

So they provide full information on what happened, with all legal papers attached at the end, and a link to a site that gives you a list of all "blocked sites" that were affected by that order.

While the outcome is quite unfortunate, the way they provide all info here seems like a plus in my book here.

If a state/entity comes after your org tomorrow, and you got to either fight legally or leave the market (like Cisco in the story), what would you do?


The French legislation is targeting all major resolvers, Quad9 is not really any better or worse than others just for this.

A niche resolver may get away under the radar, but only because they were not targeted.


So then what do you use or recommend instead?



I use a combination of 1.1.1.1, 9.9.9.11, and OpenDNS over DNSSEC via Pi-hole. Not sure if it's a "good" strategy, though.


I think the French legislation is aimed at most major resolvers. You might get away with more niche ones for now, but the only stable way is to self-host a recursive resolver (like unbound) that walks the DNS tree itself.
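
A minimal unbound configuration for the self-hosted recursive setup mentioned above, as an added example that is not part of the original comment or the unbound project's own documentation. The listener address, LAN range and trust-anchor path are assumptions; adjust them to the local network.

```conf
# unbound.conf: recursive resolver for a home LAN (added example).
# Assumed values: listener address 192.168.1.2, LAN 192.168.1.0/24, and
# the trust-anchor path, which varies by distribution.
server:
    interface: 127.0.0.1
    interface: 192.168.1.2
    port: 53

    # Answer only localhost and the LAN, so the box is not an open resolver.
    # The most specific matching netblock wins, so order does not matter.
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow

    # Validate DNSSEC locally from the root trust anchor.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    harden-dnssec-stripped: yes
    harden-glue: yes

    # Send each authoritative server only the labels it needs.
    qname-minimisation: yes

    # Refresh popular records shortly before they expire.
    prefetch: yes

    # Do not answer id.server / version.server queries.
    hide-identity: yes
    hide-version: yes

# No forward-zone for "." is defined, so unbound starts at the root
# servers and follows delegations itself. Adding the block below would
# instead send every query to an upstream public resolver:
#
# forward-zone:
#     name: "."
#     forward-addr: 1.1.1.1
```

`unbound-checkconf` reports syntax errors in the file before the service is restarted.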


Host your own DNS resolver. It isn't hard.


Hosting is never hard. It's about maintainability. How do you handle HA? How will you expose the service? What about backups? How efficiently are you running it? That's just the tip of the iceberg. For an average Joe, this is not something they wanna deal with.


> (1) How do you handle HA? (2) How will you expose the service? (3) What about backups? (4) How efficiently are you running it?

We are talking a DNS resolver at home or on a VPS.

1. you don't need HA, if it dies you revert back to your ISP DNS while you fix it. And you always have a secondary resolver set up anyway.

2. you just set up its IP address as first DNS server on your home router and as DoH on your devices' browsers.

3. you don't need to back up a local resolver, the only data it has is cache.

4. a local DNS resolver serving the needs of a household needs very little resource.


You are doing a bare minimum job which is of course not what I intended. Your workloads don't seem to be that sensitive. If you can afford a few minutes of downtime, sure. I cannot afford downtime because lots of critical services will fail which will require manual intervention.


Bro it's a DNS server. People happily run Pi-holes without all that.


Good luck when something goes wrong, which it will. At the very least, you need HA for Pi-hole which is easy to do with something like nebula-sync.

