
Future change to the default stubby servers

Open saradickinson opened this issue 4 years ago • 12 comments

The existing dnsovertls*.sinodun.com servers were only expected to be used on a short-term proof of concept basis and so those servers will need to be retired later this year. The 0.4.0 release of stubby will make no change to the default server list, but will announce the intention to change it in the 0.5.0 release.

The existing default servers are all unicast and all based in Europe. Since many anycast public DoT resolvers with good privacy policies are now available, the getdns/stubby developers are discussing options for the future content of the default servers. That includes:

  1. Retaining just the getdnsapi.net server as the default and more strongly encouraging users to make their own decision about what servers to use

  2. Switching to just use a public resolver

There are several candidates for a public resolver but two under consideration are:

  • Using Quad9 (9.9.9.9). This is an anycast service with a large footprint, with a strong privacy policy, but this address does minimally filter responses on purely security grounds: https://quad9.net/ (Their 9.9.9.10 address does not filter, but does not do DNSSEC)
  • Using Adguard's 'unfiltered' service (dns-unfiltered.adguard.com). This is an anycast service, with strong privacy policy.

If users have comments or experience of these or other resolvers, please add them to this issue.

saradickinson avatar May 18 '21 14:05 saradickinson

I understand why you are doing this but would like to say that I've been a happy user of this reliable service for several years and am disappointed to discover that I'll have to find someone else to trust.

I am also very grateful, many thanks Sara and co.

inudge avatar May 20 '21 14:05 inudge

@inudge Thanks - we are sorry to have to discontinue that service but hopefully we can decide on a suitable alternative.

saradickinson avatar May 27 '21 10:05 saradickinson

AdGuard with DoQ would be nice to have as an option.

timkgh avatar Jun 13 '21 22:06 timkgh

Quad9 is not looking good to privacy-oriented users, not functionality-wise but due to their logging policy, which includes:

  • General location (on the metropolitan level)
  • Timestamps
  • Geolocation
  • First seen, last seen
  • Requested domain name and its geolocation
  • Record type
  • Transport protocol and their encryption status
  • Whether it's IPv4 or IPv6
  • Response code
  • Other (such as their machines that processed the request, etc.)

morton-f avatar Jul 01 '21 07:07 morton-f

Option 1 looks good to me [Retaining just the getdnsapi.net server as the default and more strongly encouraging users to make their own decision]

morton-f avatar Jul 01 '21 08:07 morton-f

@morton-f Thanks very much for the feedback. If you compare Quad9 to the other open resolver options that provide anycast then its privacy policy is good, and they have recently moved their HQ to Switzerland so they are no longer under US law. All those organisations minimally log such data for a short period, but not IP addresses.

The downside of retaining just the getdnsapi.net server is robustness - it becomes a single point of failure for users that don't change their settings.

saradickinson avatar Jul 02 '21 09:07 saradickinson

Thank you for the useful link to the Comparison of policy and privacy statements page. Just for reference, the new addresses of Cloudflare's privacy policy: https://www.cloudflare.com/privacypolicy/ (section of interest: Public DNS Resolver Users), https://developers.cloudflare.com/1.1.1.1/privacy and https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver

morton-f avatar Jul 04 '21 13:07 morton-f

@morton-f Thanks for the corrected links - I've updated the relevant pages on dnsprivacy.org!

saradickinson avatar Jul 05 '21 10:07 saradickinson

Can we have the getdnsapi.net server listen on port 443 as well then? Because currently only the sinodun ones do from the default list. I know there are other options (and I do use them), but a default server available on 443 would be nice too.

ArchangeGabriel avatar Jul 20 '21 13:07 ArchangeGabriel
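As an added illustration of the "make your own decision about what servers to use" option from the issue and of the port 443 question in the comment above, here is a stubby.yml upstream section written for this thread (it is not stubby's shipped default file). It assumes that dns.quad9.net is the TLS authentication name Quad9 publishes for 9.9.9.9, and it uses a hypothetical operator dot.example.net at the documentation address 192.0.2.53 to stand in for a user-chosen server that serves DoT on 443; getdnsapi.net is deliberately not shown on 443, since the comment notes it does not listen there.

```yaml
# Added example stubby.yml (not the project's shipped default configuration).
# Assumptions: dns.quad9.net is Quad9's published DoT authentication name for
# 9.9.9.9; dot.example.net / 192.0.2.53 is a hypothetical 443-capable upstream.
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
# REQUIRED makes stubby refuse an upstream whose certificate does not match
# tls_auth_name; with NONE the TLS session is only opportunistic and a
# misconfigured or impersonated upstream would still be used.
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
# Pad queries so their length leaks less about the name being looked up.
tls_query_padding_blocksize: 128
# Do not send client subnet information to the upstream.
edns_client_subnet_private: 1
# Spread queries across all upstreams rather than depending on the first one,
# which addresses the single-point-of-failure concern raised in the thread.
round_robin_upstreams: 1
listen_addresses:
  - 127.0.0.1
  - 0::1
upstream_recursive_servers:
  # Quad9's filtering, DNSSEC-validating address from the issue, on the
  # standard DoT port.
  - address_data: 9.9.9.9
    tls_auth_name: "dns.quad9.net"
    tls_port: 853
  # Hypothetical second upstream reached on 443, for networks that block 853.
  - address_data: 192.0.2.53
    tls_auth_name: "dot.example.net"
    tls_port: 443
```

Point stubby at the file with `stubby -C stubby.yml`. The important setting for anyone choosing their own resolver is `tls_authentication: GETDNS_AUTHENTICATION_REQUIRED` together with a `tls_auth_name` on every upstream: picking a resolver with a good privacy policy gains little if stubby would silently talk to whatever answers on that address.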

@ArchangeGabriel thanks for the comment, it is a good point.

saradickinson avatar Jul 21 '21 10:07 saradickinson

Four uncited non-USA DNS options that I believe deserve to be considered or at least mentioned in this thread.

LibreDNS. Non-profit collective, supported by donations and volunteering, with no interest in trading personal information. https://libredns.gr/ 116.202.176.26

OpenNIC. DNS non-profit and volunteer network, with additionally alternative non-ICANN domains. At the moment the network is made up of just over twenty independent servers, three of which provide DoT. https://servers.opennicproject.org/
  • ns29.de.dns.opennic.glue 194.36.144.87 2a03:4000:4d:c92:88c0:96ff:fec6:b9d
  • ns4.fi.dns.opennic.glue 95.217.229.211 2a01:4f9:4b:39ea::301
  • ns4.ru.dns.opennic.glue 144.24.181.253

Tenta. A service of the antivirus company Avast. It supports ICANN and also OpenNIC. https://tenta.com/dns-setup-guides
  • ICANN: 99.192.182.200 99.192.182.201
  • OpenNIC: 99.192.182.100 99.192.182.101

NextDNS. Company 100% funded, owned and controlled by its founders. It is known for its customizable block lists. https://nextdns.io/

alexispm avatar Apr 04 '22 17:04 alexispm

Additional uncited non-USA DNS server alternative that I believe deserves to be considered: https://dns.sb/dot/

alexispm avatar Apr 05 '22 17:04 alexispm

Closing this as the update to the resolvers was made in the 0.4.1 release.

saradickinson avatar Jan 10 '23 14:01 saradickinson