UncensoredDNS

UncensoredDNS was started in November 2009. At the time I was working at an ISP where one of my (reluctant) responsibilities was to administer the censored DNS servers that all Danish ISPs have to run for their customers. I have never been a fan of the Danish DNS censorship system, and working with it first hand didn't exactly help.

The 2009 DNS ecosystem was different from today. Google, Cloudflare, and Quad9 DNS services didn't exist yet. Friends and family were asking for a recommendation for an alternative to the censored ISP DNS servers and I didn't have a good answer for them.

OpenDNS (now owned by Cisco) did exist in 2009, but back then they did NXDOMAIN redirection, an advertising trick where misspelled, nonexistent domains are redirected to a search page with ads instead of returning an NXDOMAIN error. They've since stopped doing it, but it showed what kind of company it was. They also didn't have IPv6 or DNSSEC, both of which are mandatory on a modern DNS server, even back in 2009.

Even if Google, Cloudflare or Quad9 DNS had existed back then I still wouldn't have felt comfortable recommending them. While they do run stable, fast and largely uncensored services, I am not convinced that it is a good idea to hand over all your DNS lookups to Google (or any other major corporation). The internet would be much better off with a bunch of smaller, community-run, decentralised services.

I was fortunate to be in a position to do something about it, so in October 2009 I started UncensoredDNS with help from friends. After a while I also started giving talks about the service at various conferences, since people naturally have an easier time trusting a service if they know who is behind it. You can see some of my old talks online, for example from RIPE65.

In 2014 I got an IP allocation from RIPE, leading to the introduction of anycast.uncensoreddns.org - initially with just two locations. Anycasting one of the nodes meant much better redundancy and performance, and also allowed me to do maintenance without interrupting service.

Since mid-2017 it has been possible to do encrypted DNS lookups. DNS-over-TLS support (RFC7858) was added using nginx (proxying to BIND on TCP port 53), and at the same time the TLS public keys were published in TLSA records and on the website, making it possible to pin the servers' public keys.

In 2020 DNS-over-HTTPS (RFC8484) support was introduced using dnsdist, and at the same time DoT was switched from nginx to dnsdist, still using BIND as the backend. Having dnsdist in front means it will be possible in the future to switch to a different backend recursor, or to use different recursors on different anycast nodes for added redundancy.

In October 2022 plaintext UDP/TCP port 53 DNS was switched off, 13 years after the inception of the service. Only the modern encrypted protocols DNS-over-TLS (RFC7858) and DNS-over-HTTPS (RFC8484) will be supported going forward.