Hello.

We've been hard at work.

/

Aug 4, 2020

(6 min read)

post cover

I'd like everyone to take a deep breath and listen for a minute. - Bruce Schneier.

We are excited to share what we’ve been working on for the past few weeks at bravedns.com, a configurable DNS over HTTPS resolver and a companion Android app (both in private beta).

Our DNS over HTTPS resolver is deployed to 200+ locations to ensure low-latency and robustness. The state-of-the-art HTTP/3 and TLS v1.3 protocols are built right-in. Availability is number one priority at bravedns and our deployment strategies, development practices, and the architecture reflects that, though we realise achieving high availability is much harder and so it is pretty much a continuous and an ongoing process for us.

Our companion app is forked from the excellent getintra.org project by Jigsaw. We’ve made changes to the codebase to include a firewall and changed the UX a bit. The app doesn’t support HTTP/3, yet. The app will be open sourced under the Apache License in a few days from now and you’re very much welcome to contribute to it. Watch this space for more updates.

How it works

Once you sign-up, bravedns provisions a unique endpoint that you configure to block spyware, adware, malicious websites and more using the same blocklists that power popular content blockers like uBlockOrigin. This isn't too dissimilar to other such products on the market. More on that later. In our trials with users, we have found that a staggering 60% connections from Xiaomi and Vivo phones were blocked when the bravedns endpoint was configured to enable seven popular blocklists (totaling around 3 million entries). The numbers were lower but not stellar for Oppo (50%), Realme (50%), and Oneplus (30%) phones either. Note that, the block-count is a function of the apps installed and its usage and not just the manufacturer of the phone. Some people using Pi-Hole for DNS content blocking have reported numbers as high as 87%, and so even though it is trivial for apps to workaround DNS based content blocking, it still remains pretty effective and cheap way to block content across all applications and not just browsers.

Bravedns is a DNS stub resolver that forwards queries to 1.1.1.1 and by extension supports Query Name Minimization and DNSSEC but doesn’t support EDNS.

Bravedns doesn’t log requests by default, but you can opt-in. The logs are retained for a maximum of 3 months on our servers in the United States. The logs are de-anonymized, that is, the logs cannot be traced to a user on their own. Only access to a separate database provides information that can tie users to their logs (if stored). Logs aren’t used for any other purpose other than to provide services to the user like reports and analytics. The logs aren’t sold to third-parties or partners. The logs aren’t retained (even in a de-anonymized form) after 3 months. Currently, the retention period isn’t configurable, but soon will be.

Private beta

To try bravedns write to us at hello@celzero.com and we'd onboard you. We require that you sign-up with any email-id to use the service to fight abuse and not to track your DNS requests. Our resolver never sees any personally identifiable information other than IP address.

We are not charging our private beta customers currently as our pricing plans aren’t finalized-- but to give you an idea-- 1,000,000 uncached requests per month (around 6 to 10 devices worth of DNS traffic) may cost at least $1 per month.

Market

The effectiveness of DNS based content blocking has seen a plethora of companies building pretty impressive products in the past few years, some of them very advanced and feature rich. The point of building yet another such service stems from our frustration in using those, though we're personally big fans and inspired by NextDNS, Cloudflare Gateway, and pi-hole ourselves.

First, our DNS resolvers are built with high availability in mind. We try really hard to prioritize availability over any other decision we take. In our trial runs (albeit not internet scale), we found no traces of downtime, despite continuing to add new features. Some times focusing incessantly on availability has meant higher costs and that has meant we couldn't possibly provide the service for free, not forever at least. Our resolver, as of today, runs on Cloudflare Workers, but we have already begun exploring building a redundant architecture on top of other Serverless offerings, like fly.io and nanovms.com.

Second, we are on a mission to democratize security solutions for consumers and DNS is just the start. Our initial focus are mobile devices that are always-on, always-connected. We believe there's value in building solutions that help 2B+ users protect themselves and use security tools long relegated to the confines of large enterprises and guild of computer geeks.

Third, we deeply believe in an open internet. Routing DNS to uncensored endpoints helps circumvent censorship in countries where deep-packet inspection isn't prevalent, and with ESNI around the corner, this will prove a very cheap but effective tactic in bringing uncensored internet to billions of Android users, for a start.

Fourth, is we have abhor surveillance capitalism and would continue to build tools that expose it. For example, DNS requests reveal a lot of information that can inform the user about what's happening on their devices with the apps they've installed or ones that they didn't but came pre-installed. There's nothing distasteful about data collection done with regard for privacy (providing opt-outs) and state-of-the-art data-handling practices for the benefit of the users-- for example Google Photos app categorizing photos based on location, grouping them based on people, clustering them based on trips has a modicum of utility for folks that opt for it. Though, data collection just for the sake of it without a care in the world for user's privacy, without strict controls over its protection bounded by questionable user-agreements is what irks us, and letting users take control of their devices by giving them tools that they can use without requiring a computer science degree would hand them ability to resist such unabated inroads into their private lives, even if not by much, but it is a start. And we're excited to see how far we can get.

Who are you

We're concerned engineers willing to put in the work, I guess. That said, you shouldn't trust us anymore than you trust any other stranger on the internet, but hopefully, we are able to earn it over a period of time by engaging with the community and proving our mettle by walking the talk. bravedns is a work of three friends from India, Mohammed, Murtaza, and Santhosh with around 20 years of industry experience between them at  Amazon, IBM, and Scientific Games, who got together sometime in November last year to build this. If you were as excited as we are, you'd probably quit your job too. :)

BraveDNS

A brave new firewall for Android

5 subscribers