by mvuksano 1465 days ago
I feel like it should be illegal to run misconfigured DNS servers too given they can be used to commit crime. Analogous to drugs - it's a crime to produce and sell drugs.
5 comments

Under which jurisdiction would the server have to be running in a misconfigured state? What counts as misconfiguration? Would it extend to the advertising pages that consumer ISPs in the US regularly see fit to serve when they should be returning NXDOMAIN?
There are far worse things out there run by shady grey/black-market hosting companies than misconfigured DNS servers.
Public DNS servers have their place. 8.8.8.8 and 4.2.2.1 are pretty popular. DDoS attacks don't depend on DNS servers either so you can't solve the underlying problem by making them go away either.

I always thought it'd be great if the EFF ran a public DNS server. At least you could trust them not to use your requests to build a profile of your online activity or redirect you to ads.

8.8.8.8 and 4.2.2.1 have strict rate-limits configured that make them uninteresting/unsuitable for reflection attacks. The real issue is misconfigured resolvers exposed to the internet, not intentionally-provided recursive resolvers.

If you'd like to have a private DNS server, it's fairly easy to set up your own recursor. (Just please don't expose it to the whole internet.)
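As an added example (not from this thread or any of its posters), here is an Unbound `unbound.conf` for exactly that kind of private recursor: it answers only the local network, refuses everyone else, and rate-limits so it is not useful for reflection. The `10.0.0.0/8` network and the `10.0.0.1` listen address are assumed placeholders; substitute your own. The commented-out line shows the open-resolver misconfiguration the thread is talking about, for contrast.

```conf
server:
    # Listen only on loopback and the internal interface (assumed address),
    # never on a public-facing one.
    interface: 127.0.0.1
    interface: 10.0.0.1

    # Recursion for the internal network only (assumed range).
    access-control: 127.0.0.0/8 allow
    access-control: 10.0.0.0/8 allow

    # Everything else gets REFUSED, so spoofed queries from the internet
    # get a tiny response instead of an amplified one.
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse

    # MISCONFIGURATION for contrast (do NOT use): this turns the box into
    # an open resolver usable for reflection/amplification.
    # access-control: 0.0.0.0/0 allow

    # Per-zone and per-client query rate limits (queries per second).
    ratelimit: 1000
    ip-ratelimit: 100

    # Keep responses small: no optional additional records.
    minimal-responses: yes

    # Don't advertise software identity/version to queriers.
    hide-identity: yes
    hide-version: yes

    verbosity: 1
```

After editing, `unbound-checkconf` validates the file, and a query from an address outside the allowed ranges should return REFUSED rather than an answer.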

> I always thought it'd be great if the EFF ran a public DNS server.

You could use the DNS server of the German non-profit "Digitalcourage": https://digitalcourage.de/support/zensurfreier-dns-server

They are taking a stance against censorship on the internet (and lots of other topics), so make sure to send them some money if you use the DNS. ;-)

Thanks! I hadn't heard of them, but they seem great. I generally recommend folks use pretty much anything but Google's or their ISP's DNS servers, but this looks to be a really good option.
One problem I've unfortunately run into with alternative DNS providers is that the "default" set of servers returned for content hosted by Akamai apparently has abysmal (not just slightly slower, but positively unusable during peak hours in the evening) peering with my ISP.

In theory EDNS Client Subnet (ECS) is supposed to work around this problem, but a) according to https://www.cdnplanet.com/blog/which-cdns-support-edns-clien... Akamai only supports this with Google and OpenDNS and b) alternative DNS providers might not support ECS anyway, whether explicitly for privacy reasons or otherwise…

Which means I'd basically have to set up a custom DNS resolver in order to special-case queries for Akamai domains…

Not really; the analogous case would be arresting pharmacists who don’t lock their medicine cabinet.
The real problem is ISPs that allow devices on their edge networks to send packets with spoofed IP addresses.