DNS Provider Quad9 Sees Piracy Blocking Orders as "existential Threat"
Source: torrentfreak.com
Key topics: DNS, Censorship, Copyright, Internet Freedom
Quad9, a DNS provider, views piracy blocking orders as an existential threat, sparking a discussion on DNS-level censorship and its implications on internet freedom.
Snapshot generated from the HN discussion
Key moments
- Story posted: Nov 10, 2025 at 6:21 AM EST
- First comment: Nov 10, 2025 at 6:47 AM EST (26m after posting)
- Peak activity: 66 comments in 0-6h
- Latest activity: Nov 12, 2025 at 10:03 AM EST
ID: 45874850 | Type: story | Last synced: 11/20/2025, 8:56:45 PM
It has zero leverage. Even if you could convince 1 person in 1000 to do that, you'd represent 0.1%. And that "1 in 1000" is hopelessly optimistic as it is.
If you want to change the world, "individual action" should be at the very last place in your list of actions to take.
The heliocentric model began with one person out of the entire population of earth having the courage to publicly, loudly, and assertively disagree with TPTB.
https://en.wikipedia.org/wiki/Against_Method
"Individual action" is fucking worthless. But not all types of activism are.
I genuinely agree with this statement a lot. Also, another aspect of this is that the bigger companies can somehow "legally" do things which I don't think would work, but they have so many resources to stretch the court case for a long time.
And the fact is that even after that, even if they are fined for some dollars, they are more than likely to just pay than try to actually fix the core issues which affect everyone harmfully except the company.
All for profit smh. I sometimes wonder if there is a word for this phenomenon for how our system has gotten into such a rotten state from lobbying to this yet at the same time genuine non profits get existential threats for the same behaviour but they simply don't have the funds...
There is, it's the system's name: Capitalism
No one ever in the universe claimed that this system serves primarily the needs of humans. It serves profit. Now there is a Venn diagram that has an overlap between profits and needs, but the system does not care about making this overlap bigger, it cares about making the profits bigger. When that overlaps with needs... it is just a happy side effect.
People who would describe themselves as supporters of "capitalism", as well as supporters of "communism" or "socialism", are not able to admit that their belief systems are actually religious in structure. Not spiritual perhaps, but effectively "secular religions".
Both capitalism and its nemesis arose in the mid 1900s, when humanity was obsessed with modernist thinking about "solving problems once and for all". And in that context, the people fell in love with these two "clean systems". A more perfect set of rules.
Sure, capitalism doesn't claim to be the most powerful god. But in surrogacy, it claims to be "the least imperfect system". Which is structurally the same claim: declaring the scripture to be some apex that is not surpassable.
The main difference between communism and capitalism was how it was implemented. The USSR went full-tilt ideologically rigid, and collapsed very quickly. The US didn't go full-tilt capitalism. It implemented a hybrid system with a high marginal tax, welfare programs, subsidies, labour unions, public works projects, along with a market system, and that hybrid non-ideologically rigid model served it well.
Around the time it was clear the USSR was collapsing, the USA went hard tilt in favour of ideological purity in capitalism. Systematic series of clawbacks in the tax regime, privatization, elimination of labour unions.
As they leaned into the religion, it was used against them, much like the communist religion was used against the people of the USSR. And now they have been robbed of their prosperity, of the value of their efforts, much like the people in the USSR were robbed.
Theoretically we should be able to think of the majorities or ourselves and we can have a good system,
but we also feel a lack of choice, I suppose; the elections feel like a choice between just two parties, choosing the lesser evil (I think Zohran is cool, though, in the Democratic party, and maybe he could signify some good things, I guess).
Personally I feel like we need to focus more on the incentives and competency of people than anything, and try to vote on that and not on what they say, I suppose.
All of this is junk. Karl Polanyi famously puts the birth of capitalism very late compared to other important thinkers, in 1834, by defining it as characterised by markets of fictitious commodities, i.e. stuff like labour, land, money. More mainstream would be to point to the Renaissance or the British 16th century.
The idea that capitalism and communism would be dependent on an art movement of the early 20th century is quite bizarre, the Communist Manifesto was published in 1848 and by the late 19th century when modernism started to form unions and communist parties were already common.
Actually, modernism is a reaction to the apparent stalling of 'progress', WWI and nostalgia for the optimism of the early modern period, i.e. from 1500 to the late 1800s. In part it was also a reaction to what is usually called modern physics, i.e. things like Newtonianism and ether hypotheses breaking down due to Michelson-Morley and the early study of quantum phenomena, relativity and so on.
Once again, I'm not referring to theorycraft here. I'm talking about the pragmatics of it.
"Capitalism" as an ideological polemic that stood opposed to "Communism" was a concept that society adopted in the mid 1900s.
What you're talking about is some labeling of some social and economic mechanisms.
Marx might have described communism. But when the USSR came to power, the specific brand of communist _ideology_ that was adopted by the government was its own thing, its own creature and entity.
Likewise, many theorists might have described a loose economic structure as "capitalism", but the "Capitalism, Freedom, and American Pie", as an ideological fixpoint that was sold to society as something to aspire to was something entirely different from the academic theorycraft you're referring to.
At "mid 1900s" Stalin had ruled the USSR for two decades.
We remember that right?
The ideology was born in the mid 1900s, in the middle of modernist fervour where humanity believed itself to be on the cusp of some sort of transformation into a kind of godhood. We had invented flight, we had harnessed light itself, we had controlled temperature, we had learned how to build buildings of any shape and size. And likewise we turned our attention to a machine for people.
Set up the right rules, and everything else will follow, the ideologies posit.
Transitive preference satisfaction is generally a pretty good framework. If you give more people what they want, you get more of what you want in turn.
It's never the fault of the trillion dollar industries that are millions of times more powerful than any individual.
Our system has gotten into a rotten state because a tiny number of modern barons have all the power, and none of the civic responsibility. Concentration of money, when money is power, is the same as concentration of power.
A big part of this impression is that people very often very much underestimate what they can get away with, whereas big companies have lawyers to tell them "oh yeah, you can totally do this".
Of course there are some exceptions. Uber and AirBnB are probably decent ones, in some jurisdictions anyway.
Look at Donald Trump - he failed, over and over again, but he always kept trying. Seven bankruptcies, but he never said "I'm bankrupt so I'm not allowed to do any business again" - he just kept on doing business. And look at the government shutdown - he kept saying the Democrats will eventually fold and do what he wanted, and they have now folded and done what he wanted. This is a man who doesn't understand the word "no" and look where it got him.
Not just him - you have basically every successful tech entrepreneur too. They don't ask permission. However, some people don't ask permission and as a result of not asking permission they end up in jail, like Sam Bankman-Fried, instead of as billionaires out of jail, like Larry Ellison. So it seems you need a good intuition on which things you shouldn't ask permission for, and this has very little to do with facts and very much to do with personal connections.
Disagree, anybody would have gone to prison for doing what SBF did
Ross Ulbricht had no connections prior to his imprisonment. His case demonstrates how even a man in supermax prison with essentially no money to his name was able to build good enough connections to get a presidential pardon for dealing massive amounts of drugs.
Personal connections might matter if you do decide to commit serious crimes, but as Ulbricht demonstrates, anyone can develop those connections.
If the UK government wants to ban porn but loves gambling, while the US wants to ban gambling but loves porn, a blocking mechanism that lets them have different blocklists allows both nations to get the censorship their voters have chosen.
My thoughts were that DNS-level censorship is essentially a dead end because the root servers are sacrosanct, and there will always be secondary DNS servers to query, who then use the root servers.
Sucks for DNS providers in authoritarian countries though.
But long ttls and caches would mostly break this as an approach
Better still, one can run one's own private root content DNS server. I've been doing that (in several ways) for a couple of decades. If ICANN decided to blackhole (say) www.microsoft.com. tomorrow, my DNS lookups wouldn't be affected.
To affect them, the aforementioned "court action" would have to target Verisign.
In the meantime it might be worthwhile to develop alternatives, like some kind of DNS-over-Tor or DNS-over-DHT scheme, along with normalizing Tor onion services as an alternative access method for clearnet sites.
https://www.kraken.com/learn/what-is-ethereum-name-service-e...
All the things that crypto true believers believed would happen are slowly coming to pass. It wasn't all bored apes and gambling. There was some legitimate developing going on, and still is.
I’m not ideologically against cryptocurrency-based solutions, but it isn’t a magic bullet by any means. I still think that the EU in particular isn’t done making life difficult for crypto users.
Not to discourage projects like ENS, I think it’s good to have alternatives, but I do think we need noncommercial fallbacks to the current system as well. Anything involving money will always have choke points.
This is the problem with crypto discourse - people view the guy selling snake oil on the sidewalk outside the gas station on the same level as legitimate infrastructure project that is the combined work product of hundreds of people who aren't trying to scam anyone, just make useful stuff.
The only solution to this is being willing to learn about the technology, which is a very unpopular view on HN.
Additionally, the EU could block purchase of ENS from exchanges. This added friction, though minor, is enough to slow uptake. I look at Monero as an example. It is functional and stable and it does what it claims. Yet hardly anyone uses it, because it has been effectively fenced off through a series of very low hurdles. It is not hard to swap to Monero for privacy, so why don’t more people do it?
IMHO ordinary users are much more likely to install a resolver that doesn’t have any connection to cryptocurrency. (The media campaign against crypto has been very effective.)
I do think crypto people ought to keep trying to develop their tools: there is some utility in it, and it may be more useful as things evolve. But it’s not a panacea, and the fact that it is “digital money” makes operators legally more vulnerable to attacks and regulation under current laws and legal precedents. Distributed, digital-only, non-monetary, volunteer-run networks like Tor are legally very resilient for now, at least in the West. (That could change, but it hasn’t yet.)
Registries do get block orders. When the Swedish registry got one for The Pirate Bay they chose to treat it like a domain dispute and gave ownership of the domain to the police, which the police in turn could treat like any other seized property and auction off. The trouble came when the police wanted to destroy it, as there isn't a good definition of how to destroy a name so it can never be used again, and the registry was not keen on allowing the concept of a block.
The way you "destroy" a name is either to not delegate it or give it to the Registrar of Last Resort (https://www.rolr.eu).
In theory the lawmakers could specify this in law as a form of registry regulation, but no one wants to do that just to address one or two court cases where this question comes up. The registrar of last resort doesn't give any direct answer to those questions either.
In general, the vast majority of registries are fine with marking particular domains as "allocated but not delegated" as long as they get paid. ISTR ICANN waiving their fees, so the costs of marking a domain as undelegatable essentially turn in lost opportunity cost, which most registries are willing to eat.
However, the root server operators merely publish what ICANN (via the IANA functions) produces.
If the US (either federal or perhaps even the states of California or Virginia) were to decide to "censor" a TLD in the root zone, they would simply go to ICANN, PTI (the folks who provide the IANA functions under contract to ICANN) or, more likely, Verisign (who generate and publish the root zone under contract to ICANN) and demand the root zone be modified.
Abstract
Some DNS recursive resolvers have longer-than-desired round-trip times to the closest DNS root server; those resolvers may have difficulty getting responses from the root servers, such as during a network attack. Some DNS recursive resolver operators want to prevent snooping by third parties of requests sent to DNS root servers. In both cases, resolvers can greatly decrease the round-trip time and prevent observation of requests by serving a copy of the full root zone on the same server, such as on a loopback address or in the resolver software. This document shows how to start and maintain such a copy of the root zone that does not cause problems for other users of the DNS, at the cost of adding some operational fragility for the operator.
This document obsoletes RFC 7706.
We can then make some guesses about size for questions like "what are the nameservers for .com". Those are a bit larger than most DNS queries since the answer is a bit bigger than most, since .com has a lot of nameservers, so let's put it down to 800 bytes. Every 2 days an average user might then, using some guessing, generate maybe 10 kB of traffic, or about 0.015 seconds of watching a 1080p video on YouTube.
The root Anycast clusters are absolutely designed to handle the entire internet querying them, which I do from Unbound. If one wishes to help reduce load they can enable large memory caches and rewrite min-ttl to something sane to protect the root servers from Amazon EC2's default 5 second TTL and others like them. Blocking known spam and tracking domains also helps reduce the total number of queries. Groups of friends can further reduce the load by setting up their own DoH/DoT servers using Unbound DNS, sharing the cache, using cron to keep their favorite domains hot in the cache, and increasing privacy by making the crond queries from a VPS node.
Here's my cache stats for a 3 day uptime:
Memory usage permitting up to 1.5 GB:
Not all countries or ISPs do this, but some do.
This has been the case for a very long time. Back when TBP was popular this was already the case.
The telco authority is currently considering blocking online casino websites[5] (gambling is illegal in Japan).
[1] https://www.kantei.go.jp/jp/singi/titeki2/tyousakai/kensho_h...
[2] https://www.nic.ad.jp/ja/topics/2018/20180625-01.html
[3] https://www.wide.ad.jp/News/2018/20180912.html
[4] https://www.nic.ad.jp/ja/materials/iw/2018/proceedings/d3/d3...
[5] https://www.soumu.go.jp/main_sosiki/kenkyu/online_casino/ind...
https://i.imgur.com/7CeydnY.png
Maybe it is fast because it is not secured at all? :D
I've also started using/testing the DNS4EU servers: https://www.joindns4.eu/
But the VPN itself is great!
Did you know Wikimedia also runs a public DNS service?
https://meta.wikimedia.org/wiki/Wikimedia_DNS
Just quoting the article, can anyone weigh in on the costs/complexity of a public DNS resolver implementing geo-fencing?
I don't know what is unique about Quad9 that they couldn't do this, but it's possible they have some technical limitation
Have you implemented something at that scale to say this is no big deal for them to do? And what about when 180 countries want their own list, and maybe even states, provinces, etc. do as well?
Assuming this is total blocks for all of Quad9 globally? Spread this over 4 nameservers in a region (assuming anycast), with let's say 4 global regions (to be conservative)? That would be 1.985Mbps per server. That's (max!) 484 DNS requests per second, with 1/500th the bandwidth.
DNS is probably the fastest protocol on the internet other than ICMP. You can handle a ton of traffic with minimal hardware. Bump up the CPU to handle more interrupts/iptables rules. Buy a NIC with packet offload for even less CPU use (thus handling more requests). And eBPF & XDP would be much faster than netfilter.
If you were already gonna accept the request, process it, and send back a reply, dropping the packet doesn't cost you anything. It actually saves bandwidth, tx interrupts, and possibly CPU cycles.
Netfilter is plenty fast, when configured sensibly. You'd probably want a script to populate a "hash:net" ipset instead, and have just one iptables rule:
(where "geoblock" is the aforementioned set)
Do you even know what Quad9 does or why it's a thing?
Are you honestly suggesting they just need to add a couple CPUs and some different NICs?
Also keep in mind we’re talking about Cisco here and not some Ruby on Rails shop.
Anyway, I’m a big fan of the “fuck country $x” approach
I was a small part of the original team that built OpenDNS. I also operate a less well known public resolver now.
DNS is extremely latency sensitive. You have basically a 20ms budget to work with, which includes the time the request and response traverse the internet. It is also extremely high volume, a large public service like Quad9 could easily see single digit millions of requests per second.
There is nothing that technically prevents you from doing geofencing. Cisco has the money to absorb the costs of the additional overhead - but I could not. My first stab at the problem would be to simply shut down my servers in France to try to get out of the legal jurisdiction. I don't know if that would be sufficient without paying for a lawyer.
Quad9 absolutely has a valid argument here and it pushes more of our public infrastructure into the centralized hands of a small number of players because people like me can't afford to just run free shit on the internet anymore.
While testing, I was using Google and Cloudflare as well, and started noticing something - Quad9 does not return all A records listed for a domain, the same way Google/Cloudflare do.
This gave me a weird feeling; I get there's a lot of DNS geo magic and 8.8/1.1 serve 2 different subnets, and 9.9 a third. But... where did the other 5 expected IPs from Quad9 get off to?
$ dig -t A google.com @8.8.8.8 +short
142.250.184.206
$ dig -t A google.com @1.1.1.1 +short
216.58.206.46
$ dig -t A google.com @9.9.9.9 +short
142.250.185.238
Edit: in case useful to someone reading, right now I have an IP assigned out of this block:
Edit edit: in the network record is a link to the self-reported geo data, I missed that.
Each service port (IP:Port) can only receive 64k connections from each NAT IP, so returning more IPs from DNS makes more connections available. Google is a very popular service, so it makes sense to do. (Less so for v6, though)
Alternately, if they can't get a good feel for where you are, returning A records for multiple locations makes sense, too.
No idea why 4 AAAA vs 6 A; Google runs dual stacked and I'd expect the same number of records for both; IIRC, 8 AAAA will usually fit in a 512 byte udp reply, and anyway DNS64 might expand As into AAAAs, so you have to gauge sizes with those anyway.
Interestingly, for Tor, the lowest common denominator local port exhaustion threshold at exit is 16384.
https://spec.torproject.org/proposals/348-udp-app-support.ht...
While I'm here: Google uses edns0 client subnet to geo target your client IP.
Try a dig -t txt o-o.myaddr.l.google.com @8.8.8.8 vs the others to see the src IP of the packet sent to Google's DNS server, and any edns0 info that came along with it.
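To make the EDNS Client Subnet mechanism mentioned above concrete, here is an added example (not from the thread, and not code from Google, Quad9 or any resolver project): it builds a DNS query carrying an RFC 7871 ECS option in its OPT record and parses it back, including the SOURCE PREFIX-LENGTH 0 opt-out a privacy-minded stub can send so the resolver forwards no client subnet. The query name and client addresses are constructed documentation values.

```python
"""Build and parse DNS queries carrying an EDNS0 Client Subnet (ECS, RFC 7871) option."""
import ipaddress
import struct
from typing import Optional

OPT_TYPE = 41          # EDNS0 OPT pseudo-RR type
ECS_OPTION_CODE = 8    # EDNS option code for Client Subnet


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels (no compression; fine for a query)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError("bad label length")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def ecs_option(client_ip: str, source_prefix: int) -> bytes:
    """ECS option: FAMILY, SOURCE PREFIX-LENGTH, SCOPE PREFIX-LENGTH (0 in queries),
    then only the address bytes covered by the prefix, host bits zeroed.
    source_prefix=0 sends no address at all: the RFC 7871 opt-out signal."""
    ip = ipaddress.ip_address(client_ip)
    family = 1 if ip.version == 4 else 2
    net = ipaddress.ip_network(f"{client_ip}/{source_prefix}", strict=False)
    addr = net.network_address.packed[: (source_prefix + 7) // 8]
    data = struct.pack("!HBB", family, source_prefix, 0) + addr
    return struct.pack("!HH", ECS_OPTION_CODE, len(data)) + data


def build_query(qname: str, client_ip: str, source_prefix: int,
                txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Standard RD query with one question and one OPT record in the additional section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    rdata = ecs_option(client_ip, source_prefix)
    # OPT: root name, type 41, UDP payload size 1232, ext-rcode 0, version 0, flags 0
    opt = b"\x00" + struct.pack("!HHBBHH", OPT_TYPE, 1232, 0, 0, 0, len(rdata)) + rdata
    return header + question + opt


def skip_name(packet: bytes, pos: int) -> int:
    """Advance past a name; a compression pointer (0xC0..) is two bytes and ends the name."""
    while True:
        length = packet[pos]
        if length & 0xC0 == 0xC0:
            return pos + 2
        pos += 1
        if length == 0:
            return pos
        pos += length


def parse_ecs(packet: bytes) -> Optional[dict]:
    """Return the ECS option carried in a packet's OPT record, or None if there is none."""
    qd, an, ns, ar = struct.unpack("!HHHH", packet[4:12])
    pos = 12
    for _ in range(qd):
        pos = skip_name(packet, pos) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        pos = skip_name(packet, pos)
        rtype, _size, _ttl, rdlen = struct.unpack("!HHIH", packet[pos:pos + 10])
        pos += 10
        rdata, pos = packet[pos:pos + rdlen], pos + rdlen
        if rtype != OPT_TYPE:
            continue
        opos = 0
        while opos + 4 <= len(rdata):             # walk the EDNS option list
            code, olen = struct.unpack("!HH", rdata[opos:opos + 4])
            body, opos = rdata[opos + 4:opos + 4 + olen], opos + 4 + olen
            if code != ECS_OPTION_CODE:
                continue
            family, source, scope = struct.unpack("!HBB", body[:4])
            addr = ipaddress.ip_address(body[4:].ljust(4 if family == 1 else 16, b"\x00"))
            subnet = ipaddress.ip_network(f"{addr}/{source}", strict=False)
            return {"family": family, "source_prefix": source,
                    "scope_prefix": scope, "subnet": str(subnet)}
    return None
```

A resolver that forwards the /24 (or /56 for IPv6) to the authoritative server gets the geo-targeted answer the comment describes, at the cost of revealing roughly where the client is; the prefix-length-0 form is how a client asks it not to.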
As 9.9 returned an IPv6, I tested with AAAA records just now - 1.1/8.8 respond with 4x IPs, 9.9 only 1x so it mirrors the A records in spirit.
https://mullvad.net/en/help/dns-over-https-and-dns-over-tls
TL;DR
dns.mullvad.net - 194.242.2.2 (no blocking)
adblock.dns.mullvad.net - 194.242.2.3 (ad and tracker blocking)
base.dns.mullvad.net - 194.242.2.4 (ad, tracker, malware blocking)
And others but I primarily use the last two. They offer it as a public service, similar to quad9.
Using Google is a bad way to test this scenario, since they use EDNS and many other DNS load balancing methods to distribute the load.
Sanity, liberty, and censorship-resistance are virtues.
(before mental wellness people get up in my grill, by "sanity", I mean the preconditions likely to make sanity widespread)
I was getting an A record for sending I knew didn't exist. Spent quite a bit of time investigating until I just tried opening the site up in a browser. Then I saw their lovely as page. Thanks guys...
I guess some day, one political party will use it to block the websites of other political parties, etc. That's stupid to say (I know) but that seems to be the slippery slope we are sliding down.