NextDNS logging is opt-out, not opt-in as stated on PG's DNS Resolvers recommendations page

I think the main point of concern isn’t necessarily whether it’s an issue, more about how they communicate it. When they say “If not specifically requested by the user, no data is logged,” I think it’s reasonable that a user would assume that a “specific request” would involve clicking a button to turn on logs, not simply making an account. Regardless, I’m not here to dispute the original decision to remove them until they get back to us on this, I’m just more confused why the PR that involved removing them from the table for this reason also added them under the new cloud filtering category.

On the homepage nextdns.io they write:

ANALYTICS & LOGS

See what’s happening on your devices with in-depth analytics and real-time logs.
Measure the efficiency of your security, privacy and parental control strategies.
Decide how long your logs are kept — from one hour up to two years — or disable logging completely for a no-logs experience.

The issue isn’t so much that the policy is to log by default (though arguably, the default should be a shorter timeframe like a day or a week). The issue people are rightfully concerned about is that the privacy policy very clearly and prominently states that there is no logging by default unless a user deliberately chooses to enable it.

If not specifically requested by the user, no data is logged.

Like most people using a DNS service like NextDNS or ControlD, part of the reason I use the service is for the logging and insights/personal analytics. I leave logging enabled. But regardless of that personal preference, I do strongly feel NextDNS needs to fix/clarify their privacy policy and make it clear logs are enabled by default, and until they make that clarification, I think it makes sense for PG to acknowledge the discrepancy.


Wait till you find out that NextDNS uses Google Cloud to deliver those logs on their dashboard which is hosted on Vercel (which itself is built on AWS) fronted by Cloudflare. :person_shrugging:

But their privacy policy mentions nothing of the sort in “sub processors” (privacyguides knows about this since I’ve reported it on GitHub before). If I’m allowed to be cynical, hiding truth by omission seems like a pattern here.

(disclaimer: I run a public DoT/DoH resolver)

@archerallstars

Respectfully, I don’t believe I’ve gotten an answer to my original question, which consists of two parts now I suppose:

  1. Has the team come to a consensus that NextDNS should be removed until they clarify their privacy policy?
  2. If so, why was it removed from the table only to be re-added under the new cloud filtering section?

You guys are starting to lose common sense. NextDNS is one of the best options there, and logs are useful for checking what’s going on, easy to disable or change to 1h/24h. Same could be applied to Brave: you could say they show 2 checks for opt-out after install, so that is not opt-in but opt-out, and Brave is bad.

No, @dngray is looking to get in touch with them first.

It was removed from the table for a reason unrelated to this discussion in a PR I authored last November:


IMO, if they don’t answer it should be removed. The lack of any response doesn’t look good for them.

Default logging or not, the fact that NextDNS uses Google Cloud (from Firefox’s network requests tab to api.nextdns.io or MX records on nextdns.io), Cloudflare (A/AAAA records on nextdns.io, api.nextdns.io, brain.nextdns.io, favicons.nextdns.io, snapshots.nextdns.io, cortex.nextdns.io, so on…), and Vercel (A/AAAA records on my.nextdns.io) is verifiable. They also use Vultr (for steering.nextdns.io). You’ll not find a mention of these “sub processors” in their privacy policy.

Also, dns0.eu explicitly is a data-gathering op (though, for “threat-intelligence”), and I don’t think as such should be recommended as a “privacy friendly” alt (may be “security-friendly”, sure) until there’s more clarity on just what they do. I run a public-facing DoH / DoT resolver (serving 400bn+ requests per year; so not a small op), and I’ve been approached for such agreements (I’ve declined them every time given the terms invariably include “whitelisting” / “allowlisting” some domains under a strict NDA).


We’re not worried by GCP usage. This has been discussed thoroughly on these forums. The GCP privacy policy is in line with what other companies provide for similar commercial services. Just to be clear here the GCP privacy policy relates to the customer of GCP not service customers. For that you would need to see the individual service privacy policy of the business that is using GCP.

In other words you can have companies using GCP that are privacy friendly and have good terms or other businesses that are not. So with the NextDNS example their privacy policy is the one which is relevant. Google does not own NextDNS’s data so they cannot do anything with it they feel like, but rather provide service to NextDNS.

That information, though, seems to be mostly public sources and not stuff which is particularly private. I think they do that in order to track spam/botnets, etc.

This data originates from passive DNS data from our large-scale public DNS resolver and multiple services monitoring zone files, Certificate Transparency logs and WHOIS/RDAP. We also operate Web and DNS crawlers.

Feeds

We provide different types of data feeds, each with its specific use cases, and each available as a real-time stream and as daily downloadable feed.

Newly Registered Domains (NRD)
Newly Observed Domains (NOD)
Newly Observed Hostnames (NOH)
Newly Active Domains (NAD)
Newly Active Hostnames (NAH)
Newly Issued Certificates (NIC)
Passive DNS (RRsets)

They have their “zero” service (ZERO — Hardened security for highly sensitive environments — dns0.eu) which allows you to also use that data on a “higher security” DNS server.

Were you approached by dns0.eu or are you saying some other random threat intelligence companies?


The point is about their privacy policy lacking any mention of all these “sub processors”.

Then, what’s the point of NextDNS “storing” logs in Switzerland, if they’re going to be streamed through GCP servers worldwide (because if GCP is streaming logs stored in Switzerland through Indian servers, then Indian laws apply and GCP will comply with those laws)? PrivacyGuides makes it seem as if “storing” logs in the EU etc is a positive thing: You can choose retention time and log storage location for any logs you choose to keep, or disable logs altogether.

I worked at BigCloud for more than 8 years: BigCloud doesn’t own ALL the infrastructure. They themselves use services of other providers who may or may not be in bed with the respective governments where they operate. Besides, it was routine for teams to comply with legal requests by granting access to actual customer data / metadata to law enforcement. Some even had an automated workflow to grab all such data and bundle it up for legal. GCP, I don’t think, is any exception (see section 7.1.2: Cloud Data Processing Addendum | Google Cloud).

A concise privacy policy doesn’t mean it is complete. For reference, here’s Vercel’s privacy policy, which clearly spells out what information is and isn’t available to various tools and services they use: Privacy Policy – Vercel

To be honest, I don’t really have a strong opinion one way or the other, but if PrivacyGuides is serious about avoiding the next Skiff, then transparency from companies must be top priority (and err on the side of caution in absence of clarity).

Can’t disclose. Under NDA.

I implore you to not assume. Ask them, and see what you get.

This is something I raised in a subsequent email to them. I really like for example how Hashicorp does this: Subprocessors

I think their policy is a bit bare bones and could do with improvements.

You could really argue that about any provider who uses any third party whether it be Azure, AWS or some other platform. If that is the new criteria we should just ban any service that doesn’t own their own servers and not single out GCP specifically.

That will basically mean we’re left with very few services/reliable services and will be throwing out a huge amount of products which actually do work well.

Every service will comply with legal requests to some degree. That is the cost of continuing business arrangements. Singling out GCP because of legal requests really doesn’t address that problem and just seems like a misguided degoogle bent.

There is also no way to ensure that doesn’t happen besides throwing all your traffic in an encrypted tunnel and routing it somewhere else. If you’re worried about legal requests and the stream of traffic is persistent, I would not necessarily rely on a VPN provider to keep that confidentiality. They are also susceptible to bribes and other forms of coercion.

There is really no substitute to using Tor for a threat model where you have sustained government interest. Encrypted DNS was never really designed to give you strong confidentiality as there are plenty of other ways in which your usage can and will leak. The point of encrypting queries is stop outside manipulation and snooping at a network level, not thwart legal requests or targeted interest. Also with DNS you often don’t have much of choice about which route those queries take as any provider of size uses anycast addresses.

I don’t think NextDNS is anywhere near a “Skiff”. If you remember Skiff was quite new and pushed their addition to numerous sites very aggressively. Almost as if they were trying to inflate their user count knowing full well that the Notion deal was going to happen.

Conversely NextDNS is not new and they haven’t asked to be mentioned anywhere that I can see. NextDNS does partner with Mozilla and other companies which do care about privacy so that has to mean something. I have sent them another email (maybe the last one went to junk).

That’s unfortunate. I have unfortunately noticed a theme with quite a few of your replies, which have an element of argument from authority, without actual counter points other than “trust me, I know stuff”. In your previous reply you said:

I can’t see how you’d be bound by an NDA on an agreement you didn’t accept.

This is perhaps something that will require extra research. Are you talking about this, or something else?

We are looking to partner with national and pan‑European hosting providers, threat intelligence providers, CERTs and financial sponsors — talk to us at partners@dns0.eu.

CERTs (Computer Emergency Response Teams) and “threat intelligence providers” in a pan-European context really can only mean one thing, and that is they want more data about threats in Europe for their Zero program.


Can we take a step back and also just ask, what’s wrong with threat intel companies? This dns0/ZERO initiative doesn’t seem like a bad thing; in fact it seems like a good thing, at least from a skim of the heuristics they use as well as what they ask for on their Twitter.

Also, threat intel only really gets super specific to you as a random DNS user if you’re literally a major threat actor and people look into you in particular. To assume otherwise is blowing things out of proportion, because the average person’s info would only get into a piece of shared threat intel if they were actually doing enough “interesting” things to cause an alert to fire off.


That wasn’t my point. My point was, the part where PrivacyGuides highlights NextDNS’ “log storage location” feature is misleading in light of their use of all these other global service providers. Imagine if a VPN provider told you they stored connection logs in some location but then streamed it out to users with GCP, AWS, and Cloudflare having access to it in plaintext.

Again: It is about how transparent a provider is about the services they use. Not about what they can and can’t use.

You’ll notice that it is a separate endpoint and not the one sold to users or recommended by PrivacyGuides. Cloudflare does the same (they’ve got a Mozilla specific endpoint).

Incredible. I mention how X works because I’ve been there, done that, and this is how you insult me. What a colossal dumpster fire. I feel sorry I even bother.

NDAs are signed before you even take such meetings.

If I were to recommend something like this, I’d email the developers and clarify with them what data they collect from user requests, how they process / de-anonymize them, and how they vet who they share it with.

Privacy and security can clash at times.

Could you please elaborate on how that’s the case here? As I said, threat intel is unlikely to have people’s personal data (I guess DNS requests in this case) unless they’re doing something that’d make an alert fire off, because to do otherwise would make the threat intel pretty useless and overly broad. I hate to argue from authority, but this is something I’ve “been there, done that” with.

My point is, get more clarity before recommending dns0.eu as “no logs”. Cloudflare also gathers intel as does Quad9, and both are marked as such on PrivacyGuides: https://www.privacyguides.org/en/dns/#fn:2

Interesting. If I may, where?

Large, non-government organisation in Australia. Not willing to pinpoint more than that lol


Wise move. If you do, you’ll be insulted.

This is largely speculation that GCP is logging everything regardless of a downstream privacy policy. One could make a similar argument that colocation isn’t even good enough because a datacenter might track incoming IPs on their firewall.

I do agree, though, that they should be clearer about their sub processors. Their privacy policy is likely brief for brevity reasons (and maybe too much so).

Hopefully we hear back from them soon.

That may be so, and due to scaling and provisioning. They would still have to have some competency as a service. This isn’t really evidence that the services are run in a vastly different way.

All of this really can’t be verified, so let’s drop that. I do find it odd you’d sign an NDA with a company before you even know what the meeting will be about, without contacting a lawyer, though.

Their privacy policy does state though:

We do not log any Personally Identifiable Information (PII).

Our recursive DNS service, this website and other services we provide are fully compliant with the GDPR, and we welcome audits from reputable European entities.

The zero service seems to be information that isn’t specific to dns0. I don’t think you can really argue that Newly Registered Domains or Newly Active Domains are logging. Is it really logging if they look at WHOIS records of requests going through their system? When people think of DNS logging they think of logging the client’s IP, i.e., who is requesting what domains. I don’t think their service is doing that. We don’t have any evidence that indicates that they do.

If you really can’t trust a privacy policy then you will have to depend on technical means for anonymity.
