
Freenom World – A fast and anonymous Public DNS resolver - quiche
http://www.freenom.world/en/index.html?lang=en
======
nsebban
Writing "fast" and "anonymous" on a product doesn't magically make it fast or
anonymous. Why would I trust this service?

~~~
VMG
Well the first attribute can at least be measured independently.

~~~
gtirloni
Numbers from South America:

    
    
        Freenom: ~260msec
        Google: ~70msec
        Local ISP: ~6msec

~~~
tdkl
It still baffles me why someone would use Google DNS over local ISPs, and
8.8.8.8 being advertised anywhere makes me cringe.

~~~
WildUtah
My ISP's DNS inserts advertising into query results. Google's doesn't.

~~~
tdkl
Sorry to hear that then. I'm positive this doesn't happen in the EU though,
yet we're willingly giving Google more data.

~~~
minxomat
It does happen:
[https://news.ycombinator.com/item?id=13038500](https://news.ycombinator.com/item?id=13038500)

------
tomkwok
Freenom appears to be the company managing the (in)famous "free" ccTLD .tk

No, thanks.

[http://www.freenom.com/en/aboutfreenom.html](http://www.freenom.com/en/aboutfreenom.html)

~~~
minxomat
Elaborate? I have dozens of freenom domains (not just .tk, but also the other
free TLDs like .ga et al.). I don't use them for critical (or commercial)
services, but I've never had any issues - they are free after all.

DotTK and now Freenom have been great enablers for many smaller hobby sites.
Get free webspace from bplaced, domain from freenom and CDN from CloudFlare
and you have a pretty decent, ad-free infrastructure for a quick-and-dirty web
project. A scratchpad solution basically.

Anyhow, that doesn't change the fact that the above DNS is still way too slow
to be useful in the first place, at least from here.

~~~
tomkwok
> DotTK and now Freenom have been great enablers for many smaller hobby sites.
> Get free webspace from bplaced, domain from freenom and CDN from CloudFlare
> and you have a pretty decent, ad-free infrastructure for a quick-and-dirty
> web project. A scratchpad solution basically.

Agreed. But never use free .tk domains for anything serious. DotTK is
notorious for deleting domains registered for free from a user's account
without any notification to the user as soon as the domain gets some amount of
traffic according to many reports online.

~~~
teddyh
I know of exactly one site which had a .tk TLD. Here’s why they switched to a
.com:

[http://tailsteak.com/archive.php?num=388](http://tailsteak.com/archive.php?num=388)

“ _tailsteak.com

Alright, so I'm finally fed up with Tokelau.

Don't get me wrong, it's a nice island, but they just aren't answering my
mail.

I suppose most of you have noticed, by now, the fifteen-second ads that
present you with beautiful women and fish when you surf to tailsteak.tk. Those
are not my ads. I do not obtain revenue from them. Tokelau's domain name
referral service just started putting them up there without so much as a by-
your-leave. I have contacted their tech support and enquired if, perhaps, they
might consider removing them for customers willing to pay a certain amount.
They have not responded.

Of course, I have had access to tailsteak.com for some time now. So
henceforth, I will be directing my viewers there. It's the same site, the same
host, and, in truth, the .tk address has been sending you there for months.
But now it's official. Note the change in title graphic:

tailsteak.com_”

------
scarlac
It'd be interesting to know what their business model is. Traffic isn't free
and neither are world-wide servers. They are not run by ads, they are not a
paid service, so how do they cover their expenses?

~~~
raphman
As wila pointed out in this thread, Freenom has been connected to
cybersquatting [1]. Operating a widely used DNS server might allow them to
register commonly mistyped domains (?). Not sure whether this is indeed
sensible.

[1] [http://domainincite.com/18797-freenom-suspended-for-cybersqu...](http://domainincite.com/18797-freenom-suspended-for-cybersquatting-rival-registrars)

~~~
wheelerwj
clever. shady, but clever.

------
brandon272
Round trip time for me to 80.80.80.80 is double what it is to 8.8.8.8. So I'm
not convinced on the "fast" claim.

~~~
kyrra
Google has the advantage to anycast their DNS server IP addresses. Use a ping
service that will ping an IP from around the globe and you'll see that 8.8.8.8
has sub 20ms RTT time for pings regardless of country. So you will likely
always hit the closest Google datacenter when using 8.8.8.8.

80.80.80.80 seems to be served out of a single datacenter. Based on ping times
I'm seeing, it looks like they are hosted in Amsterdam. So it will be slow for
most of Asia and the Americas.

~~~
corobo
For this same reason you'll also get better results from CDN services with
Google DNS. 8.8.8.8 will lookup a geo record from (almost) your actual
location. 80.80.80.80 will look it up from the USA.

Any CDNs that are using geo-dns will be way slower than they should be outside
the US as you'll have been given a US IP to load the content from.

~~~
sajal83
Google actually implements a workaround to this issue. It's called EDNS client
subnet. Freenom does not.

~~~
corobo
Ah nice, I'll have to remember that one.

------
AdamGibbins
So I should just send you all my DNS queries because you said so? Ur, I'd
rather not, thanks.

~~~
dschulz
Aren't you doing exactly that with another recursive resolver?

~~~
halomru
With many other providers I can make deductions about likely threat scenarios.
For example I know about both my ISP and about Google that it is in their best
interest to serve me correct DNS entries: they have no obvious motive to do
otherwise. On the other hand I can be fairly certain that my DNS queries will
be fed into Google's database if I use their DNS: they have an obvious motive,
have the capability and no obvious disincentive. Etc.

With some new, unknown service with unknown associations I can't reason much
about the threat model.

~~~
uiri
Many ISPs abuse DNS to serve ads. One method is to rewrite all NXDOMAIN
responses to an ad server. Another involves injecting ads into HTTP responses
by hijacking DNS.

Although your points about capability and motive are valid, I don't think that
Google does feed DNS queries into a database. Given all the evil DNS servers
out there, I think that it is in Google's best interest to provide a clean
alternative and contribute to better internet infrastructure.
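
Added example, not part of the comment above or of the original thread: one way to check whether the resolver a machine is configured to use rewrites NXDOMAIN responses, by looking up random names that should not exist. The function names, the `com.` suffix and the two constructed resolvers are assumptions made for illustration.

```python
import secrets
import socket

def system_lookup(name):
    """A records from the system's configured resolver; [] when the name does not resolve."""
    try:
        return sorted(set(socket.gethostbyname_ex(name)[2]))
    except OSError:
        return []

def check_nxdomain_rewriting(lookup=system_lookup, probes=4, suffix="com."):
    """Resolve random names that should not exist and report any addresses returned."""
    answers = {}
    for _ in range(probes):
        # 128-bit random label; the trailing dot in the suffix avoids search-domain expansion.
        name = f"{secrets.token_hex(16)}.{suffix}"
        answers[name] = lookup(name)
    resolved = [addrs for addrs in answers.values() if addrs]
    # An address returned for every resolved probe is the likely redirect target.
    shared = sorted(set.intersection(*map(set, resolved))) if resolved else []
    return {
        "probes": probes,
        "resolved": len(resolved),
        "rewriting_suspected": bool(resolved),
        "redirect_addresses": shared,
    }

# Constructed resolvers for offline use (not real services): one answers NXDOMAIN
# honestly, the other sends every unknown name to the same documentation-range address.
def honest_resolver(name):
    return []

def rewriting_resolver(name):
    return ["192.0.2.10"]
```

Calling `check_nxdomain_rewriting()` with no arguments runs the same check against the live system resolver.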

~~~
dingaling
"After keeping this data for two weeks, we randomly sample a small subset for
permanent storage."

[https://developers.google.com/speed/public-dns/privacy](https://developers.google.com/speed/public-dns/privacy)

------
Libre___
I would encourage fairly tech-savvy users to set up their own DNS resolvers -
fast, more private and a way of bypassing your ISPs censorship.

Just make sure to configure ACLs so recursive queries are limited to you and
not part of a botnet. Also BIND9 might not be a good idea for a
low-maintenance solution.

~~~
Thaxll
It's a bad idea for performance, because your ISP has caches for Google,
Netflix etc., so you probably won't get them.

~~~
Libre___
That's not how Google GGC and their LB works, the authoritative NSes look at
the IP of the querying resolver and hand out a response depending on that.

~~~
Thaxll
Well if you use a generic DNS server you won't get DNS answers that are geoip
based because you will hit the cache of that DNS server and since they don't
query google servers with your ISP IP you will get a generic endpoint.

------
Zash
Personally I'm a fan of running unbound locally. DNSSEC verification on the
same machine is pretty nice, but you lose the benefits of sharing the cache
with many others.

------
contingencies
In mainland China try 114.114.114.114 + 114.114.115.115...

114.114.114.114 = 52ms

80.80.80.80 = 240ms

8.8.8.8 = 416ms

Just sayin'...

~~~
donretag
It's funny, I was thinking precisely of China when I saw the numbers, due to
the use of 8s (considered lucky). And here you are, saying the number 4
(considered unlucky) is actually used in China?

~~~
lhr0909
The phone number 114 in China is just like the 411 in the US, it is a
directory service, so that's why China uses 114 for the DNS servers.

On that note, the Chinese DNS would not resolve google or facebook properly
due to the Great Firewall of China, I wonder if Freenom can resolve those
domains within China without any proxy solutions.

------
jaysoncena
From Singapore

    
    
      ~188ms -> dig yahoo.com @80.80.80.80
      ~3ms -> dig yahoo.com @8.8.8.8
      ~2ms -> dig yahoo.com @(ISP's DNS)
    
    

MTR to Google DNS

    
    
      $ mtr -wrc10 8.8.8.8
      Start: Fri Jan 13 22:22:56 2017
      HOST: -                            Loss%   Snt   Last   Avg  Best  Wrst StDev
        1.|-- My PublicIP gateway           0.0%    10    1.9  11.3   1.3  22.5   6.5
        2.|-- Singapore1.vqbn.com           0.0%    10    1.3   4.0   0.9  28.3   8.5
        3.|-- 132.147.112.194               0.0%    10    2.6   1.6   1.0   3.3   0.7
        4.|-- 108.170.240.173               0.0%    10    1.7   1.8   1.6   2.3   0.0
        5.|-- 209.85.243.215                0.0%    10    1.5   1.8   1.5   2.0   0.0
        6.|-- 216.239.48.73                 0.0%    10    2.0   2.0   1.8   2.2   0.0
        7.|-- ???                          100.0    10    0.0   0.0   0.0   0.0   0.0
    
    

MTR to Freenom DNS

    
    
        $ mtr -wrc10 80.80.80.80
        Start: Fri Jan 13 22:37:58 2017
        HOST: -                                 Loss%   Snt   Last   Avg  Best  Wrst StDev
          1.|-- My PublicIP gateway                0.0%    10    0.9   8.2   0.8  56.9  17.8
          2.|-- amsterdam1.vqbn.com                0.0%    10  187.3 187.2 186.9 187.8   0.0
          3.|-- br1.ams-ix.dc2.ams.denit.net       0.0%    10  198.7 191.9 187.7 199.2   4.6
          4.|-- 62-148-189-36-hosted-by.denit.net  0.0%    10  187.9 189.6 187.9 199.2   3.5
          5.|-- 80.80.80.80                        0.0%    10  187.9 188.1 187.9 188.5   0.0

------
cpswan
It's not very encouraging that they don't have reverse DNS for their own IPs

------
i_have_to_speak
There's also DNS.Watch: [https://dns.watch/index](https://dns.watch/index)

------
beardog
I don't think I want to use a DNS server from a company that revoked a domain
name from me for inactivity, which is now being used to push pornography.

Also, I love how in their promotional video on the website they say using
their DNS service will make your internet usage "anonymous". Lol.

------
CiPHPerCoder
Do they support DNSCrypt? If not, what would be the main draw to use this
over, say, 8.8.8.8?

~~~
phpnode
Using 8.8.8.8 gives google even more insight into your internet habits, even
if you're using e.g. firefox on a webpage that includes no google assets at
all (no web fonts, no google analytics etc), google will still know you've
been there. Whether that matters to you or not depends on you.

~~~
beejiu
> We don't correlate or combine information from our temporary or permanent
> logs with any personal information that you have provided Google for other
> services.

[https://developers.google.com/speed/public-dns/privacy](https://developers.google.com/speed/public-dns/privacy)

~~~
a3n
I have no idea what goes on in google. That said, even if they don't correlate
with "personal information that you have provided," you as an IP address are
still identifiable as that IP address, and correlatable with yourself, for as
long as that IP lasts for you.

Which means Google _could_ cause ads to follow you around, for example. Again,
I don't know what all they actually do or don't do with their DNS logs, but
the quoted "promise" doesn't promise anonymity, just separation of you as a
known Google user from you as a semi-anonymous but specific DNS user.

I'm reminded of the early days of the Snowden revelations, when the NSA was
saying "it's just metadata."

~~~
beejiu
They do not log the user's IP address. It says so on the page I linked.

------
jdemler
They could get rid of google-analytics on their site to make it even more
anonymous.

------
eeZah7Ux
There is no such thing as anonymous DNS resolution unless we use Tor to
perform resolution for all applications.

~~~
wheelerwj
some sort of blockchain based dns would be killer

------
Meegul
How can we be sure that their claims are true?

~~~
ekianjo
How can you be sure your own DNS resolver is doing what they are saying?

~~~
Meegul
I have no way of doing this currently, the point is just that without some
form of verification, I can't be sure that this is any better than what I'm
using now.

------
bradknowles
If you want to benchmark nameservers, queryperf is the tool that was designed
to do that years ago -- see my presentation at
[http://shub-internet.org/brad/papers/dnscomparison/](http://shub-internet.org/brad/papers/dnscomparison/)

EDIT1: The folks at SolveDNS.com also have some interesting reports on some of
these machines. Among others, see:
[http://www.solvedns.com/dnsspeedtest/freenom.world](http://www.solvedns.com/dnsspeedtest/freenom.world)
[http://www.solvedns.com/dnsspeedtest/freenom.com](http://www.solvedns.com/dnsspeedtest/freenom.com)
[http://www.solvedns.com/nameserver/ns01.freenom.com](http://www.solvedns.com/nameserver/ns01.freenom.com)
[http://www.solvedns.com/nameserver/ns11.cloudns.net](http://www.solvedns.com/nameserver/ns11.cloudns.net)

EDIT2: And also
[http://www.solvedns.com/freenom.world](http://www.solvedns.com/freenom.world)
[http://www.solvedns.com/freenom.com](http://www.solvedns.com/freenom.com)

EDIT3: And [http://www.solvedns.com/dns-comparison/2016/12](http://www.solvedns.com/dns-comparison/2016/12)

EDIT4: TurboBytes.com also has an interesting page at
[http://www.turbobytes.com/reports/dns-performance/#US](http://www.turbobytes.com/reports/dns-performance/#US)

EDIT5: And don't miss the page at
[http://www.dnsperf.com/](http://www.dnsperf.com/)

------
chrisper
Does it support those geoip(?) things? Like I know that Netflix uses "DNS" to
provide you with the closest netflix streaming server. So if the DNS server is
located in NYC, but I am in SF, then it won't work.

I am not sure what the term for this is, but Google DNS supports it.

~~~
corobo
Doesn't look like it with a cursory test

    
    
      $ host cdn.pdcast.net 8.8.8.8
      Using domain server:
      Name: 8.8.8.8
    
      cdn.pdcast.net is an alias for pdcast-1e5f.kxcdn.com.
      pdcast-1e5f.kxcdn.com is an alias for p-uklo00.kxcdn.com.
      p-uklo00.kxcdn.com has address 188.227.185.218
    
      $ host cdn.pdcast.net 80.80.80.80
      Using domain server:
      Name: 80.80.80.80
    
      cdn.pdcast.net is an alias for pdcast-1e5f.kxcdn.com.
      pdcast-1e5f.kxcdn.com is an alias for p-usat00.kxcdn.com.
      p-usat00.kxcdn.com has address 64.38.250.98
    

My closest server being the "uklo" (London, UK) as reported by 8.8.8.8.

Using 80.80.80.80 means I'd be loading content from Atlanta(?), USA.

~~~
chrisper
Thanks. Yeah. I'd not use it then.

What's the tool you used for this? Nslookup?

~~~
corobo
The Linux equivalent of nslookup yeah. I believe nslookup has the same basic
syntax for querying a specific server so you'd replace "host" with "nslookup"

    
    
      nslookup cdn.pdcast.net 80.80.80.80

------
benmcnelly
Nice try NSA

~~~
achairapart
From T&C:

> Freenom is a registered trademark of OpenTLD B.V. [...] a Netherlands
> company.

~~~
tlrobinson
I'm not saying I believe this is an NSA operation, but it's certainly not
beyond governments' capabilities to secretly register foreign companies.

~~~
Nadya
Like the FBI spy planes registered to 13 companies... I don't imagine it is
much of a stretch to register under a foreign company instead.

Also not saying I believe it is an NSA operation - just providing an example
of another 3-letter agency registering fake companies in an attempt to mask
their operations.

------
analogmemory
If I had to I'd rather use Open DNS.
[https://use.opendns.com/](https://use.opendns.com/)

But I have MonkeyBrains as an ISP, I'm getting 10msec from their DNS resolver.

------
sajal83
So they are new and their network needs a lot of work. But claiming to be fast
is dishonest
[https://pulse.turbobytes.com/results/5879a1e3ecbe40377300a80...](https://pulse.turbobytes.com/results/5879a1e3ecbe40377300a80f/)

Also any public recursive that does not do EDNS client subnet does not belong
in 2017.
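
Added example, not part of the comment above or of the original thread: the EDNS client subnet option (RFC 7871) mentioned here and in the earlier geo-DNS exchange, encoded into a query's OPT record and parsed back out, so a reply can be checked for whether it carries the option. `build_message` emits an A-record message with a single OPT record; all function names and the sample messages are assumptions constructed for illustration.

```python
import ipaddress
import struct

OPT_TYPE = 41         # EDNS0 pseudo-record (RFC 6891)
ECS_OPTION_CODE = 8   # edns-client-subnet option (RFC 7871)

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_ecs_option(subnet, scope=0):
    net = ipaddress.ip_network(subnet, strict=False)
    family = 1 if net.version == 4 else 2                         # 1 = IPv4, 2 = IPv6
    addr = net.network_address.packed[:(net.prefixlen + 7) // 8]  # cut to the prefix
    data = struct.pack("!HBB", family, net.prefixlen, scope) + addr
    return struct.pack("!HH", ECS_OPTION_CODE, len(data)) + data

def build_message(qname, subnet=None, scope=0, flags=0x0100):
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    rdata = build_ecs_option(subnet, scope) if subnet else b""
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0, len(rdata)) + rdata
    return header + question + opt

def skip_name(msg, off):
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:   # a compression pointer ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_ecs(msg):
    """Return {'subnet', 'scope'} from the OPT record, or None when no ECS is present."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        pos = 0
        while rtype == OPT_TYPE and pos + 4 <= len(rdata):
            code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
            body, pos = rdata[pos + 4:pos + 4 + olen], pos + 4 + olen
            if code == ECS_OPTION_CODE:
                family, source, scope = struct.unpack("!HBB", body[:4])
                addr = body[4:].ljust(4 if family == 1 else 16, b"\x00")
                return {"subnet": f"{ipaddress.ip_address(addr)}/{source}", "scope": scope}
    return None

# Constructed samples (not captured traffic): a reply echoing ECS and one without it.
REPLY_WITH_ECS = build_message("cdn.example.net", "203.0.113.77/24", scope=24, flags=0x8180)
REPLY_WITHOUT_ECS = build_message("cdn.example.net", flags=0x8180)
```

Only the network prefix leaves the client: the host bits of `203.0.113.77` are dropped before encoding, so the option carries `203.0.113.0/24`.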

------
pfarnsworth
What's most important is "trustworthy". The last thing I want is gmail.com to
be resolved to another server.

------
chaz6
What are the addresses of the IPv6 resolvers?

Edit: the resolver at 80.80.80.80 has ipv6 connectivity since I was able to
resolve a dns record on a domain with only ipv6 authoritative servers. The
queries originated from 2a00:ec8:400:ff04::3e (LeaseWeb Network B.V.,
Amsterdam).

------
xxdesmus
Actually rather slow, at least in the San Francisco area over Comcast.

[https://gist.github.com/xxdesmus/336af4b717fdb719f20e9ef284c...](https://gist.github.com/xxdesmus/336af4b717fdb719f20e9ef284c2249a)

------
snehesht
If anyone is interested in running a DNSCrypt enabled DNS resolver, try
[https://github.com/jedisct1/dnscrypt-server-docker](https://github.com/jedisct1/dnscrypt-server-docker)

------
newsat13
Cool. What exactly does anonymous mean in this context? Why should I use this
resolver instead of my router's/ISP?

------
arielm
The copyright on the site says 2016. The internet has been around for too long
for a hardcoded copyright notice...

------
captainju
I don't trust them

------
ReedJessen
ummm... Honey Pot Much?

