New DNS Service from Cloudflare

I am putting this out here because, for some reason, Cloudflare released this on April 1st. I do not know enough to know whether this is real or just a real elaborate April Fool's joke.

Cloudflare launches 1.1.1.1 DNS service that will speed up your internet

That looks real, although the speedup is just for lookup times lol.

It definitely seems to be real, and quite interesting.

Just changing to using 1.1.1.1 alone is only a partial solution, because DNS traffic is unencrypted. This means that your ISP can still see and log your lookups; they have to work a little harder than if you're hitting their servers, but they can easily do it, as can any government monitoring systems in your area.

To take full advantage, you'll want a local client that serves as a proxy, taking the normal unencrypted DNS queries and forwarding them over HTTPS and/or TLS (they support either). The Developer docs list some here, although I haven't experimented with any of them, yet:

https://developers.cloudflare.com/1....

Running a proxy like that, and configuring your local machines to use that proxy for DNS resolution, will give you the best overall security. Because so many people will be using that server with encrypted links, determining what, specifically, you're looking up will become fairly difficult. It will also be vastly, vastly harder to spoof your network with bogus DNS replies, which is a technique that some hackers and even state-sponsored attackers use (like the Great Firewall of China, IIRC). It should be almost impossible, assuming that the proxy is well-written. They'd have to succeed in an attack against Cloudflare's servers, and would thus have to poison the results for many thousands of people, where with an unencrypted link they can invisibly target just you without impacting anyone else. (Much easier to convince, say, a FISA court, or some equivalent in a different country, that surveilling you is justified, when they can demonstrate that it would be just you being affected.) So, this is good both to make mass AND targeted surveillance difficult.

IMO, this is kind of a big deal, and I plan to look further into the proxies, hopefully over the next few days. I run a local domain, so figuring out how to do split resolution will be key to whether or not I can use it. (in other words, my local DNS servers should be authoritative for my local domain and the private IP address ranges, but should forward all other queries to Cloudflare.) That's actually pretty simple in terms of code, but I'm not sure if their proxies support that feature.

If you don't have a local domain, then just running the proxy client should be a great way to improve both privacy and security, with few other issues. Cloudflare's network is freaking everywhere, so it should likely work as well or better than anything your ISP provides.
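The split-resolution setup described in the post above (local DNS authoritative for the local domain and private address ranges, everything else forwarded to Cloudflare over TLS on port 853), written as an unbound configuration for a central LAN resolver such as a Raspberry Pi; this is an added example, not from the post or from Cloudflare's docs. It assumes unbound 1.7 or newer, a LAN of 192.168.1.0/24, a resolver on 192.168.1.53, and an existing local authoritative server at 192.168.1.2 for the hypothetical zone home.example.

```conf
# unbound.conf: split resolver that forwards to 1.1.1.1 over DNS-over-TLS.
# Addresses and the zone name are assumptions for this example.
server:
    interface: 0.0.0.0
    port: 53
    # Only answer queries from the LAN; refuse everything else.
    access-control: 192.168.1.0/24 allow
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse
    # CA bundle used to authenticate the upstream TLS certificate (Debian path).
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
    # The local zone is not DNSSEC-signed, so do not try to validate it.
    domain-insecure: "home.example"
    # Allow private (RFC 1918) addresses in answers for the local zone only;
    # any other upstream answer pointing at a private address is dropped.
    private-address: 192.168.0.0/16
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-domain: "home.example"
    # unbound blocks reverse lookups for private ranges by default;
    # release the LAN's reverse zone so it can be sent to the local server.
    local-zone: "1.168.192.in-addr.arpa." nodefault
    domain-insecure: "1.168.192.in-addr.arpa"
    # Never send a query for the local zone outside the LAN.
    qname-minimisation: yes
    hide-identity: yes
    hide-version: yes

# Forward lookups for the local domain go to the local authoritative server.
stub-zone:
    name: "home.example"
    stub-addr: 192.168.1.2

# Reverse lookups for the LAN range go there as well.
stub-zone:
    name: "1.168.192.in-addr.arpa"
    stub-addr: 192.168.1.2

# Everything else goes to Cloudflare over TLS. The "#cloudflare-dns.com"
# suffix is the name unbound checks against the server certificate, so a
# spoofed 1.1.1.1 without a valid certificate for that name is rejected.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
```

With this in place, the router's DHCP DNS option (or each client) is pointed at 192.168.1.53, and `unbound-checkconf` followed by `dig @192.168.1.53 example.com` verifies the forwarder before switching the LAN over.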

What is the advantage of this over say OpenDNS?

TheGameguru wrote:

What is the advantage of this over say OpenDNS?

Encryption, and they wipe records every hour.

EDIT: I considered speed (which is the point they're trying to make), but few people have a reason to care about "super speedy" vs "normal speedy" lookups. For most of us it's only something that sounds good.

TheGameguru wrote:

What is the advantage of this over say OpenDNS?

Beyond the available encryption, no more fooling around with supplying NXDOMAIN errors to drive advertising revenue. Cloudflare will really tell you if a domain doesn't exist, instead of trying to pull you to a landing page where they can advertise at you.

Noob question. If I just set this IP address as DNS in my main router, I will not need to change it on each client on my home LAN?

But then you won't get the encrypted part, I don't think...?

Right. I believe that you either need to run a local proxy on every machine in your network OR set up a proxy (cheap Raspberry Pi should do the job) on your network and then set that address as your DNS.

Edit: Also note that both OpenDNS and Google's DNS service support encryption as well.

billt721 wrote:

Right. I believe that you either need to run a local proxy on every machine in your network OR set up a proxy (cheap Raspberry Pi should do the job) on your network and then set that address as your DNS.

Edit: Also note that both OpenDNS and Google's DNS service support encryption as well.

Correct (subscribe to her/his newsletter). Until various OSes start supporting the "proposed standard" in their DNS client, you will need to either compile/install the appropriate agent on every endpoint (obviously some endpoints you will not be able to do this with) or build a centralized device on your network that you point all your endpoints to. The latter option is probably the better play at this time. Spend $25 on a Pi and off you go.