New faster DNS - 1.1.1.1 by CloudFlare

moshe
Posts: 460
Joined: Thu Dec 12, 2013 1:18 pm
Location: Boston, MA

New faster DNS - 1.1.1.1 by CloudFlare

Post by moshe » Sun Apr 08, 2018 12:42 pm

FYI CloudFlare recently announced (Apr 1) a new globally available free DNS service at 1.1.1.1 and 1.0.0.1. They claim it is the fastest available and will not log your requesting IP for more than 24 hours.

I am trying it out and it seems to work very well.

More info here:

https://1.1.1.1/
https://blog.cloudflare.com/announcing-1111/

~Moshe
My money has no emotions. ~Moshe | | I'm the world's greatest expert on my own opinion. ~Bruce Williams

Shikoku
Posts: 270
Joined: Fri Oct 27, 2017 11:01 pm
Location: USA

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by Shikoku » Sun Apr 08, 2018 9:07 pm

moshe wrote:
Sun Apr 08, 2018 12:42 pm
FYI CloudFlare recently announced (Apr 1) a new globally available free DNS service at 1.1.1.1 and 1.0.0.1. They claim it is the fastest available and will not log your requesting IP for more than 24 hours.

I am trying it out and it seems to work very well.

More info here:

https://1.1.1.1/
https://blog.cloudflare.com/announcing-1111/

~Moshe
People really need to understand the purpose of DNS and how DNS works before installing the recommended software. It can be a security risk. For me, DNS lookup takes less than 25 milliseconds on average. If I visit 100 hosts every hour, my DNS lookup will take 2.5 seconds per hour. I do not want to make it any faster.
"I don't worry too much about pointing fingers at the past. I operate on the theory that every saint has a past, every sinner has a future." -- Warren Buffett

Y.A.Tittle
Posts: 76
Joined: Tue Oct 03, 2017 1:39 pm

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by Y.A.Tittle » Sun Apr 08, 2018 9:20 pm

Shikoku wrote:
Sun Apr 08, 2018 9:07 pm
moshe wrote:
Sun Apr 08, 2018 12:42 pm
FYI CloudFlare recently announced (Apr 1) a new globally available free DNS service at 1.1.1.1 and 1.0.0.1. They claim it is the fastest available and will not log your requesting IP for more than 24 hours.

I am trying it out and it seems to work very well.

More info here:

https://1.1.1.1/
https://blog.cloudflare.com/announcing-1111/

~Moshe
People really need to understand the purpose of DNS and how DNS works before installing the recommended software. It can be a security risk. For me, DNS lookup takes less than 25 milliseconds on average. If I visit 100 hosts every hour, my DNS lookup will take 2.5 seconds per hour. I do not want to make it any faster.
+1 on that. DNS is a very common attack vector. I would never put my machines at risk using this “free” service. Remember: if it purports to be free then YOU are the product.

ridebikeseveryday
Posts: 31
Joined: Sun Nov 03, 2013 6:28 am

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by ridebikeseveryday » Sun Apr 08, 2018 9:27 pm

Shikoku wrote:
Sun Apr 08, 2018 9:07 pm
People really need to understand the purpose of DNS and how DNS works before installing the recommended software.
You don't need to install any software to use alternate DNS servers.

Shikoku
Posts: 270
Joined: Fri Oct 27, 2017 11:01 pm
Location: USA

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by Shikoku » Sun Apr 08, 2018 9:44 pm

ridebikeseveryday wrote:
Sun Apr 08, 2018 9:27 pm
Shikoku wrote:
Sun Apr 08, 2018 9:07 pm
People really need to understand the purpose of DNS and how DNS works before installing the recommended software.
You don't need to install any software to use alternate DNS servers.
When I clicked on https://1.1.1.1/ it presented me with two options: INSTALL and INFO. I stopped there. Even if I do not need to install any software, I will not use this service. Everyone should be cautious about any service like this.
"I don't worry too much about pointing fingers at the past. I operate on the theory that every saint has a past, every sinner has a future." -- Warren Buffett

jackholloway
Posts: 965
Joined: Mon Jul 08, 2013 3:45 pm

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by jackholloway » Sun Apr 08, 2018 10:01 pm

Both install and info just scroll down to instructions on how to set up DNS.

As far as the tired aphorism about being the product, I offer Cory Doctorow’s comment at https://mobile.twitter.com/doctorow/sta ... 3273364481

mattsm
Posts: 175
Joined: Mon Jan 11, 2010 10:27 am

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by mattsm » Sun Apr 08, 2018 10:22 pm

Also, FWIW DNS queries go to your ISP if not these services. ISPs are known to do way worse things than Google DNS services for example.

Also, each page you load likely loads 100's of DNS queries not 1 per page... and not only that most browsers speculatively fetch DNS results as well. So it is a noticeable difference.

Not comparing CloudFlare vs. Google but they are both likely much better than your ISP.

whomever
Posts: 784
Joined: Sat Apr 21, 2012 5:21 pm

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by whomever » Sun Apr 08, 2018 10:26 pm

I have no knowledge of this service, but it's worth mentioning that a lot of ISPs do various unsavory shenanigans with their in house DNS services.

The new service (or google's DNS service, or others) could be better, or worse, from a security and tracking perspective than what you're using now.

tibbitts
Posts: 8120
Joined: Tue Feb 27, 2007 6:50 pm

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by tibbitts » Sun Apr 08, 2018 10:40 pm

Remember that if you use a service that performs URL filtering like OpenDNS, you won't want to change your DNS configuration.

dual
Posts: 542
Joined: Mon Feb 26, 2007 7:02 pm

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by dual » Sun Apr 08, 2018 11:06 pm

jackholloway wrote:
Sun Apr 08, 2018 10:01 pm
As far as the tired aphorism about being the product, I offer Cory Doctorow’s comment at https://mobile.twitter.com/doctorow/sta ... 3273364481
Doctorow:
But they're just ahead of the curve. If you spend $500K on a John Deere tractor, you're the product. If you spend $80,000 on a luxury GM car, you're the product. If you spend $1k on an iPhone, you're the product. If you spent $400 on a Juicero, you're the product.
Huh. Mr. Doctorow is out to lunch on this.

If you do not like that "tired old aphorism" how about TANSTAAFL?

bampf
Posts: 202
Joined: Thu Aug 04, 2016 6:19 pm

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by bampf » Mon Apr 09, 2018 12:24 am

DNS stands for Domain Name Server (or service). Think of it as a contact list on your cell phone. You used to remember phone numbers. Now you just click "Dad" or "Bob Jones". Those names still resolve to a phone number. This is exactly what a DNS does for computers. You type in "Bogleheads.org" and the DNS resolves it to:

Name: bogleheads.org
Address: 66.209.71.244

Each ISP generally runs their own DNS for two reasons... 1. A local (to the ISP) dns is faster (usually) and 2. ISPs want to know where you are going so they can sell you.

Google runs a DNS: 8.8.8.8 or 8.8.4.4 (both).

There are lots of them out there. Cloudflare acts as a host and a router for many of your favorite company destinations. Essentially they provide a portal to content. Very useful if they can do that with a local DNS. It is fast. The average user won't know. You are shifting your browsing information from your local ISP to google, cloudflare or whomever. Alternatively you can run your own DNS server (check out pihole) and run an internal VPN. That helps if you are pretty paranoid. Someone somewhere is going to get your browsing information unless you are running a fairly robust privacy net...

The point is, there is nothing very dangerous about 1.1.1.1 that you have seen almost anywhere else. Also, you have to manually insert the DNS setting (lookup "how do I set my dns on my (windows, mac, linux) computer"). Cloudflare is fine. It is big enough that it isn't some little sketchy shop in RU, but, make no mistake, they are as interested in you (the product) as everyone else...

--Bampf

wootwoot
Posts: 196
Joined: Tue Jan 27, 2009 7:37 pm

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by wootwoot » Mon Apr 09, 2018 12:41 am

Y.A.Tittle wrote:
Sun Apr 08, 2018 9:20 pm
Shikoku wrote:
Sun Apr 08, 2018 9:07 pm
moshe wrote:
Sun Apr 08, 2018 12:42 pm
FYI CloudFlare recently announced (Apr 1) a new globally available free DNS service at 1.1.1.1 and 1.0.0.1. They claim it is the fastest available and will not log your requesting IP for more than 24 hours.

I am trying it out and it seems to work very well.

More info here:

https://1.1.1.1/
https://blog.cloudflare.com/announcing-1111/

~Moshe
People really need to understand the purpose of DNS and how DNS works before installing the recommended software. It can be a security risk. For me, DNS lookup takes less than 25 milliseconds on average. If I visit 100 hosts every hour, my DNS lookup will take 2.5 seconds per hour. I do not want to make it any faster.
+1 on that. DNS is a very common attack vector. I would never put my machines at risk using this “free” service. Remember: if it purports to be free then YOU are the product.
Are you saying you pay for your DNS service? Everyone I know uses free services like Google, OpenDNS, or quad nines.

bampf
Posts: 202
Joined: Thu Aug 04, 2016 6:19 pm

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by bampf » Mon Apr 09, 2018 12:49 am

wootwoot wrote:
Mon Apr 09, 2018 12:41 am


+1 on that. DNS is a very common attack vector. I would never put my machines at risk using this “free” service. Remember: if it purports to be free then YOU are the product.
Are you saying you pay for your DNS service? Everyone I know uses free services like Google, OpenDNS, or quad nines.
I think they mean "man in the middle attacks" and malware injections... But, I could be wrong. The internets are a funny place...

jpsc
Posts: 114
Joined: Sat Feb 10, 2018 11:05 pm

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by jpsc » Mon Apr 09, 2018 1:18 am

heck - be a geek and create a host table with all the common hosts like bogleheads, google, youtube, yahoo, cnbc etc :-)
why bother with a DNS....

What? not a geek? well good luck

oneleaf
Posts: 2351
Joined: Mon Feb 19, 2007 5:48 pm

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by oneleaf » Mon Apr 09, 2018 3:12 am

Y.A.Tittle wrote:
Sun Apr 08, 2018 9:20 pm
+1 on that. DNS is a very common attack vector. I would never put my machines at risk using this “free” service. Remember: if it purports to be free then YOU are the product.
The security issue isn’t at all what you are implying. Cloudflare’s new Public DNS is safe and secure to use. It is an alternative to OpenDNS or Google’s DNS. That’s all. And using any of the aforementioned should be compared with using your ISP’s DNS servers, which is the default for most users. None of these options is any more or less likely to expose you to poisoned DNS entries (where it points to a fake website that will steal your information), though one may argue that Google or Cloudflare have better security than many ISP’s. I would say this new Cloudflare is, if anything, the safest and best choice for home users right now.

If you are really concerned with security still, then Cloudflare is no worse than your ISP’s and you would then want to use a DNS resolver that will query them directly from the authoritative servers of the FQDN, along with DNSSEC. Only then can you be damn sure the website you are visiting is the one you think it is. Pfsense’s DNS resolver uses this by default, and is what I use. But I use Pfsense for other reasons and would never recommend average folks use this compared to something like Cloudflare.

Angelus359
Posts: 845
Joined: Tue Mar 04, 2014 12:56 am

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by Angelus359 » Mon Apr 09, 2018 5:54 am

Cloudflare dns doesn't require you to install anything.

If you want dns over tls, or dns over https, which windows does not natively support, you need to install a tool to allow that to work.

The install guide on the cloudflare page just explains how to configure your machine to use cloudflare dns. There is no actual installed software requirement.
IT-DevOps System Administrator

bampf
Posts: 202
Joined: Thu Aug 04, 2016 6:19 pm

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by bampf » Mon Apr 09, 2018 10:41 am

Angelus359 wrote:
Mon Apr 09, 2018 5:54 am
Cloudflare dns doesn't require you to install anything.

If you want dns over tls, or dns over https, which windows does not natively support, you need to install a tool to allow that to work.

The install guide on the cloudflare page just explains how to configure your machine to use cloudflare dns. There is no actual installed software requirement.
I have actually started to get interested in trusted DNS lately. Could be a good thing. From what I understand it is encrypted endpoint lookups that essentially obfuscate the requester through a series of interposers. Sounds like it could work and be kind of interesting. It mystifies me that anyone would browse without https... But, I am not the average monkey and I am mystified a lot.

AntsOnTheMarch
Posts: 610
Joined: Mon May 29, 2017 5:47 pm

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by AntsOnTheMarch » Mon Apr 09, 2018 11:05 am

Can any geeks here recommend a non-geeky web source (hopefully short read) to explain the ins and outs of this? I am also interested in the “Search Domains” option under “Configure DNS” settings. Should/could this be changed as well?

FYI: if it makes a difference, I do 99% of web browsing on an iPad. I see that Cloudflare provides instructions for iOS device settings and that it’s a very easy change (can even cut and paste new DNS). Will probably trust a random service over Comcast, so I’m not convinced there’s a downside.

bampf
Posts: 202
Joined: Thu Aug 04, 2016 6:19 pm

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by bampf » Mon Apr 09, 2018 1:23 pm

AntsOnTheMarch wrote:
Mon Apr 09, 2018 11:05 am
Can any geeks here recommend a non-geeky web source (hopefully short read) to explain the ins and outs of this? I am also interested in the “Search Domains” option under “Configure DNS” settings. Should/could this be changed as well?

FYI: if it makes a difference, I do 99% of web browsing on an iPad. I see that Cloudflare provides instructions for iOS device settings and that it’s a very easy change (can even cut and paste new DNS). Will probably trust a random service over Comcast, so I’m not convinced there’s a downside.
Here are a couple interesting reads:
https://www.howtogeek.com/167239/7-reas ... s-service/
https://computers.tutsplus.com/tutorial ... -mac-61232

You can add or remove search domains. If your default place to search is google.com and Microsoft keeps redirecting you to bing, you may wish to mess with this. Unless you are talking about "Search domains" as part of the networking stack so you can get fully qualified domain names. The former is mildly interesting and the latter is something I wouldn't much mess with. (https://en.wikipedia.org/wiki/Search_domain).

AntsOnTheMarch
Posts: 610
Joined: Mon May 29, 2017 5:47 pm

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by AntsOnTheMarch » Mon Apr 09, 2018 1:37 pm

bampf wrote:
Mon Apr 09, 2018 1:23 pm
AntsOnTheMarch wrote:
Mon Apr 09, 2018 11:05 am
Can any geeks here recommend a non-geeky web source (hopefully short read) to explain the ins and outs of this? I am also interested in the “Search Domains” option under “Configure DNS” settings. Should/could this be changed as well?

FYI: if it makes a difference, I do 99% of web browsing on an iPad. I see that Cloudflare provides instructions for iOS device settings and that it’s a very easy change (can even cut and paste new DNS). Will probably trust a random service over Comcast, so I’m not convinced there’s a downside.
Here are a couple interesting reads:
https://www.howtogeek.com/167239/7-reas ... s-service/
https://computers.tutsplus.com/tutorial ... -mac-61232

You can add or remove search domains. If your default place to search is google.com and Microsoft keeps redirecting you to bing, you may wish to mess with this. Unless you are talking about "Search domains" as part of the networking stack so you can get fully qualified domain names. The former is mildly interesting and the latter is something I wouldn't much mess with. (https://en.wikipedia.org/wiki/Search_domain).
Thanks for the links! I’ll take a look.

Regarding, search, I was referring to “Search domains" in settings (iOS) under “Configure DNS”—not the web search engine (which I have set to DuckDuckGo). I hope that clarifies my question.

EDIT: I just finished reading the links. Exactly what I was looking for (DNS For dummies. :D)! The second link has instructions for changing DNS setting on an AirPort Extreme router—which is what I have. :beer

For now, I just changed the settings in my iPad to test it. So far it looks good. This is definitely a topic I’ve been interested in learning more about (VPN as well) so the Cloudflare announcement seems fortuitous.

:sharebeer
Last edited by AntsOnTheMarch on Tue Apr 10, 2018 6:49 am, edited 1 time in total.

BackOfTheNet
Posts: 186
Joined: Mon Nov 30, 2009 9:24 pm

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by BackOfTheNet » Mon Apr 09, 2018 2:14 pm

Sort of related to this is a neat project that allows you to block all ads on your home network. You just need a pretty inexpensive Raspberry Pi.

https://pi-hole.net/

bampf
Posts: 202
Joined: Thu Aug 04, 2016 6:19 pm

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by bampf » Mon Apr 09, 2018 2:34 pm

BackOfTheNet wrote:
Mon Apr 09, 2018 2:14 pm
Sort of related to this is a neat project that allows you to block all ads on your home network. You just need a pretty inexpensive Raspberry Pi.

https://pi-hole.net/
I run this at home on a pi and on an ubuntu server. It's pretty great, but you have to be a geek. Also check out: https://adguard.com/en/adguard-dns/overview.html

oneleaf
Posts: 2351
Joined: Mon Feb 19, 2007 5:48 pm

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by oneleaf » Mon Apr 09, 2018 4:31 pm

Angelus359 wrote:
Mon Apr 09, 2018 5:54 am
If you want dns over tls, or dns over https, which windows does not natively support, you need to install a tool to allow that to work.
Since Cloudflare allows DNS over TLS, one option is to configure it with the router, and use your router's IP address for DNS from your Windows machines. pfSense can do it (I tried it temporarily and it worked well). Since pfSense might be too costly for people (you need a dedicated computer), it might be worth looking into higher end router brands (like maybe Ubiquiti) and see if it is possible to get it to work.

Jeff Albertson
Posts: 588
Joined: Sat Apr 06, 2013 7:11 pm
Location: Springfield

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by Jeff Albertson » Mon Apr 09, 2018 6:49 pm

CNET has a 2.5 minute video on DNS & Cloudflare -
https://www.cnet.com/videos/change-your ... -internet/

mpsz
Posts: 302
Joined: Sat Jan 09, 2016 7:11 pm

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by mpsz » Mon Apr 09, 2018 8:02 pm

CloudFlare is responsible for an enormous amount of Internet traffic. Many of the sites you access already use CloudFlare for their traffic. They are a very reputable company. I trust them more than I trust Google at this point.

I've been using 1.1.1.1 for a few days now. It's no faster than Google DNS from what I can tell. No shadiness like Comcast DNS. Definitely good to have more of these services.

bostondan
Posts: 513
Joined: Sun Aug 18, 2013 12:21 pm
Location: Boston, MA

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by bostondan » Mon Apr 09, 2018 8:27 pm

I've noticed that pages load faster when using 1.1.1.1. I did a comparison with the Google DNS and it was noticeable. Both are extremely fast, and the difference is probably irrelevant, but 1.1.1.1 verges on instantaneous, while Google DNS clearly thinks for a few milliseconds before loading.
“There may be times when we are powerless to prevent injustice, but there must never be a time when we fail to protest.” - Elie Wiesel

finite_difference
Posts: 1094
Joined: Thu Jul 09, 2015 7:00 pm

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by finite_difference » Mon Apr 09, 2018 8:34 pm

Angelus359 wrote:
Mon Apr 09, 2018 5:54 am
Cloudflare dns doesn't require you to install anything.

If you want dns over tls, or dns over https, which windows does not natively support, you need to install a tool to allow that to work.

The install guide on the cloudflare page just explains how to configure your machine to use cloudflare dns. There is no actual installed software requirement.
Better yet, set it up on your router and then have all your devices just use the default settings.
The most precious gift we can offer anyone is our attention. - Thich Nhat Hanh

lazydavid
Posts: 1891
Joined: Wed Apr 06, 2016 1:37 pm

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by lazydavid » Mon Apr 09, 2018 8:50 pm

AntsOnTheMarch wrote:
Mon Apr 09, 2018 1:37 pm
Regarding, search, I was referring to “Search domains" in settings (iOS) under “Configure DNS”—not the web search engine (which I have set to DuckDuckGo). I hope that clarifies my question.
These are domains that will be appended to requests that do not return a result. So let's say that you put the following entries in the search domains field:

bogleheads.org
microsoft.com

Then you go and type "widget" in your address bar. Your browser will attempt to connect to the following, in order:

widget
widget.bogleheads.org
widget.microsoft.com
Default search provider with keyword "widget"

The first three of those are a function of the network stack, the last a function of the browser. Since none of the first three actually exist, you'll get a Google (or whatever your browser's default search engine is) page for search term widget.

This is used primarily inside companies, so people can get to servers or services by their short name. So if I work for megacorp, I might put megacorp.com and megacorp.local in my DNS search order. Then I can access supersecretserver.megacorp.local by just typing supersecretserver in my address bar.
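
The lookup order described in the post above, as an added example that is not part of the original post. The zone data and function names are constructed for illustration; the optional `ndots` argument models the glibc `resolv.conf` rule, which the post does not mention, and other resolvers may order the attempts differently.

```python
"""Added illustration: search-domain expansion by a stub resolver."""

# Constructed zone data standing in for what a DNS server would answer.
ZONE = {
    "supersecretserver.megacorp.local": "10.0.0.5",
    "www.megacorp.com": "192.0.2.80",
}


def candidate_names(name, search_domains, ndots=None):
    """Return the names to try, in order, for what the user typed.

    ndots=None follows the order given in the post: the name as typed,
    then the name with each search domain appended.
    ndots=N models glibc: a name with fewer than N dots is tried with
    the search domains first and as typed last.
    """
    name = name.strip().lower()
    if name.endswith("."):
        # A trailing dot marks the name as fully qualified: no search list.
        return [name[:-1]]
    expanded = [f"{name}.{d.strip('.').lower()}" for d in search_domains]
    if ndots is None or name.count(".") >= ndots:
        return [name] + expanded
    return expanded + [name]


def resolve(name, search_domains, zone=ZONE, ndots=None):
    """Walk the candidates; return (matched_name, address, queries_sent)."""
    queries_sent = []
    for candidate in candidate_names(name, search_domains, ndots):
        queries_sent.append(candidate)  # each attempt is a real DNS query
        if candidate in zone:
            return candidate, zone[candidate], queries_sent
    return None, None, queries_sent


if __name__ == "__main__":
    for typed, domains in [
        ("widget", ["bogleheads.org", "microsoft.com"]),
        ("supersecretserver", ["megacorp.com", "megacorp.local"]),
    ]:
        matched, address, sent = resolve(typed, domains)
        print(f"{typed!r}: tried {sent} -> {matched} {address}")
```

Every entry in `queries_sent` is a lookup that reaches whichever resolver the device is configured to use, including the misses that come before the match.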

Y.A.Tittle
Posts: 76
Joined: Tue Oct 03, 2017 1:39 pm

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by Y.A.Tittle » Mon Apr 09, 2018 9:43 pm

oneleaf wrote:
Mon Apr 09, 2018 3:12 am
Y.A.Tittle wrote:
Sun Apr 08, 2018 9:20 pm
+1 on that. DNS is a very common attack vector. I would never put my machines at risk using this “free” service. Remember: if it purports to be free then YOU are the product.
The security issue isn’t at all what you are implying. Cloudflare’s new Public DNS is safe and secure to use. It is an alternative to OpenDNS or Google’s DNS. That’s all. And using any of the aforementioned should be compared with using your ISP’s DNS servers, which is the default for most users. None of these options is any more or less likely to expose you to poisoned DNS entries (where it points to a fake website that will steal your information), though one may argue that Google or Cloudflare have better security than many ISP’s. I would say this new Cloudflare is, if anything, the safest and best choice for home users right now.

If you are really concerned with security still, then Cloudflare is no worse than your ISP’s and you would then want to use a DNS resolver that will query them directly from the authoritative servers of the FQDN, along with DNSSEC. Only then can you be damn sure the website you are visiting is the one you think it is. Pfsense’s DNS resolver uses this by default, and is what I use. But I use Pfsense for other reasons and would never recommend average folks use this compared to something like Cloudflare.
You many to learn a little about IP networking.

AntsOnTheMarch
Posts: 610
Joined: Mon May 29, 2017 5:47 pm

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by AntsOnTheMarch » Mon Apr 09, 2018 9:44 pm

lazydavid wrote:
Mon Apr 09, 2018 8:50 pm
AntsOnTheMarch wrote:
Mon Apr 09, 2018 1:37 pm
Regarding, search, I was referring to “Search domains" in settings (iOS) under “Configure DNS”—not the web search engine (which I have set to DuckDuckGo). I hope that clarifies my question.
These are domains that will be appended to requests that do not return a result. So let's say that you put the following entries in the search domains field:

bogleheads.org
microsoft.com

Then you go and type "widget" in your address bar. Your browser will attempt to connect to the following, in order:

widget
widget.bogleheads.org
widget.microsoft.com
Default search provider with keyword "widget"

The first three of those are a function of the network stack, the last a function of the browser. Since none of the first three actually exist, you'll get a Google (or whatever your browser's default search engine is) page for search term widget.

This is used primarily inside companies, so people can get to servers or services by their short name. So if I work for megacorp, I might put megacorp.com and megacorp.local in my DNS search order. Then I can access supersecretserver.megacorp.local by just typing supersecretserver in my address bar.
Interesting! Thanks for taking the time to explain.

:beer

BolderBoy
Posts: 4184
Joined: Wed Apr 07, 2010 12:16 pm
Location: Colorado

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by BolderBoy » Mon Apr 09, 2018 10:40 pm

1.1.1.1 is pretty impressive. It is just a tiny bit slower than Comcast's servers (my ISP). And just slightly faster than Google's free DNS servers (8.8.8.8 and 8.8.4.4).

(running DNSBench by GRC Research https://www.grc.com/dns/benchmark.htm)
"Never underestimate one's capacity to overestimate one's abilities" - The Dunning-Kruger Effect

Cunobelinus
Posts: 200
Joined: Tue Dec 04, 2012 5:31 pm

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by Cunobelinus » Tue Apr 10, 2018 12:03 am

Y.A.Tittle wrote:
Mon Apr 09, 2018 9:43 pm
oneleaf wrote:
Mon Apr 09, 2018 3:12 am
Y.A.Tittle wrote:
Sun Apr 08, 2018 9:20 pm
+1 on that. DNS is a very common attack vector. I would never put my machines at risk using this “free” service. Remember: if it purports to be free then YOU are the product.
The security issue isn’t at all what you are implying. Cloudflare’s new Public DNS is safe and secure to use. It is an alternative to OpenDNS or Google’s DNS. That’s all. And using any of the aforementioned should be compared with using your ISP’s DNS servers, which is the default for most users. None of these options is any more or less likely to expose you to poisoned DNS entries (where it points to a fake website that will steal your information), though one may argue that Google or Cloudflare have better security than many ISP’s. I would say this new Cloudflare is, if anything, the safest and best choice for home users right now.

If you are really concerned with security still, then Cloudflare is no worse than your ISP’s and you would then want to use a DNS resolver that will query them directly from the authoritative servers of the FQDN, along with DNSSEC. Only then can you be damn sure the website you are visiting is the one you think it is. Pfsense’s DNS resolver uses this by default, and is what I use. But I use Pfsense for other reasons and would never recommend average folks use this compared to something like Cloudflare.
You many to learn a little about IP networking.
You may need to use a few more words to make a point.

Regarding the first few posts, as many folks have pointed out, there is no software to install. Cloudflare does not make money by recording/selling DNS queries, as has been clearly stated by Cloudflare, and I believe they've hired an independent auditor to conduct yearly reviews as a measure of good faith. They charge unique fees to their customers for their commercial services which is how the company makes their money.

Raspberry Pi's (RPi's) do not require much more than curiosity and a little bit of tenacity to set up -- you'll need to get out of your comfort zone if you've never used anything but Windows and Microsoft products. As RPi's were designed to help teach kids, they're pretty user friendly. Installing and using Pi-Hole is rather easy too if you can follow the well-written instructions.

VaR
Posts: 585
Joined: Sat Dec 05, 2015 11:27 pm

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by VaR » Tue Apr 10, 2018 1:24 am

This is worth looking into, but I'd recommend the following:
1. Definitely avoid the default DNS that comes from your ISP. They are the worst at trying to monetize you.
2. If you travel, also try to avoid the default DNS. But be aware that this *might* cause problems for certain services in captive cases like on the airplane. I haven't tested this, though. Would appreciate any input people have.
3. If you do choose to use CloudFlare DNS, make sure to keep on top of the happenings in DNS. I think the CloudFlare folks are on the up-and-up, but that doesn't mean they won't have specific vulnerabilities or issues.

Gryphon
Posts: 91
Joined: Sat May 07, 2016 11:43 am

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by Gryphon » Tue Apr 10, 2018 9:58 am

VaR wrote:
Tue Apr 10, 2018 1:24 am
2. If you travel, also try to avoid the default DNS. But be aware that this *might* cause problems for certain services in captive cases like on the airplane. I haven't tested this, though. Would appreciate any input people have.
The announcement about 1.1.1.1 came out while I was traveling, so I tried it out while in my hotel room one evening. It worked fine that night, and for the next few days while visiting family, but when I stopped at a hotel on the way home, I was not able to get access to the hotel wifi until I switched the DNS setting back to the default provided by DHCP.

Once I got past the initial login, I was able to go back to 1.1.1.1, but for some reason authenticating with the hotel wifi required using their DNS.

lazydavid
Posts: 1891
Joined: Wed Apr 06, 2016 1:37 pm

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by lazydavid » Tue Apr 10, 2018 12:10 pm

Gryphon wrote:
Tue Apr 10, 2018 9:58 am
The announcement about 1.1.1.1 came out while I was traveling, so I tried it out while in my hotel room one evening. It worked fine that night, and for the next few days while visiting family, but when I stopped at a hotel on the way home, I was not able to get access to the hotel wifi until I switched the DNS setting back to the default provided by DHCP.

Once I got past the initial login, I was able to go back to 1.1.1.1, but for some reason authenticating with the hotel wifi required using their DNS.
If you know the actual authentication page (which will be something like a56lksj856lnbs8y72.wayport.net), you can go directly to it without changing your DNS, and everything will work fine. When your session timed out, you needed to go back to that page to re-authorize. How they usually accomplish that is by hijacking your DNS queries. So you type google.com into your address bar, and their DNS says that google.com is really an alias for a56lksj856lnbs8y72.wayport.net. So you wind up there, sign in, and all is right with the world.

Even if you're using 1.1.1.1, once your session ends, if you have that page in your history (or still open in another tab), you can go straight to it and sign in again without changing your DNS back.
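
The DNS redirection described in the post above can be recognised from the answers themselves. This is an added example, not part of the original post: it reads `dig +noall +answer`-style lines, and the portal host name, addresses and function names are constructed placeholders.

```python
from collections import Counter

# Constructed answers from a network's own resolver before sign-in.
BEFORE_SIGN_IN = """\
google.com.            30 IN CNAME login.portal.example.
login.portal.example.  30 IN A     192.0.2.10
bogleheads.org.        30 IN CNAME login.portal.example.
wikipedia.org.         30 IN CNAME login.portal.example.
"""

# Constructed answers for the same names once the session is authorised.
AFTER_SIGN_IN = """\
google.com.      300 IN A 198.51.100.7
bogleheads.org.  300 IN A 203.0.113.20
wikipedia.org.   300 IN A 203.0.113.9
"""

PROBES = ["google.com", "bogleheads.org", "wikipedia.org"]


def parse_answers(text):
    """Parse answer lines into {owner: [(type, rdata), ...]}."""
    records = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN":
            continue  # skip comments, blank lines and anything malformed
        owner = fields[0].rstrip(".").lower()
        rdata = fields[4].rstrip(".").lower()
        records.setdefault(owner, []).append((fields[3], rdata))
    return records


def final_target(name, records):
    """Follow CNAMEs from name; return (last_alias_or_None, address_or_None)."""
    seen, alias, current = set(), None, name.lower()
    while current not in seen:
        seen.add(current)
        rrs = records.get(current, [])
        cname = next((r for t, r in rrs if t == "CNAME"), None)
        if cname is None:
            address = next((r for t, r in rrs if t == "A"), None)
            return alias, address
        alias = current = cname
    return alias, None  # CNAME loop: no usable address


def portal_target(probes, records, min_probes=3):
    """Return the host (or address) that every probe name collapses onto.

    Unrelated sites run by different operators do not normally share an
    alias or address, so a single common target indicates redirection.
    """
    if len(probes) < min_probes:
        return None  # too few probes to tell coincidence from redirection
    targets = Counter()
    for name in probes:
        alias, address = final_target(name, records)
        key = alias or address
        if key:
            targets[key] += 1
    if not targets:
        return None
    target, hits = targets.most_common(1)[0]
    return target if hits == len(probes) else None


if __name__ == "__main__":
    print(portal_target(PROBES, parse_answers(BEFORE_SIGN_IN)))
    print(portal_target(PROBES, parse_answers(AFTER_SIGN_IN)))
```

The name returned for the pre-sign-in answers is the page that, per the post above, can be opened directly to sign in.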

Gryphon
Posts: 91
Joined: Sat May 07, 2016 11:43 am

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by Gryphon » Tue Apr 10, 2018 12:34 pm

lazydavid wrote:
Tue Apr 10, 2018 12:10 pm
Even if you're using 1.1.1.1, once your session ends, if you have that page in your history (or still open in another tab), you can go straight to it and sign in again without changing your DNS back.
This was at a different hotel than the one I had stayed at previously, so there was nothing in the history I could go to. I suppose I could have tried to look it up online, but - hey! Catch-22 strikes again.

Material Guy
Posts: 79
Joined: Sun Dec 04, 2011 12:28 pm

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by Material Guy » Tue Apr 10, 2018 12:48 pm

Here's some more information on CloudFlare and encrypted DNS.
How to keep your ISP’s nose out of your browser history with encrypted DNS

jhfenton
Posts: 3539
Joined: Sat Feb 07, 2015 11:17 am
Location: Ohio

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by jhfenton » Tue Apr 10, 2018 2:46 pm

I have one technical question that I can't find a quick and up-to-date answer to: Do (and how do) third-party DNS services deal with CDNs and local caching servers like Netflix Open Connect, Akamai, etc.? I know my local/regional ISP--whom I work for--has numerous local caching servers. Netflix, Amazon, Hulu, etc. almost all have servers physically inside our network. My "netflix.com" will ultimately stream from a different server than your "netflix.com" on a different ISP.

I use our default DNS servers as primary and secondary. I have third-party DNS servers set as tertiary and quaternary. I haven't tried Cloudflare yet, but my local DNS servers tested out as faster last time I checked.

SittingOnTheFence
Posts: 295
Joined: Sun Sep 27, 2015 5:30 pm

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by SittingOnTheFence » Tue Apr 10, 2018 3:46 pm

I previously used OpenDNS with a secondary DNS of Google. I have heard that Google grabs search queries but maybe this is BS.

I started using 9.9.9.9 (quad9.net - a non-profit) about a month ago when I first heard about it protecting against malicious domains and not using my searches for marketing purposes.

CloudFlare's DNS came online a bit later and I believe it offers the same protections.

PFInterest
Posts: 2684
Joined: Sun Jan 08, 2017 12:25 pm

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by PFInterest » Tue Apr 10, 2018 3:54 pm

Shikoku wrote:
Sun Apr 08, 2018 9:44 pm
ridebikeseveryday wrote:
Sun Apr 08, 2018 9:27 pm
Shikoku wrote:
Sun Apr 08, 2018 9:07 pm
People really need to understand the purpose of DNS and how DNS works before installing the recommended software.
You don't need to install any software to use alternate DNS servers.
When I clicked on https://1.1.1.1/ it presented me with two options: INSTALL and INFO. I stopped there. Even if I do not need to install any software, I will not use this service. Everyone should be cautious about any service like this.
That is not how this works.

Shikoku
Posts: 270
Joined: Fri Oct 27, 2017 11:01 pm
Location: USA

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by Shikoku » Tue Apr 10, 2018 5:30 pm

PFInterest wrote:
Tue Apr 10, 2018 3:54 pm
Shikoku wrote:
Sun Apr 08, 2018 9:44 pm
ridebikeseveryday wrote:
Sun Apr 08, 2018 9:27 pm
Shikoku wrote:
Sun Apr 08, 2018 9:07 pm
People really need to understand the purpose of DNS and how DNS works before installing the recommended software.
You don't need to install any software to use alternate DNS servers.
When I clicked on https://1.1.1.1/ it presented me with two options: INSTALL and INFO. I stopped there. Even if I do not need to install any software, I will not use this service. Everyone should be cautious about any service like this.
That is not how this works.
It is true that they presented two options: INSTALL and INFO. If they are so smart and trustworthy, they should have presented CONFIGURE and INFO. INSTALL and CONFIGURE are not the same. So they have misrepresented in the first place what they would like the users to do. How can someone guarantee that they are better than DNS provided by ISPs such as Comcast? Comcast has over $180 billion in assets. How much in assets does CloudFlare have? If there is an issue, CloudFlare can close the store but Comcast cannot! When trust is an issue, I will go with a large well-known company to run my DNS. I do not want to be the 'product' of every new company that pops up and increases their IPO value.
"I don't worry too much about pointing fingers at the past. I operate on the theory that every saint has a past, every sinner has a future." -- Warren Buffett

PFInterest
Posts: 2684
Joined: Sun Jan 08, 2017 12:25 pm

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by PFInterest » Tue Apr 10, 2018 5:37 pm

Shikoku wrote:
Tue Apr 10, 2018 5:30 pm
PFInterest wrote:
Tue Apr 10, 2018 3:54 pm
Shikoku wrote:
Sun Apr 08, 2018 9:44 pm
ridebikeseveryday wrote:
Sun Apr 08, 2018 9:27 pm
Shikoku wrote:
Sun Apr 08, 2018 9:07 pm
People really need to understand the purpose of DNS and how DNS works before installing the recommended software.
You don't need to install any software to use alternate DNS servers.
When I clicked on https://1.1.1.1/ it presented me with two options: INSTALL and INFO. I stopped there. Even if I do not need to install any software, I will not use this service. Everyone should be cautious about any service like this.
That is not how this works.
It is true that they presented two options: INSTALL and INFO. If they are so smart and trustworthy, they should have presented CONFIGURE and INFO. INSTALL and CONFIGURE are not the same. So they have misrepresented in the first place what they would like the users to do. How can someone guarantee that they are better than DNS provided by ISPs such as Comcast? Comcast has over $180 billion in assets. How much in assets does CloudFlare have? If there is an issue, CloudFlare can close the store but Comcast cannot! When trust is an issue, I will go with a large well-known company to run my DNS. I do not want to be the 'product' of every new company that pops up and increases their IPO value.
Does no one understand DNS???!!

Cunobelinus
Posts: 200
Joined: Tue Dec 04, 2012 5:31 pm

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by Cunobelinus » Tue Apr 10, 2018 6:01 pm

PFInterest wrote:
Tue Apr 10, 2018 5:37 pm
Shikoku wrote:
Tue Apr 10, 2018 5:30 pm
PFInterest wrote:
Tue Apr 10, 2018 3:54 pm
Shikoku wrote:
Sun Apr 08, 2018 9:44 pm
ridebikeseveryday wrote:
Sun Apr 08, 2018 9:27 pm
You don't need to install any software to use alternate DNS servers.
When I clicked on https://1.1.1.1/ it presented me with two options: INSTALL and INFO. I stopped there. Even if I do not need to install any software, I will not use this service. Everyone should be cautious about any service like this.
That is not how this works.
It is true that they presented two options: INSTALL and INFO. If they are so smart and trustworthy, they should have presented CONFIGURE and INFO. INSTALL and CONFIGURE are not the same. So they have misrepresented in the first place what they would like the users to do. How can someone guarantee that they are better than DNS provided by ISPs such as Comcast? Comcast has over $180 billion in assets. How much in assets does CloudFlare have? If there is an issue, CloudFlare can close the store but Comcast cannot! When trust is an issue, I will go with a large well-known company to run my DNS. I do not want to be the 'product' of every new company that pops up and increases their IPO value.
Does no one understand DNS???!!
Nobody knows nothing :happy

Some are more interested in resisting and arguing their beliefs than anything else. Not everyone has the desire to learn about "tech" things.

https://en.wikipedia.org/wiki/Domain_Name_System Wikipedia is a good starting place for learning about things (not just DNS).

Shikoku
Posts: 270
Joined: Fri Oct 27, 2017 11:01 pm
Location: USA

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by Shikoku » Tue Apr 10, 2018 6:10 pm

PFInterest wrote:
Tue Apr 10, 2018 5:37 pm
Shikoku wrote:
Tue Apr 10, 2018 5:30 pm
PFInterest wrote:
Tue Apr 10, 2018 3:54 pm
Shikoku wrote:
Sun Apr 08, 2018 9:44 pm
ridebikeseveryday wrote:
Sun Apr 08, 2018 9:27 pm
You don't need to install any software to use alternate DNS servers.
When I clicked on https://1.1.1.1/ it presented me with two options: INSTALL and INFO. I stopped there. Even if I do not need to install any software, I will not use this service. Everyone should be cautious about any service like this.
That is not how this works.
It is true that they presented two options: INSTALL and INFO. If they are so smart and trustworthy, they should have presented CONFIGURE and INFO. INSTALL and CONFIGURE are not the same. So they have misrepresented in the first place what they would like the users to do. How can someone guarantee that they are better than DNS provided by ISPs such as Comcast? Comcast has over $180 billion in assets. How much in assets does CloudFlare have? If there is an issue, CloudFlare can close the store but Comcast cannot! When trust is an issue, I will go with a large well-known company to run my DNS. I do not want to be the 'product' of every new company that pops up and increases their IPO value.
Does no one understand DNS???!!
Does anyone have any clue what CloudFlare is going to do with our data? :wink:

DNS query data is extremely sensitive. CloudFlare will "share query data, but only with these really trustworthy researchers". "Ironically for a project predicated on privacy, Cloudflare is sharing DNS query data with APNIC Labs, a part of Asian registry APNIC, in exchange for the use of its 1.1.1.1 network address." Source: https://www.theregister.co.uk/2018/04/0 ... s_privacy/

Our memory is very short-lived. When Mark Zuckerberg just finished his testimony to Congress today on Facebook's scandal over Cambridge Analytica, we are discussing (and promoting) a service of another data-sharing company.

I will not use CloudFlare's DNS for the aforementioned reason.
"I don't worry too much about pointing fingers at the past. I operate on the theory that every saint has a past, every sinner has a future." -- Warren Buffett

Gryphon
Posts: 91
Joined: Sat May 07, 2016 11:43 am

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by Gryphon » Tue Apr 10, 2018 7:51 pm

Shikoku wrote:
Tue Apr 10, 2018 6:10 pm
DNS query data is extremely sensitive. CloudFlare will "share query data, but only with these really trustworthy researchers". "Ironically for a project predicated on privacy, Cloudflare is sharing DNS query data with APNIC Labs, a part of Asian registry APNIC, in exchange for the use of its 1.1.1.1 network address." Source: https://www.theregister.co.uk/2018/04/0 ... s_privacy/
From that same article:
Cloudflare CTO John Graham-Cumming got in touch to clarify that while APNIC will have access to DNS query data, it will not have access to logs of IP addresses of people sending in those queries.


Shikoku wrote:
Tue Apr 10, 2018 5:30 pm
When trust is an issue, I will go with a large well-known company to run my DNS. I do not want to be the 'product' of every new company that pops up and increases their IPO value.
Facebook is a large, well-known company. Would you trust them with your DNS query data? Large and well-known do not necessarily translate into trustworthy, not to me anyway.

Shikoku
Posts: 270
Joined: Fri Oct 27, 2017 11:01 pm
Location: USA

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by Shikoku » Tue Apr 10, 2018 9:01 pm

Gryphon wrote:
Tue Apr 10, 2018 7:51 pm
Shikoku wrote:
Tue Apr 10, 2018 6:10 pm
DNS query data is extremely sensitive. CloudFlare will "share query data, but only with these really trustworthy researchers". "Ironically for a project predicated on privacy, Cloudflare is sharing DNS query data with APNIC Labs, a part of Asian registry APNIC, in exchange for the use of its 1.1.1.1 network address." Source: https://www.theregister.co.uk/2018/04/0 ... s_privacy/
From that same article:
Cloudflare CTO John Graham-Cumming got in touch to clarify that while APNIC will have access to DNS query data, it will not have access to logs of IP addresses of people sending in those queries.
Shikoku wrote:
Tue Apr 10, 2018 5:30 pm
When trust is an issue, I will go with a large well-known company to run my DNS. I do not want to be the 'product' of every new company that pops up and increases their IPO value.
Facebook is a large, well-known company. Would you trust them with your DNS query data? Large and well-known do not necessarily translate into trustworthy, not to me anyway.
CloudFlare has yet to prove trustworthiness. They have started something with a commitment to sharing DNS query data with another organization. This is a big red flag even though they are promising not to share everything.

Large and well-known companies do not mean trustworthiness, I agree, but they are better than small companies. A small company can simply declare bankruptcy and close the business after committing a breach. After a breach, a large and well-known company such as Comcast will have to testify to Congress as Zuckerberg did today, take heat from all corners, and pay a monetary penalty. So I will continue to use Comcast-DNS instead of a PopUp-DNS. For the same reason, I keep my investment with Vanguard and Fidelity instead of investing with Bernie Madoff even knowing that Madoff's rate of return is better than what I will get from index funds. So I trust large and well-known.
"I don't worry too much about pointing fingers at the past. I operate on the theory that every saint has a past, every sinner has a future." -- Warren Buffett

AntsOnTheMarch
Posts: 610
Joined: Mon May 29, 2017 5:47 pm

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by AntsOnTheMarch » Tue Apr 10, 2018 9:05 pm

I trust many small companies more than Comcast, Facebook, Google or Equifax.

bampf
Posts: 202
Joined: Thu Aug 04, 2016 6:19 pm

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by bampf » Tue Apr 10, 2018 9:20 pm

Shikoku wrote:
Tue Apr 10, 2018 5:30 pm
So I will continue to use Comcast-DNS instead of a PopUp-DNS. For the same reason, I keep my investment with Vanguard and Fidelity instead of investing with Bernie Madoff even knowing that Madoff's rate of return is better than what I will get from index funds. So I trust large and well-known.
This may be the first time in my adult life I have heard anyone say something positive and comcast in the same breath. Wow. I'm literally floored. The problem with not understanding the subject matter and speaking authoritatively is that for anyone that does understand, all your opinions are immediately discounted. You mention the term breach (suggesting Facebook which wasn't a breach at least in the classical definition) and you are probably dollars to donuts requesting your DNS in the clear. That's a bit like walking around with your social security number on your back and saying you will only do it in NY, where you are safe because there are lots of police.

You may wish to understand (grok would be the term I would use) what you are talking about before you boldly claim that Comcast is your protector here.... As an aside, you are probably spending 50% or more of your time running through cloudflare. I mean literally transmitting packets back and forth to their servers. Cloudflare is the front end of a large bulk of the net. If the content was all Cloudflare, they would be the 10th largest property on the internet. They service over 7 million internet properties. They are a leading company advocating for privacy (we can argue a bit about this, but, I don't feel I am being hyperbolic).

I am really not a fanboy, I don't use their DNS. But, I understand what I am choosing.

https://techcrunch.com/2018/03/14/ibm-p ... -features/

--Bampf

KyleAAA
Posts: 6805
Joined: Wed Jul 01, 2009 5:35 pm

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by KyleAAA » Tue Apr 10, 2018 10:03 pm

CloudFlare is large and reputable and you already pass through their system daily when you visit any one of the huge number of mainstream websites they host the CDN for. This is a silly worry compared to just letting your ISP handle it. Don’t let your ISP handle it.

Shikoku
Posts: 270
Joined: Fri Oct 27, 2017 11:01 pm
Location: USA

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by Shikoku » Tue Apr 10, 2018 10:03 pm

bampf wrote:
Tue Apr 10, 2018 9:20 pm
Shikoku wrote:
Tue Apr 10, 2018 5:30 pm
So I will continue to use Comcast-DNS instead of a PopUp-DNS. For the same reason, I keep my investment with Vanguard and Fidelity instead of investing with Bernie Madoff even knowing that Madoff's rate of return is better than what I will get from index funds. So I trust large and well-known.
This may be the first time in my adult life I have heard anyone say something positive and comcast in the same breath. Wow. I'm literally floored. The problem with not understanding the subject matter and speaking authoritatively is that for anyone that does understand, all your opinions are immediately discounted. You mention the term breach (suggesting Facebook which wasn't a breach at least in the classical definition) and you are probably dollars to donuts requesting your DNS in the clear. That's a bit like walking around with your social security number on your back and saying you will only do it in NY, where you are safe because there are lots of police.

You may wish to understand (grok would be the term I would use) what you are talking about before you boldly claim that Comcast is your protector here.... As an aside, you are probably spending 50% or more of your time running through cloudflare. I mean literally transmitting packets back and forth to their servers. Cloudflare is the front end of a large bulk of the net. If the content was all Cloudflare, they would be the 10th largest property on the internet. They service over 7 million internet properties. They are a leading company advocating for privacy (we can argue a bit about this, but, I don't feel I am being hyperbolic).

I am really not a fanboy, I don't use their DNS. But, I understand what I am choosing.

https://techcrunch.com/2018/03/14/ibm-p ... -features/

--Bampf
When I enter vanguard.com in my browser, Comcast's DNS lookup returns IP address 192.175.191.200. I might disagree with my Comcast bill but I trust the IP address they return and the webpage I visit as a result of my browser receiving the IP address; I am happy to enter my username and password to do my business. I do not have the same level of trust with a small private company such as CloudFlare. So it is not me who is going to use 1.1.1.1 as my DNS.
"I don't worry too much about pointing fingers at the past. I operate on the theory that every saint has a past, every sinner has a future." -- Warren Buffett
