Nah, I don’t want someone else to decide (a) what is safe for me, and (b) what my kids should have access to. This is a decision that I won’t delegate to anyone, but me. My primary concern is privacy – once they have the data, it is just a matter of time before it is abused. 1984.
That said, this may be a good option for technically-challenged parents, who just want a safer internet for their kids, and do not wish to pay for various anti-virus companies selling them the notion of “safer internet” and “internet monitoring”. Of course, the challenge is, the kids should not have Administrator or root access to the device, otherwise they can simply change the DNS back to 8.8.8.8.
I agree. It’s a shame that they don’t offer an un-censored service. Other than I think children (and bad actors) are probably both able to get around DNS based censorship these days.
They should really work on their page then. I just re-checked. While I saw both the kids and the zero version I actually can’t tell what the difference between zero and the regular is.
And are you sure? Zero says:
Massively increase the catch rate for malicious domains — especially in their brutal early hours — by combining human-vetted threat intelligence with advanced heuristics that automatically identify high-risk patterns.
Which to me sounds like “it does filtering, like regular, but more”. While the landing page explicitly states “Integrated protection against millions of malicious domains — from phishing websites to C&C servers.” without the context of zero.
You can run your own caching DNS server quite easily. Obviously this server is contacting third parties in order to satisfy queries but there is no single third party that can see everything you’re looking up.
Yes, and with something like unbound the resource overhead of running your own recursive resolver is so small that you can not only run one for yourself, you can run one locally on each of your machines.
I have mine configured to use 4MiB of RAM, which is low enough that it’s not going to make a difference compared to running a non-recursing stub resolver like systemd-resolved, but high enough to have a very high cache hit rate.
Yes indeed. 4MB is on the low-ish side, but even if you miss the cache it still won’t hit your ISP’s resolver - it will just recourse again through the hierarchy of authoritative DNS servers.
Honestly, 4 MiB sounds like a lot. DNS queries have got bigger with DNSSEC and have grown CPU overhead for the same reason, but the total state required is well under ten times what it was 20 years ago. DNS only recently moved to TCP, before that every request and response had to fit in a single Internet MTU packet. 4 MiB is a lot of responses at that size. 20 years ago, 16 MiB of total RAM was enough for a caching resolver for a network with a couple of thousand machines, using BIND. Unbound has lower resource requirements than BIND.
^^^ This. I have similar configuration of unbound, with oisd.nl blocklist on a OpenBSD pcengines router, and it makes for reasonably safe experience for my home network.
But those are also third-parties, I think that’s the point of the comment you’re replying to. What is the difference between your provider and another third-party?
I have a contractual relationship with them. I can raise a consumer protection complaint against them if they’re doing suspicious things with my DNS requests.
OK, fine. But they are third parties I trust more than the dudes from NextDNS.
What I meant by “third parties” was “random third parties with questionable track records when it comes to net neutrality”. Apologies for not making it more clear. :P
I think that when it comes to DNS the relationship between me and the providers needs to be one of trust.
I trust my provider more than dns0.eu because I have a contractual relationship with them that I can leverage if something goes wrong. I don’t care which upstream DNS they use, because they are the ultimate bearers of responsibility towards me.
I trust opendns more because they have a proven track record and don’t have outside incentives to track my DNS queries.
Yeah, I’m with you. DNS-based ad-blocking sure, but not keen on “safe and supervised Internet for kids”. In my experience that can mean anything that isn’t FANG and explicitly approved can get blocked. Or naïve word based blocking that means I can’t visit a Wikipedia page on cryptography because it’s associated with “hacking”. XD
I’m not sold either, but it’s worth noting they have two different levels of filtering. The “adult” one still has porn, and, potentially, stuff like hacking and so on. To get the extra filter for kids, you need to explicit use the kids DNS url.
I suppose the idea is that parents would put that in the home WiFi, or phones they hand to small children.
Could still be badly used, or even abused, of course.
A friend that works in internet infrastructure said that using third party DNS (like google DNS, for instance) almost invariably makes things slower, because your ISP DNS will always be closer, and likely have smaller load.
Anyone knowledgeable on the subject cares to weigh in? Does this has the same issue?
There are multiple layers to that. And it’s not true that they are always slower.
First of all a lot of them are fast, especially if they are popular and cache everything. So they don’t have to query upstream.
Google, etc. put DNS caches into Internet Exchanges and ISP data centers. So they may be just as close.
Sadly some ISPs have badly configured DNS servers.
But the speed part is typically blown out of proportion, because things you use will likely be cached at least once on your system. Most OSs ship with a local caching DNS server (or a library doing that) and even browser cache DNS records.
So in the end it rarely even matters. If you have an application where it would matter, you’d likely make sure things are cached. closed. So you probably only care if you somehow have an application where you query a lot of different hosts basically all the time. Other than maybe running a crawler or something I can’t really imagine many application. And even then you probably don’t care if the first request to a host takes milliseconds longer, potentially.
Reasons to care are when your ISP’s DNS server is badly maintained, does some sort of censorship, doesn’t offer features you want to use, etc. The big browsers will use DNS over HTTPS with a pre-defined server, so skip your OS/DHCP setting altogether, unless you manually change it.
In terms of security I am unsure whom to trust more. Some big corporation that might be a juicy target, where probably a lot of people interact with it, but which might have good policies, or a small one that anyways is able to track which IPs you connect to. The other side of security is around encryption.
First of all not only browsers use DNS. And then the linked page explicitly state that it supports DNS over HTTPS. And re-states it if you click on Browsers.
Nah, I don’t want someone else to decide (a) what is safe for me, and (b) what my kids should have access to. This is a decision that I won’t delegate to anyone, but me. My primary concern is privacy – once they have the data, it is just a matter of time before it is abused. 1984.
That said, this may be a good option for technically-challenged parents, who just want a safer internet for their kids, and do not wish to pay for various anti-virus companies selling them the notion of “safer internet” and “internet monitoring”. Of course, the challenge is, the kids should not have Administrator or root access to the device, otherwise they can simply change the DNS back to 8.8.8.8.
I agree. It’s a shame that they don’t offer an un-censored service. Other than I think children (and bad actors) are probably both able to get around DNS based censorship these days.
They do. There are 3 sets of DNS proposed: regular (uncensored), zero, and kids.
They should really work on their page then. I just re-checked. While I saw both the kids and the zero version I actually can’t tell what the difference between zero and the regular is.
And are you sure? Zero says:
Which to me sounds like “it does filtering, like regular, but more”. While the landing page explicitly states “Integrated protection against millions of malicious domains — from phishing websites to C&C servers.” without the context of zero.
isnt this just an advert?
Well I didn’t think so. It seems to be an announcement. I’m interested in alternatives in this space. Google, quad9, cloudflare etc.
Who owns this? I’m not ready to hand all my DNS queries to third parties.
Wait where were you sending your DNS queries if not to a third party? Phone book?
Personally I only use carrier pigeons for my DNS queries.
It’s certainly a solution, but one I have a hard time propagating.
I’m pretty sure they’ve successfully propagated without your assistance for tens of millions of years.
You can run your own caching DNS server quite easily. Obviously this server is contacting third parties in order to satisfy queries but there is no single third party that can see everything you’re looking up.
…where does your caching DNS server cache from? A rotating array of other DNS providers?
Your caching DNS server queries the authoritative name servers for the names it’s looking for, bootstrapped by the root name servers.
This is what something like dns0.eu is doing, you’re just doing the same thing on a small scale for yourself.
Yes, and with something like unbound the resource overhead of running your own recursive resolver is so small that you can not only run one for yourself, you can run one locally on each of your machines.
I have mine configured to use 4MiB of RAM, which is low enough that it’s not going to make a difference compared to running a non-recursing stub resolver like systemd-resolved, but high enough to have a very high cache hit rate.
Wait. This won’t hit, like, my ISP provider? With 4 MB of RAM?
DNS is an unencrypted protocol, and there’s nothing preventing your ISP from doing deep packet inspection. But it won’t hit your ISP’s DNS server.
Yes indeed. 4MB is on the low-ish side, but even if you miss the cache it still won’t hit your ISP’s resolver - it will just recourse again through the hierarchy of authoritative DNS servers.
Honestly, 4 MiB sounds like a lot. DNS queries have got bigger with DNSSEC and have grown CPU overhead for the same reason, but the total state required is well under ten times what it was 20 years ago. DNS only recently moved to TCP, before that every request and response had to fit in a single Internet MTU packet. 4 MiB is a lot of responses at that size. 20 years ago, 16 MiB of total RAM was enough for a caching resolver for a network with a couple of thousand machines, using BIND. Unbound has lower resource requirements than BIND.
^^^ This. I have similar configuration of unbound, with oisd.nl blocklist on a OpenBSD pcengines router, and it makes for reasonably safe experience for my home network.
My provider, or OpenDNS.
But those are also third-parties, I think that’s the point of the comment you’re replying to. What is the difference between your provider and another third-party?
I have a contractual relationship with them. I can raise a consumer protection complaint against them if they’re doing suspicious things with my DNS requests.
OK, fine. But they are third parties I trust more than the dudes from NextDNS.
What I meant by “third parties” was “random third parties with questionable track records when it comes to net neutrality”. Apologies for not making it more clear. :P
Wait so what happens after your provider? I don’t know anything about DNS /s
I don’t think you need to get sarcastic on me.
I think that when it comes to DNS the relationship between me and the providers needs to be one of trust.
I trust my provider more than dns0.eu because I have a contractual relationship with them that I can leverage if something goes wrong. I don’t care which upstream DNS they use, because they are the ultimate bearers of responsibility towards me.
I trust opendns more because they have a proven track record and don’t have outside incentives to track my DNS queries.
Do these things make sense to you? They do to me.
It’s on the home page.
Sure, OK. As far as I remember NextDNS is a service that wanted to filter DNS requests towards “the bad people”, I’m not sure I’m interested in that.
Yeah, I’m with you. DNS-based ad-blocking sure, but not keen on “safe and supervised Internet for kids”. In my experience that can mean anything that isn’t FANG and explicitly approved can get blocked. Or naïve word based blocking that means I can’t visit a Wikipedia page on cryptography because it’s associated with “hacking”. XD
I’m not sold either, but it’s worth noting they have two different levels of filtering. The “adult” one still has porn, and, potentially, stuff like hacking and so on. To get the extra filter for kids, you need to explicit use the kids DNS url.
I suppose the idea is that parents would put that in the home WiFi, or phones they hand to small children.
Could still be badly used, or even abused, of course.
Yes, they list that as well: Newly Registered Domains (NRD) Newly Active Domains (NAD) Domain Generation Algorithms (DGA) and similar categories.
All DNS queries go to third parties.
A friend that works in internet infrastructure said that using third party DNS (like google DNS, for instance) almost invariably makes things slower, because your ISP DNS will always be closer, and likely have smaller load.
Anyone knowledgeable on the subject cares to weigh in? Does this has the same issue?
There are multiple layers to that. And it’s not true that they are always slower.
First of all a lot of them are fast, especially if they are popular and cache everything. So they don’t have to query upstream.
Google, etc. put DNS caches into Internet Exchanges and ISP data centers. So they may be just as close.
Sadly some ISPs have badly configured DNS servers.
But the speed part is typically blown out of proportion, because things you use will likely be cached at least once on your system. Most OSs ship with a local caching DNS server (or a library doing that) and even browser cache DNS records.
So in the end it rarely even matters. If you have an application where it would matter, you’d likely make sure things are cached. closed. So you probably only care if you somehow have an application where you query a lot of different hosts basically all the time. Other than maybe running a crawler or something I can’t really imagine many application. And even then you probably don’t care if the first request to a host takes milliseconds longer, potentially.
Reasons to care are when your ISP’s DNS server is badly maintained, does some sort of censorship, doesn’t offer features you want to use, etc. The big browsers will use DNS over HTTPS with a pre-defined server, so skip your OS/DHCP setting altogether, unless you manually change it.
In terms of security I am unsure whom to trust more. Some big corporation that might be a juicy target, where probably a lot of people interact with it, but which might have good policies, or a small one that anyways is able to track which IPs you connect to. The other side of security is around encryption.
I am on century link, the only DNS server they can run is into the ground. CloudFlare and Google area always faster and more reliable.
What browsers aren’t using DNS over HTTPS yet?
First of all not only browsers use DNS. And then the linked page explicitly state that it supports DNS over HTTPS. And re-states it if you click on Browsers.
What about Europeans on other continents? They should have local DNS resolvers in all geos.