DNS pointing to a Kazakstan server: anyone seen this?

[Tech9]

Nothing much. Government agency with interesting past CEO.

Canada's .ca supremo in hot water after cyber-smut stash allegedly found on his work Mac ‒ and three IT bods fired

Board 'upset', eh, amid claims PFYs sacked after discovery

www.theregister.com

They are going to protect your privacy in the best way possible.

 

[SkippyP]

Wow. I hadn’t heard about this. Thanks for sharing. Sigh…time to ditch 3rd party resolvers and go back to my ISP’s DNS for now.

 

[Tech9]

You can try OpenDNS, it's pretty consistent and has user categories with free account. For best protection I would say perhaps CleanBrowsing, good record. Both support DoT, if you want DNS queries encrypted. Your ISP will be perhaps the fastest and will send you to right places. Quad9 was taking me on a trip across the globe previously and had some performance issues around here. Google is very fast and consistent as well, if you prefer just reliable DNS resolver, supports DoT as well. Your choice.

 

[SkippyP]

Thanks. I tried Cleanbrowsing before but found their performance a bit lacking. Pings to Google would spike to over 120ms. And I was always routed to their Piscataway server in NY/NJ. I don’t want to use Google because I just don’t trust them to not collect and retain my data. I trust them less than I trust my ISP. I’ve never had a problem with my ISP’s (Rogers) DNS. It is, indeed, the fastest. I just wanted something private with DoT support and some half-decent malware blocking. I might give OpenDNS a try.

 

[Tech9]

Pings to Google would spike to over 120ms. And I was always routed to their Piscataway server in NY/NJ.

This is strange.

IPv4:

IPv6:

 

[SkippyP]

That’s Google DNS. I was talking about Cleanbrowsing. When I was using their service, my pings to Google.ca would spike and I was routed to Piscataway.

I’ve never used Google DNS and likely never will. As I said before, I trust them even less than my ISP.

 

[RMerlin]

That’s Google DNS. I was talking about Cleanbrowsing. When I was using their service, my pings to Google.ca would spike and I was routed to Piscataway.

Any DNS server that does not support EDNS Client Subnet extension will cause that.

 

[SkippyP]

Yes. But I suspect EDNS is less private since I’m assuming additional data gets sent to the authoritative servers for more accurate geo-locating?

Out of curiosity, what DNS resolver are you using?

 

[RMerlin]

Yes. But I suspect EDNS is less private since I’m assuming additional data gets sent to the authoritative servers for more accurate geo-locating?

Yes. But that's required if you want to be pointed at a local exit node whenever accessing something behind a CDN, be it a Cloudflare-proxied site or a Google server. Otherwise the resolver will have no idea what server is considered "local" to you, and you will end up on whatever the resolver itself considers to be local (or, to a global node).

Out of curiosity, what DNS resolver are you using?

My ISP's, because I consider the performance gain of using local nodes for any major CDN is important. I did use the EDNS-enabled Quad9 servers for a while however.

 

[SkippyP]

That’s why I like my ISP’s DNS too…the performance is unmatched. It’s just a shame they don’t (and likely never will) support DoT.

 

[Tech9]

I shoot straight to the root servers with Unbound as resolver, the default DNS server in pfSense.

 

[balr0g]

Yes. But I suspect EDNS is less private since I’m assuming additional data gets sent to the authoritative servers for more accurate geo-locating?

Out of curiosity, what DNS resolver are you using?

To mitigate privacy for EDNS, have set Adguard Home in Merlin to "Use Custom IP for EDNS" where the IP Address is based in Toronto where i live and doesn't give my real ip address subnet for geo location/CDN purposes.

My use case is that youtube used to grab videos in the US when using DOH/DOT DNS, and getting video buffering at 1440p. enabling EDNS/ECS fixed that by grabbing it locally.

Am using controld+nextdns (Quad9 too, but having issues few days ago.) both obey the custom ip address for EDNS. A slight note, for nextdns free public resolvers doesn't use ECS, but getting the free account does work as shown by dnscheck.tools

 

[sfx2000]

That IP address belongs to KG-IX, an internet exchange / transit provider. Quad9 lists KG-IX as their server location for Kyrgyzstan.

Just means that the IP is in the range allocated for KG - doesn't mean it's actually hosted there...

In IPv4 space, there's a lot of leasing out of IP's these days - that IP could be anywhere - you'll need a traceroute perhaps to see where it really lands...