[dns-operations] Can Root DNS server modify the response?

Jeroen Massar jeroen at massar.ch
Tue Mar 26 09:36:38 UTC 2019

On 2019-03-26 04:06, Dave Warren wrote:
> On 2019-03-23 16:32, SM wrote:
>> Hello,
>> At 07:09 PM 22-03-2019, solvepuzzle at secmail.pro wrote:
>>> Now the E root and F root are Cloudflare's server, should I
>>> change my DNS software to lookup other alphabet root server?
>>> Cloudflare's DNS service is censoring so using it as a root DNS
>>> is really bad news.
>> The above question is ambiguous as it might be about the Root Servers or a DNS recursive resolver (
> Is there any evidence of censorship on Cloudflare's resolver or root servers?

Unless we get a leaker telling the truth..... one will never know, to easy to avoid any kind of monitoring of the results and SERVFAIL can be that you got censored or that well, there was a packet dropped and something was b0rked for a bit.

While censorship is one part that could happen, the tracking of people/devices is another... and something can go mostly unnoticed as it is server-side.

Noting that Mozilla with their firefox is clearly steering towards DoH, "as ISPs are not to be trusted" (but a big hoster with a bunch of criminal/DoS-booter websites is?) and they are per-default selecting a certain provider that is outside of non-US jurisdiction even though serving customers around the world...

And now, they have added themselves in the mix of playing root server (with or without telemetry that mixes into other 'products').

Commercialization of the Internet is the question there... at least your local (sometimes monopolistic) ISP is the one you pay, but in the case of this situation you do not have any actual agreement with them...

The fun of the worlds....

In the end: unless one is there and actually has typed the command, outsiders will never know what really happens with the queries unfortunately.

Thus even what I type above is purely FUD in a way, as I cannot know.

Would be really cool if we had a framework that gave us some kind of assurance though.


More information about the dns-operations mailing list