Cloudflare's 1.1.1.1: an encrypted, privacy-protecting DNS service

What I’m not getting here is: What supports DNS over HTTPS?

Because it’s not seemingly the OS (yet). Is there an application layer you install for DNS resolution, and then you point your DNS resolvers to localhost?

Or do browsers support it natively?

1 Like

So is an SSL handshake. While someone snooping my traffic can’t see where I’m going on, say, PornHub, they can still see I’m going there. That’s all in the clear.

The security angle here seems specious at best. So, your ISP can’t easily hijack your DNS traffic (good… most ISP DNS servers suck) but they can still see everywhere you go. If you truly want to prevent your ISP from seeing where you’re going, you need a VPN.

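The point about the hostname still being visible deserves to be seen in bytes. The following is an added example, not code from this thread or from Cloudflare: it builds a minimal, constructed TLS ClientHello for a hypothetical hostname and then reads the Server Name Indication back out of the raw record without any key material, which is exactly what an on-path observer such as an ISP can do. The function names `build_client_hello` and `extract_sni` are mine. Encrypted DNS over 1.1.1.1 hides only the lookup; the first packet of the TLS connection that follows still names the site in the clear (TLS Encrypted Client Hello is the later extension designed to close that gap).

```python
import struct

SNI_EXTENSION_TYPE = 0   # "server_name" in the IANA TLS extension registry


def build_client_hello(hostname: str) -> bytes:
    """Constructed minimal TLS ClientHello record carrying an SNI extension.
    Random, cipher list and session id are fixed filler; only the SNI matters here."""
    sni_entry = b"\x00" + struct.pack("!H", len(hostname)) + hostname.encode("ascii")  # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", SNI_EXTENSION_TYPE, len(sni_list)) + sni_list
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"            # legacy_version TLS 1.2
        + b"\x11" * 32         # client random (constructed filler)
        + b"\x00"              # session_id length 0
        + b"\x00\x02\x13\x01"  # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"          # compression methods: null only
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type handshake


def extract_sni(record: bytes):
    """Return the host_name from a ClientHello record, or None if the record is
    not a ClientHello (e.g. encrypted application data, type 0x17) or has no SNI.
    No key material is needed: everything read here is plaintext on the wire."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    try:
        off = 2 + 32                                            # version + random
        off += 1 + body[off]                                    # session_id
        off += 2 + struct.unpack("!H", body[off:off + 2])[0]    # cipher_suites
        off += 1 + body[off]                                    # compression_methods
        if off + 2 > len(body):
            return None                                         # no extensions block
        ext_end = off + 2 + struct.unpack("!H", body[off:off + 2])[0]
        off += 2
        while off + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", body[off:off + 4])
            off += 4
            edata = body[off:off + elen]
            off += elen
            if etype != SNI_EXTENSION_TYPE:
                continue
            list_end = 2 + struct.unpack("!H", edata[:2])[0]
            p = 2
            while p + 3 <= list_end:
                name_type = edata[p]
                name_len = struct.unpack("!H", edata[p + 1:p + 3])[0]
                p += 3
                if name_type == 0:
                    return edata[p:p + name_len].decode("ascii")
                p += name_len
    except (IndexError, struct.error):
        return None                                             # truncated or malformed
    return None


if __name__ == "__main__":
    hello = build_client_hello("example.com")      # constructed, never sent anywhere
    print(extract_sni(hello))                      # the hostname, read with no keys
    print(extract_sni(b"\x17\x03\x03\x00\x05hello"))  # application data: nothing readable
```

The same parse is what passive monitoring tools do to label TLS flows by destination, which is why a VPN (which wraps the whole handshake) changes the picture while encrypted DNS alone does not.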

It doesn’t go through the browser; it just uses the https protocol for the connection: https://developers.google.com/speed/public-dns/docs/dns-over-https

Though, that said, apparently it CAN be implemented in the browser: https://www.ghacks.net/2018/04/02/configure-dns-over-https-in-firefox/
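What "just uses the https protocol" means in practice is RFC 8484: the resolver receives the ordinary DNS wire-format message, either as the body of an HTTPS POST with content type `application/dns-message` or base64url-encoded in a `?dns=` GET parameter, and returns the ordinary wire-format answer. The following is an added example written for this thread, not code from Cloudflare or from the linked Google page. The endpoint path `https://1.1.1.1/dns-query` is Cloudflare's real DoH URL but is not quoted in the discussion; the sample response and the address `192.0.2.1` are constructed so the parsing can be exercised offline, and only `doh_resolve` touches the network.

```python
import base64
import struct
import urllib.request

# Cloudflare's DoH endpoint (RFC 8484); the thread only names 1.1.1.1, the path is added here.
DOH_URL = "https://1.1.1.1/dns-query"


def build_dns_query(name: str, qtype: int = 1, txn_id: int = 0) -> bytes:
    """Ordinary RFC 1035 wire-format query: header, QNAME labels, QTYPE, QCLASS=IN.
    RFC 8484 recommends ID 0 so identical queries give identical HTTP bodies (cacheable)."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)   # flags: RD=1, QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def doh_get_url(resolver_url: str, query: bytes) -> str:
    """GET form: the raw message goes in ?dns= as base64url without '=' padding."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={b64}"


def doh_post_request(resolver_url: str, query: bytes) -> urllib.request.Request:
    """POST form: the raw message is the HTTP body, typed application/dns-message."""
    return urllib.request.Request(
        resolver_url,
        data=query,
        method="POST",
        headers={
            "Content-Type": "application/dns-message",
            "Accept": "application/dns-message",
        },
    )


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a (possibly compressed) domain name in the message."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_a_records(msg: bytes) -> list:
    """Return the IPv4 addresses in the answer section of a DNS response."""
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0x000F}")
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4          # skip QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


def constructed_response(query: bytes, ipv4: str) -> bytes:
    """Constructed sample of a resolver's answer to `query` (no network used):
    same ID, flags QR/RD/RA set, the question echoed back, and one A record
    whose owner name is a compression pointer (0xC00C) to the question name."""
    txn_id = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txn_id, 0x8180, 1, 1, 0, 0)
    question = query[12:]
    rdata = bytes(int(p) for p in ipv4.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return header + question + answer


def doh_resolve(name: str, resolver_url: str = DOH_URL) -> list:
    """Live lookup over HTTPS; the only function here that opens a connection."""
    req = doh_post_request(resolver_url, build_dns_query(name))
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_a_records(resp.read())


if __name__ == "__main__":
    q = build_dns_query("example.com")
    print(doh_get_url(DOH_URL, q))
    print(parse_a_records(constructed_response(q, "192.0.2.1")))   # offline demo
```

Nothing about the DNS message changes; only the transport does, which is why an OS or application has to be taught to speak this rather than UDP port 53, and why simply typing 1.1.1.1 into a network adapter's DNS field does not, by itself, encrypt anything.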

I get that. What I don’t get is: who is modifying their stack to support this, instead of the legacy UDP based dns protocol?

Best answer I can find so far is: It’s implemented at the Application level. See: Configure DNS Over HTTPS in Firefox - gHacks Tech News

Not at the OS level. So, changing your DNS settings to 1.1.1.1 won’t encrypt your DNS resolution. Unless I missed something? CoreDNS on Linux, I guess? I’m primarily a Windows stack dev, and so that’s the thrust of my question: How do I utilize this in my ecosystem? And it looks like the answer is “you can’t yet”.

As @orenwolf pointed out:

1 Like

Damnit. Damnit. Damnit.

How blatantly stupid an idea.

In this context I think that is what ‘privacy protecting’ means. Certainly inconvenient for environments where privacy is neither desired nor supported and the security team keeps a close eye on things; but there aren’t a lot of options that make their use case easier without also being pretty easy to scale up and use against much larger sets of targets whose network traffic you have at least partial access to (the closest thing to a “works at work without compromising everything elsewhere” is probably adding your pet CA as a trusted root on everything you control; but even that doesn’t play terribly nicely with pinning and any other workarounds for CAs being incompetent or shady).

The uses you describe are all things that would be shady if it weren’t for the fact that they are being done by the operators of the system to the system they are operating, with at least the “or you could not work here…” consent of the end users. How could you preserve the ability to exercise those functions without leaving people open to technically similar surveillance techniques by people they haven’t authorized?

1 Like

Right, that’s how networks are. Trying to change that fact is a bit flat-earth-ish as I see it.

You really don’t. There’s so much else an OS does besides a browser and so many points outside a user’s control.

Interestingly when I tested this, it seems it only works with my VPN off. When my algo VPN is on, it seems to route through Digital Ocean’s DNS server :confused:

That means they are forcing DNS traffic through their servers. On your VPN, they can’t tell it’s DNS traffic.

I’m not super networking savvy… but couldn’t they know from the port #?

Does this mean it’s merely passing through DO, then heading off to cloudflare?

Nope! Depending on the type of VPN, all traffic is usually either encapsulated into one TCP stream, or one IPsec stream, and sent to your VPN provider, encrypted. All your provider can see is those two streams.

On the other end, your VPN provider unrolls those streams and makes connections on your behalf (for example, to a DNS server). Someone monitoring your VPN endpoint can tell what port you are using, but not anyone before that. (And the person monitoring the endpoint would only know that it came from a VPN customer, not which one, by traffic alone.)

Likely not. They appear to be intercepting requests for DNS and redirecting them to their local server.

1 Like

It doesn’t sound like we have a disagreement about the inherent tradeoffs involved; so I have to ask; was your focus on the things that it will make more inconvenient based on those being your problem day to day, so not something you want to see get even less fun; or a general position on the value of the pros and cons across the board?

1 Like

For those who haven’t noticed the link for this BB article, whoever wrote it has a particularly pungent sense of humor.

Just an FYI, when you use Tor (I’m assuming that is the onion browser you are referring to), the DNS queries for the browsing you do get handled by the Tor exit node, and are not served by the resolver you set on your Mac (1.1.1.1 or otherwise).

Edit: never mind

1 Like
