNS lets me pick what to block, I can't configure DNS0 except for the few variants that require me to change the DNS address completely.

Also: I can't pay for DNS0, so how can I trust they stay up when I'm not their customer?

parminya3y ago

1 more reply

breton3y ago

How can you trust they stay up when you are their customer and pay them?

2 more replies

helb3y ago

NextDNS founders launched this…

eterevsky3y ago

It has quite extreme filtering:

- No porn or other adult websites

- No explicit search results

- No mature videos on YouTube

- No dating websites or apps

- No mixed-content websites

- No piracy

- No ads

b3orn3y ago

That seems to be only the case for the "childproof" version.

eterevsky3y ago

Ah, right, it has different DNS IPs.

Timshel3y ago

Unless I'm missing something this is the filtering for `kids.dns0.eu` not the ones on `dns0.eu`.

0x001010103y ago

bragr3y ago

This is run by a French non-profit, not the EU government. What are you on about?

msm_3y ago

This slope is very slippery. This is an optional service that you can use, or ignore. Your position is like saying that kids-safe movies are a feature today, but will become mandatory in the future.

H4ZB73y ago

> 100% European

but is it gluten free? /s at least it's not google or cloudflare

it's pretty funny how a completely irrelevant broken protocol that i don't actually needed (could just type the 4 IP digits) is the central talking point of politics junkies

j / k navigate · click thread line to collapse