Cloudflare's 1.1.1.1: an encrypted, privacy-protecting DNS service

Originally published at: https://boingboing.net/2018/04/02/logs-flushed-daily.html

5 Likes

This is great. I am switching stuff now.

3 Likes

y’all are not paying attention to the detail that 3rd parties will have access to the traffic on this network and some future news could reveal them “accidentally” providing decoded DNS traffic to APNIC, who could easily be in bed with any world government

We talked to the APNIC team about how we wanted to create a privacy-first, extremely fast DNS system. … We offered Cloudflare’s network to receive and study the garbage traffic in exchange for being able to offer a DNS resolver

Are you distilling the issue down to whether I trust CloudFlare or Google/My ISP more? I’m resolving 1.1.1.1 right now.

4 Likes

I just set this up on my mac, but have no idea what actually changed.
My ISP can no longer see my traffic? So 1.1.1.1 plus Onion browser means I now can have full anonymity?

1 Like

DNSSEC has privacy designed in; HTTPS has a rent generating scheme for Certificate Authorities who are little more than extortionists designed in.

1 Like

Your ISP will still see your traffic just as it has always done, the only difference is you’re hitting new DNS resolvers. Your browser actually pulling down cnn.com can still be seen as that still goes over your ISP’s pipes. If you don’t want your ISP to see your traffic, what you’re really after is a VPN.

6 Likes

the lower numbers are faster, right? /sarc

3 Likes

I’d actually recommend quad9 (9.9.9.9) instead:

It has the backing of IBM, PCH and the non-profit GCA, and doesn’t have any quid-pro-quo. unlike 1.1.1.1.

(Also, Boing Boing itself [but not the BBS] Uses Quad9.)

10 Likes

I was positive that the 1.0.0.0 class A was unassigned, but it was a fuzzy teenage memory. Sure enough, it looks like they handed out most of the remaining unassigned class A blocks back in 2010!

How come I didn’t get one! :slight_smile:

2 Likes

I’m gonna stick with OpenNIC.

Brilliant. These DNSs go up to double Eleven.

5 Likes

I came here to post this exact thing. DNSSEC, fully non-profit and very transparent with their business model.
Privacy aside, It also offers protection from a bunch of security firms

4 Likes

Is there a meaningful way to measure relative speed? For example, is “resolve time” a useful measure? In DNS jumper I get a resolve time of 70ms for 9.9.9.9, as opposed to 108ms for OpenDNS, 77ms for google, and only 2ms for the one I usually set by default (Hurricane Electric). I’d switch to quad9 but not if it is going to slow me down.

For 1.1.1.1 I get an “access error”.

How many DNS resolutions are you doing that you need to worry about 50ms in resolver time? Modern browsers and/or OSs usually cache DNS results anyway, so the number of DNS responses you’re going to be doing is (probably) pretty small.

To answer your question though, “response time” will depend very much on whether or not the resolver has to make a request back to the authoritative NS or not - if it already has the record it should serve it extremely quickly.

3 Likes

The one cited advantage to DNS-over-HTTPS is that it looks more like ordinary web-traffic if you’re in a scenario with an ISP trying to block/filter things.

1 Like

I don’t know, which is why I am asking. I’ve never personally made an explicit DNS request, though I know my system makes them regularly on my behalf. So the app I used to check this speed is just a waste of space? And there is no real-world speed reason to choose one DNS service over another?

1 Like

So, unless the delay is super long, most of the time, you won’t notice it. If you were doing a lot of queries for some reason then yes, it will matter.

1 Like

Yep, been using it all day via my open source router. Works like a charm.

Great. Yet another thing stuffed inside HTTP. Yet another thing that breaks firewalls, layer 7 inspection and IPS.

2 Likes