From 66d845242c2935e9ff81806823782c3653303a73 Mon Sep 17 00:00:00 2001 From: Aminda Suomalainen Date: Sat, 11 May 2024 11:35:42 +0300 Subject: [PATCH] n/dns.md: compare DNS0 and Quad9 --- n/dns.md | 40 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/n/dns.md b/n/dns.md index 9aceda7..c17642c 100644 --- a/n/dns.md +++ b/n/dns.md @@ -23,6 +23,8 @@ _For DNS resolvers, refer to [r/resolv.tsv](/r/resolv.tsv)_ - [Why to not use ECS?](#why-to-not-use-ecs) - [Why to use private ECS?](#why-to-use-private-ecs) - [Identifying support for ECS](#identifying-support-for-ecs) +- [[DNS0.eu] or [Quad9]?](#dns0eu-or-quad9) + - [Conclusion](#conclusion) - [Mobile applications](#mobile-applications) - [Android](#android) - [Rethink](#rethink) 
@@ -178,6 +180,44 @@ dig +short TXT whoami-ecs.v4.powerdns.org. --- +## [DNS0.eu] or [Quad9]? + +In my experience [DNS0.eu] tends to have better filtering and +[reporting options](https://www.dns0.eu/report) than [Quad9], while [servers being located only in](https://www.dns0.eu/network) the +[European Union]https://european-union.europa.eu/) is mildly problematic when your users start traveling +outside it either for work or leisure, which across continents tends to bring +round-trips overseas. Additionally private ECS (see above) tends to be bad +poor for IPv6 and for very small AS like a school, it directs to another side +of the country, but that is a very minor issue. + +Meanwhile [Quad9] blocking seems almost as good in [tests like this](https://techblog.nexxwave.eu/public-dns-malware-filters-tested-in-2024/) and they give me impression [of more transparency](https://quad9.net/about/transparency-report) (as opposed to [DNS0.eu only +having a Twitter X account](https://twitter.com/dns0eu)). [Quad9] also has more options on whether to ECS or not (see above). + +The end-users traveling outside of the EU is also solved as they [have servers all around the world](https://quad9.net/service/locations/). + +Back to [DNS0.eu], while disabling private ECS is not an option, they do have other options; [default filters](https://www.dns0.eu), [no filters](https://www.dns0.eu/open), [heavier filtering (zero)](https://www.dns0.eu/zero) and [kids](https://www.dns0.eu/kids) + +[DNS0]: https://www.dns0.eu +[Quad9]: https://quad9.net + +### Conclusion + +As the size and confusion this page induces to anyone else than me shows, I have spent too much time thinking about DNS and related matters. + +- Android: while the system only gives the option between `cloudflare-dns.com` and `dns.google` (HTTP/3, see below), + web browsers are free to choose the DoH server. If the device is not expected to travel far outside the EU, DNS0.eu may be a safe choice, otherwise Quad9. 
+ - As I have to support devices going outside of the EU, I lean towards Quad9. +- iOS (or Apple in general): same question, do the devices travel outside of the EU? Both provide configuration profiles. + - While not noticing the DNS0.eu configuration profile is difficult, [Quad9 currently hides it a bit under docs.quad9.net iOS instructions](https://docs.quad9.net/Setup_Guides/iOS/iOS_14_and_later_%28Encrypted%29/) +- Personal computers: I have reached the cursed conclusion of [using Unbound upstreams DNS0 for IPv4, Quad9 ECS for IPv6](https://gitea.blesmrt.net/mikaela/shell-things/src/branch/master/etc/unbound/unbound.conf.d/dot-dns0-quad9.conf) and [using the hosts file to point web browsers away from DNS0.eu IPv6](https://gitea.blesmrt.net/mikaela/shell-things/src/branch/master/etc/hosts/dns) using [IPv4 addresses expressed in IPv6](). + - Especially the last part is cursed. + - Yes, ECS has privacy concerns, however _theoretically_ it's only a fallback if IPv4 goes down (very rare, has happened for short periods of time in my experience), but the environment also weights my decision. See above on whether to ECS or not. + - I hope to offset the risks of ECS by [not allowing TTLs below an hour](https://gitea.blesmrt.net/mikaela/shell-things/src/branch/master/etc/unbound/unbound.conf.d/min-ttl-hour.conf) so whether I have a tab open or not cannot be figured out from DNS traffic alone and somewhat relatedly [serve stale records if I must](https://gitea.blesmrt.net/mikaela/shell-things/src/branch/master/etc/unbound/unbound.conf.d/expired-stale-serving-rfc8767.conf) +- Personal servers: Personal preference, you could even use all of the DNS servers or be your own recursor. I again have small preference towards Quad9 ECS as titlefetching for unencrypted IRC connection is already open for mass surveillance and there is no telling who triggered a DNS query there anyway. 
+- Business/association/enterprise/whatever device: there may be free political/regulational/bureaucratic/whatever brownie points for using DNS0.eu with the queries not being transmitted outside of the EU. + +--- + ## Mobile applications _With the exception of those apps that config I remember otherwise or share it
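Review bot: the new TOC entry `- [[DNS0.eu] or [Quad9]?](#dns0eu-or-quad9)` in the first hunk nests reference-style links inside the link text; Markdown links cannot contain other links, so wherever `[Quad9]` resolves to its reference definition the outer `(#dns0eu-or-quad9)` anchor stops rendering as a link. Write the entry as plain text, `- [DNS0.eu or Quad9?](#dns0eu-or-quad9)`, in line with the other TOC entries in that hunk.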
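Review bot: the reference definition added at the end of the new section is `[DNS0]: https://www.dns0.eu`, but every link in the section (heading, body and the "Back to" paragraph) is written `[DNS0.eu]`, so those references never resolve and will render as literal bracketed text; rename the definition to `[DNS0.eu]: https://www.dns0.eu` or switch the uses to `[DNS0]`. Three smaller fixes in the same hunk: `[European Union]https://european-union.europa.eu/)` is missing the opening parenthesis before the URL; `tends to be bad` followed on the next line by `poor for IPv6` doubles the adjective, drop one; and `[IPv4 addresses expressed in IPv6]()` has an empty link target, so either add the URL or remove the brackets. The filter list ending in `[kids](https://www.dns0.eu/kids)` also lacks a closing period.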