I've lost count of how often I wrote 8.8.8.8 and 1.1.1.1 somewhere. Cloudflare and Google (and Quad9) understood that you need to remove friction to get more users. I hardly remember 1.1.0.0 (or is it 1.1.1.0?), so I've never entered that somewhere.
*Don't make me think*
According to that rule, DNS4EU is dead in the water. It took me at least 5 clicks to see their fucking IP. And there are multiple, to choose from, oh dear lord, help me! The only thing I want to know is: which IP do I need to enter, so that I can try out their service.
Everyone else understood this. Look at Cloudflare: https://www.cloudflare.com/de-de/learning/dns/what-is-1.1.1.... the IP is RIGHT IN THE URL! I don't even need to visit their website.
But OK, I get it, I'll read their stuff. So the IP could be 84.56.11.11 I think. Could be wrong. I'm pretty sure, it is wrong, because my brain didn't bother to hold that information for 30 seconds. I have multiple working DNS IPs in my brain, the new one needs good reason to get storage space in my small, stupid brain.
I know, this is an extreme take to that matter. But when you build a product, you need to understand, that 99.9% of your potential users are apes, that are bored, stressed and angry at the same time. They don't care at all about all the stuff you care about. Give them, what they need to progress. After that, they will maybe care a little bit about your product.
Mildly unreasonable and I couldn’t agree more. This is like reading my inner monologue.
i don't know what you tried, but i found it by scrolling down and then a single click. then i went back and found that two clicks without scrolling would have done it.
you are right about the problem of hard to remember IP addresses, but i don't think it is that bad.
> They don't care at all about all the stuff you care about.
i don't understand this argument. users who don't care would not even bother to change the DNS. and those that do will change their settings once and be done with it. a memorable IP mainly benefits those that set up devices frequently.
As others have noted, my take is slightly unreasonable, but reflects the reality of them. To be a bit less "stressed, bored and angry ape"-ish, I still see the problem with IPs, that are not as rememberable as possible, and I also think the website should have one of their IPs front and center and reachable without scrolling.
DNS Servers are a strange product. It is very high stakes and very low stakes at the same time.
Without DNS nothing works anymore. Slow servers are a major pain. DNS is *the* single point of failure in our electronic lives. So everything is high stakes.
At the same time, DNS is boring as hell. Everyone can run their own DNS server in minutes, there are resolving DNS servers everywhere, you can choose whichever, they will all work like 99,999% the same. It mostly makes no difference, at all, which DNS server someone uses.
So if someone wants to break into that market, they need to be as convincing as possible. Why should I change? How much energy does it take to change? How likely is it, that this new service will be faulty, slow, or does things different, so my users and I are blocked and therefore angry? And if they are angry, can I tell them "oh, google messed up, the internet is broken, nothing I can do here, just wait a bit", or do I have to say "sorry for selecting an unreliable service, I will repair it for you (for free)".
Google DNS and Cloudflare captured the market with "we are the fastest, and biggest, you will never experience downtime or slowness". And they proved (mostly) that I can count on that.
Quad9's take is "we are fast, big, and we will fight for freedom". Maybe. I honestly forgot, because I can already choose from two others. I just know, that if 8.8.8.8 and 1.1.1.1 fails, I try 9.9.9.9, if that also fails, my network config is definitely fried.
In this space, it is ultra hard to create a new product. Remove friction, get more users. This is all, I wanted to say.
> DNS is boring as hell.
I beg your pardon.
DNS is extremely interesting because it is a distributed network that everyone depends on. DNS has security innovations with DNSSEC, DANE, TLSA. Granted, authoritative nameservers may be more interesting than resolvers, but resolvers have a lot to them, too.
> Everyone can run their own DNS server in minutes, there are resolving DNS servers everywhere, you can choose whichever, they will all work like 99,999% the same.
I ran my own resolver for a while and the latency was terrible. A lot of effort goes into getting good latency everywhere.
> It mostly makes no difference, at all, which DNS server someone uses
Yea it does. DNS is often the first place governments will apply censorship, since it’s easier than applying for a takedown when what they seek to censor is not illegal in the hosting country.
> > DNS is boring as hell.
> I beg your pardon.
you have to consider the audience. for you and me DNS is interesting. for my mother and anyone who just wants to browse websites it's boring.
"Security innovations" like DNSSEC were designed in the mid-1990s.
> I also think the website should have one of their IPs front and center and reachable without scrolling.
yes.
Amen brother.
> The official EU Public DNS Resolver is basic-level protection that everyone should have. It is important to note, however, that most organisations and individuals likely require enhanced protection.
I'm confused - what "enhanced protection" do most individuals require that they aren't providing?
It's a company selling this "enhanced protection". You need it, because otherwise, they wouldn't make money.
The whole thing looks like a PR stunt for an Infosec product. Just that they somehow convinced the EU to fund it.
They don’t seem to have reverse DNS set up correctly for the resolvers yet. Nor do the host names have AAAA records pointing to the IPv6 addresses.
Do you mean for the IPv4 addresses? Because have you ever seen the ip6.arpa ranges?
https://en.wikipedia.org/wiki/Reverse_DNS_lookup#IPv6_revers...
The funny thing is that they’re reusing the IPv4 octets, that look like decimal notation, but in the hexadecimal Interface ID:
2a13:1001::86:54:11:100
So only hilarity can ensue from misunderstanding that; but the reverse DNS may be achievable.
Not to mention the unfortunate association with IPv4 in the service name. When will DNS6EU be released? More to the point, “for” is a distinctly English word, so has “4” become an international chatspeak stand-in?
> Not to mention the unfortunate association with IPv4 in the service name.
I read it as "DNS for EU" not as a hint towards IPv4.
"4" as "for" is a decades-old naming convention. Remember log4j?
You already know log4j. Now it's time for the sequel: log6j!
On select cinemas in 2026.
(It's a horror movie, don't bring the kids.)
Neither the IPv4 addresses nor the IPv6 addresses have reverse lookup set up correctly, as far as I can tell. Both are eminently, and easily, achievable.
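Added example, not written by anyone in the thread: the reverse-lookup names the comments above are talking about, built from the IPv6 address quoted in the thread, plus what its "decimal-looking" hex groups actually encode. The function names, the dotted quad obtained by reading the groups as decimal, and the /64 prefix length are assumptions made for illustration, not values taken from the service's documentation.

```python
import ipaddress

# IPv6 resolver address as quoted in the thread.
RESOLVER_V6 = "2a13:1001::86:54:11:100"


def ptr_name(addr: str) -> str:
    """Owner name of the PTR record for an address, built by hand."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        # IPv4: octets in reverse order under in-addr.arpa.
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa"
    # IPv6: all 32 hex nibbles (zeros included) in reverse order under ip6.arpa.
    nibbles = ip.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def interface_id_groups(addr: str) -> list[str]:
    """The last four 16-bit groups (interface ID) as hex text without padding."""
    ip = ipaddress.IPv6Address(addr)
    return [format(int(g, 16), "x") for g in ip.exploded.split(":")[4:]]


def decimal_lookalike(addr: str) -> str:
    """Read the hex groups as if they were decimal octets (the mnemonic)."""
    groups = interface_id_groups(addr)
    if not all(g.isdigit() and int(g) <= 255 for g in groups):
        raise ValueError("interface ID does not read as a dotted quad")
    return ".".join(groups)


def actual_group_values(addr: str) -> list[int]:
    """What the same groups are worth as numbers: they are hexadecimal."""
    return [int(g, 16) for g in interface_id_groups(addr)]


def true_embedding(prefix: str, v4: str) -> str:
    """Address you get when the 32 IPv4 bits are really placed in the low bits."""
    net = ipaddress.IPv6Network(prefix)  # prefix length is an assumption
    low = int(ipaddress.IPv4Address(v4))
    return str(ipaddress.IPv6Address(int(net.network_address) | low))


if __name__ == "__main__":
    quad = decimal_lookalike(RESOLVER_V6)
    print("IPv6 PTR name :", ptr_name(RESOLVER_V6))
    print("reads like    :", quad)
    print("IPv4 PTR name :", ptr_name(quad))
    print("group values  :", actual_group_values(RESOLVER_V6))
    print("bit embedding :", true_embedding("2a13:1001::/64", quad))
```

The last group, written `100`, is worth 256 and could never be an IPv4 octet, so the resemblance is purely textual; a tool that embeds the IPv4 bits would produce a different address and a different ip6.arpa name.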
missed opportunity to shorten the IPv6 address.
My question is, will they block sites when some e.g. Greek or Spanish authority tells them to? One thing I appreciate about Cloudflare or Google's dns-over-https servers, on top of the encryption, is that they don't block sites like Anna's Archive, whereas my local ISP sometimes does.
> Legal Filtering
> We do not apply any type of legal filtering.
How does this compare to https://www.dns0.eu/ which I've been using for years?
dns4eu has some public eu money backing it, while dns0.eu has nextdns money backing it
Wow, I believe they are re-writing the "new" DNS RFC standards: https://www.joindns4.eu/for-public#resolver-options
Only one DNS server is necessary, the second is optional. Let's go for the spending review eheh :)
These are resolvers, not authoritative DNS servers.
In just one phrase: Whalebone, the main contractor, is neither listed in the world's top fastest and reliable secure DNS server in the world: https://www.dnsperf.com/#!dns-resolvers
I said everything... :)
I configured my pihole to use Quad9 (filtered, DNSSEC) as upstream DNS Server and it works like a charm.
Only problem I see is that it's a difficult to remember IP address. I know Cloudflare or Google DNS because they are extremely simple.
Why would you need to remember it once you’ve set it up?
The techy people who are the ones who are the target for something like this aren't just setting up their home internet once, they're setting up the internet for their friends and family when they visit, getting roped in to fix the internet for their in-laws when it breaks, etc.
so you don't have to look it up every time you need to change the DNS configuration.
Because, 18 months from now, you or your executrix wakes up with a hangover, and your Internet connection is down, and you or your executrix begin troubleshooting, and poking through the DNS configuration, your executrix scratches her head and exclaims “who in the world is 2a13:1001::86:54:11:100 and why did we ever add this in here?!”
And then you or your executrix reset it to 8.8.8.8 because that is distinctly memorable and unmistakable.
Also terrible domain name, hard to remember. The DuckDuckGo mistake basically.
$ sudo apt-get install unbound
(Seriously though, this service is the middle ground no one asked for. The technically literate runs their own resolver, like the example above, or has chosen one they trust. The technically illiterate doesn't know they want this and will never find this service.)
Eh, I think there's a reasonable middle ground, especially on mobile devices. It's an easy, one-time thing to set your "secure DNS" on Android, and I'm sure a small but non-trivial number of people are using Cloudflare or Quad9 or something for DoH.
CIRA, who run the .ca ccTLD, has a service available for Canadians:
If you're willing to set up your own DNS server (on a Pi or any (low-power) device), you don't need any forwarding DNS service. No Google DNS (8.8.8.8, 8.8.4.4) or OpenDNS (1.1.1.1). People sometimes tend to forget how DNS works.
If you set up your own DNS server without a forwarder, it just contacts the root servers and resolves domains through the regular DNS process.
A reason to use the DNS4EU service is if you want additional filtering that you may not be able to, or may not want to, realise with Pi-hole.
In my experience, recursive nameservers tend to be a bit slower than using cloud nameservers. Google and Cloudflare have most domains cached, so their responses are faster, especially for domains with authoritative DNS servers on the other side of the world.
Another advantage is that cloud servers can be contacted over ODoH, which encrypts the lookups and protects the privacy of the user (which isn't the case for normal DoH either).
1.1.1.1 is Cloudflare, not OpenDNS. Also, you need to use something like unbound as recursive DNS, because for most people using Pi-hole or AdGuard Home these are forwarding DNS and still need an upstream. But I agree with you, I run unbound + AdGuard Home and don't need anything. I put 9.9.9.9 as fallback, however, because I don't have replication of the setup yet.
well, the other reason is to avoid exposing your home IP to the DNS servers of the world.
using e.g. 8.8.8.8 means Google and your ISP can log your dns queries and tie them to your IP, running your own recursor means every DNS server you touch knows you personally looked them up.
it's important to decide your threat model.
The "Download the Threat Intelligence White Paper" 404s.
> The "Download the Threat Intelligence White Paper" 404s.
No?
https://eu1.hubs.ly/H0kGDRY0 should resolve to https://app-eu1.hubspotdocuments.com/documents/142290803/vie...
I am not sure how moving trust from one centralized service to another will make an individual "protected".
That said, current initiatives from the EU are based on a "Look, others are evil, we are not" narrative.
Checking the website first thing I notice there are trackers embedded in the website already: 1. Google Tag Manager 2. Hubspot
Seems legit.
too many words and no IPs -_-
Why can't I have "adblock" without "protective"? I want torrents and anna's archive but I don't want advertising!
There's nothing here suggesting that 'protective' will block torrent sites or similar - AFAICT it's exclusively for recognized malicious/phishing/etc sites, like Google's safe browsing list. It specifically says below "We do not apply any type of legal filtering".
[ad filtering] Accesses are resolved with the IP address 0.0.0.0
I remember the days I was running a Pi-hole at home, and after having no web server running on my desktop machine, I started an Apache web server, and there was a surprise in store for me, as suddenly 0.0.0.0:80 was responding to HTTP GET...!
Any modern public dns needs to support DoH these days, and the setup instructions should be directing users to set it up that way.
ISPs can and do sniff and block and rewrite unencrypted dns requests and responses.
Sigh.
1. Looks like the cost of this project so far is already ~€1M. Does it really take you a million Euros to set up a DNS server?
(Just did a quick research in the EU's financial transparency system [1], I entered "dns4eu" in the subject field. €3m budgeted, €1M used already, most of it going to a company named "Whalebone sro" (?))
2. Why does every EU-funded software project have such a terrible website? As a visitor, you get the impression that the designers took great care to obfuscate the actual product as much as possible, while throwing in random text blurbs, useless buttons and boxes.
Stuff like:
> Looking for a fast, secure, and privacy-focused way to browse the internet? You're in the right place.
Yeah, sure.. just give me the product?
Reading on..
> Learn everything you need to know about DNS4EU Public Service – including where it's located, how to easily set it up on your device, and what configuration options are available to best suit your needs.
Yeah, sure.. just give me the product?
Compare this with the UI of Cloudflare's 1.1.1.1 [2] which gives visitors exactly what they need. It's awesome.
---
It's hard not to be cynical about EU projects, this one included. I've had the questionable pleasure of diving deep into EU software projects and their funding when analyzing and rebuilding [3] the EU medical device database [4], a simple database with ~500k entries (~10GB on disk), which has burned €45M (!) so far and employs a team of ~50 people. Link to website with budget tracker [5].
[1] https://ec.europa.eu/budget/financial-transparency-system/an...
[3] https://openregulatory.com/articles/beudamed-better-eudamed
> 1. Does it really take you a million Euros to set up a DNS server?
Maybe ask Cloudflare how much 1.1.1.1 costs them?
> 2. you get the impression that the designers took great care to obfuscate the actual product as much as possible
I don't see that being limited to "EU-funded software project". It seems like nobody has a clue how to make landing pages anymore.
That said: https://www.joindns4.eu/about
first Q, first sentence of A:
> What is DNS4EU?
> DNS4EU is an initiative by the European Commission that aims to offer an alternative to the public DNS resolvers currently dominating the market.
Does this service have the same user count as 1.1.1.1? If not then why should this be relevant?
I don't know the finer details of this project that's being launched, but if I'm setting up a global DNS server, I want to make sure it stays up all the time, it's kind of the point.
It's not a project that "We will scale when we reach our limit". So I imagine there's a significant initial payment.
I never said that 1M EUR is too much. And yeh you are right, you want a global DNS server to be global.
Nonetheless, Cloudflare has more POPs for their DNS server than this project and a lot more traffic, as this project just starts.
So i think that the comparison is not useful at all.
A better question is why they did not take more money and build an alternative to the root servers on top of it, or a super low cost registrar (for self cost like CF).
I would absolutely love to see more from this project and less of bad comparisons that are knee jerk comparisons.
The comparison I made was in response to:
> Does it really take you a million Euros to set up a DNS server?
The subtext of the above being that it "obviously" shouldn't cost 1M to slap BIND on a spare beige box in a closet.
The subtext in mine was to put the scale context back in, not really comparing this project to Cloudflare who has more POP but also does a lot of other things (and so providing the DNS part for free is really a rounding error in their biz bottom line and they probably couldn't really tell how much it would actually cost).
But then again the QA invites the comparison, they clearly position as challengers to 1.1.1.1/8.8.8.8/9.9.9.9
I didn't mean it to be knee jerk at all, sorry if it came across so.
Not yet obviously, they just started. 1.1.1.1 started with 0 users too.
> Does this service have the same user count as (Google DNS)? If not then why should this be relevant?
Service offered by an American company: cool and important
Service offered by literally anyone else: "why is this relevant!?!?"
I did not write this? i think this project is cool.
My point is that the cost of a well established DNS server that has POPs everywhere and maybe billions of users, is not comparable to a new project.
Or in other words, i think the comparison is not useful.
Four devs and/or sysadmins: €400k
Add management and other overhead: €100k
Overhead from "international consortium of members from 10 EU countries": €500k
I'm just making up numbers here, but this is roughly how it usually works. A lot of these EU projects are huge "design by committee" efforts, with all the associated downsides.
It's not really a "EU thing though", but more of a "government thing". Or perhaps more accurately: "private companies doing work for government" thing. Defence contractors in the US are notorious for having their snout in the trough. How much was spent on that UK Post Office accounting system? A billion pounds IIRC? And that "contact tracing" COVID app that didn't even work was a few dozen million quid IIRC. There is an endless list of examples from many countries.
> but more of a "government thing".
slight improvement: "more of a not government thing". Neo-liberal dogma tells us that `public services == bad`, government should hand out contracts to commercial sector, aka "small government".
Commercial sector gets dependent on government, and takes on politics as part of the business. You end up with State Capture. That means that the "real world" government is shifted outside public control.
> Defence contractors in the US
are something else entirely. keyword: political economy
Yeah, 100% agreed!
I agree 100% with everything you've said, and I'm from the EU. EU companies are burning and pocketing as much money as they can for themselves while delivering sub-par software.
I found the flow quite intuitive.
1. Open website
2. Click "Explore Options".
3. I see five options depending on if I want filter/ad-blocking/child protection. Each with a plus-button.
4. Click a plus-button and it shows what to use for IPv4, IPv6, HTTPs, and TLS.
I don't think it is perfect (step 2 feels unnecessary) but it is one of the good websites in my opinion.
Compare this with Cloudflare:
1. Open website
2. See the IP 1.1.1.1. Copy.
Done.
I do get your point - and, sure, the EU website is not catastrophically terrible. But, damn, if I'm looking for a DNS, I just want the IP, I don't want five options and the mental overhead of having to determine why the hell I now am faced with five options for a DNS, which one I should choose, how they differ, etc., etc.. Add all of the IPv4/6 stuff on top of that, and.. oh man, I feel like you've lost 90%+ of interested people already.
I agree that the DNS4EU website is not designed very well, but CF's isn't any better - sure it shows the IP up front, but immediately below is the incredibly non-descriptive tagline of "The free app that makes your Internet safer." and download links for some kind of unrelated software (looks like a proxy? CF says it helps me "Connect to the Internet faster and in a more secure way.", and that "The Cloudflare WARP client blah blah faster, more secure, and more private experience online blah blah The WARP client sits between your device and the Internet, blah blah"). I'm just looking for DNS configuration instructions, why are they asking me to download software.
From the page:
> The DNS4EU Public Service is operated by the Czech cybersecurity company Whalebone.
Given the OP just complained about reading 3 lines it's safe to assume they didn't get that far.
I am in for better public documentation about the various software initiatives the EU supports in general. The reporting seems to follow the internal governments process and structure in form, rather than having some external user in mind.
The EU funds various highly useful, difficult projects across the globe. They make use of lean foundations who are highly knowledgeable in their area of expertise with a focus on delivering improvements for the public. The EU supports even non-EU citizens open source innovations, for example projects with a focus on novel p2p techniques, open hardware etc.
I have a problem with the general "omg public good, money waste" learned response from some other commenters. Neo-liberal dogmas are just that, and they end up convincing the public to give consent to State capture. To me the more interesting critique would have been why DNS is not considered public infrastructure, instead of leaving that to commercial control only.
> Does it really take you a million Euros to set up a DNS server?
Why are you acting as if the scope of this project is dumping bind on a server somewhere? They are operating filters and threat detection. The scope is obviously wider than just “setting up a DNS server”.
> as any critique of the EU seems to be met with universal outrage.
Absolutely not, in fact as an EU citizen, I am the first to call out issues and complain about things getting changed. That's why there are nicer privacy protections for example in the EU.
That said, the comment doesn't really apply to "only EU".
> a simple database with ~500k entries (~10GB on disk), which has burned €45M (!) so far and employs a team of ~50 people
"Burned €45M" with zero citation, or even where the funding goes to. There are a lot of regulations around medical databases, and for good reason.
Tell me outside the EU doesn't have overblown budgets also?
Citation #1:
Navigate to https://ec.europa.eu/budget/financial-transparency-system/an...
1. Enter "subject of grant or contract" = "eudamed" [enter]
2. Receive the numbers until 2022 inclusive (2023 is incomplete).
3. Extrapolate conservatively.
Citation #2:
We received documents as part of a "freedom of information act" request (the EU version, named differently) which we published here. Those include numbers for 2022 and the head count, among other things.
> You throw your computer out of the window, quit your regulatory job and vote "Yes" on Brexit.
Talk about throwing the baby out with the bathwater.
> Okay okay, yes, this is a bit of an apples-to-oranges comparison: The EUDAMED team had to spend time on the upfront work modelling the data structures (not that the end result is super great), and they also had to build the whole "entering data" kind of stuff which our solution doesn't have. Sure, the EUDAMED team had more work. But 300x more work?
This is something we hear all too often and it never passes the smell test.
"Well you finished that feature in 1 day so I can give you 5 features for this week"
It's not the same.
I agree it could be better, but there are graph databases with the data that work extremely well for my requests anyway. But sure, you offer a right click solution. Great, but I "imagine" it doesn't fit everyone's requirements.
Let alone any legacy integrations that might already be there.
Yes, it is good to have a state-sponsored and controlled DNS service, because the state is my friend and has my best interests at heart.
If you're a criminal, a person with something to hide, or a loathsome anarchist you should go away and use unofficial and unapproved software like a local instance of unbound or https://www.dnscrypt.org/
Neither does big business, so you have to take your chances anyway (or make the extra effort to do it yourself, which just isn't worth it for many).
It's not state-controlled.