HACKER Q&A
📣 NotAWorkNick

Neutral DNS servers?


Hi HN - Here’s a question that I hope will generate some useful comments, suggestions and links.

Background for question: I normally run an internal DNS resolver with an upstream pool of 10-15 providers. These are normally a mix of Global Anycast servers (Quad9 etc) with some OpenNIC, YandexDNS etc thrown in towards the end to cover the ‘chilling effects’ blackholes.

Currently Yandex DNS is pinging a timeout (either due to black-holing or DDoS'ing, depending on where I connect to/from).

My question to HN is this – Given my ‘Information Wants To Be Free’ viewpoint, are there any DNS equivalents of Switzerland (WWII, Neutral to all parties) providers?


  👤 neilalexander Accepted Answer ✓
You could just run a recursive resolver yourself by using the root hints. You don't need to delegate your DNS queries onto a third-party resolver like Quad9.

https://www.iana.org/domains/root/files


👤 nfriedly
I know this isn't quite what you're asking for, but one idea is to set up a Pi-hole + unbound: https://docs.pi-hole.net/guides/dns/unbound/

Unbound is basically your own private DNS resolver and then Pi-hole lets you filter out whatever "junk" you don't want.


👤 nobody9999
>My question to HN is this – Given my ‘Information Wants To Be Free’ viewpoint, are there any DNS equivalents of Switzerland (WWII, Neutral to all parties) providers?

Presumably the root and authoritative servers. Which is why I use a local recursive resolver rather than any upstream/third party resolvers.

You should try it. It's easy and fun!


👤 nimbius
Google DNS should at this point be considered harmful. Devs love to hardcode it in resolvd because 'user experience', but there's ample evidence it's just analytics.

Quad 1 (Cloudflare) is reliable DoH, but comes from a company with a history of bloviating nonsense about internet freedom only to eagerly capitulate to Twitter lynch mobs and blacklist a customer or ten.

https://dnscrypt.info/public-servers/ will give you a nice list of DoH servers to try out. YMMV however, as many are sporadic.


👤 celsoazevedo
If you already run your own DNS resolver, query the root servers directly. No need to trust DNS providers when you can do the same thing yourself.

👤 nmjohn
Given you only mention censorship/chilling effect and not privacy - why isn't 8.8.8.8 sufficient? Have there been instances of domains it censored and stopped resolving that I'm not aware of?

I guess I'm confused on the benefit (theoretical or practical) one would get by using that variety of resolvers. Is it just to prevent theoretical censorship at the DNS level?


👤 yegor
Shameless self promotion: Try Control D - https://controld.com/free-dns

There are many different types of resolvers, blocking and unfiltered. We're adding global ECH support in the coming weeks. There is also a paid plan if you need more control.


👤 schleck8
ControlD, DNS.sb and LibreDNS for instance. The latter two are open source.

I think non-discriminating DNS providers are rather the norm and not an exception, though.


👤 kseistrup
You could try Uncensored DNS: https://blog.uncensoreddns.org/

👤 mike_d

  103.196.38.3
  103.196.38.8
Globally anycasted plain vanilla name resolution. I don't publicize it because I don't have anything to gain from more users, but you are free to use them.

👤 loxias
It's really not that hard to just run your own DNS server locally. Then you're not beholden to anyone. I recommend it.

👤 btdmaster
https://www.opennic.org/ and downstream providers from there are quite good: https://servers.opennic.org/

👤 stranded22
Personally, I use NextDNS on a paid plan (£17/year). Full control, can change to no logs, or logs stored in Switzerland. They have a free plan too.

👤 c0l0
I run and use https://resolv.us.to/ - you may do the latter, too.

👤 nix23
>Given my ‘Information Wants To Be Free’ viewpoint, are there any DNS equivalents of Switzerland

That's exactly why Quad9 changed its HQ to Switzerland:

https://www.switch.ch/news/quad9-moves-to-Switzerland/


👤 matoro
I use dnscrypt-proxy[0] which round-robins to a bunch of upstream servers, plus encryption.

[0] https://github.com/DNSCrypt/dnscrypt-proxy


👤 BrandoElFollito
Question after reading the (very interesting) answers: what is the downside of using the root servers instead of the well-known ones? (1.1.1.1, 8.8.8.8, ...)

Is it the cache that improves resolution speed in a meaningful way?

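Added example, not code from any commenter: a small offline model of what a recursive resolver does when it starts from the root hints (neilalexander's suggestion) and of why the cache matters (BrandoElFollito's question). It walks the referral chain root -> TLD -> authoritative, skips a server that times out, and keeps a TTL cache so the repeat lookup sends no queries at all. Every server, address and record in it is constructed (192.0.2.0/24 is the documentation range); the real thing, e.g. unbound with the IANA root hints file, does the same walk over UDP/TCP and adds DNSSEC validation on top.

```python
"""Iterative DNS resolution from root hints, modelled offline.

Added example (not code from the thread). All servers, addresses and
records are constructed; nothing here touches the network.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# A server reply: ("answer", rdata, ttl), ("referral", [(ns_name, ns_addr)], ttl)
# or ("nxdomain", None, ttl). None models a timeout (the blackholed-server case).
Response = Optional[Tuple[str, object, int]]
Transport = Callable[[str, str, str], Response]

# Constructed stand-in for the IANA root hints file: one root server address.
ROOT_HINTS = ["192.0.2.53"]

# Constructed view of what each server knows, keyed by server address.
SERVERS: Dict[str, Dict[Tuple[str, str], Response]] = {
    # root: knows only the .com delegation, with glue for two TLD servers
    "192.0.2.53": {("com.", "NS"): ("referral", [("a.tld.test.", "192.0.2.1"),
                                                 ("b.tld.test.", "192.0.2.2")], 172800)},
    # .com server: delegates example.com to its authoritative server
    "192.0.2.2": {("example.com.", "NS"): ("referral", [("ns1.example.com.", "192.0.2.10")], 172800)},
    # authoritative server: holds the final record
    "192.0.2.10": {("www.example.com.", "A"): ("answer", ["192.0.2.80"], 300)},
}
DOWN = {"192.0.2.1"}  # constructed: the first TLD server never answers


def fake_transport(addr: str, qname: str, qtype: str) -> Response:
    """Reply as the server at `addr` would: exact record, else closest delegation."""
    if addr in DOWN:
        return None
    zone = SERVERS[addr]
    if (qname, qtype) in zone:
        return zone[(qname, qtype)]
    labels = qname.split(".")
    for i in range(1, len(labels) - 1):          # example.com., then com.
        suffix = ".".join(labels[i:])
        if (suffix, "NS") in zone:
            return zone[(suffix, "NS")]
    return ("nxdomain", None, 3600)


class Clock:
    """Injectable clock so cache expiry can be driven deterministically."""
    def __init__(self) -> None:
        self.now = 0
    def __call__(self) -> int:
        return self.now


class Cache:
    """TTL cache keyed by (qname, qtype); expired entries are dropped on read."""
    def __init__(self, clock: Callable[[], int]) -> None:
        self.clock = clock
        self.entries: Dict[Tuple[str, str], Tuple[object, int]] = {}
    def get(self, key):
        hit = self.entries.get(key)
        if hit is not None and hit[1] > self.clock():
            return hit[0]
        self.entries.pop(key, None)
        return None
    def put(self, key, rdata, ttl):
        self.entries[key] = (rdata, self.clock() + ttl)


@dataclass
class Result:
    answer: Optional[List[str]]   # None means NXDOMAIN
    queries: int                  # queries actually sent for this lookup
    from_cache: bool


def resolve(qname, qtype, transport, cache, roots=ROOT_HINTS, max_hops=16) -> Result:
    """Iterate from the roots, following referrals until an answer or NXDOMAIN."""
    key = (qname, qtype)
    cached = cache.get(key)
    if cached is not None:
        return Result(cached, 0, True)
    servers = list(roots)
    queries = 0
    for _hop in range(max_hops):
        for addr in servers:
            queries += 1
            reply = transport(addr, qname, qtype)
            if reply is None:
                continue                      # timed out: try the next server in the set
            kind, data, ttl = reply
            if kind == "answer":
                cache.put(key, data, ttl)
                return Result(data, queries, False)
            if kind == "nxdomain":
                return Result(None, queries, False)
            servers = [a for _, a in data]    # referral: descend one level
            break
        else:
            raise RuntimeError(f"no server answered for {qname}")
    raise RuntimeError("referral chain too long")


if __name__ == "__main__":
    clock, cache = Clock(), Cache(clock)
    print(resolve("www.example.com.", "A", fake_transport, cache))  # 4 queries, one timeout
    print(resolve("www.example.com.", "A", fake_transport, cache))  # served from cache
```

The first lookup costs four round trips (root, the dead TLD server, the live TLD server, the authoritative server); the second costs none until the 300-second TTL expires. That is the whole trade-off behind "roots vs 8.8.8.8": a big shared resolver has a warm cache for almost everything, a private one pays the referral walk on first contact but answers to nobody else.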

👤 jiveturkey
huh. Why aren't you simply querying the roots and from there the SOA for any domain?

👤 pabs3
I just do this to get a neutral DNSSEC supporting recursive DNS resolver:

apt install unbound


👤 snovv_crash
You could try using a DNS provider that's actually in Switzerland...

👤 amitbakhru
1.1.1.1 1.0.0.1

👤 upnick
You might want to look up "geo-politically stable" web hosting. Aside from that, Epik.com has traditionally been quite supportive of free speech (even if it's Trump supporters).

👤 moltke
The DNS (as it exists today) is supposed to be the equivalent of Switzerland. The internet community has said over and over again they're not interested in censoring the internet or removing any group of people from it.

It sounds like what you really want is your own recursive resolver.


👤 axiosgunnar
Note that even Switzerland could not stay neutral this time and enacted severe sanctions against Russia.

Maybe staying neutral has the higher cost to a free society (and thus „information wanting to be free“) in the long term?