Future change to the default stubby servers

[saradickinson]

The existing dnsovertls*.sinodun.com servers were only expected to be used on a short-term proof of concept basis and so those servers will need to be retired later this year. The 0.4.0 release of stubby will make no change to the default server list, but will announce the intention to change it in the 0.5.0 release.

The existing default servers are all unicast and all based in Europe. Since many anycast public DoT resolvers with good privacy polices are now available, the getdns/stubby developers are discussing options for the future content of the default servers. That includes:

1. Retaining just the getdnsapi.net server as the default and more strongly encouraging users to make their own decision about what servers to use

2. Switching to just use a public resolver

There are several candidates for a public resolver but two under consideration are:

• Using Quad9 (9.9.9.9). This is an anycast service with a large footprint, with an strong privacy policy, but this address does minimally filter responses on purely security grounds: https://quad9.net/ (Their 9.9.9.10 address does not filter, but does not do DNSSEC)
• Using Adguard's 'unfiltered' service (dns-unfiltered.adguard.com). This is an anycast service, with strong privacy policy.

If users have comments or experience of these or other resolvers, please add them to this issue.

[inudge]

I understand why you are doing this but would like to say that I've been a happy user of this reliable service for several years and am disappointed to discover that I'll have to find someone else to trust.

I am also very grateful, many thanks Sara and co.

[saradickinson]

@inudge Thanks - we are sorry to have to discontinue that service but hopefully we can decide on a suitable alternative.

[timkgh]

AdGuard with DoQ would be nice to have as an option.

[morton-f]

Quad9 is not looking good to privacy oriented users not functionality wise but due to their logging policy which includes

General location (on the metropolitan level)
Timestamps
Geolocation
First seen, last seen
Requested domain name and its geolocation
Record type
Transport protocol and their encryption status
Whether it’s IPv4 or IPv6
Response code
Other (such as their machines that processed the request, etc. )

[morton-f]

Option 1 looks good to me [Retaining just the getdnsapi.net server as the default and more strongly encouraging users to make their own decision}

[saradickinson]

@morton-f Thanks very much for the feedback. If you compare Quad9 to the other open resolver options that provide anycast then its privacy policy is good, and they have recently moved their HQ to Switzerland so they are no longer under US law. All those organisations minimally log such data for a short period, but not IP addresses.

The downside of retaining just the getdnsapi.net server is robustness - it becomes a single point of failure for users that don't change their settings.

[morton-f]

Thank you for the useful link to the Comparison of policy and privacy statements page.
Just for the reference, the new addresses of Clouflare's Privacy
https://www.cloudflare.com/privacypolicy/ (section of interest Public DNS Resolver Users )
https://developers.cloudflare.com/1.1.1.1/privacy
https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver

[saradickinson]

@morton-f Thanks for the corrected links - I've updated the relevant pages on dnsprivacy.org!

[ArchangeGabriel]

Can we have the getdnsapi.net server to listen on port 443 as well then? Because currently only the sinodun ones do from the default list. I know they are other options (and I do use them), but a default server available on 443 would be nice too.

[saradickinson]

@ArchangeGabriel thanks for the comment, it is a good point.

[alexispm]

Four uncited no-USA DNS options that I believe deserve to be considered or at least mentioned in this thread.

LibreDNS. Non-profit collective, supported by donations and volunteering, with no interest in trading personal information.
https://libredns.gr/
116.202.176.26

OpenNIC DNS non-profit and volunteer network, with additionally alternative no-ICANN domains. At the moment the network is made up of just over twenty independent servers, three of which provide DoT.
https://servers.opennicproject.org/
ns29.de.dns.opennic.glue 194.36.144.87 2a03:4000:4d:c92:88c0:96ff:fec6:b9d
ns4.fi.dns.opennic.glue 95.217.229.211 2a01:4f9:4b:39ea::301
ns4.ru.dns.opennic.glue 144.24.181.253

Tenta. A service of the antivirus company Avast. It supports ICANN and also OpenNIC.
https://tenta.com/dns-setup-guides
99.192.182.200
99.192.182.201
OpenNIC:
99.192.182.100
99.192.182.101

NextDNS. Company 100% funded, owned and controlled by its founders. It is know for its customizable block lists.
https://nextdns.io/

[alexispm]

Additional uncited no-USA DNS server alternative that I believe deserve to be considered:
https://dns.sb/dot/

[saradickinson]

Closing this as update to resolvers made in 0.4.1 release