
Comments (9)

yegors commented on September 21, 2024

Operating open DNS resolvers is hard, as they're subject to heavy abuse including but not limited to DoS, reflection attacks, etc.

I cannot share all the details of the anti-abuse system publicly for obvious reasons; however, it's built on top of eBPF and runs entirely on each edge server, with no external data sources that are read from or written to. The hosts themselves operate from RAM disk servers (using a similar system to Windscribe), and the data that is referenced exists solely in Linux kernel space. We have limits set on packet flows to what is "reasonable" for a single IP, which triggers throttling when exceeded. If the abuse persists and increases in volume, this escalates to 2nd tier systems that refuse queries and eventually results in a nullroute of offending IPs network wide.

from privacyguides.org.

jonaharagon commented on September 21, 2024

Could certainly ask them, but I'm not sure why you'd need historical data logs to block abusive IP ranges. Presumably if you're ControlD, and you're noticing lower performance or higher bandwidth usage from your servers, you can see where the traffic is coming from at that moment and block accordingly.


ignoramous commented on September 21, 2024

> you can see where the traffic is coming from at that moment and block accordingly

Usually such abuse systems are automated and not manual, and the sophisticated ones are multi-region. Someone hints at the automation in that subreddit thread: "our anti-abuse system is trigger happy".

> historical data logs to block abusive IP ranges

That's not the point of this issue, which is specifically about PG claim that ControlD Free doesn't store anything at all.

> if you're ControlD, and you're noticing lower performance or higher bandwidth usage from your servers

It isn't clear if ControlD runs its own DDoS protection layer (they could be).


jonaharagon commented on September 21, 2024

> doesn't store anything at all.

It is the point of this issue. I'm saying you haven't explained why this means they do store anything. The fact that they are automated does not necessarily change the process I outlined: The process could kick in based on # of requests made within a fixed window, for example.

Unless you are saying the fact that they stored an IP range to block as an iptables rule (or whatever) counts as them storing data for this purpose? The page does not literally mean ControlD does not possess any conceivable form of data. I could rattle off all sorts of data they possess, their webservers possess the HTML data that makes up their homepage, their social media accounts possess the contents of their posts, etc. - It is not relevant to us.

In that case this issue would be a duplicate of #2484 (i.e. that the definition of logging on the page is imprecise) and that will be fixed anyways.

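To make the "counter in a fixed window" process concrete, and to show what ephemeral in-memory state looks like next to the throttle/refuse/nullroute escalation yegors describes above, here is an added example (not ControlD's code, which is eBPF in kernel space). All thresholds, the window length and the sample IP are constructed assumptions; the only state kept is the current window's integer per source, held in RAM and never written anywhere.

```python
# Added example, not ControlD's implementation: an in-memory fixed-window
# per-source rate limiter with tiered escalation (throttle -> refuse -> nullroute).
# State lives in a dict for the life of the process; nothing is written to disk.
from collections import defaultdict

# Constructed thresholds (queries per window from one source IP); assumptions.
WINDOW_SECONDS = 10
THROTTLE_AT = 100      # above this, start shedding a share of queries
REFUSE_AT = 500        # above this, answer REFUSED instead of resolving
NULLROUTE_AT = 2000    # above this, drop everything from the source


class FixedWindowLimiter:
    def __init__(self, window=WINDOW_SECONDS):
        self.window = window
        # src_ip -> [window_start, count]: the analogue of a kernel map entry
        self.counters = defaultdict(lambda: [0.0, 0])
        self.nullrouted = set()  # sticky tier, cleared only by operator action

    def decide(self, src_ip, now):
        """Return 'allow', 'throttle', 'refuse' or 'nullroute' for one query."""
        if src_ip in self.nullrouted:
            return "nullroute"
        win = self.counters[src_ip]
        # A new window discards the old count: the only retained "history"
        # is a single integer for the window currently in progress.
        if now - win[0] >= self.window:
            win[0], win[1] = now, 0
        win[1] += 1
        if win[1] > NULLROUTE_AT:
            self.nullrouted.add(src_ip)
            return "nullroute"
        if win[1] > REFUSE_AT:
            return "refuse"
        if win[1] > THROTTLE_AT:
            return "throttle"
        return "allow"

    def expire(self, now):
        """Drop idle entries so the map only holds currently active sources."""
        idle = [ip for ip, w in self.counters.items() if now - w[0] >= self.window]
        for ip in idle:
            del self.counters[ip]


def simulate(limiter, src_ip, n, at=0.0):
    """Send n queries from src_ip at one instant; return the per-query decisions."""
    return [limiter.decide(src_ip, at) for _ in range(n)]
```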

jonaharagon commented on September 21, 2024

Or should we say that "store" implies "to disk"?


ignoramous commented on September 21, 2024

> I'm saying you haven't explained why this means they do store anything.

The burden to prove whatever it is they do can't be on me, surely? To put it bluntly, most other large public resolvers elaborate exactly what they store and why, incl. for DDoS. The "no logs" resolvers recommended by PrivacyGuides, however, seem to be lacking in transparency in that regard?

> The process could kick in based on # of requests made within a fixed window, for example.

That's load shedding / admission control? DDoS prevention isn't limited to some single integer counter like some believe (for example, some may meter ingress and egress bandwidth, number of queries as opposed to number of connections, handshake / connection failures, connection stalls, query type, query name, query frequency, time-to-live abuse, non-compliant stub clients, using IP hopping services and so on). I am not privy to what ControlD does, or how it defines DDoS, for that matter.

> duplicate of #2484 that the definition of logging on the page is imprecise

This issue depends on just what definition of "no logs" the community settles on, yeah. Not necessarily a dupe? In fact, following up with ControlD might help decide what "no logs" should look like. Yegor, the founder, in my interactions with him, has always been pretty nice, accommodating, and approachable.


jonaharagon commented on September 21, 2024

> The burden to prove whatever it is they do can't be on me, surely?

ControlD does share what information they store though, you're the one refuting it, so it feels like something beyond speculation should be required...


ignoramous commented on September 21, 2024

> ControlD does share what information they store though, you're the one refuting it, so it feels like something beyond speculation should be required...

The policy (last updated 4 months ago) says the same thing as the PG page, that ControlD Free doesn't store IP addresses or timestamps or queries. Apparently these DDoS protections were put in place only recently according to the reddit thread. The only way to know for sure what they do is to ask them? If you think or strongly believe a counter or iptables is what they use and the fact that they haven't updated their privacy policy is proof of that, that also sounds reasonable.


jonaharagon commented on September 21, 2024

I wonder if I can ping @yegors here to ask how they've implemented their DDoS protection with ControlD 👀

Otherwise I'll email them :)

