Cloudflare touts privacy-friendly 1.1.1.1 public DNS service. Hmm, let's take a closer look at that

Cloudflare has revealed a deal with regional internet registry APNIC to provide a possibly more privacy-conscious DNS resolver at a prestige network address, 1.1.1.1. The biz contends DNS – which translates human-friendly domain names like theregister.com into numeric IP addresses, such as 159.100.131.165, used by software – …

  1. Voland's right hand Silver badge

    Still no go

    I will continue running my DNS on a VM in a cloud service and query that via a VPN thank you. No trusted researcher is to be trusted (one thing the CA affair shows quite succinctly).

    The article missed a few points:

    1. DNS manipulation is a standard censorship method. You can still see instructions on how to configure your DNS to point to Google spray-painted on the walls in Turkey and a few other places. It is also used in the UK by a number of SPs to enforce various "you are not supposed to be seeing it" provisions.

    2. Switching to this DNS provides Cloudflare with a unique advantage. The DNS query source address is a standard method for CDN optimisation. If you query via Cloudflare, only they can hit you with an optimized CDN endpoint straight away. Other content delivery networks will have to achieve the same via redirects or deliver sub-optimally. So there is a very clear self-interest here as well.

    1. Anonymous Coward
      Anonymous Coward

      Re: Still no go

      and for the rest of the 99.99999999% of the population, this is a better option than Google or your local ISP.

      1. AMBxx Silver badge

        Re: Still no go

        I've been using OpenDNS for years, mostly to block some of the web's nastiest stuff. It's now owned by Cisco, so potentially looking for an alternative as their privacy policy doesn't even mention DNS, just lots of legalese.

        I've a VM on Azure running a website, so easy enough to add DNS on there. Not my thing though - surely that would still need to resolve addresses from somewhere? Anyone care to point me towards an 'idiots guide'?

      2. Symon Silver badge
        Childcatcher

        Re: Still no go

        "the rest of the 99.99999999% of the population"

        That's about 0.7 people excluded. What are you trying to say about the OP?

        1. Joe Harrison Silver badge

          Re: Still no go

          Well ninety-nine times out of a thousand I would agree with you but...

    2. Velv Silver badge
      Facepalm

      Re: Still no go

      ”I will continue running my DNS on a VM in a cloud service and query that via a VPN thank you.”

      And where does your DNS get its resolution from? What is its parent? Or are you one of those muppets that are hammering the root servers directly?

      1. Anonymous Coward
        Anonymous Coward

        "Or are you one of those muppets that are hammering the root servers directly?"

        What do you believe the root servers are for?

        If they can't cope with the traffic, they could use Cloudflare... <G>

      2. Daniel B.
        Boffin

        Re: Still no go

        "And where does your DNS get its resolution from? What is its parent? Or are you one of those muppets that are hammering the root servers directly?"

        Proper DNS implementation should be hammering the root servers directly. The only time you should be using a "parent" DNS is when you have your own complex DNS infrastructure inside the organization. Most orgs only have one or two DNS servers, in which case using the root.hints is the proper way of doing stuff.

    3. fidodogbreath Silver badge

      Re: Still no go

      If you query via Cloudflare only they can hit you with an optimized CDN endpoint straight away. [...] So there is a very clear self-interest here as well.

      Well, sure. So what? They're indirectly monetizing the service by making their core paid-for service more attractive. From my viewpoint as both a consumer and a CloudFlare customer, that is vastly superior to the usual "log forever - mine - resell - repeat" monetization cycle that most internet companies use...

      ...but that's only the case if CloudFlare is being truthful about their DNS log retention and data usage. They claim to have engaged a firm to conduct annual audits, but who's to say if that means anything? The junk mortgage bonds that precipitated the global housing crisis and financial collapse were audited and rated, too.

    4. asdf Silver badge

      Re: Still no go

      >DNS manipulation is a standard censorship method

      DNSSEC through unbound on your router stops most of this, but privacy is still a problem unless you run all traffic through Tor (a VPN just shifts who to trust).

  2. A Non e-mouse Silver badge

    The privacy afforded by Cloudflare's DNS service only blinds ISPs to a small portion of data travelling to and from a device – the DNS query

    Er, isn't DNS an unencrypted protocol? So the service provider can just snoop all port 53 traffic.

    1. Anonymous Coward
      Anonymous Coward

      They could, but there is a subtle difference between your ISP (and the spooks) sniffing your network traffic to extract your usage data, and the company you are explicitly targeting and asking them for info.

      Yet again, however, since this is free, YOU are the product being sold.

      1. HereIAmJH

        lazy humans

        Keep in mind that IT, and humans in general tend to be lazy. Think 80/20 rule for software development. If they can get 80% of the data from their own DNS, why bother with the outliers? Sniffing and logging traffic is expensive at scale. Logging every site their 10s of millions of customers access could run into the petabytes for 12mo of data if you are logging connections.

        And as far as who is collecting the info, your ISP can relate their data collection to the PII on your account, because your IP is associated. Google can relate their DNS data to your Google account, along with all the search data they collect. So even if Cloudflare mines the DNS data, all they can do is associate it with your IP. Lesser of evils.

        VPN to your own DNS in a cloud service? Lots of extra complexity, and your cloud provider can always monitor your traffic and associate it with your billing info. Is that better? I'm not sure. Just to play devil's advocate, I'll bet I could write a shim for the virtual network stack on your VM that captures #53 requests and sends them to a syslog server.

    2. Fazal Majid

      Hence the support for DNS over DTLS

      Most DNS resolvers don’t support it yet, however, so a proxy on the LAN (or in the router) will be needed.

    3. teknopaul Bronze badge

      why encrypt

      Your ISP can see you hit a DNS resolver, then a website's IP address, secure or not. Unless the IP is hosting lots of HTTPS websites, DNS privacy does not get you privacy from your ISP. Using your ISP is potentially safer, since you probably don't do DNS lookups on the internet and can't be spied on by anyone but them.

      Now if you use google dns over https then google own your whole internet experience.

      1. Anonymous Coward
        Anonymous Coward

        Re: why encrypt

        Your ISP is probably the #1 threat especially in authoritarian countries.

        1. What you need to evade surveillance (including DNS) is a good proxy. Ideally the proxy runs its own DNS and doesn't keep logs.

        2. Simply find a proxy you can trust, or build your own without leaving a trail. (I'm not being entirely facetious...)

        3. Privacy!!!

    4. JohnG Silver badge

      Not only snoop... Some ISPs even answer your DNS queries from their own DNS server, instead of the DNS server you chose, "because it is faster and more efficient". This is revealed if you try to resolve something bad and then see who has actually responded.

  3. Blockchain commentard Silver badge

    No mention of 9.9.9.9?

    Who provide a secure, free DNS server system designed to block criminal sites (spam, spoofing etc) and won't sell your browsing habits to anyone. Mainly funded by IBM.

    1. Dan 55 Silver badge
      Meh

      Re: No mention of 9.9.9.9?

      And co-founded by City of London Police.

      I remain to be convinced.

      1. EnviableOne Bronze badge
        Coat

        Re:@Dan 55 No mention of 9.9.9.9?

        And co-founded by City of London Police.

        I remain to be convinced convicted.

  4. Symon Silver badge
    Linux

    DNS over Tor.

    There's a Raspberry Pi project for that, complete with possible drawbacks, e.g. malicious exit nodes.

    https://github.com/pi-hole/pi-hole/wiki/DNS-over-Tor

  5. Chris Hills

    Ain't it funny

    They block EDNS client subnet, thus reducing performance for those using DNS-based balancing, when they run their own anycast network. Unfortunately most end users will not realize that by using Cloudflare's DNS they are actually making performance worse for some sites. They argue that this is due to privacy, but most DNS lookups not for research purposes result in a TCP or UDP connection to the domain name being queried anyway.

  6. P. Lee Silver badge
    Trollface

    1.1.1.1?

    How come they're using my default gateway?

    I'm going to have to change my internal network to 8.8.8.0/24!

    1. Alister Silver badge

      Re: 1.1.1.1?

      Why don't you use 127.0.0.0/24?

    2. David Harper 1

      Re: 1.1.1.1?

      You might want to read RFC 1918, specifically Section 3, which defines the three blocks of IP addresses that should be used for private/internal networks:

      "3. Private Address Space

      The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private internets:

      10.0.0.0 - 10.255.255.255 (10/8 prefix)
      172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
      192.168.0.0 - 192.168.255.255 (192.168/16 prefix)"

      1. Alister Silver badge

        Re: 1.1.1.1?

        You might want to read RFC 1918

        You might want to realise that given the troll icon, he was not being serious?

        1. Yes Me Silver badge

          Re: 1.1.1.1?

          "he was not being serious?"

          Maybe not, but there are hotels and the like that NAT 1.1.1.0/24 and whose gateways sit on 1.1.1.1, so they won't be able to use this new "service".

          1. Anonymous Coward
            Anonymous Coward

            Re: 1.1.1.1?

            >Maybe not, but there are hotels and the like that NAT 1.1.1.0/24 and whose gateways sit on 1.1.1.1, so they won't be able to use this new "service".

            It's a good point. There's also nothing stopping them running a DNS server on that IP and tracking everywhere you go.

            If you use a VPN and this kind of thing matters, make sure you're routing all traffic through the VPN....

  7. Anonymous Coward
    Anonymous Coward

    I find keeping I.P. addresses of websites on Post-it notes on my desk means "they" have no clue what websites I go to. I also sometimes put the addresses in backwards in case they are also tracking my traffic.

    Seriously though, when someone (Cloudflare) offers a free service at a cost (albeit small) to themselves then what's in it for them? As we find time and time again there is no free lunch.

    1. Anonymous Coward
      Anonymous Coward

      as is anonymous

      anonymous is free.

  8. jchevali

    "We will never sell your data or use it to target ads" is disingenuous. A statement of extreme simplicity that hides the truth. Like when the government says "we won't wiretap phones", when they know people hardly rely on phone calls mainly anymore.

    When companies collaborate they can exchange data, but not necessarily with a price tag attached to it. It suffices that it's part of a broader, mutually beneficial interchange; no need to 'sell' specific data chunks per se.

    By the same token, when a company shows a customer information they think he'd like or potentially be interested in (based on browsing data), that facilitation, that "grease", can draw the customer closer to an experience where the product is present, even if never named as such, or only much later. Or when multiple products are present, advertisers could "pool" their fees according to each product's relative presence.

    Just as we understand the difference between product and service, we must understand that between service and 'prepping' or 'honing' a new or future customer. I don't think new advertising is going to be specifically for a brand but rather an involving experience. Just as the data you give, never clear what's going to happen to it after you give it, or how its strings are going to be pulled to drag you in.

    You don't know it, CloudFlare doesn't know it, nobody knows it. The data alchemists work behind the scenes and are always a step ahead. A new marketing for the 21st century.

  9. Anonymous South African Coward Silver badge

    So now we wait for 2.2.2.2, 3.3.3.3, 4.4.4.4 and all the way up to quad9...

    1. GruntyMcPugh Silver badge

      We already have...

      ... 8.8.8.8 (Google DNS) and 9.9.9.9 (IBM and Packet Clearing House).

    2. aeio_
      Devil

      So now we wait....

      WAIT? No, no! _I'm_ use IPv4 address 0.0.0.0 for DNS resolution. It works great -- just TRY it.

      Try it now. Hurry up, before it becomes overloaded and slows down. Things run like they never have before -- so tell everyone you know about it. But HURRY!!!! Change and do it NOW!

      1. Claptrap314 Bronze badge

        Re: So now we wait....

        It seems like the appropriate response is to upvote & report abuse....

  10. Povl H. Pedersen

    1.1.1.1 conflict

    I have actually seen many capture-portals on WiFi redirecting users to 1.1.1.1.

    Not sure if this will be a problem, or if the 1.1.1.1 routing will work correctly after accepting the WiFi terms & conditions.

    1. ozor
      Facepalm

      Re: 1.1.1.1 conflict

      And some ISP routers do this too.

      Wonder whose great idea that was.

    2. Mayday Silver badge

      Re: 1.1.1.1 conflict

      A few(ish) years ago I was responsible for a wide-reaching multi-campus wireless deployment.

      I made the decision to change the captive portal address from 1.1.1.1 to a 192.0.2.0/24 address to avoid this occurring.

      https://tools.ietf.org/html/rfc5737

      1. James Henstridge

        Re: 1.1.1.1 conflict

        And the RFC you referenced says "These blocks are not for local use, and the filters may be used in both local and public contexts". Unused address space has been repurposed in the past, so you may have just been kicking the problem down the road a bit.

        Why not use an address in one of the ranges explicitly reserved for private use?

        1. Mayday Silver badge

          Re: 1.1.1.1 conflict

          "Why not use an address in one of the ranges explicitly reserved for private use?"

          Fair question.

          This customer (600k+ users, education market, 100+ campuses) had a very complex (ie "shithouse") environment and renumbering the entire environment to suit was not feasible in the timeframes and budgets allowed. I wanted to go IPv6 and be done with it however the customer's systems and staff were not able to deal with it. Scope was also an issue here.

          One of these campuses had public IP addresses which belonged to another entity being used internally which "worked" until such time as they had to start doing business with this organisation on an ongoing basis <facepalm>

          The cleanup and subsequent works went reasonably well (if I do say so myself of course) considering all the issues involved.

    3. Daniel B.
      Boffin

      Re: 1.1.1.1 conflict

      There was some experiment a couple of years ago (2010) where whoever owned the 1.0.0.0/8 block experimented with advertising the 1.1.1.0/24 and 1.2.3.0/24 routes to the 'net. They got hit with a massive flow of garbage traffic due to these kinds of stupid configs. It was so bad that they had to give up using those blocks. Wonder if that has been "solved" recently?

      This is the experiment.
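The RFC 1918 ranges quoted in the "1.1.1.1?" replies above, the hotels and captive portals that sit on 1.1.1.1, the RFC 5737 point in this "1.1.1.1 conflict" sub-thread and the garbage traffic that hit 1.1.1.0/24 all come down to one check: is the address you are squatting on reserved for that purpose, and which public hosts does it hide from your users? The script below is an added example, not code from any commenter. Its resolver table is constructed from addresses named in the thread (1.1.1.1, 8.8.8.8, 9.9.9.9, 80.80.80.80); the labels attached to them are the example's own assumptions.

```python
"""Address-space sanity check for internal gateways and captive portals.

Added example for this thread, not any commenter's code. It encodes the
RFC 1918 private blocks quoted above and the RFC 5737 documentation blocks
(192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24), and reports which public
services an internally routed prefix such as 1.1.1.0/24 would shadow.
"""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RFC5737 = [ipaddress.ip_network(n) for n in
           ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")]

# Constructed from addresses named in the thread; the labels are assumptions.
PUBLIC_RESOLVERS = {
    "1.1.1.1": "Cloudflare/APNIC resolver",
    "8.8.8.8": "Google Public DNS",
    "9.9.9.9": "Quad9",
    "80.80.80.80": "Freenom",
}


def classify(addr):
    """Say whether an address is appropriate to assign inside a private network."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        return "IPv6: use a ULA (fc00::/7) or a global prefix allocated to you"
    if ip.is_loopback:
        return "loopback (127/8): reaches only the host itself"
    if ip.is_unspecified:
        return "0.0.0.0: unspecified, not a routable destination"
    if ip.is_link_local:
        return "link-local (169.254/16): single segment only"
    # Checked explicitly rather than via ip.is_private: Python's ipaddress also
    # counts the documentation blocks as non-global, which is not what RFC 1918 says.
    if any(ip in net for net in RFC1918):
        return "RFC 1918 private: intended for internal use"
    if any(ip in net for net in RFC5737):
        return "RFC 5737 documentation: not for local use, and often filtered"
    return "globally routable: internal use shadows the public host at this address"


def shadowed_services(internal_prefix, services=PUBLIC_RESOLVERS):
    """Public services that hosts behind this internal prefix can no longer reach.

    Traffic for any address inside a locally routed prefix never leaves the
    site, so a gateway on 1.1.1.1, or a NATed 1.1.1.0/24, makes the public
    1.1.1.1 unreachable for everyone behind it.
    """
    net = ipaddress.ip_network(internal_prefix, strict=False)
    return sorted(ip for ip in services if ipaddress.ip_address(ip) in net)


if __name__ == "__main__":
    for prefix in ("1.1.1.0/24", "8.8.8.0/24", "192.0.2.0/24", "10.10.10.0/24"):
        first = prefix.split("/")[0]
        print(prefix, "->", classify(first), "| shadows:", shadowed_services(prefix))
```

Run it and the four prefixes from the thread sort themselves out: 1.1.1.0/24 and 8.8.8.0/24 are globally routable and each hides a public resolver, 192.0.2.0/24 is documentation space that RFC 5737 says not to use locally, and only 10.10.10.0/24 is actually reserved for the job.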

  11. Gene Cash Silver badge

    My ISP hijacks every so many DNS queries to redirect my browser to ads. It also hijacks EVERY unresolved query, which broke SAMBA scripts that relied on stuff not resolving to redirect to WINS.

    I complained to the FTC and got a call by some self-important asshole at my ISP that declared "well everyone does it so it's ok!!" to which I pulled out the old "and if everyone jumps off a roof" chestnut.

    He argued with me over an hour to try to get me to retract my complaint. I told him when it becomes possible to not have to use Google for DNS, I'll retract my complaint.

    He was a complete twat who was very upset that I wouldn't sit still and be monetized, and that I had the GALL to complain about it.

    So 1.1.1.1 respects my privacy enough for me.

    It's also nice to have a government regulator with enough teeth to make someone jump like that. They're no ASA.

    1. Anonymous Coward
      Anonymous Coward

      Get another ISP. Surely this would be grounds to being able to cancel any contract - they're not providing the service you purchased.

  12. mark l 2 Silver badge

    Freenom also offer anonymous DNS servers at 80.80.80.80 and 80.80.81.81

    1. Claptrap314 Bronze badge

      Freenom's front page...

      According to uMatrix, the following sites want to run scripts on http://www.freenom.com/en/index.html?lang=en:

      - pink -

      ajax.googleapis.com

      code.jquery.com

      - red -

      www.google-analytics.com

      cdn.mouseflow.com

      with a youtube frame.

      :(

      1. doublelayer Silver badge

        Re: Freenom's front page...

        They're those people who keep pushing their free top-level domains so they can randomly revoke yours and sell it to an advertiser. Fortunately, I never set mine up because the system was broken at the time and I got to the point of refreshing the page to see if any of the controls would work. Then I went and bought another domain. So I'm not going to use their DNS.

  13. Nate Amsden Silver badge

    if they really cared about being good with privacy

    I'd think they'd offer their service on another IP as well that doesn't have the data sharing, for those folks who are a bit more paranoid (not me though I have run my own DNS since 1996 along with email etc). But maybe that would confuse too many people or something.

  14. Herby Silver badge
    Joke

    Maybe someone should...

    Continue the trend and set up a DNS server at 10.10.10.10 and publicize that...

    1. Claptrap314 Bronze badge

      Re: Maybe someone should...

      You only wish you were joking...

  15. Kevin McMurtrie Silver badge
    Holmes

    Call me skeptical

    I'm not buying the argument that this is being done for privacy and performance. CloudFlare is not here to be the good guys. Has Google's 8.8.8.8 been refusing some CloudFlare domain queries because of all the cybercriminal hosting?

    "Google Public DNS is purely a DNS resolution and caching server; it does not perform any blocking or filtering of any kind, except that it may not resolve certain domains in extraordinary cases if we believe this is necessary to protect Google’s users from security threats"

  16. LateAgain

    If you want a "prestigious" service....put it on 0.0.0.0 :-)

  17. LateAgain

    Honest DNS should reply "not found"

    This is the problem with any DNS that is "helpful": it returns the address of the website that says "this is blocked" or "were you looking for..."
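JohnG's "see who has actually responded", Gene Cash's ISP that hijacks every unresolved query, and the "honest DNS should reply not found" point just above are the same check seen from three sides. The following is an added example, not any commenter's code: it builds a query for a name that cannot exist, parses the reply on the wire and reports whether the resolver answered NXDOMAIN or substituted an address. The two replies are constructed in-line so it runs offline; live_check(), the canary name and the 203.0.113.10 "block page" address are the example's own assumptions.

```python
"""Spotting a resolver that rewrites NXDOMAIN into a "helpful" answer.

Added example for this thread, not any commenter's code. Builds a query for
a name that cannot exist, parses the reply on the wire and reports whether
the resolver said "not found" or substituted an address. The two replies
below are constructed so the check runs offline; live_check() sends the same
query to a real resolver over UDP.
"""
import socket
import struct

RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
TYPE_A, CLASS_IN = 1, 1
# Canary under .invalid (RFC 2606): no honest resolver can answer it.
CANARY = "this-name-should-not-exist.invalid"

def encode_name(name):
    """Dotted hostname -> DNS label sequence (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, txid=0x1234):
    """Recursive A query: 12-byte header plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1
    return header + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)

def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)

def parse_response(msg):
    """Return txid, rcode and the A records in the answer section."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                # skip the question(s)
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_A and rclass == CLASS_IN and rdlen == 4:
            answers.append((name, socket.inet_ntoa(msg[off:off + 4]), ttl))
        off += rdlen
    return {"txid": txid, "rcode": flags & 0xF, "answers": answers}

def classify(query, response):
    """Judge a reply to a query for a name that must not exist."""
    r = parse_response(response)
    if r["txid"] != struct.unpack("!H", query[:2])[0]:
        return "txid mismatch: not a reply to our query"
    if r["rcode"] == RCODE_NXDOMAIN and not r["answers"]:
        return "honest: NXDOMAIN"
    if r["rcode"] == RCODE_NOERROR and r["answers"]:
        return "rewritten: nonexistent name answered with " + r["answers"][0][1]
    return "unexpected: rcode %d, %d A records" % (r["rcode"], len(r["answers"]))

def fake_response(query, rcode, a_record=None):
    """Constructed reply for offline testing: echoes the question, adds one A."""
    flags = 0x8180 | rcode                             # QR=1 RD=1 RA=1
    answer = b""
    if a_record:                                       # name = pointer to question
        answer = (b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 60, 4)
                  + socket.inet_aton(a_record))
    header = query[:2] + struct.pack("!HHHHH", flags, 1, 1 if a_record else 0, 0, 0)
    return header + query[12:] + answer

def live_check(resolver_ip, name=CANARY, timeout=2.0):
    """Send the canary query to a resolver on UDP/53 and classify its reply."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver_ip, 53))
        data, _ = s.recvfrom(4096)
    return classify(q, data)

QUERY = build_query(CANARY)
HONEST = fake_response(QUERY, RCODE_NXDOMAIN)                    # honest "not found"
REWRITTEN = fake_response(QUERY, RCODE_NOERROR, "203.0.113.10")  # RFC 5737 doc IP
```

classify(QUERY, HONEST) returns "honest: NXDOMAIN" and classify(QUERY, REWRITTEN) names the substituted address; live_check("192.168.1.1") would run the same canary against a home router, and comparing its verdict with the one from the resolver you configured is JohnG's test of who actually answered. A resolver that returns NOERROR plus an address for a .invalid name is rewriting, whatever it says about being "helpful".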

  18. Slabfondler
    Facepalm

    Ah...um?

    I'm no DNS expert, but shouldn't they be authoritative for their own DNS server?

        nslookup 1.1.1.1 1.1.1.1
        Server:         1.1.1.1
        Address:        1.1.1.1#53

        Non-authoritative answer:
        1.1.1.1.in-addr.arpa    name = 1dot1dot1dot1.cloudflare-dns.com.

        Authoritative answers can be found from:


Biting the hand that feeds IT © 1998–2019