
DNS.watch – Fast, free and uncensored - captn3m0
https://dns.watch/index
======
tptacek
DNSSEC in 2014 is a liability, not a benefit. Essentially, all you're signing
up for when you use a 3rd-party DNSSEC server is that someone's
misconfiguration is silently going to break your queries.

Virtually no important services on the Internet rely on DNSSEC. Using it now
is pure downside.

What's especially funny about this is that your DNS queries to these third-
party servers _are not themselves encrypted_ ; in other words, you're sending
your DNS UDP packets halfway across the Internet for the _pretense_ of
cryptographic security.

~~~
growse
> Essentially, all you're signing up for when you use a 3rd-party DNSSEC
> server is that someone's misconfiguration is silently going to break your
> queries.

Isn't this literally true of any service?

> What's especially funny about this is that your DNS queries to these third-
> party servers are not themselves encrypted;

This would be relevant if people were aiming to protect the confidentiality of
their DNS queries. They're not, though. They're trying to protect the integrity
of the DNS queries.

Anyhow, I find it useful in that I can store SSHFP records in my DNS zone and
then use `VerifyHostKeyDNS` when I'm sshing into servers. This becomes
especially useful if I've got servers sshing into other servers and I don't
want to have to lug around a known_hosts file on every server.

Saying things like "using DNSSEC is pure downside" is so easily demonstrably
false and hyperbolic that it may cause people to ignore the rest of your
argument. Which is a shame, because I know you have very insightful and
interesting things to say about a lot of things.
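
An added example (not code from the thread) of what the SSHFP approach above amounts to: building the SSHFP records a zone publishes for a host key, and checking a presented key against them the way an OpenSSH client with `VerifyHostKeyDNS yes` does. The host name and the Ed25519 key bytes are constructed; a real zone would use the output of `ssh-keygen -r host`.

```python
# Added example: SSHFP record generation and host-key check.
# The key material below is constructed for illustration, not a real server key.
import base64
import hashlib
import struct

# SSHFP RDATA code points: algorithm (RFC 4255 / 6594 / 7479) and fingerprint type.
SSHFP_ALGO = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3, "ssh-ed25519": 4}
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def ssh_string(b: bytes) -> bytes:
    """Encode a byte string in SSH wire format: 4-byte big-endian length + data."""
    return struct.pack(">I", len(b)) + b


def make_key_line(key_type: str, raw_key: bytes) -> str:
    """Build an authorized_keys/known_hosts-style '<type> <base64 blob>' line."""
    blob = ssh_string(key_type.encode()) + ssh_string(raw_key)
    return f"{key_type} {base64.b64encode(blob).decode()}"


def sshfp_records(host: str, key_line: str) -> list:
    """Return (host, algo, fptype, hex fingerprint) tuples, one per hash type.
    The fingerprint covers the whole public key blob, as ssh-keygen -r does."""
    key_type, b64 = key_line.split()[:2]
    blob = base64.b64decode(b64)
    algo = SSHFP_ALGO[key_type]
    return [(host, algo, fptype, h(blob).hexdigest()) for fptype, h in SSHFP_HASH.items()]


def verify_host_key(key_line: str, records: list) -> bool:
    """Accept the presented key only if an SSHFP record of the same algorithm
    matches; the records are assumed to come from a DNSSEC-validated answer."""
    key_type, b64 = key_line.split()[:2]
    blob = base64.b64decode(b64)
    algo = SSHFP_ALGO.get(key_type)
    for _host, r_algo, fptype, fp in records:
        if r_algo == algo and fptype in SSHFP_HASH:
            if SSHFP_HASH[fptype](blob).hexdigest() == fp.lower():
                return True
    return False


if __name__ == "__main__":
    key = make_key_line("ssh-ed25519", bytes(range(32)))  # constructed key
    for host, algo, fptype, fp in sshfp_records("host.example", key):
        print(f"{host}. IN SSHFP {algo} {fptype} {fp}")
```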

~~~
tptacek
I believe DNSSEC is, across the board, pure downside. But that statement is
especially true here, in the case of a third-party resolver with DNSSEC
enabled. And that's the case I was talking about. I don't think we have to
reach the wisdom of SSHFP records to refute your rebuttal.

~~~
opendais
[https://eprint.iacr.org/2010/115.pdf](https://eprint.iacr.org/2010/115.pdf)

I'm just going to leave this here and let people make up their own minds. I
don't really have an opinion but I think you are being excessively negative
without presenting any evidence.

~~~
cnst
[http://cr.yp.to/talks.html#2009.08.11](http://cr.yp.to/talks.html#2009.08.11)

Downsides of DNSSEC are pretty well known, actually.

If you're worried about security yet still want to use a third-party DNS
resolver, you might be much better off with OpenDNS.com and their DNSCurve
client (called DNSCrypt), which encrypts and authenticates all communications.

[http://blog.opendns.com/2010/02/23/opendns-dnscurve/](http://blog.opendns.com/2010/02/23/opendns-dnscurve/)

[http://www.opendns.com/about/innovations/dnscrypt/](http://www.opendns.com/about/innovations/dnscrypt/)

------
jedisct1
No DNSCrypt support yet?

Here are some DNSCrypt-enabled public resolvers, most of them without logs,
and some supporting DNSSEC and/or Namecoin:
[https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscr...](https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv)

Adding DNSCrypt support is as easy as running a small daemon (dnscrypt-wrapper)
forwarding the queries to the actual resolver.

------
desireco42
While indeed slower than the Google ones, for example, like double the speed,
still I would argue that it doesn't really change that much when you are
loading the page.

For the most part, entries are cached locally, and in a single visit you are
not visiting more than one domain.

I think we should welcome this line of thinking and acting; the internet is
becoming a less free place every day. Not the same, but I was reading this
article about a guy who is on Verizon and gets better Netflix when he uses his
VPN.

~~~
rakoo
> the internet is becoming a less free place every day.

And DNS.watch isn't solving anything. It only moves your dependency from one
third-party (your ISP, Google, OpenDNS) to another one (DNS.watch).

If we _really_ want to keep the internet the way it was intended, we must run
our own resolvers. That will most certainly defeat the cacheability of DNS, but
it is very much needed.

~~~
pedrogpimenta
I like this idea.

Any links as to how to build your own DNS resolver? I already have some things
on my own "cloud", this would be one thing more :)

~~~
danyork
A great place to start would be to install Unbound - a great resolving caching
server from NLNet Labs:

[http://unbound.net/](http://unbound.net/)

They also have a version focused on providing DNSSEC validation called
"DNSSEC-Trigger":

[http://www.nlnetlabs.nl/projects/dnssec-trigger/](http://www.nlnetlabs.nl/projects/dnssec-trigger/)

Wikipedia also has a decent comparison of a wide range of different resolvers:

[https://en.wikipedia.org/wiki/Comparison_of_DNS_server_softw...](https://en.wikipedia.org/wiki/Comparison_of_DNS_server_software)

The key is that in the "Feature matrix" table there you need to have a "Yes"
in the "Recursive" column.

------
fzerorubigd
Our problem here (Iran) is that they change DNS packets, so whether you censor
the result or not, it's always censored here.
[https://gist.github.com/fzerorubigd/7a5a7a3d3bcdde982067](https://gist.github.com/fzerorubigd/7a5a7a3d3bcdde982067)

Thank you, but PLEASE provide dnscrypt service too.

------
indeyets
What about DNSCrypt support? [http://dnscrypt.org/](http://dnscrypt.org/)

------
TheCraiggers
I can't seem to find any privacy agreements or EULAs anywhere on the site. I
can no longer tell if that pleases me or scares me.

~~~
ldng
At the very least you're covered by German privacy laws, I guess. As to their
strength ... I don't know.

------
nodesocket
165ms ping from San Francisco. Most likely not using anycast, not
distributed.

------
tlrobinson
Is there a good reason to not have a streaming update protocol for DNS? Surely
it wouldn't be that difficult to prefetch the top N million DNS queries, then
subscribe to a stream to keep them updated as TTLs expire? This would give you
both privacy and speed (for the majority of queries).

IPv4 address = 4 bytes

Avg domain length = ~14 characters
([http://datagenetics.com/blog/march22012/](http://datagenetics.com/blog/march22012/))

So ~20MB per million domain names (assuming 1 IPv4 address per domain name)

------
philip1209
I wonder if it is anycasted. It appears to be on the Accelerated IT Services
ASN - if they do not explicitly own the IP addresses and they lose control of
them, that would be a disaster.

~~~
skrause
It doesn't seem to use anycast. I've done a traceroute from different
worldwide locations using [http://lg.he.net/](http://lg.he.net/) and they all
get routed to Frankfurt, Germany.

Here in Germany I get a very good latency to this service (22 ms, almost as
good as my ISP's resolver's 18 ms), but if you don't live in or close to
Germany this service probably isn't for you, at least as long as they haven't
implemented anycast with multiple world wide locations.

------
diaz
I have no idea about people complaining about high latency, but for me it has
around the same ping of google dns (from Portugal) - google 40ms, this 43ms.
Lately I've been using google ones because the previous I was using got more
latency.

For reference I was using for a while dns from here
[http://wiki.opennicproject.org/Tier2](http://wiki.opennicproject.org/Tier2)
after testing which ones had less ping.

~~~
Nyr
You have low latency since Portugal is pretty close to Germany where the
servers are, compared to America or Asia.

If they want to promise low latency, they should use anycast with servers
around the world. Google for example does this.

I compiled a list of reliable, anycast DNS recursors some time ago:
[http://wiki.nyr.bz/dns_publicos](http://wiki.nyr.bz/dns_publicos)

------
witty_username
I just want to note that the servers have a ping of ~150 here from India,
which is not that fast, but OK. Hopefully some DNS servers will be placed in
Asia.

~~~
alexnewman
I ain't changing my DNS server to a server in Germany.

    6 50.242.148.34 (50.242.148.34) 11.825 ms 23.165 ms 11.936 ms
    7 vlan60.csw1.sanjose1.level3.net (4.69.152.62) 167.163 ms 173.912 ms
      vlan80.csw3.sanjose1.level3.net (4.69.152.190) 179.634 ms
    8 ae-61-61.ebr1.sanjose1.level3.net (4.69.153.1) 166.071 ms 166.300 ms
      ae-81-81.ebr1.sanjose1.level3.net (4.69.153.9) 166.493 ms
    9 ae-2-2.ebr2.newyork1.level3.net (4.69.135.186) 166.700 ms 167.425 ms 168.243 ms
    10 ae-62-62.csw1.newyork1.level3.net (4.69.148.34) 168.031 ms 167.538 ms
       ae-82-82.csw3.newyork1.level3.net (4.69.148.42) 168.819 ms
    11 ae-71-71.ebr1.newyork1.level3.net (4.69.134.69) 168.592 ms
       ae-81-81.ebr1.newyork1.level3.net (4.69.134.73) 166.472 ms
       ae-61-61.ebr1.newyork1.level3.net (4.69.134.65) 167.677 ms
    12 ae-41-41.ebr2.london1.level3.net (4.69.137.65) 167.766 ms
       ae-43-43.ebr2.london1.level3.net (4.69.137.73) 167.754 ms
       ae-42-42.ebr2.london1.level3.net (4.69.137.69) 167.882 ms
    13 vlan103.ebr1.london1.level3.net (4.69.143.93) 167.297 ms
       vlan101.ebr1.london1.level3.net (4.69.143.85) 167.796 ms
       vlan103.ebr1.london1.level3.net (4.69.143.93) 166.458 ms
    14 ae-23-23.ebr2.frankfurt1.level3.net (4.69.148.194) 165.179 ms
       ae-24-24.ebr2.frankfurt1.level3.net (4.69.148.198) 168.929 ms
       ae-23-23.ebr2.frankfurt1.level3.net (4.69.148.194) 165.134 ms
    15 ae-72-72.csw2.frankfurt1.level3.net (4.69.140.22) 166.229 ms 171.583 ms
       ae-62-62.csw1.frankfurt1.level3.net (4.69.140.18) 166.542 ms
    16 ae-3-80.edge4.frankfurt1.level3.net (4.69.154.136) 168.808 ms 167.824 ms
       ae-2-70.edge4.frankfurt1.level3.net (4.69.154.72) 177.082 ms
    17 accelerated.edge4.frankfurt1.level3.net (212.162.25.6) 167.854 ms 182.773

~~~
deathanatos
Because of the latency? Doesn't that traceroute indicate that most of the
delay was just getting to Level 3 in San Jose, through your ISP? (Isn't that
50.242.148.34 node right between level3 and your ISP? Sadly it lacks a name,
so hard to say who owns it.)

Or because of trust? You're in the US.

------
jarnix
.watch would not be the extension I would choose for a service that does not
spy on me. Ironic isn't it.

------
lvillani
Hey guys, your How-Tos page has some problems:

      - Windows: points to FritzBox howto
      - OS X: 404
      - Linux: 404

You may want to run linkchecker
([http://wummel.github.io/linkchecker/](http://wummel.github.io/linkchecker/))
next time :)

~~~
Amfy
Yeah, right now only the how-to for Fritz.box exists. Should probably write
the others up, that's right :)

[https://twitter.com/mamunabms/status/490867160227409920](https://twitter.com/mamunabms/status/490867160227409920)

> You may want to run linkchecker
> ([http://wummel.github.io/linkchecker/](http://wummel.github.io/linkchecker/))
> next time :)

Hehe :)

------
nix1
Is there any way for you to prove that you don't log stuff? In the sense of
[1].

[1]
[https://www.schneier.com/blog/archives/2013/10/can_i_be_trus...](https://www.schneier.com/blog/archives/2013/10/can_i_be_truste.html)

~~~
TheCraiggers
"Prove" is a pretty strong word. I looked for and didn't find a lawyeresque
privacy agreement, but even if I did that's not proof either since they could
lie. They could invite you to their data center, show you their code, etc, but
that is still not proof since they could be hiding things from you, or simply
wait until you leave to flip the "log all data" switch.

It always eventually comes down to trusting a company, or trusting strangers.
You're already doing this, because you are viewing this on some form of a
computer that you didn't completely hand-build, and are running software that
you didn't build from scratch using your own, self-built compilers.

I say a potentially better way of looking at this problem is: I _know_ Comcast
logs my DNS queries and who knows what else. I however don't know that this
site does. From a pure privacy standpoint, I have nothing to lose by switching
over and everything to gain.

------
TBastiani
I expected the 'why?' page to explain how (or by whom) they are funded / how
they make money. I've never heard of these guys before, and until they explain
that, I have no reason to trust them more than any other non-ISP DNS provider...

------
cnst
Nowadays, I often find ordns.he.net to be quite useful. HE.net is getting to
be a pretty big carrier nowadays, and they generally have better latency and
locality than other resolvers. Will never use 8.8.8.8 ever again.

------
tomjen3
That is pretty sweet, but is there any browser that does DNSSEC by default?

And even if there is, aren't we back to trusting whoever signs DNSSEC? No
doubt some US corp that had their private key national security lettered?

~~~
spindritf
The browser doesn't need to do anything. The resolver will simply not pass an
unsigned or incorrectly signed record from a signed zone. You can test yours
here[1]. Google DNS[2] supports DNSSEC.

Were you thinking about DANE?

[1] [http://dnssec.vs.uni-due.de/](http://dnssec.vs.uni-due.de/)

[2] [https://developers.google.com/speed/public-dns/](https://developers.google.com/speed/public-dns/)

------
niaher
Possibly I am just a noob, but at least for me having a simple "how to use"
page with some info would be very useful.

~~~
CMCDragonkai
The best place to start would be to set up your own DNS server. On Windows use
Acrylic; on Linux you have a number of options like MaraDNS.

------
drdaeman
ISP resolvers are significantly faster for me due to being close by. Yet,
indeed, some ISPs may do evil things.

I wonder whether there's a piece of software that'd retroactively verify every
query done by my resolver against a set of supposedly-uncensored public third-
party resolvers (like this DNS.watch) and raise an alarm in case of
inconsistencies. (Although I have no idea how to deal with the multitude of
false alarms that would be there due to DNS load balancing.)
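
An added example (not from the thread) of the cross-check described above, including the load-balancing false-alarm problem: a local resolver's answer is compared with answers from several reference resolvers and only flagged when it disagrees about whether the name exists or is disjoint from every reference without the pattern of CDN rotation. The answers are constructed from documentation address ranges, and the resolver labels ("dns.watch", "other") are just labels, not live lookups.

```python
# Added example: resolver consistency check over constructed answers (no network).
from ipaddress import ip_network


def same_network(a: str, b: str, prefixlen: int = 24) -> bool:
    """Treat two IPv4 addresses in one /prefixlen as a single CDN or LB pool."""
    return (ip_network(f"{a}/{prefixlen}", strict=False)
            == ip_network(f"{b}/{prefixlen}", strict=False))


def check_answer(name: str, local: set, references: dict, prefixlen: int = 24):
    """local: addresses (or {"NXDOMAIN"}) from the resolver under suspicion.
    references: {label: set of addresses} from trusted public resolvers.
    Returns (verdict, detail); verdict is "ok", "inconclusive" or "suspicious"."""
    NX = {"NXDOMAIN"}
    ref_sets = list(references.values())
    if not ref_sets:
        return "inconclusive", f"{name}: no reference answers to compare against"
    # Disagreement about whether the name exists is the classic filtering signature.
    if local == NX and any(r != NX for r in ref_sets):
        return "suspicious", f"{name}: local says NXDOMAIN, references return addresses"
    if local != NX and all(r == NX for r in ref_sets):
        return "suspicious", f"{name}: local answers, every reference says NXDOMAIN"
    # Any address shared with any reference: nothing to report.
    if any(local & r for r in ref_sets):
        return "ok", f"{name}: local answer overlaps a reference"
    # Same /prefixlen as a reference answer: almost certainly load balancing.
    for label, addrs in references.items():
        if any(same_network(a, b, prefixlen) for a in local - NX for b in addrs - NX):
            return "inconclusive", f"{name}: same /{prefixlen} as {label}; likely load balancing"
    # References that do not agree among themselves point to geo/LB rotation.
    if len(ref_sets) > 1 and not any(a & b for i, a in enumerate(ref_sets) for b in ref_sets[i + 1:]):
        return "inconclusive", f"{name}: references disagree with each other too"
    return "suspicious", f"{name}: local {sorted(local)} disjoint from all references"


# Constructed answers in documentation ranges, not output from real resolvers.
SAMPLE = {
    "news.example": ({"192.0.2.10"}, {"dns.watch": {"192.0.2.10"}, "other": {"192.0.2.11"}}),
    "blocked.example": ({"NXDOMAIN"}, {"dns.watch": {"198.51.100.5"}, "other": {"198.51.100.5"}}),
    "cdn.example": ({"203.0.113.7"}, {"dns.watch": {"203.0.113.40"}, "other": {"203.0.113.41"}}),
    "hijacked.example": ({"192.0.2.200"}, {"dns.watch": {"198.51.100.9"}, "other": {"198.51.100.9"}}),
}


def run_checks(sample: dict = SAMPLE) -> dict:
    """Map each name to its verdict; the alarms are the 'suspicious' entries."""
    return {name: check_answer(name, local, refs)[0] for name, (local, refs) in sample.items()}


if __name__ == "__main__":
    for name, (local, refs) in SAMPLE.items():
        print(*check_answer(name, local, refs))
```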

------
axyjo
There's a small typo on the homepage: "chrarge" should be "charge", I presume.

------
tete
DNSCrypt would be nice.

[http://dnscrypt.org/](http://dnscrypt.org/)

------
iancarroll
Just curious, not nitpicking - how are you calculating the statistics without
logs?

~~~
nightcracker
You store simple counts, and whenever a particular type of query is made you
increment the relevant count(s).

You can count all the red cars that pass by without logging their license
plates, model type and number of passengers.

~~~
mootothemax
_You store simple counts, and whenever a particular type of query is made you
increment the relevant count(s)._

Exactly.

As a plus, precise accuracy isn't necessary here, no-one's going to care if
you report 39,893 instead of 19,898 queries per minute.

Simple counters + regular reset to zero would do the job well enough.

------
specto
Seems really slow now, guessing it's overwhelmed.

------
known
dig @8.8.8.8 facebook.com is much quicker than dig @84.200.69.80 facebook.com
for me.

~~~
Amfy
Yes, but which one do you think is censored/manipulated first? There are
times when it's better to use something not that popular ;)

Couple of other arguments: The internet is built around decentralization...
now all people use the same resolvers. Great. It's good to have proper
alternatives.

~~~
spacefight
Why do you assume that you can withstand government censorship longer than
Google? I'm really curious - sometimes size is good, sometimes it isn't.

