Cloudflare starts its own DNS 1.1.1.1

Cloudflare is well known, and it has started its own DNS resolver, available at 1.1.1.1, to compete against Google or QuadDNS (and no, it’s not an April Fools’ joke).

Cloudflare DNS
The speed depends on the distance between the server and your location, among other factors. Picture source: Cloudflare

Lots of promises but like others – no real blocking

Before you switch because the picture above shows this resolver to be faster than, e.g., Google’s DNS resolver, please note that these providers, even if they claim to be more secure, don’t block any malware (or you need to opt in manually, as with OpenDNS). Their security promise applies only to the DNS mechanism itself, which by default excludes any blocking of advanced threats.

You can check your DNS speed here. A setup guide is available here: https://1.1.1.1 or here https://1.0.0.1

The IPv6 address is 2606:4700:4700::1111 or 2606:4700:4700::1001.

Seriously, April 1?

Cloudflare explains its decision and says that the launch is no April Fools’ joke, which I can confirm, since the resolver is real and up and running.

The only question that remained was when to launch the new service? This is the first consumer product Cloudflare has ever launched, so we wanted to reach a wider audience. At the same time, we’re geeks at heart. 1.1.1.1 has 4 1s. So it seemed clear that 4/1 (April 1st) was the date we needed to launch it.

Never mind that it was a Sunday. Never mind that it was on Easter and during Passover. Never mind that it was April Fools Day — a day where tech companies often trot out fictional services they think are cute while the media and the rest of the non-tech world collectively roll their eyes.

We justified it to ourselves that Gmail, another great, non-fictional consumer service, also launched on April 1, 2004. Of course, as Cloudflare’s PR team has repeatedly pointed out to me in the run up to launch, the Gmail launch day was a Thursday and not on Easter. Nearly every media briefing I did this week ahead of the launch the reporter made me swear that this wasn’t a joke. And it’s not. I swear. And the best way to prove that is go to 1.1.1.1, follow the instructions to set it up, and see for yourself. It’s real. And it’s awesome.

DNS-over-TLS

DNS-over-TLS is supported by 1.1.1.1 and 9.9.9.9, but since it uses 853/TCP you might run into issues if/when you encounter a wireless network that blocks outbound access to this port.

Cloudflare highlighted Turkey as a country that could benefit from access to secure DNS servers, citing 2013 Gezi protests and the 2016 military coup attempt as examples where network services were restricted. DNS is the underlying technology that allows internet and website hostnames to resolve to an IP address and is often the first protocol to be filtered by governments that seek to restrict access to online services.

However, Cloudflare’s 1.1.1.1 service will not provide users in Turkey with immediate circumvention or privacy benefits unless they take additional measures to enable one of the new secure DNS transports. Users may enable DNS-over-TLS, DNS-over-HTTPS or another secure transport to gain these benefits. The problem here is that those technologies are not yet widely supported in consumer operating systems and devices.
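
To check whether a given network lets DNS-over-TLS through, one can attempt a single query on 853/TCP. The Python sketch below is an added example, not code from Cloudflare or from this post; the function names are hypothetical, and it assumes the resolver's certificate is valid for its IP address.

```python
import secrets
import socket
import ssl
import struct

def build_query(name, qtype=1, ident=None):
    """Wire-format DNS query for name (qtype 1 = A) with the RD bit set."""
    ident = secrets.randbits(16) if ident is None else ident
    header = struct.pack("!6H", ident, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!2H", qtype, 1)

def frame(msg):
    """DNS over TCP and TLS prefixes every message with a 2-byte length."""
    return struct.pack("!H", len(msg)) + msg

def recv_exact(sock, n):
    """Read exactly n bytes, since a TLS record may deliver fewer at once."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection early")
        buf += chunk
    return buf

def probe_dot(server="1.1.1.1", name="example.com", timeout=3.0):
    """Return ("ok", rcode) if a DoT query succeeds, else ("failed", reason)."""
    ctx = ssl.create_default_context()  # verifies the resolver's certificate
    try:
        with socket.create_connection((server, 853), timeout=timeout) as raw:
            # Assumption: the certificate lists the IP address as a SAN.
            with ctx.wrap_socket(raw, server_hostname=server) as tls:
                tls.sendall(frame(build_query(name)))
                (length,) = struct.unpack("!H", recv_exact(tls, 2))
                reply = recv_exact(tls, length)
    except OSError as exc:  # timeout, reset, refused or TLS failure
        return ("failed", type(exc).__name__)
    if len(reply) < 12:  # shorter than a DNS header
        return ("failed", "short reply")
    return ("ok", reply[3] & 0x0F)  # low 4 bits of header byte 3 = RCODE

if __name__ == "__main__":
    print(probe_dot())
```

A "failed" result with a timeout or refusal points at a filtered port, while a certificate error points at something intercepting the TLS session.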

Things Cloudflare logs

  • Timestamp
  • IP Version (IPv4 vs IPv6)
  • Resolver IP address + Destination Port
  • Protocol (TCP, UDP, TLS or HTTPS)
  • Query Name
  • Query Type
  • Query Class
  • Query Rd bit set
  • Query Do bit set
  • Query Size
  • Query EDNS enabled
  • EDNS Version
  • EDNS Requested Max Buffer Size
  • EDNS Nsid
  • Response Type (normal, timeout, blocked)
  • Response Code
  • Response Size
  • Records in Response
  • Response Time in Milliseconds
  • Response served from Cache
  • DNSSEC Validation State (secure, insecure, bogus, indeterminate)
  • PoP ID
  • Server ID
  • Autonomous System Number
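
Most of the query-side fields in this list can be read straight from the DNS message the client sends. The Python sketch below is an added example, not Cloudflare's code: it parses a constructed query for example.com and pulls out those fields; the function and key names are made up for illustration.

```python
import struct

# Constructed sample: query for example.com, type A, RD set, EDNS0 with DO set.
SAMPLE_QUERY = (
    bytes.fromhex("123401000001000000000001")   # header: ID, flags, counts
    + b"\x07example\x03com\x00"                 # query name
    + bytes.fromhex("00010001")                 # type A, class IN
    + bytes.fromhex("0000291000000080000000")   # OPT record (EDNS0)
)
QTYPES = {1: "A", 15: "MX", 16: "TXT", 28: "AAAA"}

def read_name(msg, off):
    """Read an uncompressed name; returns (name, offset after it)."""
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            return ".".join(labels) + ".", off
        if n & 0xC0:
            raise ValueError("compression pointer not expected in a query")
        labels.append(msg[off:off + n].decode("ascii"))
        off += n

def logged_fields(msg):
    """Extract the query-side fields from the list above from one message."""
    _ident, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    if qd != 1 or an or ns:
        raise ValueError("not a plain single-question query")
    name, off = read_name(msg, 12)
    qtype, qclass = struct.unpack_from("!2H", msg, off)
    off += 4
    rec = {"query_name": name, "query_type": QTYPES.get(qtype, str(qtype)),
           "query_class": qclass, "rd_bit": bool(flags & 0x0100),
           "query_size": len(msg), "edns_enabled": False, "do_bit": False}
    for _ in range(ar):  # additional section: look for OPT (type 41)
        _rname, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if rtype == 41:
            # OPT reuses CLASS for the buffer size and TTL for version/flags.
            rec.update(edns_enabled=True, edns_version=(ttl >> 16) & 0xFF,
                       edns_max_buffer=rclass, do_bit=bool(ttl & 0x8000))
    return rec

if __name__ == "__main__":
    print(logged_fields(SAMPLE_QUERY))
```

The timestamp, IP version, addresses, port and protocol are not in the message; the resolver takes them from the connection the query arrived on.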

About APNIC

The 1.1.1.1 DNS was created in a partnership between Cloudflare and APNIC.

APNIC claims to be a non-profit organization managing IP address allocation for the Asia Pacific and Oceania regions.

  • Function as the Regional Internet Registry for the Asia Pacific, in the service of the community of Members and others
  • Provide Internet registry services to the highest possible standards of trust, neutrality, and accuracy
  • Provide information, training, and supporting services to assist the community in building and managing the Internet
  • Support critical Internet infrastructure to assist in creating and maintaining a robust Internet environment
  • Provide leadership and advocacy in support of its vision and the community
  • Facilitate regional Internet development as needed throughout the APNIC community

https://www.apnic.net/about-apnic/organization/vision-mission-objectives/

Final Words

It takes time to analyze Cloudflare’s new service and to check whether they keep their promises; blindly trusting Cloudflare is not the best decision. Apart from the speed, there is no other noticeable benefit over other providers, so why change a running system once again if they also do not encrypt the DNS queries?! Right, security-wise, I don’t see it.

Besides, the cool kids already know that 127.0.0.1 is the most private DNS.


One thought on “Cloudflare starts its own DNS 1.1.1.1”

  1. 1) I set my new FIOS Quantum router to point to 1.1.1.1 for all DNS queries (replacing the defaults set by Verizon). So, now, dnsleaktest.com on my old XP machine shows only cloudflare servers. (My XP machine is updated with the POS hack.)
    2) On my newer Win 7 Pro 64-bit machine, Simple DNSCrypt is running and has 1.1.1.1 as its only resolver, and dnsleaktest.com shows only a SINGLE cloudflare server.
    3) Should I NOT use 1.1.1.1 because cloudflare is not such a good guy?
    4) I’m not a tech person. What do you recommend?
    5) Simple DNSCrypt is a bit mysterious and my experience is that its “switches” do not always work. What do you think?
    Thanks.
