Национальная Система Доменных Имен (НСДИ) = National Domain Name System (NSDI)

[wkrp]

I just became aware of the National Domain Name System (NSDI), which in Russian is Национальная Система Доменных Имен (НСДИ). This is a DNS resolver that ISPs in Russia are forced to used as the upstream resolver for their own resolvers. If a DNS name is removed from NSDI, then it also disappears from ISP DNS resolvers. Anyone who wants to resolve such a name must look for an alternative resolver that does not use NSDI.

I learned this information from unic3rn on the Tor bug tracker.

2026-02-12 https://theins.ru/en/news/289338 (archive)

The activists have recorded disruptions in access to YouTube, linking the problem to Russia’s National Domain Name System — better known by its acronym NSDI (НСДИ) — a structure created as part of the Kremlin’s efforts to develop a so-called “sovereign internet.”

The National Domain Name System is a government-backed online infrastructure project created under Russia’s “sovereign internet” law. It mirrors the global Domain Name System (DNS), the mechanism that matches website domain names to their IP addresses, thereby enabling a user’s device to connect to the proper server.

Outside Russia, DNS records are created by domain owners and are distributed through an international system of registries and providers. Under Russian law, however, telecom operators are required to use the NSDI as the source of data on domain names.

That means if a record for a particular site is changed or removed in the NSDI, providers will pass that information on to users, even if it differs from the global DNS system. As a result, a site can “disappear” for users in Russia even if it continues to work in the worldwide DNS system.

In practice, the NSDI gives the regulator the means to exercise centralized control over which addresses “exist” for users inside the country.

The government Public Communications Network Monitoring and Control Center (ЦМУ ССОП) has a page about NSDI:

2022-08-25 https://portal.noc.gov.ru/ru/news/2022/08/25/nsdi/ (archive)

Одна из таких угроз — зависимость от глобальной инфраструктуры Сети, то есть от доступности зарубежных корневых серверов DNS, информации о сетевых адресах и автономных системах. Чтобы ее устранить и обеспечить надежность и стабильность российского Интернета, в 2021 году ввели в эксплуатацию Национальную систему доменных имен.

НСДИ показывает положительную динамику по приросту российских пользователей. Так, с января по июль 2022 года их количество выросло на 200 тыс. (с 800 тыс. до 1 млн в сутки), а всего в сутки поступает около 13 млрд запросов. Это около 6% от общемирового количества запросов к DNS-серверам.

В соответствии с требованиями законодательства к НСДИ обязаны подключаться операторы связи и компании, у которых есть номера автономных систем (ASN — специальный номер, который получают организации для своих автономных сетей в Интернете). Сегодня к НСДИ подключены все российские владельцы автономных систем, из которых 82% подключаются напрямую, а оставшиеся 18% используют DNS-серверы других операторов связи.

One such threat is dependence on the global network infrastructure, i.e., on the availability of foreign root DNS servers, information about network addresses, and autonomous systems. To eliminate this threat and ensure the reliability and stability of the Russian Internet, the National Domain Name System was launched in 2021.

The NSDI shows positive dynamics in terms of the growth of Russian users. From January to July 2022, their number increased by 200,000 (from 800,000 to 1 million per day), and a total of about 13 billion requests are received per day. This is about 6% of the total number of requests to DNS servers worldwide.

In accordance with legal requirements, telecommunications operators and companies that have autonomous system numbers (ASN — a special number that organizations receive for their autonomous networks on the Internet) are required to connect to the NSDI. Today, all Russian owners of autonomous systems are connected to the NSDI, 82% of which are connected directly, while the remaining 18% use the DNS servers of other telecommunications operators.

The NSDI system for coordinating DNS blocking rules across ISPs might be compared with the RPZ (Response Policy Zone) technique used in Indonesia: #316 (comment).

[wkrp]

The article from The Insider (archive) has a list of 13 domain names (out of 50 that were tested) that were newly blocked in NSDI in February 2026:

• www.youtube.com
• www.web.whatsapp.com
• www.windscribe.com
• www.apkmirror.com
• www.bbc.com
• www.currenttime.tv
• www.dw.com
• www.facebook.com
• www.instagram.com
• www.messenger.com
• www.svoboda.org
• www.themoscowtimes.com
• www.torproject.org

[wkrp]

There's a measurement opportunity here. An obvious idea is to query the NSDI resolvers directly to do comprehensive domain blocking measurements over time.

The Wikipedia pages for the Moscow Internet Exchange say that the NSDI nameservers are hosted there at MSK-IX:

https://ru.wikipedia.org/w/index.php?title=MSK-IX&oldid=147326994

Кроме того, именно на MSK-IX расположены альтернативные DNS сервера Национальной системы доменных имен (НСДИ), разработанной в 2019 году Роскомнадзором, на которую он обязывает переключать рекурсивные DNS сервера российских интернет-провайдеров и организаторов распространения информации (Закон о «суверенном интернете»).

https://en.wikipedia.org/w/index.php?title=Moscow_Internet_Exchange&oldid=1278248346

Also it operates alternative DNS root servers of Russian National Domain Name System for Roskomnadzor due to (Sovereign Internet Law).

In September 2021 there circulated on Telegram a leaked(?) letter about the blocking of Google, Cloudflare, and OpenDNS DNS resolvers. It also named the NSDI and listed IPv4 and IPv6 addresses of NSDI resolvers:

• 195.208.6.1
• 195.208.7.1
• 2a0c:a9c7:a::1
• 2a0c:a9c7:b::1

This is from 2021; I don't know if the addresses are still current.

https://ntc.party/t/1225/11

Перечень сервисов, к которым будут применяться ограничения по протоколам DNS, DNS-over-HTTPS (DoH) и DNS-over-TLS (DoT):
DNS-серверы Google (IP-адреса: 8:8:8:8, 8:8:4:4, dns.google);
DNS-серверы Cloudflare (IP-адреса: 1:1:1:1, 1:0:0:1);
Сервис DoH (doh.opendns.com).

Прошу проверить, что технологические сети, корпоративные сервисы и приложения не зависят от работы DNS, DNS-over-HTTPS (DoH) и DNS-over-TLS (DoT) перечисленных выше ресурсов.
Для гарантированной работы DNS-сервиса в срок до 09 сентября 2021г. необходимо подключиться к DNS-сервисам российских операторов связи или к Национальной системе доменных имён (НСДИ) по следующим IP-адресам: 195.208.6.1, 195.208.7.1, 2a0c:a9c7:a::1, 2a0c:a9c7:b::1.
Инструкция по подключению к НСДИ находится на Едином портале пользователей Центра мониторинга и управления сетью связи общего пользования (ЕПП ЦМУ ССОП) в разделе «Предоставление информации согласно приказам Роскомнадзора» по ссылке https://epp.noc.gov.ru/information.
По вопросам подключения просим при необходимости обращаться в круглосуточную дежурную смену ЦМУ ССОП по тел.: +7(495)748-13-18 или по электронной почте: ndr@noc.gov.ru. 2
Консолидированную информацию о проведении проверки DNS-сервисов и о наличии/отсутствии использования вышеуказанных иностранных DNS-сервисов в дивизионах/дирекциях прошу предоставить в электронном виде в срок до 20.09.2021

List of services to which DNS, DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) restrictions will apply:
Google DNS servers (IP addresses: 8:8:8:8, 8:8:4:4, dns.google);
Cloudflare DNS servers (IP addresses: 1:1:1:1:1, 1:0:0:1);
DoH service (doh.opendns.com).

Please verify that technology networks, corporate services, and applications are not dependent on the DNS, DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) resources listed above.
In order to guarantee DNS service operation it is necessary to connect to the DNS services of the Russian telecom operators or to the National Domain Name System (NSDI) by the following IP addresses by September 09, 2021: 195.208.6.1, 195.208.7.1, 2a0c:a9c7:a::1, 2a0c:a9c7:b::1.
Instructions on how to connect to NSDI can be found on the Single User Portal of the Public Switched Communications Network Monitoring and Control Center (EPP CMU SSOP) in the “Providing information according to Roskomnadzor orders” section at https://epp.noc.gov.ru/information.
If you have any questions regarding connection, please contact the 24/7 duty shift of the CMU SSOP by phone: +7(495)748-13-18 or by email: ndr@noc.gov.ru. 2
Please provide consolidated information about DNS checking and availability/absence of use of the above-mentioned foreign DNS services in divisions/directories in electronic form by 20.09.2021

[artenax]

My mobile ISP:
www.youtube.com OK
web.whatsapp.com / whatsapp.com NXDOMAIN
facebook.com / instagram.com 127.0.0.1 (for a long time)
messenger.com SERVFAIL
proton.me timeout > SERVFAIL

[wkrp]

In September 2021 there circulated on Telegram a leaked(?) letter about the blocking of Google, Cloudflare, and OpenDNS DNS resolvers. It also named the NSDI and listed IPv4 and IPv6 addresses of NSDI resolvers:

• 195.208.6.1
• 195.208.7.1
• 2a0c:a9c7:a::1
• 2a0c:a9c7:b::1

This is from 2021; I don't know if the addresses are still current.

$ dig +short -x 195.208.6.1
a.auth-nsdi.ru.
$ dig +short -x 2a0c:a9c7:a::1
a.auth-nsdi.ru.
$ dig +short -x 195.208.7.1
b.auth-nsdi.ru.
$ dig +short -x 2a0c:a9c7:b::1
b.auth-nsdi.ru.

The reverse DNS of 195.208.6.1 and 2a0c:a9c7:a::1 is a.auth-nsdi.ru, and the reverse DNS of 195.208.7.1 and 2a0c:a9c7:b::1 is b.auth-nsdi.ru. That's a pretty good sign that the IP addresses are still related to NSDI. Let's try some other subdomains:

for x in a b c d e f g h; do printf '%s|%s|%s\n' $x.auth-nsdi.ru $(dig +short -t A $x.auth-nsdi.ru) $(dig +short -t AAAA $x.auth-nsdi.ru); done

Domain name	IPv4	IPv6
a.auth-nsdi.ru	195.208.6.1	2a0c:a9c7:a::1
b.auth-nsdi.ru	195.208.7.1	2a0c:a9c7:b::1
c.auth-nsdi.ru	193.232.147.53	2a0c:a9c7:147:0:193:232:147:53
d.auth-nsdi.ru	193.232.253.53	2a0c:a9c7:253:0:193:232:253:53

[wkrp]

This page https://soft41.ru/services/nsdi/ (archive) has information about how to use NSDI resolvers as well as a PDF (archive):

ЦЕНТР МОНИТОРИНГА И УПРАВЛЕНИЯ
СЕТЬЮ СВЯЗИ ОБЩЕГО ПОЛЬЗОВАНИЯ
Инструкция по подключению операторов связи и владельцев АС к Национальной системе доменных имен (НСДИ)
MONITORING AND MANAGEMENT CENTER
GENERAL USE COMMUNICATIONS NETWORK
Instructions for connecting telecom operators and AS owners to the National Domain Name System (NSDI)
Instrukcija_dlja_OS_po_podkljucheniju_k_NSDI_v4.pdf

The PDF shows, for example, how to set the NSDI authoritative resolvers as a root zone in BIND:

zone "." {
  type static-stub;
  server-addresses { 195.208.6.1; 195.208.7.1; 2a0c:a9c7:a::1; 2a0c:a9c7:b::1;};
};

It also has a table of public resolvers that are at res-nsdi.ru rather than auth-nsdi.ru:

Domain name	IPv4	IPv6
a.res-nsdi.ru	195.208.4.1	2a0c:a9c7:8::1
b.res-nsdi.ru	195.208.5.1	2a0c:a9c7:9::1

Unlike the auth-nsdi.ru resolvers, you can query the res-nsdi.ru resolvers directly. And they return NXDOMAIN for the domains in the list at #580 (comment), except for www.windscribe.com:

for n in www.youtube.com www.web.whatsapp.com www.windscribe.com www.apkmirror.com www.bbc.com www.currenttime.tv www.dw.com www.facebook.com www.instagram.com www.messenger.com www.svoboda.org www.themoscowtimes.com www.torproject.org; do
	dig @a.res-nsdi.ru -t A $n
	dig @a.res-nsdi.ru -t AAAA $n
done

Domain name	IPv4	IPv6
www.youtube.com	NXDOMAIN	NXDOMAIN
www.web.whatsapp.com	NXDOMAIN	NXDOMAIN
www.windscribe.com	104.20.2.154 104.20.1.154	NOERROR
www.apkmirror.com	NXDOMAIN	NXDOMAIN
www.bbc.com	NXDOMAIN	NXDOMAIN
www.currenttime.tv	NXDOMAIN	NXDOMAIN
www.dw.com	NXDOMAIN	NXDOMAIN
www.facebook.com	NXDOMAIN	NXDOMAIN
www.instagram.com	NXDOMAIN	NXDOMAIN
www.messenger.com	NXDOMAIN	NXDOMAIN
www.svoboda.org	NXDOMAIN	NXDOMAIN
www.themoscowtimes.com	NXDOMAIN	NXDOMAIN
www.torproject.org	NXDOMAIN	NXDOMAIN

Interestingly, many of the NXDOMAIN records are specifically for the www versions of the domain names. Without the www., most of the names resolve correctly:

Domain name	IPv4	IPv6
youtube.com	NXDOMAIN	NXDOMAIN
web.whatsapp.com	NXDOMAIN	NXDOMAIN
windscribe.com	NXDOMAIN	NXDOMAIN
apkmirror.com	104.17.66.215 104.17.67.215 104.17.65.215 104.17.69.215 104.17.68.215	2606:4700::6811:42d7 2606:4700::6811:41d7 2606:4700::6811:45d7 2606:4700::6811:44d7 2606:4700::6811:43d7
bbc.com	151.101.64.81 151.101.128.81 151.101.192.81 151.101.0.81	2a04:4e42:200::81 2a04:4e42:400::81 2a04:4e42:600::81 2a04:4e42::81
currenttime.tv	2.19.183.34 2.19.183.12	2a02:26f0:e80:7b::216:910e 2a02:26f0:e80:7b::216:910d
dw.com	194.55.26.46 194.55.30.46	NOERROR
facebook.com	57.144.248.1	2a03:2880:f37c:1:face:b00c:0:25de
instagram.com	57.144.248.34	2a03:2880:f276:1e9:face:b00c:0:4420
messenger.com	57.144.248.141	2a03:2880:f083:10e:face:b00c:0:2
svoboda.org	2.22.31.64 2.22.31.56	2a02:26f0:e80:7b::216:9104 2a02:26f0:e80:7b::216:9119
themoscowtimes.com	8.47.69.0 8.6.112.0	2a06:98c1:3123:8000:: 2a06:98c1:3122:8000::
torproject.org	95.216.163.36 116.202.120.166 204.8.99.144 204.8.99.146 116.202.120.165	2a01:4f8:fff0:4f:266:37ff:feae:3bbc 2620:7:6002:0:466:39ff:fe7f:1826 2a01:4f9:c010:19eb::1 2620:7:6002:0:466:39ff:fe32:e3dd 2a01:4f8:fff0:4f:266:37ff:fe2c:5d19