Someone decides what "children" means. Someone decides what "safe" means.
There are people who think that not just under-16s, but almost everyone is incapable of making adult decisions. And different (responsible, informed) adults may come to different conclusions about what is and isn't safe.
Curated DNS may suit some people, but I appreciate having access to the real internet.
They offer three families of resolvers: the default one which as far as I understand isn't curated at all, the "zero" one which is curated against "bad actors", and the "kids" one which you speak of.
Yeah, I see. On first reading, that wasn't obvious to me.
But a DNS provider that can filter, and that also purports to be something to do with the EU, presumably imposes EU-mandated filtering, whichever server you choose. Or it will, as soon as it's ordered to.
I don't get why people use 3rd-party resolvers. It's not hard to set up an Unbound recursor.
IMHO the only solution for real safety for children on internet are the parents that navigate with the child and education, any other solution is only a patch that give false security. And, above all, you're giving to other people the right to choose what is good or bad for your children. Not my way.
When I first encountered pizza, I was a kid, and it was in France. For quite a few years, I thought pizza was a French thing.
I'm not sure what your point is. I read the article because I'm interested in DNS; not because I'm researching 3rd-party resolvers. I run my own Unbound recursor.
> I always wonder about people who go to a French restaurant and want Pizza.
To be fair, this is more like trying to lookup contact information for the local pizzeria, and realizing to your surprise that the phone book you've picked up has directed you to the French restaurant instead.
I think there may be a 5-year window, perhaps from 60-65, when you are old enough but not too old. Older, and you're child-like because you're senile; younger, and you're naive, reckless, and under-informed.
If anyone's wondering which are the "High-risk TLDs" blocked in the "zero" filter: CF, CG, GA, GQ, ML, TK, TOP, WIN (right now, I guess it may change any time)
The "kids" filter blocks the same TLDs, so it allows XXX or PORN, I guess they just block individual 2nd level domains.
I just looped through IANA's TLD list with a simple script to get this. The resolver returns NXDOMAIN with "negative-caching.dns0.eu." SOA for the blocked ones:
It seems pretty ridiculous to block those domains outright. There are plenty of legitimate government, tourist and local sites, which could at least be whitelisted.
"They've blocked UNICEF's link shortener: https://uni.cf"
Which I consider a good thing, why route links through the influence space of a country that is in a civil war with foreign mercenaries running parts of the show?
> Their branding and wording makes it look like they are
Because the website is blue and mentions "European Union"?
It doesn't say anywhere that it's a official EU project, nor does it contain some of the famous "banners" that EU projects usually have in the footer to show their grants/funding, nor is it on a official EU domain.
It seems like they went through enough trouble to ensure that the page is translated into the official languages of the EU which is usually only something you see on EU websites. For that reason, it does appear official'ish at first glance.
Maybe something is wrong in my browser, but changing the language just changes the tagline at the top, the rest of the body remains untranslated (English), except for French (founders are French) which translates the entire page.
Actually my impression is that they have done a good job of targeting the EU market and its languages without suggesting that they have any official connection to the EU. There's neither a flag nor a logo and the background blue is, to my eye at least, not the azure of the EU flag.
(Although curiously they call their background colour bg-european-blue in their CSS.)
Sure, but “European public…” definitely sounds like it’s a service offered by some pan-European government body. In hindsight I understand this isn’t how it was intended.
Pity they couldn't get a cool IP address like Cloudflare and Google. Since without some source of DNS you can't reach dns0.eu it's good to have something memorable like 1.1.1.1 or 8.8.8.8
yeah I think that's really a big shortcoming. It probably comes down to funding, but it results in a big usability issue. I'll never remember those IPs, and when I can so easily remember 1.1.1.1 and 8.8.8.8, it's obvious what I'm always going to choose.
Do not go to this site with enabled javascript! They spam your uplink DNS provider with thousands of unique, uncachable (fingerprinting?) 'test' dns keys without your consent, to identify & track the DNS service you are using!
Since they don't seem to be mentioned on their website, DNS Stamps are sdns://AgMAAAAAAAAAACCaOjT3J965vKUQA9nOnDn48n3ZxSQpAcK6saROY1oCGQdkbnMwLmV1Ci9kbnMtcXVlcnk ("zero" version) and sdns://AgMAAAAAAAAAACCaOjT3J965vKUQA9nOnDn48n3ZxSQpAcK6saROY1oCGQxraWRzLmRuczAuZXUKL2Rucy1xdWVyeQ ("kids" version).
For one, on NextDNS I can configure exactly what I want to block (i.e. enable arbitrary combinations of ad filter lists, whitelist domains etc.). This introduces complexity (IPv6 DNS addresses, binding your external IPv4 to a specific configuration etc.)
With DNS0 I just get an IPv4 address that blocks X, Y and Z.
So NextDNS is sort of the power user version of DNS0.
DNS is not a "vanity project", it's a massive issue in terms of internet governance. We've known this since the '90s, which is why the EU is starting its own service (that is not this one). I doubt this project got any EU funding, or is likely to ever get any EU money at all; in fact, it looks like a last-gasp attempt from a private DNS company to remain relevant.
DNS4EU is yet another EU vanity / pork barrel project. DNS resolvers are commercial failures as you point out and DNS4EU is going to do nothing to change that.
There is an EU fund for silly projects like Gaia-X which are mostly about vanity rather than actually producing anything useful. I am suggesting they've formed a non-profit to try and benefit from this fund.
Yeah I don't see what's silly about providing a resolver with the features being offered, no matter the "EU" branding or official project funding. Right off the bat I'm willing to bet these guys are more genuine and honest about privacy/integrity than e.g. Google.
> It's the way the EU is funding technology projects.
I personally think that's a good thing, to provide funding and opportunity for gratis service projects with less risk of deviating in the way things often do in commercial context where revenue is the top priority.
Gaia-X isn't EU funded, it was just endorsed by EU parliament members. It's actually funded by different entities in the manufacturing industries (like car manufacturers). EU funded projects have distinctive markers on their pages.
The EU Commission has a DNS project that they tendered to various private companies. They want the majority of EU internet through something they can directly regulate and control EU internet users.
DNS is a very cheap service to run so I wonder if the founders intended to get a first mover advantage and to be subsumed into the project
I wish they'd put more resolvers around the globe. I have 10ms ping to the nearest Cloudflare colocation, but around 100ms to quad9. It makes browsing the web so much slower.
Keep your sarcasm to yourself. Multiply 90ms by sometimes dozens of domains modern websites like to load from. Occasionally ISP reroutes me to another Cloudflare colocation and ping to 1.1.1.1 rises to 20-25 ms. It's easily noticeable. I like to play the guessing game, and almost always "win".
I had the same issue here in Sweden. 1.5 second delays on some lookups. I opened a ticket and worked with them to isolate the issue, which they then fixed. They were very helpful and very knowledgeable for L1 support.
They could be giving out different IP (or CNAME) for people using their DNS. Then the site is just slightly different depending on how it is accessed. or i suppose they could be looking at logs of the ips using their dns and checking all visitors to the website, but that would be wild.
ooh they could also have a host that is only resolvable from those servers, and have the front end dynamically load that message from that host. and if it fails it does not show anything.
My router runs Unbound in order to rotate queries across a number of different DNS-over-TLS providers. I'll toss these guys into the mix as well out of curiosity just to see how it goes.
Better to send your queries to a single DNS provider (over TLS/HTTPS) rather than spread it out, because now, not one but multiple providers can build your browsing history. As someone who runs a public DNS resolver, I can tell you that it isn't that hard to build user profiles.
If you're running Unbound, might as well recurse DNS queries, instead of upstreaming it. If you are adamant on spreading DNS queries across multiple upstreams; doing so over ODoH and/or Anonymized DNSCrypt is what I'd recommend.
>"Better to send your queries to a single DNS provider (over TLS/HTTPS) rather than spread it out, because now, not one but multiple providers can build your browsing history."
What I'm wary about is indeed query logging and profiling, but whether it's one provider or a dozen providers isn't that relevant to me. I make a small effort in trying to gauge which providers are honest and which ones are not.
>"As someone who runs a public DNS resolver, I can tell you that it isn't that hard to build user profiles."
Yes, I understand this. May I ask why you/RethinkDNS are doing this with your users' query data?
You will forgive me for thinking "mmmmmmm-hmmmmmm" when you say that after your initial comment on how easy it is in light of running a public resolver yourself.
Ideally, one should think that for every dns resolver they use.
As one example, even when a popular configurable dns resolver says they don't store logs outside the EU, they might yet be caching those logs and analytics with AWS and GCP servers all over the world.
Btw, Rethink is FOSS (https://github.com/serverless-dns/serverless-dns), and its deployment logs are inspectable right on GitHub. Not saying you should trust us, but that's already more transparency than most resolvers (speak nothing of vague / cute privacy policy). Anyhow, our focus with Rethink has mainly been anti censorship / anti surveillance, and nothing much else.
Given the restrictions on this server which won't be on the other, adding it to a rotating list will make DNS answers inconsistent. Why would you want to do that?
CIRA, Canada's Internet Registry, runs a number of public DNS servers[1]. The main attraction is that the service is provided by a non-profit and the data and control are held in Canada, subject to Canadian laws and regulation.
They also offer a number of levels of protection, from none (simply resolving the queries) to one blocking suspected malware/C2 domain and one blocking pornographic material.
They make it seem like they're affiliated with the EU, from brand colors, to TLD, and more. But of course they're unaffiliated. Seems intentionally deceptive.
The blurb makes it crystal clear that it's talking about location or situs. In other words, regulated by EU regulations. The TLD is specifically for sites that are "in" the EU (as opposed to being "by" the EU).
While I don't think it should be the only choice, recursive dns does sound like the sort of service a government should offer its citizens.
Authoritative dns also sounds like the sort of service a government should offer its citizens. I mean, sure, it would suck compared to commercial dns, but at least everybody could have a name if they wanted.
Then you use another choice, the internet is great like that, what do you do when google's resolver says "nope" to your domain?
Personally, all my devices run through my own recursive resolver which in turn directly resolves the address. Then I get to say "nope" to whatever domains I want (mainly ad services). Except for those thrice infernal dns over https devices, hard to police them that way.
212.142.28.66 is an IP address of a DNS server that has been stuck in my mind for 25 years now. That said the time where anyone would regularly configure DNS settings is long gone I imagine.
My devices get their dns servers via DHCP. So I enter it only once on the DHCP server.
If you’re running so many devices, you probably want to use your own DNS server too (for internal name resolution), so you can also set the upstream just there.
If you have no working DNS, it's hard to google stuff...
There are two types of people - those that just want dns to work at all so they can get stuff done, and those who have working dns but want to 'upgrade' for privacy/filtering reasons.
They're not random, they're a French non-profit (created by cofounders of nextdns, btw). Why wouldn't people trust them? In my country most people use a DNS hosted by their ISP, and there are a lot of small ISPs all around. I suspect it's similar everywhere. How is it different?
And anyway, I trust a random French small company more than I trust Google.
Well yes exactly, the only reason you'd switch to a trusted service over a default is to hopefully shield from DNS poisoning and other shenanigans. It would need to be a proven trustworthy service, and just about anyone with a few hours of spare time and literally no cash can open a French NGO, they've got the lowest barrier for entry of any EU country. Just slapping on a nextdns logo doesn't mean shit. It's completely pointless unless it's an EU official government service financed directly by our tax dollars.
Google has a reputation to uphold, so while you can be certain they'll be datamining the shit out of your requests they are also unlikely to be direct malicious actors.
It's the "anycast" mapping of the IP to geographically and network diverse hosts to connect the user to the "closest" (for some value of latency that stays within the data governance jurisdiction).
To do this, you basically have to own a large enough IP block that backbones will deal with it, and route map it.
My phone number is a little longer and yet I remember it, along with my own public IP address as well as my physical one. It depends how much you need to use it, of course.
I rarely phone myself. When my number changes, it takes me about a year before I can remember the new one. Numbers I actually call are much easier to memorize.
Doesn't disclose where their blocklists come from for the child product, hugely overblocks legitimate websites, has no appeals process for miscategorisation.
I'll answer the question myself by providing an example I saw elsewhere, which also illustrates that their "default" resolver differs from the curated "zero" resolver:
dig @193.110.81.0 uni.cf a
status: NOERROR, ANSWER: 2
IN A 67.199.248.12
IN A 67.199.248.13
dig @193.110.81.9 uni.cf a
status: NXDOMAIN, ANSWER: 0
IN A
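An added example (my own code, not the commenter's script or anything from dns0.eu) that turns the two observations above, the TLD sweep that flagged blocked names by an NXDOMAIN carrying a negative-caching.dns0.eu. SOA, and the uni.cf comparison between 193.110.81.0 and 193.110.81.9, into a reusable classifier. The lookup function is injected so the logic runs offline on constructed responses; the dnspython-based live lookup is an assumed, optional extra.

```python
"""Classify names as blocked/resolved/absent from resolver responses.
Blocking signature: NXDOMAIN whose AUTHORITY SOA names negative-caching.dns0.eu."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

BLOCK_SOA = "negative-caching.dns0.eu."


@dataclass
class Response:
    rcode: str                                  # "NOERROR", "NXDOMAIN", "SERVFAIL", ...
    answers: List[str] = field(default_factory=list)   # A records, as text
    soa_names: List[str] = field(default_factory=list) # owner + MNAME of AUTHORITY SOA


def classify(resp: Response) -> str:
    """Return 'blocked', 'resolved', 'absent' or 'error' for one lookup."""
    if resp.rcode == "NXDOMAIN":
        # A synthesized NXDOMAIN carries the filter's own SOA; a genuinely
        # non-existent name carries the parent zone's SOA instead.
        return "blocked" if BLOCK_SOA in resp.soa_names else "absent"
    if resp.rcode == "NOERROR":
        return "resolved"
    return "error"


def scan(names: List[str], lookup: Callable[[str], Response]) -> Dict[str, str]:
    """Map each name to its classification using the supplied lookup callable."""
    return {n: classify(lookup(n)) for n in names}


# Constructed sample responses modelled on the dig output quoted above.
FAKE: Dict[str, Response] = {
    "uni.cf":      Response("NXDOMAIN", soa_names=[BLOCK_SOA, "ns.dns0.eu."]),
    "example.com": Response("NOERROR", answers=["203.0.113.10"]),   # constructed IP
    "no-such.tld": Response("NXDOMAIN", soa_names=[".", "a.root-servers.net."]),
}


def fake_lookup(name: str) -> Response:
    return FAKE.get(name, Response("SERVFAIL"))


def live_lookup(name: str, server: str = "193.110.81.9") -> Response:
    """Assumed live variant using dnspython; only needed for a real sweep."""
    import dns.message, dns.query, dns.rcode, dns.rdatatype  # assumed installed
    r = dns.query.udp(dns.message.make_query(name, dns.rdatatype.A), server, timeout=3)
    soa = [rr for rr in r.authority if rr.rdtype == dns.rdatatype.SOA]
    names = [x for rr in soa for x in (rr.name.to_text(), rr[0].mname.to_text())]
    return Response(dns.rcode.to_text(r.rcode()),
                    [a.to_text() for rr in r.answer for a in rr], names)
```

Feed `scan` the IANA TLD list with `live_lookup` to reproduce the sweep; swap the server for 193.110.81.0 to confirm the default resolver answers instead.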
How can you trust any company you pay to stay up even if you are their customer? I've used discontinued products before. Paid subscriptions to companies that merge with others and the service no longer really exists.
DNS resolvers aren't that expensive to run. Besides, one of the founders of dns0.eu has already scaled and sold a venture-backed startup (DailyMotion: https://archive.is/4pN5e), and is currently employed as Director at Netflix. Pretty sure they can keep paying for dns0.eu servers for multiple decades. The only problem is maintenance, which is automatable to a large extent.
Today it's a feature. Tomorrow it becomes mandatory by law. Losing freedom with a big bang and a whole lot of happy people because they cannot compute. There is nothing good about things like that, at least in the long run.
This slope is very slippery. This is an optional service that you can use, or ignore. Your position is like saying that kids-safe movies are a feature today, but will become mandatory in the future.
but is it gluten free? /s at least it's not google or cloudflare
it's pretty funny how a completely irrelevant broken protocol that I don't actually need (could just type the 4 IP digits) is the central talking point of politics junkies