A German ISP changed their DNS to block my website

The workarounds on this page mostly suggest to use large public resolvers. Feature request (not sure if the author is on HN): it would be interesting to know which domains are blocked by 9.9.9.9, 1.1.1.1, and especially the new DNS4EU service.

Thanks so much for this. I never heard about DNS4EU before.

https://www.joindns4.eu/about

Sadly dns4eu does not support dnscrypt protocol which is deal-breaker in 2025 if you ask me.

Why isn't DoT sufficient?

I am not an expert but I read this website [1] and got impression that dns-over-tls is first iteration of encrypted dns and dnscrpyt protocol is second iteration of encrypted dns fixing its problems. Also dns-over-tls is not supported by package dnscrypt-proxy2 on openwrt and I have personal bias for not configuring dns-over-https on routers (in my opinion https is too complex protocol and have risk of getting hacked). Maybe I am alone with my opinions - I do not know. I wanted to use dns4eu and got really disappointed with not supporting dnscrypt. That's all.

[1] https://dnscrypt.info/faq

By looking the list of negative sides of DNS over TLS (DoT) in there, this project seems to list artificial problems, which makes me want to avoid the whole project. Maybe there are real benefits on using this protocol, but they should not make the list of problems looking longer than it actually is.

The project especially lists the problems of TLS. TLS is one of the most understood, tested, and well-defined protocols that can be abstracted away in implementation level. Nothing also prevents forcing TLS 1.3 which removes most of the described other problems.

This especially sounds odd:

> Questionable practical benefits over DoH

But DoH brings the full TLS stack and also the HTTP stack as well? At the same time the project complains about increased attack surface in DoT, but DoH just extends it even more.

If I also look the DoH list, there is

> Requires TCP

But just few lines befeore, they say that DoH supports HTTP/3 which is UDP.

E.g. Android has supported it 3 years already:

https://security.googleblog.com/2022/07/dns-over-http3-in-an...

I think my opinion is based on idea that for connection between my pc/router and dns server certificates PKI is not needed. You can just hardcode/configure public key of dns server and that is it. Similar to wireguard or ssh server.

> The project especially lists the problems of TLS. TLS is one of the most understood, tested, and well-defined protocols that can be abstracted away in implementation level.

I agree that TLS is understood, tested, used every day etc. I do not agree that you sleep calm at night. For example a few years ago [1] or [2] mozilla removed root CA from firefox for bad behavior. And you can argue everything is working properly because bad behavior was detected and removed but the thing is - you can avoid this group of problems entirely by avoiding PKI in protocol. That is why I like dnscrypt protocol more. Less problems to worry about. You only change hardcoded/configured public key if you change which dns server you are using (not a big deal). You do not have to regularly update router to keep root ca store up-to-date. Do you update your router every month? Because I do not.

[1] https://www.feistyduck.com/newsletter/issue_53_certificate_a...

[2] https://www.itbrew.com/stories/2022/12/02/mozilla-microsoft-...