2716057 4 days ago

The workarounds on this page mostly suggest using large public resolvers. Feature request (not sure if the author is on HN): it would be interesting to know which domains are blocked by 9.9.9.9, 1.1.1.1, and especially the new DNS4EU service.

p2detar 4 days ago | parent | next

Thanks so much for this. I had never heard of DNS4EU before.

https://www.joindns4.eu/about

sunaookami 4 days ago | parent | next

"Supported by the European Commission" is a massive red flag.

fsflover 7 hours ago | parent

It isn't.

nicce 4 days ago | parent | prev | next

A few years ago I would have been happy about such a service at the EU level. Now I just fear how they are planning to misuse it.

throw28158916 4 days ago | parent | prev

Sadly dns4eu does not support the dnscrypt protocol, which is a deal-breaker in 2025 if you ask me.

rfl890 4 days ago | parent

Why isn't DoT sufficient?

throw28158916 4 days ago | parent

I am not an expert, but I read this website [1] and got the impression that dns-over-tls is the first iteration of encrypted DNS and the dnscrypt protocol is the second iteration of encrypted DNS, fixing its problems. Also, dns-over-tls is not supported by the dnscrypt-proxy2 package on OpenWrt, and I have a personal bias against configuring dns-over-https on routers (in my opinion HTTPS is too complex a protocol and has a risk of getting hacked). Maybe I am alone with my opinions - I do not know. I wanted to use dns4eu and got really disappointed that it does not support dnscrypt. That's all.

[1] https://dnscrypt.info/faq

nicce 4 days ago | parent

Looking at the list of negative sides of DNS over TLS (DoT) in there, this project seems to list artificial problems, which makes me want to avoid the whole project. Maybe there are real benefits to using this protocol, but they should not make the list of problems look longer than it actually is.

The project especially lists the problems of TLS. TLS is one of the most understood, tested, and well-defined protocols and can be abstracted away at the implementation level. Nothing prevents forcing TLS 1.3 either, which removes most of the other problems described.

This especially sounds odd:

> Questionable practical benefits over DoH

But DoH brings the full TLS stack and the HTTP stack as well? At the same time the project complains about increased attack surface in DoT, but DoH just extends it even more.

If I also look at the DoH list, there is

> Requires TCP

But just a few lines before, they say that DoH supports HTTP/3, which is UDP.

E.g. Android has supported it for 3 years already:

https://security.googleblog.com/2022/07/dns-over-http3-in-an...

throw28158916 3 days ago | parent

I think my opinion is based on the idea that for the connection between my PC/router and the DNS server, a certificate PKI is not needed. You can just hardcode/configure the public key of the DNS server and that is it. Similar to a WireGuard or SSH server.

> The project especially lists the problems of TLS. TLS is one of the most understood, tested, and well-defined protocols that can be abstracted away in implementation level.

I agree that TLS is understood, tested, used every day etc. I do not agree that you sleep calmly at night. For example, a few years ago [1] or [2] Mozilla removed a root CA from Firefox for bad behavior. And you can argue everything is working properly because the bad behavior was detected and removed, but the thing is - you can avoid this group of problems entirely by avoiding PKI in the protocol. That is why I like the dnscrypt protocol more. Fewer problems to worry about. You only change the hardcoded/configured public key if you change which DNS server you are using (not a big deal). You do not have to regularly update the router to keep the root CA store up-to-date. Do you update your router every month? Because I do not.

[1] https://www.feistyduck.com/newsletter/issue_53_certificate_a...

[2] https://www.itbrew.com/stories/2022/12/02/mozilla-microsoft-...

nicce 3 days ago | parent

I see that point. But you can do the same with DoT? Instead of a public key, you just pin the cert and bypass the CA that way. And you get perfect forward secrecy and the other benefits of TLS. But this might require regular updates of the certs, and does not solve your maintenance problem.
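What pinning on a DoT upstream looks like in practice, as an added example that is not part of this thread and not code from dnscrypt-proxy, DNS4EU or any project named here. It pins the SHA-256 of the server key's SubjectPublicKeyInfo (the same value RFC 7469 HPKP and curl's --pinnedpubkey use) rather than the whole certificate, so a renewed certificate that reuses the key keeps matching; only a key rotation needs a pin update, which is the maintenance point raised above. Everything is standard library; the certificate-shaped DER blob, the name dot.example and the key bytes are constructed for the offline check and are not a real certificate.

```python
"""Added example: SPKI pinning for a DoT (TLS on port 853) upstream, stdlib only.

A small DER walker pulls the SubjectPublicKeyInfo out of the server certificate;
its SHA-256, base64 encoded, is compared against a configured pin set instead
of running CA validation. TLS 1.3 is still required, so the session keeps
forward secrecy. The test data at the bottom is constructed, not a real cert.
"""
import base64
import hashlib
import socket
import ssl


def _der_read(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) for the DER TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate.

    Certificate    ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    _, tbs_tlv, _ = _der_read(cert_der, 0)          # step into Certificate
    _, pos, _ = _der_read(cert_der, tbs_tlv)         # step into TBSCertificate
    tag, _, after = _der_read(cert_der, pos)
    if tag == 0xA0:                                  # explicit [0] version is optional
        pos = after
    for _ in range(5):                               # serial, signature, issuer, validity, subject
        _, _, pos = _der_read(cert_der, pos)
    _, _, end = _der_read(cert_der, pos)             # subjectPublicKeyInfo TLV
    return cert_der[pos:end]


def spki_pin(cert_der: bytes) -> str:
    """Base64(SHA-256(SPKI)): the value after 'sha256//' in curl --pinnedpubkey."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()


def pin_matches(cert_der: bytes, pinned: set) -> bool:
    """True if the presented key is one of the pinned keys (keep a backup pin in the set)."""
    return spki_pin(cert_der) in pinned


def connect_dot_pinned(host: str, pinned: set, port: int = 853) -> ssl.SSLSocket:
    """Open a DoT connection that is accepted only if the server's SPKI pin is in `pinned`.
    CA and hostname checks are deliberately off: the pin is the trust anchor."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    tls = ctx.wrap_socket(socket.create_connection((host, port), timeout=5),
                          server_hostname=host)
    if not pin_matches(tls.getpeercert(binary_form=True), pinned):
        tls.close()
        raise ssl.SSLCertVerificationError("SPKI pin mismatch for %s" % host)
    return tls


# --- constructed test data (not a real or signed certificate) -----------------

def _tlv(tag: int, body: bytes) -> bytes:
    """Minimal DER encoder for bodies shorter than 65536 bytes."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    if len(body) < 0x100:
        return bytes([tag, 0x81, len(body)]) + body
    return bytes([tag, 0x82]) + len(body).to_bytes(2, "big") + body


# id-ecPublicKey / prime256v1 with a made-up 64-byte point (no crypto is done on it)
CONSTRUCTED_SPKI = _tlv(
    0x30,
    _tlv(0x30, _tlv(0x06, bytes.fromhex("2a8648ce3d0201"))
               + _tlv(0x06, bytes.fromhex("2a8648ce3d030107")))
    + _tlv(0x03, b"\x00\x04" + bytes(range(1, 65))),
)


def build_constructed_cert(spki: bytes, with_version: bool = True) -> bytes:
    """Certificate-shaped DER around `spki`; unsigned and constructed purely for the check."""
    ecdsa_sha256 = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a8648ce3d040302")))
    name = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, b"\x55\x04\x03")        # CN=
                                       + _tlv(0x0C, b"dot.example"))))          # constructed name
    validity = _tlv(0x30, _tlv(0x17, b"250101000000Z") + _tlv(0x17, b"260101000000Z"))
    version = _tlv(0xA0, _tlv(0x02, b"\x02")) if with_version else b""
    tbs = _tlv(0x30, version + _tlv(0x02, b"\x01") + ecdsa_sha256
               + name + validity + name + spki)
    return _tlv(0x30, tbs + ecdsa_sha256 + _tlv(0x03, b"\x00" + b"\x00" * 8))


CONSTRUCTED_CERT = build_constructed_cert(CONSTRUCTED_SPKI)
CONSTRUCTED_PIN = spki_pin(CONSTRUCTED_CERT)     # what an operator would publish and a client configure

if __name__ == "__main__":
    print("pin:", CONSTRUCTED_PIN)
    print("accepted:", pin_matches(CONSTRUCTED_CERT, {CONSTRUCTED_PIN}))
```

To use it against a live resolver you would first record the pin once (for example from the certificate curl or openssl s_client shows you) and then call connect_dot_pinned with that pin set; the pin set, not a CA bundle, is what has to be kept current on the router, and it only changes when the operator rotates the key.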

iggldiggl 3 days ago | parent | prev | next

One problem I've run into with that approach is that Akamai uses DNS for steering you to the correct portion of its CDN and the default servers you get from public DNS have abysmal peering with my ISP. So simply switching the default DNS in my router isn't enough, I'd actually have to run my own custom DNS resolver in order to special case Akamai there.

31a05b9c 4 days ago | parent | prev | next

9.9.9.9 provides a first-party tool to test domains against their block list

https://quad9.net/result/

and there is also 9.9.9.10, which does not perform any blocking (if it does, then no one has noticed that, which is unlikely)

rsync 4 days ago | parent | prev

Tangent: does anybody know which DNS server software providers like dns4eu and nextdns use?

Are they using nsd or bind or … did they write their own?

madspindel a day ago | parent

DNS4EU is using the Knot resolver