[HN Gopher] Quad9 public DNS moves to Switzerland
___________________________________________________________________
Quad9 public DNS moves to Switzerland
Author : chronogram
Score : 161 points
Date : 2021-02-17 11:54 UTC (9 hours ago)
(HTM) web link (www.quad9.net)
(TXT) w3m dump (www.quad9.net)
| pupdogg wrote:
| Boy, I love their website. It's so fast and snappy when it comes
| to browsing. A hard to find gem nowadays since most sites are
| infected with trackers and third-party ad engines.
| [deleted]
| teloli wrote:
| The point is not if Switzerland is better than the US or Saudi
| Arabia. What is crucial is sovereignty: giving away all EU dns
| requests to the US by using google public dns or cloudflare is a
| huge loss of sovereignty for EU countries. The American
| government would never accept, say, if Chrome were to send
| American DNS queries to a non-US entity by default. EU countries
| shouldn't accept that either.
| albertgoeswoof wrote:
| Switzerland isn't in the EU
| teloli wrote:
| When it comes to geopolitical spheres of influence, which is
| what digital sovereignty is about, it doesn't matter.
| Switzerland is part of Schengen, the European single market,
| the EFTA, ... It's Europe.
| mellamoyo wrote:
| Quad9, like most global DNS providers, uses anycast to provide
| redundancy and low latency. My connection to them still
| terminates in Chicago. If my DNS queries are answered in the US,
| surely they are under some type of US Gov authority and
| regulation?
|
| I think I agree with others, seems like a publicity stunt with
| very little real-world impact.
| middleclick wrote:
| Has the case for Switzerland's strong privacy laws been
| established and more importantly, has it been tested?
| throwaway9d0291 wrote:
| I'm not sure what you're asking for specifically. The Swiss
| data protection act is here [0] and is reasonably
| comprehensive, especially compared to the US, in which data
| protection is essentially nonexistent.
|
| As for it being tested, I can assure you that it's taken very
| seriously. One ruling that demonstrates that is [1], in which
| Switzerland's highest court ruled that an individual's right to
| privacy has higher precedence than a copyright-owner's right to
| police copyright infringement.
|
| There's also a constitutional right to privacy [2], though the
| Swiss constitution is a little different to the American one.
|
| One notable and enormous hole in Switzerland's record however
| is the BUPF [3], which, as I understand it, requires ISPs to
| log DNS requests, among other things. That shouldn't be
| relevant here though, so long as Quad9 doesn't become a
| telecommunications provider.
|
| [0]: https://www.fedlex.admin.ch/eli/cc/1993/1945_1945_1945/en
|
| [1]: https://www.swissinfo.ch/eng/privacy-triumphs-in-internet-
| pi...
|
| [2]: https://www.fedlex.admin.ch/eli/cc/1999/404/en#art_13
|
| [3]: https://www.fedlex.admin.ch/eli/cc/2018/31/en
| post-factum wrote:
| Looking at https://dnscrypt.info/public-servers, why doesn't
| Quad9 have both DNSSEC and nofilter at the same time?
| chronogram wrote:
| 9.9.9.9 is supposed to have a filter against malware, phishing
| and exploit websites. That's supposed to be its unique selling
| point.
| post-factum wrote:
| I understand that, but similarly to cloudflare/nextdns they
| could just provide unfiltered anycast service (with DNSSEC).
| tumblewit wrote:
| I made an open source DoT/DoH app for iOS called PrivateDNS (more
| lists and turning off on wifi coming soon just submitted for
| review) that includes Quad9. However from India I get very high
| latencies accessing some of the DNS (needed for testing my app)
| especially the adblocking one. NextDNS is good since it has local
| servers. But otherwise pretty much Google and Cloudflare is the
| only option that works well with Cloudflare sometimes flaky. At
| home I can have PiHole + unbound but I would like to have a
| decent fast adblocking dns while on mobile data (whenever I am
| outside anyway these days) because wireguard is really high
| latency for me and my home internet is worse than mobile
| sometimes.
| jedisct1 wrote:
| There are some other encrypted DNS servers in India, at least
| arapurayil in Mumbai and arvin in Bangalore.
|
| https://dnscrypt.info/map
| tumblewit wrote:
| Thanks, I'll be adding more to the app and look into some local
| ones possibly add region specific tabs for those interested
| in using something local for better performance. I just added
| popular ones to avoid any controversy (not that these DNS
| aren't without controversy but at least I am not the complete
| blame). I am looking for adblocking and tracking prevention
| DNS actually like NextDNS but free and fast. Adguard seems to
| be the only one globally with the same IPs (since it's
| hardcoded).
| gzer0 wrote:
| Have you considered creating a wireguard tunnel to your home
| network?
| tumblewit wrote:
| When I'm on mobile data I can barely get it to send iMessage.
| I have a Pi4 right now on which I plan to install it (DietPi
| seems to have really easy setup for WireGuard since I had
| trouble on the raspios aarch64 lite image, I think headers
| were missing) but for now NextDNS seems to be okay. NextDNS
| has their own app for iOS but I sometimes have trouble on
| that too so I just switch DNS and see what works best. The
| ISP DNS are definitely worse than anything.
| adamdoran wrote:
| You need to install linux-headers-rpi to build wireguard on
| Raspberry Pi OS - should be good then.
| tumblewit wrote:
| Yes actually I tried it last when the raspios 64 beta was
| just released and didn't have an SSD for the pi (SD cards
| are really slow). I plan on adding another pi for
| building and one for DNS so that if the Pi is compiling
| it won't slow down any DNS queries (which it shouldn't
| but you never know).
| willis936 wrote:
| pivpn makes wireguard very easy to set up.
| tumblewit wrote:
| I found dietpi to offer a very friendly home server
| setup. RaspiOS is of course great if you want to do
| things manually but dietpi seems to have taken
| r/homeserver crowd very seriously.
| willis936 wrote:
| I'm sure, but for anyone reading these comments thinking
| that they still need to compile the linux kernel to run
| wireguard on any debian distro: they don't. For 32-bit,
| at least. I have not tried 64-bit yet. I'm letting that
| one marinate.
| Terretta wrote:
| What about AdGuard's performance in your area? They seem to
| have DNS profiles similar to Quad9 but that also include ad and
| tracker blocking:
|
| https://kb.adguard.com/en/dns/setup-guide
|
| They're Russian if that matters to you one way or the other:
| https://adguard.com/en/our-partners.html
| tumblewit wrote:
| My next update will get Adguard, Cleanbrowsing with all types
| of filters that they offer and both DoT and DoH (assuming
| apple is okay with it). It's not too bad when it comes to
| latency but they don't have servers here so anything that is
| outside the country won't be fun to use. But if anyone is
| using them in the country they have servers in it would be
| great to know how they work. Using root servers with pihole
| is usually best of both worlds when it comes to latency and
| privacy.
|
| Edit: I made the app because I wanted a simple 30 second
| solution for anyone to improve their privacy without any VPN
| profiles and using a fast DNS. I tried a few free apps on the
| App Store but they didn't work well or were not updated in
| months. So I decided I'll make one.
| nitrohorse wrote:
| Nice app! I created configuration profiles for convenience
| at https://encrypted-dns.party but an app with providers
| pre-configured is way more convenient. Some smaller
| providers that come to mind for ad-blocking: Adhole,
| AhaDNS, BlahDNS, LibreDNS, and Usable Privacy DNS.
| tumblewit wrote:
| Thank you. I have put these in a list I'm creating to add
| to the app. I only recently learned to make iOS apps and
| SwiftUI is rather still new. Rather I wanted to learn how
| to make apps so I thought might as well make something
| people can use. I plan on making it much better UI wise
| along with region-specific DNS lists or some method of
| sorting them.
| adamcstephens wrote:
| I get significantly higher latency with quad9 here in the US
| too, compared to Google or Cloudflare.
| tumblewit wrote:
| Personally I have found Google to work well almost always.
| The reason I like DNS on iPhone itself is because assuming
| the iPhone is super optimised for handling https traffic and
| also an extremely fast device, not to mention a very stable
| software platform compared to the terrible home networking
| gear people own that has some outdated linux firmware that
| can be buggy at DNS resolution. For most on HN it's probably
| not the case but I've seen too many people use old hardware
| for a basic home internet setup and I'm hoping using on
| device DNS can greatly improve the experience. At the cost of
| small hit to the battery life of course but I would have to
| test that which would be a fun test to do.
| paulcarroty wrote:
| Great news, 'cause I had the issue with their DoT servers several
| weeks ago - 3-5s latency. Now using Cloudflare.
|
| P.S. Another free alternative capable to cut off ads&porn -
| https://cleanbrowsing.org/
| IdontRememberIt wrote:
| In Switzerland, a policeman investigating a criminal offense
| (delit penal), can simply request all the data about someone
| without the need of an explicit judge's order... How is it that
| great?
| throwaway5033 wrote:
| Not true, a public prosecutor can, not a police officer. A
| police officer may request the data on behalf of a public
| prosecutor. Every canton is organized somewhat differently, so
| it depends on the canton who does the actual work in the end.
| The letter often states the case number opened by the public
| prosecutor. Depending on the organization, the public
| prosecutor will ask the police in writing what to request.
| fefe23 wrote:
| I love the Swiss, I really do, but their reputation has been in
| tatters since the Crypto AG fiasco. Crypto AG basically sold
| backdoored crypto hardware to foreign governments, at the behest
| of CIA and BND (German foreign intelligence agency). It recently
| came to light that the Swiss knew and let it happen.
|
| In fact, the Swiss government also bought machines from them, on
| a wink wink nudge nudge sort of understanding that they would get
| the non-compromised ones.
|
| Now this company could still be excellent, but that would not be
| because it is Swiss. I have no reason to distrust their claims.
|
| However I would like to point out that they give you censored DNS
| data, with supposed malware sites being removed. Be aware of this
| when you use them. Their web site is very up front about it.
| saiya-jin wrote:
| With that kind of logic every single country is a fail. Which
| is also a valid viewpoint, as they can be one-eyed amongst the
| blind.
|
| It's not a perfect place, but by huge margin the most free society
| by quite a few criteria. I've come here 11 years ago just to
| make quick buck and move back, then I've seen first hand how
| actually society works here and decided to settle here and
| raise my kids here. I've traveled quite a bit all around the
| world, and no other place compares. For somebody who can
| literally spin the globe and move anywhere, that's quite a
| recommendation if I may say so.
| thisiscorrect wrote:
| "I love the Swiss, I really do, but their reputation has been
| in tatters since the Crypto AG fiasco."
|
| Crypto AG is certainly an awful event but this seems like an
| impossible standard to hold a nation of millions to. Which
| country doesn't have some equivalent scandal?
| rodgerd wrote:
| > I love the Swiss, I really do, but their reputation has been
| in tatters since the Crypto AG fiasco.
|
| I can think of a few mid-20th century events that caused some
| more significant reputational hits.
| WarOnPrivacy wrote:
| I'd like to thank Quad9 for being an adversary to bad actors,
| like my government.
| throwaway5033 wrote:
| What some people may underestimate is the hands-off approach by
| the Swiss authorities. In short, in Switzerland you don't land in
| jail if you don't kill someone or do a bank robbery. If you don't
| have the data, you don't have it. I prefer to deal with the Swiss
| authorities than with the German authorities (which take things
| much more serious). And Crypto AG was founded by a foreigner who
| was not even trusted by the Swiss military. Do you really think
| that in a small town like Baar CIA and BND agents visit and
| nobody knows who the company belongs to? Seriously, you must
| have watched too many James Bond movies. Yes, what is not ok is that
| nobody stepped in from the military intelligence and kicked them
| out.
| TZubiri wrote:
| While I appreciate this from a perspective of neutrality, I think
| expecting privacy in a DNS is a pathological expectation, like
| expecting that all communications be encrypted.
| Proven wrote:
| > Switzerland has a legal privacy regime harmonized with the
| European-standard General Data Protection Regulation.
|
| Who gives a crap about GDPR - I don't plan to sue my DNS provider
| and the fact that they are in Switzerland is good enough for me.
|
| I don't use Quad9 because they have built in security (potential
| for censorship - is Parler.com in their opinion a "safe" site?)
|
| I use 1.1.1.1.
| IdontRememberIt wrote:
| Historically, the data protection law (LPD) was more intended to
| protect the individual vs the State, than the individual vs
| private companies.
|
| This was due to the Secret files Scandal in 1989
| (https://en.wikipedia.org/wiki/Secret_files_scandal ).
|
| Regulators are now working on aligning the aging laws with the
| European GDPR to better protect individuals against private
| companies.
| lawl wrote:
| I'm not convinced, and I'm a Swiss citizen. Germany frankly seems
| to do better.
|
| Germans go out on the streets, while Swiss people are way more
| content with whatever shady surveillance shit the government
| does.
|
| E.g. We have the mandatory data retention bullshit, I'm not sure
| if this is covered by this law, but if it is they'd have to save
| all logs for 6 months. Iirc the Germans successfully fought this.
| Btw. these records can be stored outside of Switzerland.
|
| Smells like a PR stunt without any substance.
| tumblewit wrote:
| Some of the DNS like clean browsing use German servers and
| Netherlands from my testing.
| DyslexicAtheist wrote:
| The recently discussed Quantum Terra AG has its HQ in CH even
| though only 3 out of the claimed 80 people are based in CH. It seems
| companies think that the location-reputation will rub off on
| the product. Also ProtonMail is another company which until
| today benefits from having a letter-box presence so they can
| profit from the "data-center inside the Swiss mountain meme".
|
| _Security made in <foo>_ is always a PR stunt. Deutsche
| Telecom, 1&1 and others tried it by pouring huge sums into an
| _"Email made in Germany"_ campaign that only benefited a
| particular consulting company. It utterly failed because their
| geo-fencing idea was technically unenforceable.
|
| CH is more dangerous because the same idiotic ideas brought to
| Switzerland will often take off. Most EU security companies I
| know would not easily consider CH as a great location unless it
| has something to do with business strategy: 1) tax, 2) location
| of a holding company see #1, or 3) sell into the CH market.
|
| On the other hand many non EU based security start-up CEOs
| often talk about it as if it had some security benefit. But as you
| say this is a huge lie since data protection has nothing to do
| with banking secrecy and even when the latter is in question a
| New Mexico LLC is a much more secretive vehicle than a Swiss
| GmbH/Srl
|
| [0] https://de.wikipedia.org/wiki/E-Mail_made_in_Germany
|
| [1] https://www.telekom.com/en/media/media-
| information/archive/d...
| petre wrote:
| Switzerland also gets to do stuff the EU way or the highway.
| They're just not part of the EEA because they don't want
| uncontrolled immigration.
|
| https://blogs.lse.ac.uk/brexit/2020/07/21/the-choice-
| britain...
| sschueller wrote:
| ProtonMail doesn't even know what the Swiss Flag looks like:
| https://twitter.com/sschueller/status/1309429286655479808
| took them forever to "fix" it (The flag might show the
| correct cross now but it should be square!).
| kube-system wrote:
| Emoji packs often take artistic license with the ideas they
| are trying to represent, including flags. It is fairly rare
| for flag emojis to be vexillologically accurate. For
| example, the Twitter emoji for the US flag is missing 32
| stars, and the corners should not be rounded. I doubt
| ProtonMail made their own emoji pack anyway.
| _jal wrote:
| Corporations have been known to hire out for content,
| from time to time, when communicating via emoji limits
| their range of expression.
| Shacklz wrote:
| As a Swiss, I never got the insistence on the square
| thingie... A lot of Swiss flags that people fly on their
| poles aren't a square either, and nobody cares. Actually,
| I'd prefer it if it weren't square, it always gives me this
| odd-one-out impression in lists of flags
| nix23 wrote:
| Google has the main-hub for Europe located in Zurich, EFL and
| ETH are one of the best universities, it's not a big secret
| where zoepfli and broetli were developed.
|
| >CH is more dangerous because
|
| Well opposed to Germany we don't have a Staatstrojaner (I
| hope), and we don't force companies to break encryption ->
| tutanota
| lawl wrote:
| > Well opposed to Germany we don't have a Staatstrojaner (I
| hope), and we don't force companies to break encryption ->
| tutanota
|
| We do have gov malware, it was also legalized with BUPF.
| greatpatton wrote:
| Protonmail do not have a letter-box presence in CH... They
| have real employees there. That's quite a misinformed
| comment. (I said that knowing multiple ex-colleagues working
| there in CH).
| DyslexicAtheist wrote:
| I was unaware they had any meaningful presence. According
| to their PR/marketing they do stress since now a few years
| that they're a globally distributed workforce which happens
| to be HQ'ed in CH. Looking at their LinkedIn this seems to
| be correct.
| snovv_crash wrote:
| I also have ex-colleagues working there... in Switzerland.
| eeZah7Ux wrote:
| > Security made in <foo> is always a PR stunt
|
| That's a very big generalization. Citizens' rights vary
| wildly across countries, both in theory and in practice.
| a1369209993 wrote:
| The fact that they call it "Security made in <foo>" is what
| justifies the generalization. If their security was any
| good, they'd be explaining how and why (and how they plan
| to remain incapable of backdooring it), not invoking
| cognitive biases of innocence-by-association.
| BrandoElFollito wrote:
| Banking secrecy in Switzerland is not different today than
| the one in France or Germany.
| lawl wrote:
| > Security made in <foo> is always a PR stunt.
|
| I mean to a degree. There's other talk about some countries
| wanting to require backdoors in end to end encryption
| products. If you're in a country that doesn't have that and
| offer an E2E product, I mean yeah, that can be a selling
| point. And you should probably point out that you're regulated
| in a country that doesn't require backdoors.
|
| But in this case, the laws in Switzerland are frankly just...
| shit between the mandatory data retention (BUPF) and DNS
| censorship under the guise of preventing gambling
| (Glucksspielgesetz). Yeah, it's a negative for me if my DNS
| is regulated here.
| j3th9n wrote:
| Even a "9-eyes" country like the Netherlands doesn't have a
| data retention law in place anymore since 2015. I wonder which
| one is better then.
| tssva wrote:
| I agree that this announcement is mostly a PR stunt. I find it
| more likely that the truth is more along the lines that the
| Quad9 foundation found themselves with a lack of funding from
| the original founders and SWITCH agreed to provide additional
| funding but required them to relocate to Switzerland to do so.
| forks34 wrote:
| And what did protesting do? BND is still helping the NSA,
| Americans still kill people via Ramstein. Unlawfully that is.
| [deleted]
| vinay427 wrote:
| I'm not sure this will affect my latency here in Zurich. Quad9 is
| already impressive with a 2ms ping, which is surprisingly a bit
| faster than Google DNS and a few other major providers from my
| home.
___________________________________________________________________
(page generated 2021-02-17 21:01 UTC)