Lots of promises but like others – no real blocking
Before you switch because the picture above shows that the resolver is faster than, e.g., Google’s DNS resolver, please note that these providers, even if they claim to be more secure, don’t block any malware (or you need to opt in manually, as with OpenDNS). Their security promise applies only to the DNS mechanism itself, which by default excludes any blocking related to advanced threats.
The IPv6 address is 2606:4700:4700::1111 or 2606:4700:4700::1001.
Seriously, April 1?
Cloudflare explains its decision and that the launch is no April joke, which I can confirm since the resolver is real and up and running.
The only question that remained was when to launch the new service? This is the first consumer product Cloudflare has ever launched, so we wanted to reach a wider audience. At the same time, we’re geeks at heart. 1.1.1.1 has 4 1s. So it seemed clear that 4/1 (April 1st) was the date we needed to launch it.
Never mind that it was a Sunday. Never mind that it was on Easter and during Passover. Never mind that it was April Fools Day — a day where tech companies often trot out fictional services they think are cute while the media and the rest of the non-tech world collectively roll their eyes.
We justified it to ourselves that Gmail, another great, non-fictional consumer service, also launched on April 1, 2004. Of course, as Cloudflare’s PR team has repeatedly pointed out to me in the run up to launch, the Gmail launch day was a Thursday and not on Easter. Nearly every media briefing I did this week ahead of the launch the reporter made me swear that this wasn’t a joke. And it’s not. I swear. And the best way to prove that is go to 1.1.1.1, follow the instructions to set it up, and see for yourself. It’s real. And it’s awesome.
DNS-over-TLS is supported by 1.1.1.1 and 1.0.0.1, but it uses 853/TCP, which means you might run into issues if/when you encounter a wireless network that blocks outbound access to this port.
Cloudflare highlighted Turkey as a country that could benefit from access to secure DNS servers, citing 2013 Gezi protests and the 2016 military coup attempt as examples where network services were restricted. DNS is the underlying technology that allows internet and website hostnames to resolve to an IP address and is often the first protocol to be filtered by governments that seek to restrict access to online services.
However, Cloudflare’s 1.1.1.1 service will not provide users in Turkey with immediate circumvention or privacy benefits unless they take additional measures to enable one of the new secure DNS transports. Users may enable DNS-over-TLS, DNS-over-HTTPS or another secure transport to gain these benefits. The problem here is that those technologies are not yet widely supported in consumer operating systems and devices.
Things Cloudflare logs
- IP Version (IPv4 vs IPv6)
- Resolver IP address + Destination Port
- Protocol (TCP, UDP, TLS or HTTPS)
- Query Name
- Query Type
- Query Class
- Query Rd bit set
- Query Do bit set
- Query Size
- Query EDNS enabled
- EDNS Version
- EDNS Requested Max Buffer Size
- EDNS Nsid
- Response Type (normal, timeout, blocked)
- Response Code
- Response Size
- Records in Response
- Response Time in Milliseconds
- Response served from Cache
- DNSSEC Validation State (secure, insecure, bogus, indeterminate)
- PoP ID
- Server ID
- Autonomous System Number
The 1.1.1.1 DNS was created in a partnership between Cloudflare and APNIC.
APNIC claims to be a non-profit organization managing IP address allocation for the Asia Pacific and Oceania regions.
- Function as the Regional Internet Registry for the Asia Pacific, in the service of the community of Members and others
- Provide Internet registry services to the highest possible standards of trust, neutrality, and accuracy
- Provide information, training, and supporting services to assist the community in building and managing the Internet
- Support critical Internet infrastructure to assist in creating and maintaining a robust Internet environment
- Provide leadership and advocacy in support of its vision and the community
- Facilitate regional Internet development as needed throughout the APNIC community
It takes time to analyze Cloudflare’s new service and to check whether they deliver what they promise; blindly trusting Cloudflare is not the best decision. Especially because, except for the speed, there is no other noticeable benefit over other providers, and why change a running system once again if they also do not encrypt the DNS queries?! Right, security-wise, I don’t see it.
Besides, the cool kids already know that 127.0.0.1 is the most private DNS.
- New Cloudflare DNS service filtered in Turkey on day of launch (turkeyblocks.org)
- DNS Resolvers Performance compared: CloudFlare x Google x Quad9 x OpenDNS (medium.com)
- Cloudflare makes it harder for ISPs to track your web history (engadget.com)
- DNS Root Servers (iana.org)
- DNS: Do not use Google – consider OpenNIC; Use Encryption/Authentication (DNSCrypt, DNSSEC, …) (github.com)
- DNS Privacy Project (dnsprivacy.org)
- A DNS-over-HTTPS Proxy – DNS-over-HTTPS with Firefox Nightly (facebookexperimental.github.io)