Query endpoints

Public DNS resolver service

For a brief period we were an unadvertised OpenNIC public DNS server. Unfortunately, after discovering that too much malware, too many dead domains and MAGA-related content had made their home on OpenNIC, we decided we couldn't be a part of that, so the servers were taken down.

We still liked the idea of having our own server, mainly to filter traffic on Android devices, which allow specifying an encrypted DNS resolver (Private DNS).

It's targeted mainly at our own users, but it's freely available to anybody who would like to try it.

The server is located in the US, so it can be useful for somebody tunneling a regional streaming service that gets blocked because of "leaky DNS" (queries escaping the tunnel), whether because they cannot redirect their whole network's DNS traffic, don't know how, or whatever the case might be.

It supports standard DNS over UDP and TCP, as well as DoT (DNS over TLS, TCP:853) and DoQ (DNS over QUIC, UDP:853); in other words, every DNS transport that does not hide queries inside web traffic (so no DNS over HTTPS).

Standard DNS

45.63.49.108:53/UDP

DNS over TCP1)

45.63.49.108:53/TCP

DNS over TLS2)

45.63.49.108:853/TCP
domain: cloudfront.vitanetworks.link

DNS over QUIC3)4)

45.63.49.108:853/UDP
domain: cloudfront.vitanetworks.link

Policies

Discriminatory, long cached, fully recursive server

This is not meant to be a non-discriminating resolver, quite the opposite: it's meant to heavily filter traffic using the same or very similar policies as the ones we use on our intranet and guest networks. Additionally, the server is not a forwarder either: it performs the full resolution itself, label by label, starting from the root servers.

Blocks

As a starting point we use one of Steven Black's unified hosts lists, blocking the following:

Category Is it blocked?
Adware ✔︎
Malware ✔︎
Disinformation-heavy sites ✔︎
Gambling sites ✔︎
Explicit adult entertainment (pornography) ✖︎
Public social networks ✔︎

Reasoning (Why is porn allowed but social networks aren't?)

The goals of our blocks are several:
- First and foremost, to clean up the user's browsing experience
- To remove invasive trackers
- To save bandwidth otherwise spent on autoplaying video ads and scripts, for users with tight data budgets
- To do all of this heavy filtering while anonymizing the traffic; most services that filter this heavily need to be hosted locally or, if cloud-based, require a user account. THIS IS NOT TRUE AT THE MOMENT BECAUSE WE'RE TEMPORARILY LOGGING QUERIES FOR INTERNAL PURPOSES - SEE MORE BELOW. Concretely:

  1. ECS (EDNS Client Subnet) is not enabled, so authoritative servers never learn the client's network
  2. The server performs QNAME case randomization (0x20) and QNAME minimization5)

- To give users outside the US US-targeted responses, as needed by Netflix users and similar services, and finally
- To limit the user's, as well as the resolver's own6), exposure to harmful content, whether it threatens:

  1. The user's privacy
  2. Peace of mind or mental health
  3. The user's system and data (e.g. malware)
  4. The user's finances (e.g. ransomware)
  5. The user's attention span (e.g. ads)

This applies whether the harm is immediate or longer term, and whether it falls on the user making the query or, through the content's amplified reach, on society in general, as is the case with all current public/commercial social network sites.
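The two resolver-side measures above (no ECS, 0x20 case randomization) can be checked from the client side, and the transports listed under the query endpoints can be exercised with the same query. The following is an added example written for this page, not the resolver's own code or software: it builds a DNS query with a randomized-case QNAME and no EDNS record (hence no ECS option), sends it over UDP/53, TCP/53 or DoT (TCP/853, verifying the certificate against cloudfront.vitanetworks.link) and checks that the reply echoes the exact case that was sent. The resolver address and TLS name are the ones listed on this page; the query name and the offline sample reply are constructed. DoQ is left out because it needs a QUIC library.

```python
# Added example, not the page's own code: build a DNS query with 0x20 case
# randomization, send it over UDP/53, TCP/53 or DoT (TCP/853 with TLS name
# verification) and check that the reply echoes the randomized QNAME.
# RESOLVER and TLS_NAME are the values listed on this page; the query name and
# the offline sample response are constructed here. DoQ is not covered.
import random
import socket
import ssl
import struct

RESOLVER = "45.63.49.108"
TLS_NAME = "cloudfront.vitanetworks.link"

def randomize_case(name, rng=None):
    """0x20 encoding: flip the case of every letter at random."""
    rng = rng or random
    return "".join(c.upper() if rng.getrandbits(1) else c.lower() for c in name)

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(msg, off):
    """Decode a possibly compressed name; returns (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer
            end = off + 2 if not jumped else end
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), end if jumped else off

def build_query(name, qtype=1, txid=None, rng=None):
    """Wire-format query, RD set, no EDNS at all (so no ECS option either)."""
    txid = random.getrandbits(16) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(randomize_case(name, rng)) + struct.pack("!HH", qtype, 1)

def parse_response(msg):
    """Return (txid, rcode, echoed qname, list of A addresses)."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, qname, addrs = 12, "", []
    for _ in range(qd):
        qname, off = decode_name(msg, off)
        off += 4                                   # QTYPE + QCLASS
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return txid, flags & 0xF, qname, addrs

def answer_matches(query, response):
    """The 0x20 check: same txid and the QNAME in exactly the case we sent.
    A blind spoofer has to guess both, not just the 16-bit id."""
    r_id, _, r_name, _ = parse_response(response)
    return struct.unpack("!H", query[:2])[0] == r_id and decode_name(query, 12)[0] == r_name

def sample_response(query, addr, qname_override=None):
    """Constructed reply (not captured from the resolver): echoes the question
    and adds one A record whose owner name is a pointer to offset 12."""
    q_name, q_end = decode_name(query, 12)
    question = encode_name(qname_override or q_name) + query[q_end:q_end + 4]
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(x) for x in addr.split("."))
    return query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0) + question + rr

def query_udp(query, server=RESOLVER, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        return s.recv(4096)

def query_tcp(query, server=RESOLVER, port=53, tls_name=None, timeout=3.0):
    """DNS over TCP (two-byte length prefix). With tls_name set this is DoT;
    the default SSL context verifies the chain and the hostname."""
    sock = socket.create_connection((server, port), timeout=timeout)
    if tls_name:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=tls_name)
    with sock, sock.makefile("rb") as f:
        sock.sendall(struct.pack("!H", len(query)) + query)
        (length,) = struct.unpack("!H", f.read(2))
        return f.read(length)

if __name__ == "__main__":                         # live check against the endpoints above
    q = build_query("example.com")
    for label, send in (("UDP/53", query_udp), ("TCP/53", query_tcp),
                        ("DoT/853", lambda m: query_tcp(m, port=853, tls_name=TLS_NAME))):
        r = send(q)
        print(label, parse_response(r), "0x20 ok" if answer_matches(q, r) else "0x20 MISMATCH")
```

Run it as a script to query the three endpoints; a DoT handshake that fails with a certificate or hostname error means the TLS name you configured does not match what the server presents, which is exactly what a client should refuse. A resolver that rewrote the QNAME to lowercase would show up as "0x20 MISMATCH" on every reply.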

Adult entertainment is not weaponized, or at least we don't think it affects people en masse the way malware, ransomware, social media and disinformation do. Due to its nature, where users need to "process" the media, they are unlikely to go on a bank-transaction spree like they would on a gambling site or app.

Finally, our last reason not to block this type of content is simply that we're not interested in being anybody's moral compass. That role is traditionally, if at all7), taken by a parental figure (which more or less translates to: "we're not your mom").

LOGGING ACTIVE

ATTENTION: We're temporarily logging queries for internal testing purposes. You should not use the service until we stop doing this (this message will disappear when we do). We are not monetizing this data, nor reporting it to anybody. Currently it is only logged to a remote log server that does not write to disk, i.e. the data is discarded at some point.

Caching

This is a small server; in order to conserve resources and to give faster responses, the time an expired record is allowed to remain in cache and be served stale was increased substantially. For most users this is inconsequential, except perhaps for web developers and others who need to test changes to a record: a record you just changed may keep being answered from this resolver's cache well past its published TTL. This is part of the current policy:

SERVE STALE
- Serve Stale: Yes.
- Serve Stale TTL: 259200s/3d
- Serve Stale Answer TTL: 300s/5m
- Serve Stale Reset TTL: 900s/15m
- Serve Stale Max Wait Time: 1800ms

CACHING
- Cache max entries: unlimited
- Cache min TTL: 60s (records published with a shorter TTL, often only 10s, are kept at least this long)
- Cache max TTL: 604800s/1w
- Cache Negative TTL: 330s
- Cache Failure TTL: 10s
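To make the effect of these numbers on a client concrete, here is an added example (written for this page, not the resolver's own code): a toy cache that applies the page's TTL values. "Min/max TTL" is taken to mean clamping the authoritative TTL, and "serve stale" to mean answering from an expired entry while the authoritative server is unreachable, for at most the Serve Stale TTL and with the Serve Stale Answer TTL in the reply; these are the usual meanings and are assumed here, as are the negative and failure TTL semantics. Reset TTL and Max Wait Time are not modelled. The zone name, addresses and timeline are made up.

```python
# Added example, not the resolver's own code: a toy cache that applies the TTL
# numbers from this page so the effect on a client is visible. The semantics of
# min/max TTL (clamp), serve stale (answer from an expired entry while upstream
# is unreachable) and negative/failure TTLs are assumed; Reset TTL and Max Wait
# Time are not modelled. Zone name, addresses and timeline are constructed.
CACHE_MIN_TTL, CACHE_MAX_TTL = 60, 604800
NEGATIVE_TTL, FAILURE_TTL = 330, 10
SERVE_STALE_TTL, SERVE_STALE_ANSWER_TTL = 259200, 300

NOERROR, SERVFAIL, NXDOMAIN = 0, 2, 3

class PolicyCache:
    def __init__(self):
        self._c = {}                       # qname -> (rcode, answer, expires_at)

    def _store(self, qname, rcode, answer, ttl, now):
        """Apply the policy TTL and remember the entry; returns the TTL used."""
        if rcode == SERVFAIL:
            ttl = FAILURE_TTL
        elif rcode == NXDOMAIN:
            ttl = NEGATIVE_TTL
        else:
            ttl = max(CACHE_MIN_TTL, min(CACHE_MAX_TTL, ttl))   # clamp authoritative TTL
        self._c[qname] = (rcode, answer, now + ttl)
        return ttl

    def resolve(self, qname, now, upstream):
        """upstream(qname) -> (rcode, answer, ttl), or raises TimeoutError.
        Returns (rcode, answer, ttl_in_reply, source)."""
        hit = self._c.get(qname)
        if hit and now < hit[2]:
            return hit[0], hit[1], hit[2] - now, "cache"
        try:
            rcode, answer, ttl = upstream(qname)
        except TimeoutError:
            # Serve stale: an expired answer (never a cached failure) is still
            # handed out for up to SERVE_STALE_TTL after it expired.
            if hit and hit[0] != SERVFAIL and now - hit[2] <= SERVE_STALE_TTL:
                return hit[0], hit[1], SERVE_STALE_ANSWER_TTL, "stale"
            rcode, answer, ttl = SERVFAIL, None, FAILURE_TTL
        return rcode, answer, self._store(qname, rcode, answer, ttl, now), "upstream"


def developer_scenario():
    """Constructed timeline: app.example is published with TTL 10, the developer
    changes it at t=30, and its authoritative server goes down at t=150.
    Returns (t, rcode, answer, ttl, source) for each lookup."""
    zone = {"rr": ("10.0.0.1", 10), "up": True}

    def upstream(qname):
        if not zone["up"]:
            raise TimeoutError
        return (NOERROR, *zone["rr"])

    cache, seen = PolicyCache(), []
    for t in (0, 30, 61, 150, 61 + CACHE_MIN_TTL + SERVE_STALE_TTL + 1):
        if t == 30:
            zone["rr"] = ("10.0.0.2", 10)          # record changed at the origin
        if t == 150:
            zone["up"] = False                     # origin unreachable from now on
        rcode, answer, ttl, src = cache.resolve("app.example", t, upstream)
        seen.append((t, rcode, answer, ttl, src))
    return seen

if __name__ == "__main__":
    for row in developer_scenario():
        print(row)
```

The timeline shows both halves of the caveat above: the TTL-10 record is not refetched before 60 seconds have passed, and once the origin stops answering, the last known address keeps being returned (with a 300-second TTL) for three days before the resolver finally reports SERVFAIL.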


1)
Although it can be used for ordinary queries, DNS over TCP is more commonly used for zone transfers and for retrying responses that were truncated over UDP
2)
AKA DoT
3)
AKA DoQ
4)
Note: Out of respect for network admins, VitaNetworks' web services are not served over QUIC; this is the sole exception, which was only made because [1.] it's not a web service and [2.] it's not on the standard web ports
5)
This is mostly irrelevant to users, as all queries leave from the server's public address without revealing the original user's address
6)
since in the end, it's the resolver that has to answer the questions
7)
given that somebody capable of, and allowed to, browse the Internet on their own should not need direction in this and many other areas
en/services/dns/public.txt · Last modified: 2025/10/16 15:26