dig -t A google.com @8.8.8.8 +short (6x IPs)
dig -t A google.com @1.1.1.1 +short (6x IPs)
dig -t A google.com @9.9.9.9 +short (1x IP)
Effective June 28, 2024: Due to a court order in France issued under Article L.333-10 of the French Sport code and a court order in Portugal issued under Article 210-G(3) of the Portuguese Copyright Code, the OpenDNS service is not currently available to users in France and certain French territories and in Portugal. We apologize for the inconvenience.
July 23, 2024: Cisco's OpenDNS service has been reactivated in Portugal and is currently available following a decision by the Lisbon Court of Appeal.
https://www.isc.org/docs/BIND_RPZ.pdf
Hoping the HN DNS savvy reading this can help me understand a Quad9 thing I ran into. I was debugging (as in scratching my head) a bank website login problem and ended up doing some DNS checks against their domain, usual stuff, while using Quad9 as my DNS provider.
While testing, I was using Google and Cloudflare as well, and started noticing something - Quad9 does not return all A records listed for a domain, the same way Google/Cloudflare do.
This gave me a weird feeling; I get there's a lot of DNS geo magic and 8.8/1.1 serve 2 different subnets, and 9.9 a third. But... where did the other 5 expected IPs from Quad9 get off to?
Have you tested it with a static domain with multiple IPs?
Using Google is a bad way to test this scenario, since they use EDNS and many other DNS load balancing methods to distribute the load.
I see a single IP for all 3
While I'm here: Google uses edns0 client subnet to geo target your client IP.
Try a dig -t txt o-o.myaddr.l.google.com @8.8.8.8 vs the others to see the src IP of the packet sent to Google's DNS server, and any edns0 info that came along with it.
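An added example, not from the thread, that reproduces the comparison above offline: a stdlib-only DNS wire encoder/decoder that builds the A query with an EDNS0 Client Subnet option (the /0 opt-out from RFC 7871, which asks the resolver not to forward your subnet), parses the replies, and reports which A records each resolver omitted relative to the others. The resolver replies in demo() are constructed here with example.com and RFC 5737 addresses, so nothing is sent over the network.

```python
import struct
import ipaddress

TYPE_A, TYPE_OPT, ECS_CODE = 1, 41, 8   # ECS = EDNS0 Client Subnet option (RFC 7871)

def encode_name(name):
    # "google.com" -> b"\x06google\x03com\x00"
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"

def read_name(data, offset):
    # Decode a possibly compressed wire name; return (name, offset just after it).
    labels, end = [], None
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer: jump
            end = end if end is not None else offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode())
        offset += length
    return ".".join(labels), (end if end is not None else offset)

def ecs_option(network, scope=0):
    # Body: family, source prefix, scope prefix, address truncated to the prefix. A /0
    # source prefix tells the resolver not to forward any client subnet upstream.
    net = ipaddress.ip_network(network, strict=False)
    addr = net.network_address.packed[:(net.prefixlen + 7) // 8]
    body = struct.pack("!HBB", 1 if net.version == 4 else 2, net.prefixlen, scope) + addr
    return struct.pack("!HH", ECS_CODE, len(body)) + body

def opt_rr(rdata):
    # OPT pseudo-RR: root name, type 41, 4096-byte UDP payload size, no extended flags.
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, len(rdata)) + rdata

def build_query(qname, txid=0x1234, ecs=None):
    # A-record query with RD set; carries an ECS option when `ecs` is given.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    return header + question + opt_rr(ecs_option(ecs) if ecs else b"")

def build_response(query, ips, ttl=300, ecs=None):
    # Constructed sample reply (not a real resolver's answer): one A record per IP,
    # plus an OPT RR echoing an ECS (network, scope) tuple when one is given.
    _, qend = read_name(query, 12)
    answers = b"".join(struct.pack("!HHHIH", 0xC00C, TYPE_A, 1, ttl, 4)   # 0xC00C -> QNAME
                       + ipaddress.IPv4Address(ip).packed for ip in ips)
    header = struct.pack("!HHHHHH", struct.unpack("!H", query[:2])[0], 0x8180, 1, len(ips), 0, 1)
    return header + query[12:qend + 4] + answers + opt_rr(ecs_option(*ecs) if ecs else b"")

def parse_ecs(rdata):
    # Return (client network, scope prefix) from OPT RDATA, or None if no ECS option.
    pos = 0
    while pos + 4 <= len(rdata):
        code, length = struct.unpack("!HH", rdata[pos:pos + 4])
        body, pos = rdata[pos + 4:pos + 4 + length], pos + 4 + length
        if code == ECS_CODE:
            family, src, scope = struct.unpack("!HBB", body[:4])
            cls, size = (ipaddress.IPv4Network, 4) if family == 1 else (ipaddress.IPv6Network, 16)
            return str(cls((body[4:].ljust(size, b"\x00"), src), strict=False)), scope
    return None

def parse_response(data):
    # Return rcode, the A records in the answer section and any echoed ECS option.
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    offset, result = 12, {"rcode": flags & 0xF, "a": [], "ecs": None}
    for _ in range(qd):                                 # skip the question section
        offset = read_name(data, offset)[1] + 4
    for _ in range(an + ns + ar):
        offset = read_name(data, offset)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        rdata, offset = data[offset + 10:offset + 10 + rdlen], offset + 10 + rdlen
        if rtype == TYPE_A and rdlen == 4:
            result["a"].append(str(ipaddress.IPv4Address(rdata)))
        elif rtype == TYPE_OPT:
            result["ecs"] = parse_ecs(rdata)
    return result

def compare_a_records(replies):
    # {resolver: raw reply} -> sorted A records, IPs missing vs. the union, ECS echo.
    parsed = {r: parse_response(d) for r, d in replies.items()}
    union = set().union(*(p["a"] for p in parsed.values()))
    return {r: {"a": sorted(p["a"]), "missing": sorted(union - set(p["a"])), "ecs": p["ecs"]}
            for r, p in parsed.items()}

def demo():
    # Constructed scenario mirroring the thread: two resolvers answer with six A
    # records, the third with one. IPs are RFC 5737 documentation addresses.
    query = build_query("example.com", ecs="0.0.0.0/0")          # ECS opt-out
    six = [f"192.0.2.{i}" for i in range(1, 7)]
    replies = {"8.8.8.8": build_response(query, six, ecs=("198.51.100.0/24", 24)),
               "1.1.1.1": build_response(query, six),
               "9.9.9.9": build_response(query, six[:1])}
    return compare_a_records(replies)
```

To run the same comparison against live resolvers, send build_query() to each over UDP port 53 and pass the raw replies to compare_a_records().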
I used Quad9 as the primary upstream DNS for my home. About 11 days ago I wasn't able to send any query to Quad9, kinda blocking. Their status page was green; I suspected my IP was blocked. Now I'm on quad1 :(
Interestingly, I only get one IP from each command:
$ dig -t A google.com @8.8.8.8 +short
142.250.184.206
$ dig -t A google.com @1.1.1.1 +short
216.58.206.46
$ dig -t A google.com @9.9.9.9 +short
142.250.185.238
I'm sure geo has something to do with it - my connections generally terminate in Austin, TX but it varies around Central US. I have T-Mobile Home Internet and our IPs show up to remotes under the same general ASNs as the traditional mobile network (big huge CGNAT, my IP can change 5 times a day or whatnot and it doesn't reflect where I actually am located).
Edit: in case useful to someone reading, right now I have an IP assigned out of this block:
Edit edit: in the network record is a link to the self-reported geo data, I missed that.
Isn't that because Quad9 does (more) filtering than the other two?
I actually do (did, I demoted it for now) use the unfiltered service (9.9.9.10) but find the same result on both, so I used .9 here to keep the chat more streamlined. But, could still be relevant somehow?
Re: "Cisco has decided to leave france": (https://web.archive.org/web/20250614052849/https://support.o...)
It's laudable that Quad9 want to fight censorship, but they too could block French requests in this way. Maybe redirect to an HTTP/HTTPS IP that tells users about the issue and gives them contacts to their government representatives?
Does Quad9 run a resolver with DNSSEC but without "malware" blocking? So far I've had multiple instances (twice for a torrent tracker, once for gist.github.com) where they blocked a non-malware domain for a short while, which is really annoying to deal with.
Does anyone use Mullvad DNS servers? https://mullvad.net/en/help/dns-over-https-and-dns-over-tls#... I found them more acceptable.
Didn't know they have publicly available DNS servers. Thanks.
I've also started using/testing the DNS4EU servers: https://www.joindns4.eu/
Many ISPs in Germany have stopped fighting this fight as well and sadly have now even started to self-censor their DNS servers.[1]
[1] https://cuii.info/en
More people should run their own recursive resolvers with unbound. There’s no need to rely on centralized DNS anymore.
Seems like a great use case for Pi-hole to add include lists - have files with lists of DNS entries that are delisted in some areas. Of course a VPN is probably more beneficial in general though.
Isn't this putting unsustainable load on the root servers? (In the scenario that many people do that.)
https://datatracker.ietf.org/doc/html/rfc8806
Abstract
Some DNS recursive resolvers have longer-than-desired round-trip times to the closest DNS root server; those resolvers may have difficulty getting responses from the root servers, such as during a network attack. Some DNS recursive resolver operators want to prevent snooping by third parties of requests sent to DNS root servers. In both cases, resolvers can greatly decrease the round-trip time and prevent observation of requests by serving a copy of the full root zone on the same server, such as on a loopback address or in the resolver software. This document shows how to start and maintain such a copy of the root zone that does not cause problems for other users of the DNS, at the cost of adding some operational fragility for the operator.
This document obsoletes RFC 7706.
> have now even started
This has been the case for a very long time. Back when TPB was popular this was already the case.
Going after DNS resolvers seems like the easy win. If a website was breaking the law so egregiously then take it to ICANN to get the domain name seized. I'd wager that's a much harder thing to prove, hence the strong arming of DNS resolvers.
Would the root DNS servers ever get modified or censored as a result of court action?
My thoughts were that DNS-level censorship is essentially a dead end because the root servers are sacrosanct, and there will always be secondary DNS servers to query, who then use the root servers.
Sucks for DNS providers in authoritarian countries though.
I suspect the US would push back on this unless they were the ones doing the censoring. So far the US has not opened that door with DNS; it’s important to make sure that the door stays closed, as this would create chaos and major fragmentation.
In the meantime it might be worthwhile to develop alternatives, like some kind of DNS-over-Tor or DNS-over-DHT scheme, along with normalizing Tor onion services as an alternative access method for clearnet sites.
Yes, some kind of alternative DNS system where domain assignment is authenticated using some kind of distributed system of ownership consensus! If only such a thing has existed for years already and was well tested and performant...
https://www.kraken.com/learn/what-is-ethereum-name-service-e...
All the things that crypto true believers believed would happen are slowly coming to pass. It wasn't all bored apes and gambling. There was some legitimate development going on, and still is.
After the Samourai case, you shouldn’t be so confident in cryptocurrency-based solutions for things like this. If devs can somehow stay anonymous and out of reach, maybe.
I’m not ideologically against cryptocurrency-based solutions, but it isn’t a magic bullet by any means. I still think that the EU in particular isn’t done making life difficult for crypto users.
Not to discourage projects like ENS, I think it’s good to have alternatives, but I do think we need noncommercial fallbacks to the current system as well. Anything involving money will always have choke points.
The root DNS servers basically only tell you where the registry servers are, they don't contain records themselves. If someone censored a domain at the registry level then the root servers would be no help
This is true but I can imagine where they might go after the lowest reachable branch of the tree, up to threatening to remove country-level TLDs from the root servers for noncompliance. Only the US really has the leverage to do this, and it would just fragment the internet, as additional root servers would pop up to serve the missing TLDs. So it’s unlikely but possible.
This all started, in earnest, with Response Policy Zones being added to BIND. RPZ allows DNS resolvers to lie to clients by returning NXDOMAIN or redirects to other domains, and the client does not know it is being lied to.
At first, RPZ was used to block known malicious domains (drive-by malware downloads, etc.). Then, the security weenies started using RPZ to block other things like TikTok (for administrative/legal reasons). That's when the DNS became a big lie.
I guess some day, one political party will use it to block the websites of other political parties, etc. That's stupid to say (I know) but that seems to be the slippery slope we are sliding down.
This is also why it is important for Switzerland to not sign the deal with the EU next year. The 8k+ page deal would also require Switzerland to pull the line with EU regulation regarding copyright. The freedom we have right now to download would fall away. Doesn't matter if you are left or right, the deal is bad for all of us.
> “At what point does legal compliance become de facto censorship?”
I genuinely agree with this statement a lot. Also another aspect of this is that the bigger companies can somehow "legally" do things which I don't think would work, but they have so many resources to stretch the court case for a long time.
And the fact is that even after that, even if they are fined for some dollars, they are more than likely to just pay than try to actually fix the core issues, which affect everyone harmfully except the company.
All for profit smh. I sometimes wonder if there is a word for this phenomenon for how our system has gotten into such a rotten state from lobbying to this yet at the same time genuine non profits get existential threats for the same behaviour but they simply don't have the funds...
> Also another aspect of this is that the bigger companies can somehow "legally" do things which I don't think would work but they have so many resources to stretch the court case for a long time.
A big part of this impression is that people very often very much underestimate what they can get away with, whereas big companies have lawyers to tell them "oh yeah you can totally do this".
Of course there are some exceptions. Uber and AirBnB are probably decent ones, in some jurisdictions anyway.
I find it amusing that it's always the government's fault. Or the user's fault.
It's never the fault of the trillion dollar industries that are millions of times more powerful than any individual.
Our system has gotten into a rotten state because a tiny number of modern barons have all the power, and none of the civic responsibility. Concentration of money, when money is power, is the same as concentration of power.
What is always the government's fault?
> if there is a word for this phenomenon for how our system has gotten into such a rotten state
There is, it's the system's name: Capitalism
No one ever in the universe claimed that this system serves primarily the needs of humans. It serves profit. Now there is a Venn diagram that has a union area between profits and needs, but the system does not care about making this union bigger, it cares about making the profits bigger. When that overlaps with needs... it is just a happy side effect.
I tend to agree with this sentiment, but my takeaway is slightly different.
People who would describe themselves as supporters of "capitalism", as well as supporters of "communism" or "socialism", are not able to admit that their belief systems are actually religious in structure. Not spiritual perhaps, but effectively "secular religions".
Both capitalism and its nemesis arose in the mid 1900s, when humanity was obsessed with modernist thinking about "solving problems once and for all". And in that context, the people fell in love with these two "clean systems". A more perfect set of rules.
Sure, capitalism doesn't claim to be the most powerful god. But in surrogacy, it claims to be "the least imperfect system". Which is structurally the same claim: declaring the scripture to be some apex that is not surpassable.
The main difference between communism and capitalism was how it was implemented. The USSR went full-tilt ideologically rigid, and collapsed very quickly. The US didn't go full-tilt capitalism. It implemented a hybrid system with a high marginal tax, welfare programs, subsidies, labour unions, public works projects, along with a market system, and that hybrid non-ideologically rigid model served it well.
Around the time it was clear the USSR was collapsing, the USA went hard tilt in favour of ideological purity in capitalism. Systematic series of clawbacks in the tax regime, privatization, elimination of labour unions.
As they leaned into the religion, it was used against them, much like the communist religion was used against the people of the USSR. And now they have been robbed of their prosperity, of the value of their efforts, much like the people in the USSR were robbed.
Nice read, but we also have democracy to prevent things, but it still feels effectively hijacked by such fictional constructs like capitalism and the lobbying power.
Theoretically we should be able to think of the majorities or ourselves and we can have a good system
but we also feel like a lack of choice I suppose, the elections feel between just two parties with choosing the lesser evil (I think zohran is cool tho in the democratic party and maybe he could signify some good things I guess)
Personally I feel like we need to focus more on the incentives and competency of people more than anything and try to vote it on that and not what they speak I suppose.
We don't have democracy because the people with the most money can use a century of learning how to manipulate people through mass propaganda, advertising, PR and spin to get the results they want. People don't form political opinions in a vacuum; they are formed by the messages they receive.
'Both capitalism and its nemesis arose in the mid 1900s, when humanity was obsessed with modernist thinking about "solving problems once and for all". And in that context, the people fell in love with these two "clean systems". A more perfect set of rules.'
All of this is junk. Karl Polanyi famously puts the birth of capitalism very late compared to other important thinkers, in 1834, by defining it as characterised by markets of fictitious commodities, i.e. stuff like labour, land, money. More mainstream would be to point to the Renaissance or the British 16th century.
The idea that capitalism and communism would be dependent on an art movement of the early 20th century is quite bizarre; the Communist Manifesto was published in 1848, and by the late 19th century, when modernism started to form, unions and communist parties were already common.
Actually, modernism is a reaction to the apparent stalling of 'progress', WWI and nostalgia for the optimism of the early modern period, i.e. from 1500 to the late 1800s. In part it was also a reaction to what is usually called modern physics, i.e. things like Newtonianism and ether hypotheses breaking down due to Michelson-Morley and the early study of quantum phenomena, relativity and so on.
I've increasingly taken the attitude that digital media is simply lost to corporate interests and there's nothing we can do about it aside from not spending money or time on the internet.
No, "not spending money or time" is utterly worthless.
It has zero leverage. Even if you could convince 1 person in 1000 to do that, you'd represent 0.1%. And that "1 in 1000" is hopelessly optimistic as it is.
If you want to change the world, "individual action" should be at the very last place in your list of actions to take.
>If you want to change the world, "individual action" should be at the very last place in your list of actions to take.
The heliocentric model began with one person out of the entire population of earth having the courage to publicly, loudly, and assertively disagree with TPTB.
Guessing this might be interpreted by some as a reference to Galileo so I'll take the opportunity to mention Against Method.
https://en.wikipedia.org/wiki/Against_Method
Presuming you're talking Europe only, are you talking Copernicus? Brahe? Kepler? Galileo? You know that the heliocentric model had been discussed 2000 years earlier in Europe.
Another side effect of law makers yoloing legislation on things they don’t seem to understand
Pirates need to wake up to the fact that they are harming creators and people who provide the services that make modern life possible. Governments need to wake up and follow Japan's example and criminalize this antisocial behavior.
You mean like ChatGPT? Why is it ok for them to "pirate" the entire internet and not for a small individual. Maybe the whole copyright system is broken.
If you would like to talk about piracy, please define it first.
In my opinion it is unclear what you are referring to because many people have different views on what the term piracy actually means.
>>Pirates need to wake up to the fact that they are harming creators and people who provide the services that make modern life possible.
Could you clarify a single service that is being pirated that could be classified as "make modern life possible"? I'm just curious.