The EU wants to stop feeding your DNS queries to Silicon Valley.

DNS4EU is the European Commission’s attempt to build a sovereign DNS resolver infrastructure that doesn’t route all your web lookups through the likes of Google or Cloudflare.

DNS4EU aims to bring DNS resolution under EU oversight and privacy rules.

So, if you want 🇪🇺-backed ad-blocking and child protection, you may want to give it a try.

Check out DNS4EU here: https://www.joindns4.eu/for-public

@gcluley This sounds like a great idea. But I can't help thinking that this will eventually be used for censorship.

@whynothugo @gcluley

Will this service allow sites and political parties that challenge EU homogeneity?

That would be the test case.

@Walker @whynothugo @gcluley the current President of the European Commission tried to censor websites before by implementing "stop signs" aka returning false DNS responses. "To stop child abuse".

It'll be a cold day in hell when I switch my DNS resolvers to this bullshit.

@whynothugo @gcluley
Hugo,

Security depends on trust. If you do not trust a service, choose another one or do it yourself (like a pihole router).
But in the latter case, you're on your own if something goes wrong.

Privacy and security have a strange relationship. Sometimes they are friends (no privacy without safety, so security with privacy). Sometimes they oppose each other.

That's the nature of the beast. There is no easy answer to this.

@kristoff @whynothugo @gcluley

and where does your pihole get its dns data from?

@expertenkommision_cyberunfall @whynothugo @gcluley Yes,
Very valid point. 👍

(I guess you mean the blocklists)

@kristoff @whynothugo @gcluley

Both. Blocklists and DNS.
Are root-DNS reliable?

@expertenkommision_cyberunfall @whynothugo @gcluley Of course not.
That is the basic idea of the internet: it's a network of networks.

The only way you can be 100 % sure is by doing everything yourself.
But then you do not have an 'internet' anymore.

But, doing so does help you to appreciate how much work goes into actually making the internet work. 😀
(something 99.99% of the users just take for granted)

@whynothugo @gcluley What makes you think Google doesn't already use theirs for censorship? The original idea of DNS was to be a distributed system, without a central entity. While that is still theoretically true, most people & organizations default to Google, giving them unnecessary power. So any alternative should be most welcome. There are many privacy respecting, secure DNS resolvers, but that is a relative niche. The EU pushing this should make it more available to the everyday person, too

@gcluley Trying it now. Looks like a service similar to quad-9 -which is located in Switzerland-.

What I find strange is that the IP-addresses of this service are PA addresses, i.e. allocated to one single company (Whalebone in CZ). So this service is 100 % dependent on that company.

I would expect such a service to use PI-addresses so -if needed- they can switch to another backbone provider or -simply- become multi-homed.

@kristoff @gcluley There is a lot wrong there. Only the IPs ending in .0 to .7 are actually properly "assigned". To a different company in UK, and "ADSL" according to the WHOIS entry.

The rest is, as you correctly said, only "allocated" to the LIR Whalebone. They are in violation of RIPE rules to use those IPs without properly assigning them.

And yes, it should be PI + Anycast imho to make sense.

@ripencc What's your take on what is going on here? Looks like the LIR begs for auditing.
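
The distinction drawn in the posts above, between addresses covered by an "assigned" inetnum object and addresses covered only by the LIR's allocation, can be checked mechanically. This is an added example, not part of the thread: the WHOIS text is constructed and uses a documentation range, and the netnames are hypothetical.

```python
import ipaddress

# Constructed RPSL objects (documentation range, not real RIPE data).
SAMPLE_WHOIS = """\
inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-LIR-ALLOC
status:         ALLOCATED PA

inetnum:        192.0.2.0 - 192.0.2.7
netname:        EXAMPLE-ADSL-CUSTOMER
status:         ASSIGNED PA
"""

def parse_inetnums(text):
    """Split RPSL text into objects; return (first, last, netname, status) tuples."""
    records = []
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            if ":" not in line or line.startswith(("%", "#")):
                continue  # skip comments and malformed lines
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip().lower(), value.strip())
        if "inetnum" not in attrs:
            continue
        first, _, last = attrs["inetnum"].partition("-")
        records.append((
            ipaddress.IPv4Address(first.strip()),
            ipaddress.IPv4Address(last.strip()),
            attrs.get("netname", ""),
            attrs.get("status", "").upper(),
        ))
    return records

def classify(ip, records):
    """Return (netname, status, verdict) for the most specific inetnum covering ip."""
    addr = ipaddress.IPv4Address(ip)
    covering = [r for r in records if r[0] <= addr <= r[1]]
    if not covering:
        return (None, None, "no covering inetnum")
    # The smallest covering range is the most specific registration.
    _, _, netname, status = min(covering, key=lambda r: int(r[1]) - int(r[0]))
    if status.startswith("ASSIGNED"):
        verdict = "assigned"
    elif status.startswith("ALLOCATED"):
        verdict = "allocated only, no assignment object"
    else:
        verdict = "other status"
    return (netname, status, verdict)
```

Feeding it the objects returned by a WHOIS lookup for a resolver address shows whether the most specific registration is an assignment (PA or PI) or just the LIR's allocation.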

@julijane @gcluley @ripencc Hi Jane,

The inetnum record that points to the ADSL users in the UK dates from 2006, I guess just a record that was not cleaned up. The inetnum-record for 86.54.11.0/24 does point to CZ-WHALEBONEDNS-20050512
(so actually older than MISTRAL records)

Sloppy RIPE management by Whalebone or the previous users of these addresses. Shouldn't happen but not that uncommon. Not the end of the world.

But not a good start for such a high-profile service. That is true! 🙂

@kristoff @gcluley @ripencc

Sure, it is not uncommon. But as you pointed out, is not good that this is PA space, allocated to this very LIR. Considering that this is likely the only /24 PA this LIR will ever get, it seems unlikely that this service will ever be Anycast, as they likely want to use the remaining IPs for themselves. But it absolutely should be Anycast, with a dedicated /24 PI and backed by a multitude of EU ISPs. And what we see so far does not induce confidence in this at all.

@kristoff @gcluley So I guess my point is, that while the lack of following proper RIPE procedures is only a lesser issue, it all adds to the bad impression here.

Now would be the time to lay proper groundwork, not later. This here feels like dead on arrival and a waste. Good idea, but bad execution.

@julijane @gcluley I completely agree,

Just plain bad project management.
This is a project of a consortium of multiple NICs, government agencies and a university. The fact that nobody seems to have done a proper technical audit is to say the least "very strange".

This project lead should have been a NIC with the backbone provider as junior partner, not the other way around. I hope they can still get their act together and correct this.

Just imagine Whalebone gets bought by Google, then what?

@kristoff @julijane @gcluley i miss IPv6 (this is 26 years old ...)

@gcluley shame about the dreadful generative AI image use.

@gcluley I've been using CIRA's Canadian Shield for years now. 🇨🇦

@gcluley

DNS4EU Public Service is dedicated to the citizens of the European Union.

Yay for Brexit! 🤦🏼‍♂️

@kev

Too true. 😟

For the rest of us, as you already know, there's Quad9, which also supports requests over HTTPS and TLS. I've used it for years. It's good.

https://quad9.net/

@gcluley

@kev @gcluley "Although primarily intended for users within the European Union due to our infrastructure's geographic distribution, we impose no restrictions on users from other locations."

From the FAQ.

@gcluley

Another alternative: https://www.dns0.eu/

It's the one I've been using for a while now; very similar projects from what I can tell.

@secbox @gcluley DNS wants to be decentralized, not centralized for any geopolitical power
@gcluley
Not an expert, how does this compare to something like https://nextdns.io/ ?

@gcluley I'm currently using NextDNS with logs in Switzerland. It also has block lists to filter ads and trackers.

NextDNS also offers dns0.eu which is a purely EU DNS resolver, but has no filtering at all which is a bit of a shame.

@gcluley In addition to this; there's DNS Zero a European (French in this case) DNS network that provides some protections as well as being relatively quick and reliable.

There's also Mullvad DNS from the VPN provider in Sweden.

@gcluley I appreciate the effort to remove as much stuff from US control as possible and I would be quite happy having none of my traffic sent to the US or its companies

My concern here is given the ongoing surveillance efforts in the EU, how is this preferable to using an independent, privacy focused, European based provider like Quad9 or Mullvad public DNS?

@gcluley
Child protection? That's usually a synonym for censorship.

As DNS is simply a mapping between names and IP addresses, nothing related to children, you can strike the word "usually" from the above.

@gcluley I was with you until you said "child protection", code for "censorship of information children need to survive an abusive world". 🤬

@dalias
Do young children need the porn, violence and drugs sites made available to them?
@gcluley

@rochelimit @gcluley Seriously are we going to rehash this naive bs?

@dalias
This isn't a system for the EU to restrict information from older teens, but a way for parents to allow internet use for children without letting them be overwhelmed by all the adult shit that dominates the web. If you want your kids to see that shit, then feel free - no one will stop you.
@gcluley

@rochelimit @gcluley Aka a way for abusive right-wing parents to keep their kids from accessing information about LGBTQ identities, changes their bodies are undergoing, birth control, abortion, consent, how to say no, how to deal with social threats like bullying and peer pressure, etc.

Oddly none of these mechanisms for "protecting children" keep them from being exposed to the nazi recruitment pipeline.. 🤔

@dalias
Nazi recruitment and other harmful content needs filtering, sexuality stuff needs to be available - I haven't looked at the filtering here to see which way they swing. But as it is EU promoted, and EU is generally pro LGBTQ and anti Nazi, the filters might be decent? (I'm happy to accept the alternative if that's how they turn out, but I'm not prejudging it)
@gcluley
@rochelimit @gcluley Spoiler: they're never decent. The nazi recruitment takes place in mainstream platforms that are "too big to block". The critical information that right-wing parents deem controversial gets deplatformed from those "too big to block" platforms and is on small sites that easily get blocked.
@dalias @rochelimit @gcluley Also made me check and even notorious ones like Kiwifarms aren't blocked on their protective resolvers, so I wouldn't rely on them for appropriate blocks.
@dalias @gcluley @rochelimit And personally I think I'd rather see something in the style of the pi-hole so parents can manage what their kids have access to, specially as quite a lot of things can end up being age-dependent either for their content or the interactions.

@dalias
You may be right. ☹️

I spent many years showing teens in my school how to use ssh tunnels and proxies, ostensibly for the CS courses I ran. Management didn't like it, even when every kid carried two 4g/5g phones with them - one to hand over and one to bypass the crappy bought in (American) filter system.
I live in hope, though, however foolish I seem, that one day someone manages to do stuff right.
@gcluley

@dalias
Unfortunately, Nazis are getting plenty of votes nowadays, around 20% even in otherwise sensible™ countries. It's very hard to have political parties blocked, unless it is Germany categorising the AfD as dangerous far right. We need more of that.
@gcluley

@rochelimit @dalias @gcluley

this is your irregular reminder that conservatives will always categorise 2SLGBTQIA+ materials as 'adult material', claiming that we are 'groomers', 'sexual predators', and the like. they will also categorise sex education materials as such, too.

you cannot trust anyone who claims to be 'thinking of the children'.

@rochelimit @dalias @gcluley that's an extremely shit take.

What actually ends up blocked is the same stuff that is being ripped off library shelves in the US and other oppressive countries. That is resources for queer and queer-adjacent youth, educational materials that help teens address sexuality and sexual health in age-appropriate ways, resources that address surviving racist ideologies, etc.

@rochelimit @dalias @gcluley the hell are you talking about?
@anelki
Did you read the post I was responding to? It might not have synced to your server. I was responding to the idea that restricting harmful content for young children was some sort of awful censorship.
@dalias @gcluley
@rochelimit @dalias @gcluley i'm an admin on your server. it's a shitty argument used by fascists primarily to demonize LGBTQ people as @el noted.

@anelki @rochelimit @dalias @gcluley I'm also an admin of your server. And also in the queer community. We are telling you what the actual consequences of these things are and hoping you'll understand, because you seem otherwise ok.

The sales pitches for content control measures often manufacture the choice as being between "babies watching violent drug porn" and "basic civil liberties and access to necessary education that won't be available elsewhere". There's more to it than that, and "child protection" is their manipulative name for it. People buying into "but what about the children?!" is literally one of the reasons why we are all having to fight back creeping repressive authoritarianism, and I know you're not a fan of that :)

@anelki
Thanks, I appreciate that explanation. But as an anti-fascist pro-lgbtq person, do I have to accept that parents cannot let young children have access to the internet unless they are happy for them to stumble across violence, porn and indeed violent porn? I'm talking about for example five-year-olds playing games - ofc parents need to supervise them themselves, but some need opt-in tools like these to help them.

The level of censorship may be too strong for comfort in this EU case, I haven't investigated, and of course censorship has been used to suppress LGBTQ and other minorities, but it is context sensitive. Not all censorship is harmful, and not all internet material is beneficial. A balance is needed, and opt-in tooling seems on the face of it to be reasonable to me.
@dalias @gcluley @el

@rochelimit @anelki @gcluley @el Your fears are about something that *does not happen*. The narratives that they do ("Elsagate"? lol) are manufactured bs from the usual anti-LGBTQ lobbyist bad actors. Young children do not "stumble across" violent porn. If you want that shit you have to actually do some significant work seeking it out. Same principle as "drugs in the halloween candy".
@dalias
I've worked with school children that have done exactly that - a shared link from another kid, and then lots of boys end up expecting violent sex with their girlfriends. I really don't know of a solution that is safe for everyone, and I do know that what you say is absolutely true. But how to balance the risks? I really do not know, but I see big risks whatever is decided.
Thanks for taking the time to respond - I appreciate the civility with such a fraught topic. My first post was rather abrupt and unthoughtful.
@anelki @gcluley @el
@rochelimit @anelki @gcluley @el Those are not "young children". And you solve that problem with comprehensive age-appropriate sex ed starting from an early age, so they know how cringe that stuff (and the people sharing it) are when they first see it, rather than it being their introduction to the idea of sex.
@dalias
Agreed. That, unfortunately, is politically very difficult. Sex ed in the UK can be excellent, but too often parents object, encouraged by populist politicians and activists. And unfortunately here parents can opt their kids out of it.
@anelki @gcluley @el

@rochelimit @anelki @gcluley @el A big practical part of the solution, short of getting rid of bigots, is deframing as much as possible of the material from being "sex ed".

For example, a lot of it can be framed as interpersonal dynamics, standing up for yourself and others, personal space, respecting and demanding respect from others, etc.

Unfortunately even these things are difficult/controversial in a culture that's traditionally celebrated bullying, abuse, and subjugation of children.

@dalias
Yup. That sort of framing is quite common in the UK/EU, since schools are largely child centred, albeit within the constraints of local politics. Still, schools here do still operate as sausage factories, with too little space for individualism.
@anelki @gcluley @el

@rochelimit @dalias @anelki @gcluley

I'm going to make a far reach of a point here; that kind of parenting, schooling, and community-wide erosion of agency in children indoctrinates them, their families, and their communities towards compliance with the mechanics of authoritarian governance.

Just look at the echoes of that same infantilization in the treatment the regime here in the US is giving to California while all the reactionary red state governments are cheering it on; the citizens and residents of the state are trying to maintain their boundary (Sanctuary City status of L.A.) the regime are circumventing the state's right to decide consent (legally the fed has to wait for the governor's permission) "for their own good" and have sent in two types of fatigued military (yes, the cops are their own kind of military but we're ignoring that for the point of this analogy). Meanwhile, the state got sent to bed without dinner recently (FEMA Aid for wildfires withheld out of spite) because it is not compliant enough.

@dalias @rochelimit @gcluley @el yeah i grew up in oklahoma and went to catholic schools where "sex ed" was an hour in 6th grade (age 11) and then worked in a public library where parents would police their children's very mild reading choices.
@anelki
Eugh! Ours currently runs at an hour a fortnight, typically, and although other stuff gets mixed in like social end stuff and finances, they routinely cover how to obtain and use contraceptives and LGBTQ issues. Schools are often good with trans issues (the other kids can be horrible though, and too many teachers turn a blind eye) and child protection is a BIG thing.
@dalias @gcluley @el

@rochelimit @anelki @gcluley @el Then, instead of "ooooh this is the secret of SEX they won't tell us about!" the first time kids see this shit it's:

"Wow, what a loser. He's not even trying to enjoy it just being an abusive jerk. Kinda like that kid who tried to bully my friends because his parents were right-wing shits who taught him to behave like that."

@dalias @el @gcluley @anelki @rochelimit It's fine to like weird things that are not practical in reality and for which consent cannot be sanely obtained.

It is *not* fine to attempt to apply it in reality. That is the issue those "boys" had. A considerable part of it is a lack of education on consent and reality vs fiction.
@lispi314
Unfortunately, many teen boys in the UK, possibly most, watch Andrew Tate or other 'manosphere' channels, so consent education has less cut through.
@rochelimit Gross, one would hope they'd have more self-respect than to watch that garbage.