This is another post that started after several toots on mastodon. Most of the things presented here were already tooted by other people, but I think this is a good chance to write a mini tutorial about what to look at. We’ll use DNS, whois, BGP and your favourite search engine.

What is DNS4EU?#

To quote the web page:

Supported by the European Union Agency for Cybersecurity (ENISA), the European Union’s DNS4EU secure-infrastructure project provides a protective, privacy-compliant, and resilient DNS service to strengthen digital sovereignty and security for EU citizens, governments, and critical infrastructure.

First things first#

The first thing your computer does is to do a DNS lookup, so let’s do the same:

$ dig ns joindns4.eu +short
ns63.cloudns.net.
ns64.cloudns.uk.
ns61.cloudns.net.

Searching for clouddns you’ll find that they are a European company. Going one step further we can check the IPv4 and IPv6 addresses of the three name servers above and see that all of them are from providers within the EU.

$ for i in $(dig ns joindns4.eu +short); do host $i; done
ns61.cloudns.net has address 109.201.133.168
ns61.cloudns.net has IPv6 address 2a00:1768:1001:9::168
ns64.cloudns.uk has address 185.206.180.150
ns64.cloudns.uk has IPv6 address 2a0b:1640:1:1:1:1:15ee:539e
ns63.cloudns.net has address 51.210.104.220
ns63.cloudns.net has IPv6 address 2001:41d0:304:200::455b

You can check all of them yourself by using whois on the command line. I’m leaving that out to keep this post short.

EU:NON-EU 1:0

www.joindns4.eu

So let’s look at the website:

$ host www.joindns4.eu
www.joindns4.eu is an alias for 142290803.sites.hscoscdn-eu1.net.
142290803.sites.hscoscdn-eu1.net has address 141.101.90.98
142290803.sites.hscoscdn-eu1.net has address 141.101.90.99
142290803.sites.hscoscdn-eu1.net has address 141.101.90.96
142290803.sites.hscoscdn-eu1.net has address 141.101.90.97
142290803.sites.hscoscdn-eu1.net has IPv6 address 2a06:98c1:3200::90:0
142290803.sites.hscoscdn-eu1.net has IPv6 address 2a06:98c1:3200::90:2
142290803.sites.hscoscdn-eu1.net has IPv6 address 2a06:98c1:3200::90:3
142290803.sites.hscoscdn-eu1.net has IPv6 address 2a06:98c1:3200::90:1

For IPv4 the RIPE database seems to need some cleanup, for IPv6 we get:

$ whois 2a06:98c1:3200::90:0 | grep netname
netname:        CLOUDFLARENET-EU

Cloudflare is an American company. EU:NON-EU 1:1

What about mail?#

Let’s look at the mail servers:

$ dig mx joindns4.eu +short
1 aspmx.l.google.com.
5 alt1.aspmx.l.google.com.
5 alt2.aspmx.l.google.com.
10 aspmx3.googlemail.com.
10 aspmx2.googlemail.com.

So they are using Google for mail, which again is an American company.

EU:NON-EU 1:2

It was pointed out to me that it’s called DNS4EU and not MAIL4EU or WEB4EU, so feel free to ignore all this. Europeans can’t do web and mail. There is absolutely no provider here who can do such complicated tasks.

But let’s look at their “product”#

All the DNS resolvers that you can / should configure are in 2a13:1001::86:54:11:/64 and 86.54.11.100/24. Which are, according to whois, registered by a company from the EU. So 2:2? Not so fast. We must go one step further and look into BGP, the routing protocol used on the Internet.

There are several publicly accessible, read-only, BGP routers available to ask, see the route-views project Many providers also offer a Looking glass so you can see the provides view of the BGP world.

Note that I removed all but the relevant information so the output does not get too confusing:

$ telnet route-views.amsix.routeviews.org
route-views.amsix.routeviews.org> sh bgp ipv6 2a13:1001::86:54:11
BGP routing table entry for 2a13:1001::/48, version 327804
Paths: (22 available, best #1, table default)
[...]
15943 60068 198121
[...]
51088 60068 198121
[...]
1103 60068 198121
[...]
12779 60068 198121
[...]
38880 6939 60068 198121
[...]
60150 5405 60068 198121
[...]

BGP uses AS numbers for routing and the above output shows us the way from the Amsix route-views router to our destination in AS198121.

Once again we can use whois to query information about these ASN. You just need to put AS in front of the number when asking.

There is way more output, try for yourself:

$ whois as198121 | grep country
country:        CZ

Ah, good - EU! Not so fast… Note that the second to last AS is always the same.

$ whois as60068 | grep country
country:        GB

Last time I checked GB was not part of the EU. And it’s also a member of FIVE eyes.

So we have a service sponsored by EU, to protect the privacy of EU citizens using mainly non-EU services and routing all of their traffic, at least for the sample I took, via an non-EU provider.

So final score, depending on how you count:

EU:NON-EU 1:3

And then there is the issue of being single homed. How do they achieve availability / redundancy and avoid being DDOSed? I would expect such a service to be anycasted, available via multiple providers (all EU-based). But that’s just me doing free consulting work.