The sorry state of free, private, uncensored DNS services?

[Moat 11]

A while ago the Swiss Privacy foundation closed its DNS servers as per their official announcement. They told their users to use xiala.net DNS instead.

xiala.net started shutting down their DNS service November 29th 2018, completely effective the next day.

With the shutdown of xiala.net DNS I resolved the swiss privacy foundation old DNS empty.privacyfoundation.ch and found that it currently resolves to an IP address 77.58.132.26 I have not tested whether that is an actual DNS server or what it resolves to since there is no official record on DNS related web sites/lists of that IP (read: I could not find)

There is the chaos computer club in Germany, which seems well trusted and regarded.

There is unsensored by an individual in Denmark, who seems to be well respected for privacy consistently all over the net.

There is securedns.eu by an individual in the Netherlands who claims no logging but tells right on its home page whether you're using his service or not. So is there logging or no? Awkward. There's a saying, if a dutchman did not rip you off, he's forgotten about it...

There is dns.watch for which I can't really find whether their free no log claims are supported, and there seems no transparency as to who is behind it to ensure privacy and no censuring.

And then there is a plethora of DNS services which are murky, as in different references.
For instance, FoeBud's 85.214.20.141 seems to belong to Digital Courage who themselves have 46.182.19.48
Or as250.net's 194.150.168.168 reverting to chaos computer club.
Why make things murky and untransparent? Who's behind these serviecs? Are they trustworthy? If the question is raised, for me it is no.

There is Mullvad and AzireVPN who have free public no logging unsensored DNS servers, so they claim. But these unsensored DNS do somehow not resolve airvpn server addresses ... at least for me! Who can blame them, it is a competitive world ...

And there is OpenNIC highly recommended by airvpn, who argues opennic being so good is the reason airvpn does not offer a public DNS service. Unfortunately, regardless of the OpenNIC DNS server I use sooner or later I end up seeing DNS queries being routed through the UK or USA. Multicasting effect of OpenNIC or programmed IP address swaps among opennic servers or other reasons I do not understand or do not know, but do not like it one bit my DNS queries often end up in internet privacy hell locations when using OpenNIC DNS servers referenced as allegedly being outside these locations.

These are my findings and my understanding of things, not much I know.

Who do you trust your DNS queries to when airvpn does not have public DNS servers because they like opennic who, for me, always reverts sooner or later to DNS servers in internet privacy desert lands? Who's verified to have responsible behavior towards user privacy, called no logging, and no censuring and all that. And please, no suggesting Google or cloudflare honeypot dns services. Corporations do not offer a free meal, you offer them a free meal while thinking you get one.

[8nDTiLB 1]

Is there any reason to not use any of the Open NIC servers?  https://servers.opennic.org/

 

For some reason, selecting a few of those as the DNS in my router settings, in addition to the 10.4.0.1, provides for a very noticeable increase in download speed, and lower latency. That said, I don't necessarily understand why that gives me better performance than just using the built in Air DNS, and I have to manually hit apply on my router settings every time I notice a slow down in performance to bring it back.

 

The one server in that list that supports no logs and DNScrypt (in Massachusetts I believe?) often has downtime and is even slower than the Air DNS.

 

Haven't been able to change the DNS settings on the gateway I am behind as AT&T does not allow for changing DNS at the source, and I haven't bridge it since last time I tried it was essentially walled off and not guaranteed to work. Maybe that's changed.

 

Long story short, it's been informative but frustrating realizing how significant changes in DNS have been impacting my speeds/performance as a whole.

[zhang888 1065]

You can use DNS over Tor with any public resolver, whether it is Google (8.8.8.8), Cloudflare (1.1.1.1) or Quad9 (9.9.9.9).

Cloudflare made a guide for such setup, available here:

https://developers.cloudflare.com/1.1.1.1/fun-stuff/dns-over-tor/

 

All of the above services support DNS over TCP/53 as well, means you don't need additional software like socat.

The pros and cons are up to each user to consider. You add an extra complexity and latency in order to get more privacy and anonymity.

Regarding public OpenNIC and DNSCrypt resolvers, again it is entirely up to you.

Would you prefer to trust a non-profit free service, or a random individual running a resolver on some cheap VPS server?

Personally I would usually prefer to stick to the large corporations as upstream DNS in this case, since then you have higher reliability,

and higher assurance that your DNS requests will not be modified, which is not less important than logging policies.

At least the logging part is not an issue over Tor/VPN.

 

Another list to consider:

https://dnscrypt.info/public-servers/

 

However, you should always consider the "no-logging" policy of any server just as anything else written on the internet

Basically any individual can run a resolver and submit it to OpenNIC/DNScrypt, while there is no verifiable way of knowing what is there.

 

As for your general request, asking for a censorship-free DNS service, while you seem to decide to censor yourself by avoiding UK/US

locations altogether, this sounds a little contradictory. A DNS resolver, even if based/transited via those locations, does not necessarily

means your privacy is at risk.

 

/Add

As a case study, I can provide a valid attack scenario why you shouldn't probably trust "random" public resolvers that are at least not

backed by a trusted privacy focused foundation like a VPN provider behind them.

One of them you already mentioned. I am not familiar with 77.58.132.26 in OP but their ISP can decide to assign this IP to another

customer while we speak. And that customer can decide to run a DNS resolver on that IP, resolving blockchain.info (just as example)

to 11.22.33.44, which will host a redirect page to blockchain1.info with a valid SSL cert. Most users cannot notice such subtle changes.

 

I won't provide more ideas and leave it to your imagination. Same can apply to all those "volunteer" setups without personal IP space.

[Moat 11]

All that's nice, but I still struggle, and forgive the alliteration below, others claim DNS is like the phone directory of the internet.

 

When opening your old fashioned paper phone book from the years of gone by, was there anyone:

- telling you you can't see this phone number even though it is in the book, putting their sticky fingers right on the phone number so you can't see it

- taking note of each and every phone number you look up for data analysis and selling the data, regardless whether the person actually picks up the phone or not

- profiling the way in which you search for a particular number and selling that profile claiming this is who you are

 

Nah, didn't think so. Yet today we're proudly and revindicatingly accepting this intrusion in our lives.

 

Back to topic, if there are no reliable non privacy infringing and no logging and no censoring DNS services, then why bother with a VPN ? You might as well not get dressed tomorrow before going into work and show off all your privates, since you have nothing to hide Your boss might be referring you to  

[NaDre 154]

...

Back to topic, if there are no reliable non privacy infringing and no logging and no censoring DNS services, then why bother with a VPN ?

...

 

https://airvpn.org/topic/30078-dns-server-recommendations/?p=78880

 

You can run BIND (https://www.isc.org/downloads/bind/) on Windows as your own DNS resolver.

 

Have BIND listen on 127.0.0.1 with something like this:

options {
  ...
  listen-on { 127.0.0.1; };
};

Then use 127.0.0.1 as your DNS server.

 

 

https://airvpn.org/topic/30078-dns-server-recommendations/?p=78942

 

...

BIND just does the raw DNS protocol. Directly accessing the domain root servers. No encryption by BIND. But when you are using the VPN, the packets to and from BIND will go over the VPN.

 

While your ISP may log your DNS requests in their DNS server, or block some queries there, I doubt that they are inspecting or blocking raw DNS protocol packets.

 

I also doubt that AirVPN is inspecting or interfering with raw DNS protocol packets. But they could be.