[Resolve]
DNS=193.110.81.0#dns0.eu
DNS=2a0f:fc80::#dns0.eu
DNS=185.253.5.0#dns0.eu
DNS=2a0f:fc81::#dns0.eu
DNSOverTLS=yes
> DNS53 (IPv6)
> 2a0f:fc80::
> 2a0f:fc81::
What an awful product.
dig @193.110.81.0 uni.cf a
status: NOERROR, ANSWER: 2
IN A 67.199.248.12
IN A 67.199.248.13
dig @193.110.81.9 uni.cf a
status: NXDOMAIN, ANSWER: 0
IN A
Also: I can't pay for DNS0, so how can I trust they stay up when I'm not their customer?
- No porn or other adult websites
- No explicit search results
- No mature videos on YouTube
- No dating websites or apps
- No mixed-content websites
- No piracy
- No ads
but is it gluten free? /s at least it's not google or cloudflare
it's pretty funny how a completely irrelevant broken protocol that i don't actually need (could just type the 4 IP digits) is the central talking point of politics junkies
That way they don't need to rely on grants or investors who usually need hockey stick growth and make the business do stupid things.
This is why I used to pay for pinboard (before the admin disappeared again) and still pay for Newsblur.
It's like Google's stuff. It's free, but you're not the customer, you're the product.
Ah, it's filtered.
Someone decides what "children" means. Someone decides what "safe" means.
There are people who think that not just under-16s, but almost everyone is incapable of making adult decisions. And different (responsible, informed) adults may come to different conclusions about what is and isn't safe.
Curated DNS may suit some people, but I appreciate having access to the real internet.
Yeah, I see. On first reading, that wasn't obvious to me.
But a DNS provider that can filter, and that also purports to be something to do with the EU, presumably imposes EU-mandated filtering, whichever server you choose. Or it will, as soon as it's ordered to.
I don't get why people use 3rd-party resolvers. It's not hard to set up an Unbound recursor.
You can choose which version to use, same with Cloudflare’s 3 different DNS choices.
I always wonder about people who go to a French restaurant and want Pizza.
I'm not sure what your point is. I read the article because I'm interested in DNS; not because I'm researching 3rd-party resolvers. I run my own Unbound recursor.
So, yeah…
To be fair, this is more like trying to look up contact information for the local pizzeria, and realizing to your surprise that the phone book you've picked up has directed you to the French restaurant instead.
$ kdig +tls www.youtube.com @kids.dns0.eu
…
;; QUESTION SECTION:
;; www.youtube.com. IN A
;; ANSWER SECTION:
www.youtube.com. 300 IN CNAME restrictmoderate.youtube.com.
restrictmoderate.youtube.com. 1611 IN A 216.239.38.119
The "kids" filter blocks the same TLDs, so it allows XXX or PORN, i guess they just block individual 2nd level domains.
I just looped through IANA's TLD list with a simple script to get this. The resolver returns NXDOMAIN with "negative-caching.dns0.eu." SOA for the blocked ones:
$ kdig +tls ns tk @zero.dns0.eu
…
;; ->>HEADER<<- opcode: QUERY; status: NXDOMAIN; id: 39321
…
;; QUESTION SECTION:
;; tk. IN NS
;; AUTHORITY SECTION:
tk. 300 IN SOA negative-caching.dns0.eu. hostmaster.tk. 0 1200 300 1209600 300
They've blocked UNICEF's link shortener: https://uni.cf
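Added example, not part of the original comments: a Python sketch of the check described above, telling a resolver-synthesised NXDOMAIN (SOA MNAME `negative-caching.dns0.eu.`, as in the `tk` output) apart from an ordinary one. The function names and every sample except the `tk` lines are constructed for illustration, and the input is assumed to be saved `kdig` text output.

```python
import re

# MNAME the thread reports in dns0.eu's blocking answers (from the tk output above).
BLOCK_MNAME = "negative-caching.dns0.eu."
STATUS_RE = re.compile(r"status:\s*([A-Z]+)")
# "<owner> <ttl> IN SOA <mname> <rname> ..." as printed in the AUTHORITY section.
SOA_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+SOA\s+(\S+)\s+(\S+)", re.MULTILINE)

def classify(kdig_output, block_mname=BLOCK_MNAME):
    """Return how one saved kdig response should be read."""
    status = STATUS_RE.search(kdig_output)
    if status is None:
        return "unparsed"
    if status.group(1) == "NOERROR":
        return "resolved"
    if status.group(1) != "NXDOMAIN":
        return "error:" + status.group(1)
    soa = SOA_RE.search(kdig_output)
    # A blocking resolver answers with its own SOA; a real NXDOMAIN carries
    # the SOA of the closest enclosing zone (the root, for a missing TLD).
    if soa and soa.group(2).lower() == block_mname:
        return "blocked-by-resolver"
    return "nxdomain-upstream"

def blocked_tlds(responses):
    """responses: {tld: kdig text}. Returns the TLDs the resolver blocks."""
    return sorted(t for t, out in responses.items()
                  if classify(out) == "blocked-by-resolver")

# Response lines quoted in the thread for "tk".
TK_SAMPLE = """;; ->>HEADER<<- opcode: QUERY; status: NXDOMAIN; id: 39321
;; QUESTION SECTION:
;; tk. IN NS
;; AUTHORITY SECTION:
tk. 300 IN SOA negative-caching.dns0.eu. hostmaster.tk. 0 1200 300 1209600 300
"""
# Constructed: a TLD that does not exist, answered with the root zone's SOA.
ROOT_NX_SAMPLE = """;; ->>HEADER<<- opcode: QUERY; status: NXDOMAIN; id: 1
;; AUTHORITY SECTION:
. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 1 1800 900 604800 86400
"""
# Constructed: a TLD that resolves normally.
OK_SAMPLE = """;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 2
;; ANSWER SECTION:
org. 3600 IN NS ns.example-ns.invalid.
"""

if __name__ == "__main__":
    samples = {"tk": TK_SAMPLE, "nosuchtld": ROOT_NX_SAMPLE, "org": OK_SAMPLE}
    print(blocked_tlds(samples))
```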
Which I consider a good thing, why route links through the influence space of a country that is in a civil war with foreign mercenaries running parts of the show?
Admittedly I don't live in the EU so to some of you folks the non-affiliation may seem obvious.
The webpage is too nice looking and lacking the 30 poorly resized 80x80 EU institution logos. So yeah, not affiliated ;P
Because the website is blue and mentions "European Union"?
It doesn't say anywhere that it's an official EU project, nor does it contain some of the famous "banners" that EU projects usually have in the footer to show their grants/funding, nor is it on an official EU domain.
Clearly a not-EU project from first glance.
Do not go to this site with enabled javascript! They spam your uplink DNS provider with thousands of unique, uncacheable (fingerprinting?) 'test' dns keys without your consent, to identify & track the DNS service you are using!
Take a look at your DNS outbound log yourself!
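Added example, not part of the original comments: one way to check an outbound DNS query log for the pattern described above, many distinct names under one parent domain that are each queried only once. The log format (`timestamp client qname qtype`), the names, the thresholds and the two-label parent heuristic are all assumptions made for this sketch.

```python
from collections import defaultdict

def parent_zone(qname, labels=2):
    """Naive parent: last `labels` labels (ignores multi-label public suffixes)."""
    parts = qname.rstrip(".").lower().split(".")
    return ".".join(parts[-labels:])

def single_use_bursts(log_lines, min_unique=5, max_reuse_ratio=0.1):
    """Return {parent zone: distinct names} for zones dominated by one-off names."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed or truncated lines
        qname = fields[2].lower()
        counts[parent_zone(qname)][qname] += 1
    flagged = {}
    for zone, names in counts.items():
        unique = len(names)
        repeated = sum(1 for c in names.values() if c > 1)
        # Ordinary browsing re-queries the same few names; probe names are
        # unique per test, so they never repeat and cannot be cached.
        if unique >= min_unique and repeated / unique <= max_reuse_ratio:
            flagged[zone] = unique
    return flagged

def sample_log():
    """Constructed log: 8 one-off probe names plus normal repeated lookups."""
    lines = [f"2023-01-01T00:00:{i:02d} 192.0.2.10 t{i:04x}a9.probe.example. A"
             for i in range(8)]
    lines += ["2023-01-01T00:01:00 192.0.2.10 www.example.org. A"] * 6
    lines += ["2023-01-01T00:02:00 192.0.2.10 mail.example.org. AAAA",
              "truncated line"]
    return lines

if __name__ == "__main__":
    print(single_use_bursts(sample_log()))
```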
But these are already present in the list of public encrypted resolvers (https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v...).
With DNS0 I just get an IPv4 address that blocks X, Y and Z.
So NextDNS is sort of the power user version of DNS0.
DNS is a very cheap service to run so I wonder if the founders intended to get a first mover advantage and to be subsumed into the project
https://www.quad9.net/service/service-addresses-and-features
How does the website know I'm using their DNS? I couldn't find anything in the HTTP header that would help them with this.
The JSON response contains 'status: "unconfigured"' when you're not using their resolver and 'status: "ok"' when you are: https://i.vgy.me/iVgIe1.png
That green bar just appears after a "ok" response (no page reload needed).
ooh they could also have a host that is only resolvable from those servers, and have the front end dynamically load that message from that host. and if it fails it does not show anything.
If you're running Unbound, might as well recurse DNS queries, instead of upstreaming it. If you are adamant on spreading DNS queries across multiple upstreams; doing so over ODoH and/or Anonymized DNSCrypt is what I'd recommend.
What I'm wary about is indeed query logging and profiling, but whether it's one provider or a dozen providers isn't that relevant to me. I make a small effort in trying to gauge which providers are honest and which ones are not.
>"As someone who runs a public DNS resolver, I can tell you that it isn't that hard to build user profiles."
Yes, I understand this. May I ask why you/RethinkDNS are doing this with your users' query data?
They also offer a number of levels of protection, from none (simply resolving the queries) to one blocking suspected malware/C2 domain and one blocking pornographic material.
[1] https://www.cira.ca/cybersecurity-services/canadian-shield
Authoritative dns also sounds like the sort of service a government should offer its citizens. I mean, sure, it would suck compared to commercial dns, but at least everybody could have a name if they wanted.
Personally, all my devices run through my own recursive resolver which in turn directly resolves the address. Then I get to say "nope" to whatever domains I want (mainly ad services). Except for those thrice infernal dns over https devices, hard to police them that way.
Ah yes, easy to remember /s
Cloudflare’s are 2606:4700:4700:1001:: and 2606:4700:4700:1111::
I’ve been deploying IPv6 recently and these addresses haven’t burnt into my brains yet, so I occasionally have to do `dig AAAA one.one.one.one` still.
There are two types of people - those that just want dns to work at all so they can get stuff done, and those who have working dns but want to 'upgrade' for privacy/filtering reasons.
AdBlock DNS also gives you full custom rules engine and DSL.
If you’re running so many devices, you probably want to use your own DNS server too (for internal name resolution), so you can also set the upstream just there.
I don't have time or care enough to debug intermittent network issues, if they no longer bother me.
>I don't have time or care enough to debug intermittent network issues, if they no longer bother me.
I see who's the problem now ;)
As one example, even when a popular configurable dns resolver says they don't store logs outside the EU, they might yet be caching those logs and analytics with AWS and GCP servers all over the world.
Btw, Rethink is FOSS (https://github.com/serverless-dns/serverless-dns), and its deployment logs are inspectable right on GitHub. Not saying you should trust us, but that's already more transparency than most resolvers (speak nothing of vague / cute privacy policy). Anyhow, our focus with Rethink has mainly been anti censorship / anti surveillance, and nothing much else.
(Although curiously they call their background colour bg-european-blue in their CSS.)
What I am calling silly is not dns0. It's the way the EU is funding technology projects.
I personally think that's a good thing, to provide funding and opportunity for gratis service projects with less risk of deviating in the way things often do in commercial context where revenue is the top priority.
And anyway, I trust a random French small company more than I trust Google.
5.4.0.0/14 (so 5.5.5.5) is Telefonica Germany. Same thing there.
Mercedes owns 53.0.0.0/8 which feels like a nice number for DNS too.
It's the "anycast" mapping of the IP to geographically and network diverse hosts to connect the user to the "closest" (for some value of latency that stays within the data governance jurisdiction).
To do this, you basically have to own a large enough IP block that backbones will deal with it, and route map it.
This helps make simple solutions accessible to a wider audience.
Sure you may not care if your children are watching porn at age 6 .. some may prefer to parent differently.
Giving people an option is not a bad thing, and it does not purport to be anything to do with the EU itself, just built for the EU market.
If you're the type of person to think Federal Express is part of the US government, that's partially on you.
* My children are in their thirties, and don't live with me. I live on my own now, but I was a good parent.
* I didn't suggest that using this service should be banned; I just asked why people don't run their own recursive DNS.
* And I have no idea where you got the notion that I confuse Fedex with the US government.
Source?
[Edit] So EU mandates will be enforced. Is that fact what you want a source for?
Google has a reputation to uphold, so while you can be certain they'll be datamining the shit out of your requests they are also unlikely to be direct malicious actors.