New faster DNS - 1.1.1.1 by CloudFlare

Questions on how we spend our money and our time - consumer goods and services, home and vehicle, leisure and recreational activities
oneleaf
Posts: 2343
Joined: Mon Feb 19, 2007 5:48 pm

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by oneleaf » Tue Apr 10, 2018 10:14 pm

Cloudflare has been around, and is one of the most trusted authoritative DNS providers in the world and has been for years (the recursive DNS offering we are talking about in this thread is new). Their CDN and free SSL certificates have also been trusted around the world. This new service of theirs offers DNSSEC, which, like Google's and Comcast's (but not every ISP's), assures you the IP addresses you are receiving have not been altered. It also offers DNS over TLS, which offers more security and privacy. They also state they will not sell your data to advertisers, and on this issue, they are being audited by a reputable company. And with their servers around the world (being a leading authoritative DNS and content delivery network provider, they have more than enough resources), they will be blazingly fast. There are no red flags. It really is that simple. And at the end of the day, if you are still concerned, then I have no idea why you would trust Comcast over Cloudflare.

KyleAAA
Posts: 6675
Joined: Wed Jul 01, 2009 5:35 pm

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by KyleAAA » Tue Apr 10, 2018 10:41 pm

Shikoku wrote:
Tue Apr 10, 2018 10:03 pm
bampf wrote:
Tue Apr 10, 2018 9:20 pm
Shikoku wrote:
Tue Apr 10, 2018 5:30 pm
So I will continue to use Comcast-DNS instead of a PopUp-DNS. For the same reason, I keep my investment with Vanguard and Fidelity instead of investing with Bernie Madoff even knowing that Madoff's rate of return is better than what I will get from index funds. So I trust large and well-known.
This may be the first time in my adult life I have heard anyone say something positive and comcast in the same breath. Wow. I'm literally floored. The problem with not understanding the subject matter and speaking authoritatively is that for anyone that does understand, all your opinions are immediately discounted. You mention the term breach (suggesting Facebook which wasn't a breach at least in the classical definition) and you are probably dollars to donuts requesting your DNS in the clear. That's a bit like walking around with your social security number on your back and saying you will only do it in NY, where you are safe because there are lots of police.

You may wish to understand (grok would be the term I would use) what you are talking about before you boldly claim that Comcast is your protector here.... As an aside, you are probably spending 50% or more of your time running through cloudflare. I mean literally transmitting packets back and forth to their servers. Cloudflare is the front end of a large bulk of the net. If the content was all Cloudflare, they would be the 10th largest property on the internet. They service over 7 million internet properties. They are a leading company advocating for privacy (we can argue a bit about this, but, I don't feel I am being hyperbolic).

I am really not a fanboy, I don't use their DNS. But, I understand what I am choosing.

https://techcrunch.com/2018/03/14/ibm-p ... -features/

--Bampf
When I enter vanguard.com in my browser, Comcast's DNS lookup returns IP address 192.175.191.200. I might disagree with my Comcast bill but I trust the IP address they return and the webpage I visit as a result of my browser receiving the IP address; I am happy to enter my username and password to do my business. I do not have the same level of trust with a small private company such as CloudFlare. So it is not me who is going to use 1.1.1.1 as my DNS.
Cloudflare has revenue well in excess of $100mm and its major shareholders are Microsoft and Fidelity. The only thing Comcast has that Cloudflare lacks is a history of shady business practices. Seriously, Cloudflare is an 800 lb gorilla in the industry. Your mistrust is misplaced. Besides, if your criterion is a large public company, wouldn't you use Google's DNS service instead? Google is much larger.

bampf
Posts: 198
Joined: Thu Aug 04, 2016 6:19 pm

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by bampf » Tue Apr 10, 2018 10:50 pm

Shikoku wrote:
Tue Apr 10, 2018 10:03 pm
bampf wrote:
Tue Apr 10, 2018 9:20 pm
Shikoku wrote:
Tue Apr 10, 2018 5:30 pm
So I will continue to use Comcast-DNS instead of a PopUp-DNS. For the same reason, I keep my investment with Vanguard and Fidelity instead of investing with Bernie Madoff even knowing that Madoff's rate of return is better than what I will get from index funds. So I trust large and well-known.
This may be the first time in my adult life I have heard anyone say something positive and comcast in the same breath. Wow. I'm literally floored. The problem with not understanding the subject matter and speaking authoritatively is that for anyone that does understand, all your opinions are immediately discounted. You mention the term breach (suggesting Facebook which wasn't a breach at least in the classical definition) and you are probably dollars to donuts requesting your DNS in the clear. That's a bit like walking around with your social security number on your back and saying you will only do it in NY, where you are safe because there are lots of police.

You may wish to understand (grok would be the term I would use) what you are talking about before you boldly claim that Comcast is your protector here.... As an aside, you are probably spending 50% or more of your time running through cloudflare. I mean literally transmitting packets back and forth to their servers. Cloudflare is the front end of a large bulk of the net. If the content was all Cloudflare, they would be the 10th largest property on the internet. They service over 7 million internet properties. They are a leading company advocating for privacy (we can argue a bit about this, but, I don't feel I am being hyperbolic).

I am really not a fanboy, I don't use their DNS. But, I understand what I am choosing.

https://techcrunch.com/2018/03/14/ibm-p ... -features/

--Bampf
When I enter vanguard.com in my browser, Comcast's DNS lookup returns IP address 192.175.191.200. I might disagree with my Comcast bill but I trust the IP address they return and the webpage I visit as a result of my browser receiving the IP address; I am happy to enter my username and password to do my business. I do not have the same level of trust with a small private company such as CloudFlare. So it is not me who is going to use 1.1.1.1 as my DNS.
I'm glad you are skeptical. Really I am. Skepticism means you can learn and make a rational decision. Please research Comcast DNS redirection. By the way, I bet you a nickel you walk through the Cloudflare stack to get to Vanguard. Don't care what you use. Really. But knowledge is good. Sounds like you would benefit immeasurably from secure DNS and trusted computing. I applaud that. But, really: DNS redirect, ad insertion, malformed address spoofing, cookie propagation. Dangerous world out there. Time to arm yourself with knowledge.

Peace.

z91
Posts: 248
Joined: Fri Mar 07, 2014 1:19 pm

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by z91 » Wed Apr 11, 2018 12:19 am

I understand how DNS systems work, but what exactly is in it for CloudFlare? It costs them money to run this service and to retain KPMG to do the audits.

Are they looking to use this as a channel to re-route mass users in case of a DDoS attack to a site they provide CloudFlare service to?

VaR
Posts: 583
Joined: Sat Dec 05, 2015 11:27 pm

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by VaR » Wed Apr 11, 2018 2:36 am

z91 wrote:
Wed Apr 11, 2018 12:19 am
I understand how DNS systems work, but what exactly is in it for CloudFlare? It costs them money to run this service and to retain KPMG to do the audits.

Are they looking to use this as a channel to re-route mass users in case of a DDoS attack to a site they provide CloudFlare service to?
That might be one reason. Other possibilities are:
1. Faster serving of content that they host on their content delivery network (CDN) to end users. If they are the fastest DNS they will speed up all DNS queries, but queries about sites using their CDN could be even faster, particularly because of the way that CDNs use DNS.
2. Brand recognition.
3. Marginal costs may not be that high because they probably need all these DNS servers on the edge for their CDN service.

BTW, Comcast betrayed all its customers with the DNS hijacking in their Comcast Domain Helper service. This wasn't just a mistake, it was a willful sellout of their customers. Note that they turned the service off after several years because it was determined to be indistinguishable from "malicious" DNS hijacking.

lazydavid
Posts: 1759
Joined: Wed Apr 06, 2016 1:37 pm

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by lazydavid » Wed Apr 11, 2018 5:40 am

Shikoku wrote:
Tue Apr 10, 2018 10:03 pm
When I enter vanguard.com in my browser, Comcast's DNS lookup returns IP address 192.175.191.200. I might disagree with my Comcast bill but I trust the IP address they return and the webpage I visit as a result of my browser receiving the IP address; I am happy to enter my username and password to do my business. I do not have the same level of trust with a small private company such as CloudFlare. So it is not me who is going to use 1.1.1.1 as my DNS.
This further confirms that you do not have the slightest clue what you are talking about. DNS is quite literally the least secure protocol on the entire internet. It's incredibly easy to hijack, and nearly every ISP (including Comcast) has been caught tampering with it. We have been trying with very limited success to add some level of security to DNS for almost two decades. If you are relying on a DNS response from ANYONE to establish trust, you are doing it wrong. It is not intended for that purpose and EVERY SINGLE security expert will tell you this is a bad idea.

Trust is established by the certificate that Vanguard.com presents being issued by a Certificate Authority that you (via your browser) trust. It confirms their identity because a trusted 3rd party has signed it, and only Vanguard is capable of communicating using that certificate.
Last edited by lazydavid on Wed Apr 11, 2018 5:47 am, edited 1 time in total.

lazydavid
Posts: 1759
Joined: Wed Apr 06, 2016 1:37 pm

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by lazydavid » Wed Apr 11, 2018 5:44 am

z91 wrote:
Wed Apr 11, 2018 12:19 am
Are they looking to use this as a channel to re-route mass users in case of a DDoS attack to a site they provide CloudFlare service to?
This is one possibility, though it would be challenging because the bad actors could use their lookups as well. My guess is analytics, and not in the privacy-invasion sense. If there is a sudden spike in lookups for a new domain, that could be the new hottest thing, but more likely is a malware C&C point. Seeing that spike in real-time can help them respond more quickly, and protect both their paying and free (DNS users) customers very rapidly. Likewise if there's a massive spike in lookups for one of their customers, that could be a first warning of a DDoS attack, and they can engage their standard protection mechanisms sooner.
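The detection idea in the post above (a sudden jump in lookups for a name, especially one nobody has asked about before) is easy to make concrete. The following is an added example, not code from the thread or from Cloudflare; the log format, the timestamps, the client addresses and the domain names are all constructed for the demonstration, and the window size and thresholds are arbitrary assumptions a real operator would tune.

```python
"""Spotting a lookup spike in recursive-resolver query logs.

Added example (not code from the thread or from Cloudflare): a resolver
operator sees query volume per name, so a name that is suddenly looked up far
more often than before, especially one never seen until now, is worth a look.
The log format and every log line below are constructed for this example.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)       # assumed bucket size
EPOCH = datetime(2018, 1, 1)        # reference point for window numbering


def parse_line(line):
    """Constructed format: '<ISO timestamp> <client ip> <qname> <qtype>'."""
    ts, client, qname, qtype = line.split()
    return datetime.fromisoformat(ts), client, qname.lower().rstrip("."), qtype


def window_of(ts):
    """Integer index of the fixed WINDOW-sized bucket containing ts."""
    return (ts - EPOCH) // WINDOW


def bucket_queries(lines):
    """Map window index -> Counter of qname -> number of lookups."""
    buckets = defaultdict(Counter)
    for line in lines:
        if not line.strip():
            continue
        ts, _client, qname, _qtype = parse_line(line)
        buckets[window_of(ts)][qname] += 1
    return buckets


def find_spikes(buckets, min_count=20, ratio=5.0):
    """Flag names whose count in a window is >= min_count and that were either
    never seen in an earlier window or are >= ratio times their earlier mean."""
    history = defaultdict(list)     # qname -> counts in earlier windows
    alerts = []
    for idx in sorted(buckets):
        for qname, count in buckets[idx].items():
            prior = history[qname]
            baseline = sum(prior) / len(prior) if prior else 0.0
            if count >= min_count and (not prior or count >= ratio * baseline):
                alerts.append({
                    "window_start": EPOCH + idx * WINDOW,
                    "qname": qname,
                    "count": count,
                    "baseline": baseline,
                    "new": not prior,       # first time anyone asked for it
                })
        # a window becomes history only after it has been scored in full
        for qname, count in buckets[idx].items():
            history[qname].append(count)
    return alerts


def make_sample_log():
    """Constructed log: steady traffic for three windows, then a burst on a
    known name and a flood of lookups for a name nobody asked about before."""
    lines = []
    base = datetime(2018, 4, 11, 5, 0, 0)
    for w in range(3):
        t0 = base + w * WINDOW
        for i in range(10):                          # steady, well-known name
            t = t0 + timedelta(seconds=20 * i)
            lines.append(f"{t.isoformat()} 10.0.0.{i + 1} www.example.com A")
        for i in range(40 if w == 2 else 4):         # known name, bursts in last window
            t = t0 + timedelta(seconds=5 * i)
            lines.append(f"{t.isoformat()} 10.0.0.{i + 1} cdn.example.net A")
    t0 = base + 2 * WINDOW
    for i in range(30):                              # never seen before
        t = t0 + timedelta(seconds=7 * i)
        lines.append(f"{t.isoformat()} 10.0.1.{i + 1} update-check.example.org A")
    return lines


if __name__ == "__main__":
    for alert in find_spikes(bucket_queries(make_sample_log())):
        tag = "NEW" if alert["new"] else f"baseline {alert['baseline']:.1f}"
        print(f"{alert['window_start']:%H:%M} {alert['qname']}: {alert['count']} ({tag})")
```

On the constructed log this flags two names in the 05:10 window: `cdn.example.net`, which jumped from a baseline of four lookups to forty, and `update-check.example.org`, which appears from nowhere at thirty. The steady `www.example.com` traffic never trips it. Whether a flagged name is "the new hottest thing" or a C&C rendezvous is a follow-up question for the analyst; the point is that only someone who sees the aggregate query stream can ask it at all.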

Shikoku
Posts: 270
Joined: Fri Oct 27, 2017 11:01 pm
Location: USA

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by Shikoku » Wed Apr 11, 2018 10:52 am

lazydavid wrote:
Wed Apr 11, 2018 5:40 am
Shikoku wrote:
Tue Apr 10, 2018 10:03 pm
When I enter vanguard.com in my browser, Comcast's DNS lookup returns IP address 192.175.191.200. I might disagree with my Comcast bill but I trust the IP address they return and the webpage I visit as a result of my browser receiving the IP address; I am happy to enter my username and password to do my business. I do not have the same level of trust with a small private company such as CloudFlare. So it is not me who is going to use 1.1.1.1 as my DNS.
This further confirms that you do not have the slightest clue what you are talking about. DNS is quite literally the least secure protocol on the entire internet. It's incredibly easy to hijack, and nearly every ISP (including Comcast) has been caught tampering with it. We have been trying with very limited success to add some level of security to DNS for almost two decades. If you are relying on a DNS response from ANYONE to establish trust, you are doing it wrong. It is not intended for that purpose and EVERY SINGLE security expert will tell you this is a bad idea.

Trust is established by the certificate that Vanguard.com presents being issued by a Certificate Authority that you (via your browser) trust. It confirms their identity because a trusted 3rd party has signed it, and only Vanguard is capable of communicating using that certificate.
Last time I checked, a few years ago, Comcast was using Domain Name System Security Extensions (DNSSEC). If it is not good enough, IETF will develop a new set that ISPs will adopt. Comcast has about 25 million broadband subscribers, and I am glad to use their default ISP. Hopefully, I am not the only one to use their default ISP!

The market is efficient. If CloudFlare is the best thing in town, ISPs like Comcast will use CloudFlare services to keep their customers happy. Until then, I will not jump to every mom-and-pop technology that comes out every day.
"I don't worry too much about pointing fingers at the past. I operate on the theory that every saint has a past, every sinner has a future." -- Warren Buffett

invst65
Posts: 644
Joined: Thu Nov 27, 2014 11:04 am

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by invst65 » Wed Apr 11, 2018 11:47 am

Google has a free program called namebench you can download. It runs benchmarks from your computer to determine which DNS server will be the fastest for your location.

I was using the DNS automatically provided by the cable provider's router and it seemed to be taking a long time connecting to websites. When I switched to the one suggested by namebench it did seem to speed things up a bit, though not dramatically so.

Gryphon
Posts: 63
Joined: Sat May 07, 2016 11:43 am

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by Gryphon » Wed Apr 11, 2018 11:59 am

Shikoku wrote:
Wed Apr 11, 2018 10:52 am
The market is efficient. If CloudFlare is the best thing in town, ISPs like Comcast will use CloudFlare services to keep their customers happy.
"Best thing in town" - best for who? What's best for the cable company is not necessarily what's best for you, which you don't seem to realize. And around these parts, cable is the only halfway decent high speed internet available. Folks who are unhappy with the internet service provided by cable have nothing better to turn to; their only competition is DSL which is about 1/3 the speed for almost the same price. So the cable company settles for sucking just a bit less than the other guy, because they can. Making the customers actually happy doesn't seem to be part of the equation.

lazydavid
Posts: 1759
Joined: Wed Apr 06, 2016 1:37 pm

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by lazydavid » Wed Apr 11, 2018 12:12 pm

Shikoku wrote:
Wed Apr 11, 2018 10:52 am
Last time I checked, a few years ago, Comcast was using Domain Name System Security Extensions (DNSSEC). If it is not good enough, IETF will develop a new set that ISPs will adopt. Comcast has about 25 million broadband subscribers, and I am glad to use their default ISP. Hopefully, I am not the only one to use their default ISP!
Have you installed and configured a DNSSEC resolver on all of your machines? Because it's not built into most operating systems. If you haven't--which I assume is the case since you flipped out when you saw the word INSTALL associated with this topic--then it doesn't really matter if they support DNSSEC or not. Which they do, but they sign their own sites and strip the security from any they don't own. So it doubly doesn't matter, because you can't actually directly use it anyway. It buys you almost nothing.

Don't get me wrong, I use Comcast's DNS too. Because I'm lazy and it works well enough. But rejecting any other option because of some sort of sense of trust or inherent security is at best misguided. Especially when they've been caught multiple times manipulating DNS queries to display advertising, or to limit access to high-bandwidth services. And given that your machine never sees the DNSSEC validation, you still have no assurance that the result you receive is the same one Comcast did. It could have been manipulated by them, or any of your neighbors.

I'm also not saying that CloudFlare is the best thing out there. But they're far from some unknown upstart as you keep implying. They do have an almost decade-long history of actions that increase general internet security, in a wide variety of aspects. Cloudflare is both the world's second largest DDoS security provider with 7+ million corporate customers, as well as the 5th largest content distribution network. A full 10% of all web traffic passes through their servers. This is not a guy working out of his mom's basement. Comcast on the other hand has a multi-decade-long history of actions that increase its profitability, in most cases at its consumers' expense (both literally and figuratively) in the form of higher prices and reduced competition. So much so that it had to abandon its merger plans with Time Warner to avoid a DOJ antitrust lawsuit. They prove on an almost daily basis that they do not have your best interests in mind.

bampf
Posts: 198
Joined: Thu Aug 04, 2016 6:19 pm

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by bampf » Wed Apr 11, 2018 12:36 pm

lazydavid wrote:
Wed Apr 11, 2018 12:12 pm
Shikoku wrote:
Wed Apr 11, 2018 10:52 am
Last time I checked, a few years ago, Comcast was using Domain Name System Security Extensions (DNSSEC). If it is not good enough, IETF will develop a new set that ISPs will adopt. Comcast has about 25 million broadband subscribers, and I am glad to use their default ISP. Hopefully, I am not the only one to use their default ISP!
Have you installed and configured a DNSSEC resolver on all of your machines? Because it's not built into most operating systems. If you haven't--which I assume is the case since you flipped out when you saw the word INSTALL associated with this topic--then it doesn't really matter if they support DNSSEC or not. Which they do, but they sign their own sites and strip the security from any they don't own. So it doubly doesn't matter, because you can't actually directly use it anyway. It buys you almost nothing.

Don't get me wrong, I use Comcast's DNS too. Because I'm lazy and it works well enough. But rejecting any other option because of some sort of sense of trust or inherent security is at best misguided. Especially when they've been caught multiple times manipulating DNS queries to display advertising, or to limit access to high-bandwidth services. And given that your machine never sees the DNSSEC validation, you still have no assurance that the result you receive is the same one Comcast did. It could have been manipulated by them, or any of your neighbors.

I'm also not saying that CloudFlare is the best thing out there. But they're far from some unknown upstart as you keep implying. They do have an almost decade-long history of actions that increase general internet security, in a wide variety of aspects. Cloudflare is both the world's second largest DDoS security provider with 7+ million corporate customers, as well as the 5th largest content distribution network. A full 10% of all web traffic passes through their servers. This is not a guy working out of his mom's basement. Comcast on the other hand has a multi-decade-long history of actions that increase its profitability, in most cases at its consumers' expense (both literally and figuratively) in the form of higher prices and reduced competition. So much so that it had to abandon its merger plans with Time Warner to avoid a DOJ antitrust lawsuit. They prove on an almost daily basis that they do not have your best interests in mind.
I believe that there is literally nothing you can say that will change this individual's mind. I won't tell you to stop since it is probably educating other folks, but, as Scott Adams put it, "Nothing makes [someone] argue harder than being proven wrong."

bampf
Posts: 198
Joined: Thu Aug 04, 2016 6:19 pm

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by bampf » Wed Apr 11, 2018 12:43 pm

Shikoku wrote:
Wed Apr 11, 2018 10:52 am
lazydavid wrote:
Wed Apr 11, 2018 5:40 am
Shikoku wrote:
Tue Apr 10, 2018 10:03 pm
When I enter vanguard.com in my browser, Comcast's DNS lookup returns IP address 192.175.191.200. I might disagree with my Comcast bill but I trust the IP address they return and the webpage I visit as a result of my browser receiving the IP address; I am happy to enter my username and password to do my business. I do not have the same level of trust with a small private company such as CloudFlare. So it is not me who is going to use 1.1.1.1 as my DNS.
This further confirms that you do not have the slightest clue what you are talking about. DNS is quite literally the least secure protocol on the entire internet. It's incredibly easy to hijack, and nearly every ISP (including Comcast) has been caught tampering with it. We have been trying with very limited success to add some level of security to DNS for almost two decades. If you are relying on a DNS response from ANYONE to establish trust, you are doing it wrong. It is not intended for that purpose and EVERY SINGLE security expert will tell you this is a bad idea.

Trust is established by the certificate that Vanguard.com presents being issued by a Certificate Authority that you (via your browser) trust. It confirms their identity because a trusted 3rd party has signed it, and only Vanguard is capable of communicating using that certificate.
Last time I checked, a few years ago, Comcast was using Domain Name System Security Extensions (DNSSEC). If it is not good enough, IETF will develop a new set that ISPs will adopt. Comcast has about 25 million broadband subscribers, and I am glad to use their default ISP. Hopefully, I am not the only one to use their default ISP!

The market is efficient. If CloudFlare is the best thing in town, ISPs like Comcast will use CloudFlare services to keep their customers happy. Until then, I will not jump to every mom-and-pop technology that comes out every day.
To see if you benefit from a DNSSEC resolver you can run the DNS resolver test:
https://dnssec.vs.uni-due.de/
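Two posts above make the same point from different sides: lazydavid's, that a stub resolver never sees the DNSSEC validation and only gets whatever bit the upstream resolver sets, and bampf's, that you can test whether your resolver validates at all. The mechanism behind both is the AD ("authenticated data") flag in the DNS reply header. The following is an added example, not code from the thread, the linked test site or any resolver project: it builds a query that asks for the AD bit, decodes the reply header, and classifies the result. The replies it parses are constructed header-only messages; the UDP helper at the end assumes whatever resolver address you hand it.

```python
"""Does your resolver say it validated DNSSEC, and can you believe it?

Added example (not from the thread or the linked test site). A stub resolver
never checks signatures itself; all it can see is the AD bit the recursive
resolver sets in the reply header (RFC 4035), and a client may set AD in its
query to ask for it (RFC 6840). Replies parsed below are constructed; ask()
needs a network and a resolver address you supply (an assumption here).
"""
import random
import socket
import struct

# DNS header flag bits (RFC 1035 / RFC 4035)
QR, TC, RD, RA, AD, CD = 0x8000, 0x0200, 0x0100, 0x0080, 0x0020, 0x0010
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}


def build_query(qname, qtype=1, want_ad=True):
    """Minimal wire-format query for qname/qtype (1 = A); returns (txid, bytes)."""
    txid = random.randrange(0x10000)
    flags = RD | (AD if want_ad else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    wire_name = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    ) + b"\x00"
    return txid, header + wire_name + struct.pack("!HH", qtype, 1)  # class IN


def parse_header(message):
    """Decode the 12-byte header into its flag bits and the answer count."""
    if len(message) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", message[:12])
    return {
        "id": txid,
        "qr": bool(flags & QR), "tc": bool(flags & TC),
        "rd": bool(flags & RD), "ra": bool(flags & RA),
        "ad": bool(flags & AD), "cd": bool(flags & CD),
        "rcode": flags & 0x000F, "answers": an,
    }


def validation_status(message, expected_id=None):
    """'validated' if the resolver set AD, 'unvalidated' if it answered without
    it, 'servfail' when the resolver refused (what a validating resolver returns
    for a name whose signatures do not check out), otherwise the rcode name."""
    h = parse_header(message)
    if expected_id is not None and h["id"] != expected_id:
        return "id-mismatch"          # not the reply to our question; discard it
    if not h["qr"]:
        return "not-a-response"
    if h["rcode"] == 2:
        return "servfail"
    if h["rcode"] != 0:
        return RCODES.get(h["rcode"], f"rcode-{h['rcode']}").lower()
    return "validated" if h["ad"] else "unvalidated"


def constructed_reply(txid, flags, answers=1):
    """Header-only reply, constructed for offline demonstration."""
    return struct.pack("!HHHHHH", txid, flags, 1, answers, 0, 0)


def ask(resolver_ip, qname, timeout=2.0):
    """Send one UDP query and classify the reply. Over plain UDP the AD bit is
    just a bit in an unauthenticated packet; it is only worth believing when the
    resolver is local (e.g. your own validating resolver on the router) or the
    transport is protected (DNS over TLS)."""
    txid, query = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver_ip, 53))
        reply, _addr = s.recvfrom(4096)
    return validation_status(reply, expected_id=txid)


if __name__ == "__main__":
    # Offline demonstration with constructed replies.
    for flags in (QR | RD | RA | AD, QR | RD | RA, QR | RD | RA | 2):
        print(hex(flags), validation_status(constructed_reply(7, flags), 7))
```

Read together with the thread: a resolver that validates returns AD for a correctly signed name and SERVFAIL for a name whose signatures are broken; a resolver that does not validate returns a normal answer without AD for both. But the AD bit is set by the resolver, not checked by you, so over an unencrypted path it tells you nothing about what happened between the resolver and your machine. That is exactly why the thread's two remedies, DNS over TLS to a resolver you trust or a validating resolver on your own router, are the ones that actually close the gap.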

RetiredAL
Posts: 134
Joined: Tue Jun 06, 2017 12:09 am
Location: SF Bay Area

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by RetiredAL » Wed Apr 11, 2018 3:29 pm

A good DNS source is important to all users.

Businesses willingly pay big bucks to get a managed/secure DNS service 1) to protect their systems from potentially harmful sites that serve up malware, 2) to prevent employees from going to Intellectual Property sites, movies, music, etc., that could result in them paying substantial $ in "shakedown" fees to the IP owners, 3) to prevent employees from accessing gray sites such as porn and hate. They pay for this service because it saves them money in the long run.

The site one gets junk from is not the page they requested. It's the plethora of linked data requests on that page, none of which you know the credibility of. Ever wonder where that offensive ad/picture came from when you accessed a legitimate page? Or your cell phone screen was taken over by the threatening screen that does not close? It most likely came from somewhere in all those buried links. It is not unusual for a page to have dozens of embedded hidden links in it.

So for home users, getting a decent DNS service helps protect your computers. If you apply this decent DNS to your home router, you can help prevent your kids from looking at sites you don't approve of, and depending on who you select, you could review DNS request logs. Your business likely already does this. There have been a few posts here about people caught up at work from communicating with competitors. This is one way they find out.

Companies like Cloudflare offer both regular DNS and Secure DNS. In Secure DNS, the DNS request is encrypted, but they both use the same filtered/managed DNS list. They are not the only ones who offer free personal-use DNS. Others are OpenDNS (Cisco), Comodo, Norton, and Google, to name a few. At a minimum, personal users should use Google DNS, if for no other reason than it's managed, although what they log is an unknown.

The absolute last person I'd trust for DNS is your ISP. The major cable companies will milk your data for the last cent they can get. They may be worse than the social media company in the news right now.

oneleaf
Posts: 2343
Joined: Mon Feb 19, 2007 5:48 pm

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by oneleaf » Wed Apr 11, 2018 4:13 pm

I agree Google or Cloudflare DNS are probably the way to go for most consumers. But if anyone is still concerned about relying on a 3rd party, you can actually resolve all of your queries without a public DNS server if you have the right router. With the default install of pfSense, you get a fantastic DNS Resolver, which will resolve all queries directly for you and cache it for your local network. I use it and have not noticed it to be any slower than using the Comcast or Google DNS servers. And by default, it also has DNSSEC enabled. Doing it this way with your own resolver trumps any DNS server in regards to reliability and accuracy, with a theoretical hit in performance, but should be negligible for most users.

Of course, this is more expensive and requires some more knowledge. You need a spare computer with two network jacks. I run my pfSense installation on an old Intel Atom motherboard with two network jacks. I threw in a spare drive and spare RAM and got it up and running for dirt cheap. And pfSense is easy to install and should work upon first boot with very good default settings, in regards to security.

Of course, this is hardly worth the hassle for this purpose alone, but it is one of many advantages to having high quality router software. You will have many more capabilities at your fingertips with pfSense, like content filtering, ad blocking, anti-virus, VPN.

bampf
Posts: 198
Joined: Thu Aug 04, 2016 6:19 pm

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by bampf » Wed Apr 11, 2018 4:24 pm

oneleaf wrote:
Wed Apr 11, 2018 4:13 pm
I agree Google or Cloudflare DNS are probably the way to go for most consumers. But if anyone is still concerned about relying on a 3rd party, you can actually resolve all of your queries without a public DNS server if you have the right router. With the default install of pfSense, you get a fantastic DNS Resolver, which will resolve all queries directly for you and cache it for your local network. I use it and have not noticed it to be any slower than using the Comcast or Google DNS servers. And by default, it also has DNSSEC enabled. Doing it this way with your own resolver trumps any DNS server in regards to reliability and accuracy, with a theoretical hit in performance, but should be negligible for most users.

Of course, this is more expensive and requires some more knowledge. You need a spare computer with two network jacks. I run my pfSense installation on an old Intel Atom motherboard with two network jacks. I threw in a spare drive and spare RAM and got it up and running for dirt cheap. And pfSense is easy to install and should work upon first boot with very good default settings, in regards to security.

Of course, this is hardly worth the hassle for this purpose alone, but it is one of many advantages to having high quality router software. You will have many more capabilities at your fingertips with pfSense, like content filtering, ad blocking, anti-virus, VPN.
Ah darn. (I would use another word but that would annoy the moderators). Now I have to go do this. You have tweaked my inner geek child. Will let you know what I figure out.

oneleaf
Posts: 2343
Joined: Mon Feb 19, 2007 5:48 pm

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by oneleaf » Wed Apr 11, 2018 4:37 pm

bampf wrote:
Wed Apr 11, 2018 4:24 pm
oneleaf wrote:
Wed Apr 11, 2018 4:13 pm
I agree Google or Cloudflare DNS are probably the way to go for most consumers. But if anyone is still concerned about relying on a 3rd party, you can actually resolve all of your queries without a public DNS server if you have the right router. With the default install of pfSense, you get a fantastic DNS Resolver, which will resolve all queries directly for you and cache it for your local network. I use it and have not noticed it to be any slower than using the Comcast or Google DNS servers. And by default, it also has DNSSEC enabled. Doing it this way with your own resolver trumps any DNS server in regards to reliability and accuracy, with a theoretical hit in performance, but should be negligible for most users.

Of course, this is more expensive and requires some more knowledge. You need a spare computer with two network jacks. I run my pfSense installation on an old Intel Atom motherboard with two network jacks. I threw in a spare drive and spare RAM and got it up and running for dirt cheap. And pfSense is easy to install and should work upon first boot with very good default settings, in regards to security.

Of course, this is hardly worth the hassle for this purpose alone, but it is one of many advantages to having high quality router software. You will have many more capabilities at your fingertips with pfSense, like content filtering, ad blocking, anti-virus, VPN.
Ah darn. (I would use another word but that would annoy the moderators). Now I have to go do this. You have tweaked my inner geek child. Will let you know what I figure out.
Hah! Well, if you have a spare computer, you might only need to buy a NIC card to get a second ethernet port in there and you are good to go (pfSense is free). However, do be sure you stick with Intel NICs. I was lucky enough that my old cheapo Atom motherboard had two Intel NICs already on it, so I got mine running easily and cheaply (a year and a half, running smooth).

SittingOnTheFence
Posts: 294
Joined: Sun Sep 27, 2015 5:30 pm

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by SittingOnTheFence » Wed Apr 11, 2018 4:44 pm

oneleaf wrote:
Wed Apr 11, 2018 4:13 pm
got it up and running for dirt cheap. And pfSense is easy to install and should work upon first boot with very good default settings, in regards to security.
+1
Rather than build, I bought their appliance. Not that expensive, love it.
But there is a learning curve if you want to go beyond default settings.
Very nice firewall.

RetiredAL
Posts: 134
Joined: Tue Jun 06, 2017 12:09 am
Location: SF Bay Area

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by RetiredAL » Wed Apr 11, 2018 6:41 pm

oneleaf wrote:
Wed Apr 11, 2018 4:13 pm
I agree Google or Cloudflare DNS are probably the way to go for most consumers. But if anyone is still concerned about relying on a 3rd party, you can actually resolve all of your queries without a public DNS server if you have the right router. With the default install of pfSense, you get a fantastic DNS Resolver, which will resolve all queries directly for you and cache it for your local network. I use it and have not noticed it to be any slower than using the Comcast or Google DNS servers. And by default, it also has DNSSEC enabled. Doing it this way with your own resolver trumps any DNS server in regards to reliability and accuracy, with a theoretical hit in performance, but should be negligible for most users.......
oneleaf,

What you are missing by doing yourself with pfSense or similar, is the professional list management, where badboy Addresses/Names are blocked (not resolved) because somebody already knows that address is a trouble-maker. That managed list is the added security you get. Remember, a typical viewed page may have many tens of buried links on it, and those are much more risky than the prime page.

As a side-shoot example, the company I worked for before retiring, according to the in-house security people, rejected 98% of the inbound e-mail because the "bought e-mail filter service" knew what originating addresses were spam mail or worse. When I left, they were installing Cisco Internet Gateways with managed DNS to prevent any company computer from accessing a site that the company thought might cause risk to the company, relying heavily on that vendor's list of known addresses to avoid. After all, the vendor (Cisco) has the advantage of seeing a much wider range of requests from its many other customers, not just one company.

Dakotah
Posts: 67
Joined: Sun Jun 13, 2010 9:28 pm

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by Dakotah » Wed Apr 11, 2018 6:56 pm

I made the switch to CloudFlare from OpenDNS today. It's probably a coincidence, but the buffering issues I've been having on Playstation Vue the last few weeks seems to have disappeared. One reason I liked OpenDNS was the anti-malware aspect of it, but I think I have enough defense-in-depth in place to be able to sacrifice that in exchange for a bit of privacy and speed.

Shikoku
Posts: 270
Joined: Fri Oct 27, 2017 11:01 pm
Location: USA

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by Shikoku » Wed Apr 11, 2018 7:42 pm

lazydavid wrote:
Wed Apr 11, 2018 12:12 pm
Shikoku wrote:
Wed Apr 11, 2018 10:52 am
Last time I checked a few years ago, Comcast was using Domain Name System Security Extensions (DNSSEC). If it is not good enough, IETF will develop a new set that ISPs will adopt. Comcast has about 25 million broadband subscribers, and I am glad to use their default ISP. Hopefully, I am not the only one to use their default ISP!
Have you installed and configured a DNSSEC resolver on all of your machines? Because it's not built into most operating systems. If you haven't--which I assume is the case since you flipped out when you saw the word INSTALL associated with this topic--then it doesn't really matter if they support DNSSEC or not.
Of course, I did. And I have been using DNSSEC resolver for a long time. Here is my test result dated 4/11/2018: DNSSEC-Resolver-Test--Shikoku.pdf
We make so many assumptions.
"I don't worry too much about pointing fingers at the past. I operate on the theory that every saint has a past, every sinner has a future." -- Warren Buffett

Shikoku
Posts: 270
Joined: Fri Oct 27, 2017 11:01 pm
Location: USA

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by Shikoku » Wed Apr 11, 2018 8:16 pm

bampf wrote:
Wed Apr 11, 2018 12:36 pm
lazydavid wrote:
Wed Apr 11, 2018 12:12 pm
Shikoku wrote:
Wed Apr 11, 2018 10:52 am
Last time I checked a few years ago, Comcast was using Domain Name System Security Extensions (DNSSEC). If it is not good enough, IETF will develop a new set that ISPs will adopt. Comcast has about 25 million broadband subscribers, and I am glad to use their default ISP. Hopefully, I am not the only one to use their default ISP!
Have you installed and configured a DNSSEC resolver on all of your machines? Because it's not built into most operating systems. If you haven't--which I assume is the case since you flipped out when you saw the word INSTALL associated with this topic--then it doesn't really matter if they support DNSSEC or not. Which they do, but they sign their own sites and strip the security from any ones they don't own. So it doubly doesn't matter, because you can't actually directly use it anyway. It buys you almost nothing.

Don't get me wrong, I use Comcast's DNS too. Because I'm lazy and it works well enough. But rejecting any other option because of some sort of sense of trust or inherent security is at best misguided. Especially when they've been caught multiple times manipulating DNS queries to display advertising, or to limit access to high-bandwidth services. And given that your machine never sees the DNSSEC validation, you still have no assurance that the result you receive is the same one Comcast did. It could have been manipulated by them, or any of your neighbors.

I'm also not saying that CloudFlare is the best thing out there. But they're far from some unknown upstart as you keep implying. They do have an almost decade-long history of actions that increase general internet security, in a wide variety of aspects. Cloudflare is both the world's second largest DDoS security provider with 7+ million corporate customers, as well as the 5th largest content distribution network. A full 10% of all web traffic passes through their servers. This is not a guy working out of his mom's basement. Comcast on the other hand has a multi-decade long history of actions that increase its profitability, in most cases at its consumers' expense (both literally and figuratively) in the form of higher prices and reduced competition. So much so that it had to abandon its merger plans with Time Warner to avoid a DOJ antitrust lawsuit. They prove on an almost daily basis that they do not have your best interests in mind.
I believe that there is literally nothing you can say will change this individual's mind. I won't tell you to stop since it is probably educating other folks, but, as Scott Adams put it, "Nothing makes [someone] argue harder than being proven wrong."
bampf,
I really like this quote. :wink:
"I don't worry too much about pointing fingers at the past. I operate on the theory that every saint has a past, every sinner has a future." -- Warren Buffett

lazydavid
Posts: 1759
Joined: Wed Apr 06, 2016 1:37 pm

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by lazydavid » Wed Apr 11, 2018 9:16 pm

bampf wrote:
Wed Apr 11, 2018 12:36 pm
I believe that there is literally nothing you can say will change this individual's mind. I won't tell you to stop since it is probably educating other folks, but, as Scott Adams put it, "Nothing makes [someone] argue harder than being proven wrong."
You are exactly right. I tried, but am now throwing in the towel. I'll stop trying to educate the unwilling about such things and go back to my day job implementing and maintaining them :mrgreen:

Shikoku
Posts: 270
Joined: Fri Oct 27, 2017 11:01 pm
Location: USA

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by Shikoku » Wed Apr 11, 2018 9:59 pm

oneleaf wrote:
Tue Apr 10, 2018 10:14 pm
Cloudflare has been around, and are one of the most trusted authoritative DNS providers in the world and have been for years (the recursive DNS offering we are talking about in this thread is new).
oneleaf,
I am unsure what you mean by 'new'. MIT Laboratory for Computer Science published the following article in 2002 and found recursive DNS lookups. I read about recursive DNS lookups before that. So 15+ years - not so new.

Article: DNS Performance and the Effectiveness of Caching, IEEE/ACM Transactions on Networking (Volume: 10, Issue: 5, Oct 2002).
https://ieeexplore.ieee.org/document/1041066/authors
https://www.cc.gatech.edu/classes/AY200 ... on2002.pdf

Quoted from the above article:
This method correctly captures the list of servers contacted for iterative lookups, but not for recursive lookups. Most lookups in the MIT traces are iterative; we eliminated the small number of hosts which sent recursive lookups to name servers outside the traced network.
"I don't worry too much about pointing fingers at the past. I operate on the theory that every saint has a past, every sinner has a future." -- Warren Buffett

oneleaf
Posts: 2343
Joined: Mon Feb 19, 2007 5:48 pm

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by oneleaf » Wed Apr 11, 2018 10:06 pm

Shikoku wrote:
Wed Apr 11, 2018 9:59 pm
oneleaf wrote:
Tue Apr 10, 2018 10:14 pm
Cloudflare has been around, and are one of the most trusted authoritative DNS providers in the world and have been for years (the recursive DNS offering we are talking about in this thread is new).
oneleaf,
I am unsure what you mean by 'new'. MIT Laboratory for Computer Science published the following article in 2002 and found recursive DNS lookups. I read about recursive DNS lookups before that. So 15+ years - not so new.
Well duh, you sure are digging deep to find something to argue about. I am saying this is a new offering from Cloudflare. No one is claiming this is a new concept. I'm just saying Cloudflare has been in the authoritative DNS business for a long time, and felt a need to clarify that this is different than their new offering - a recursive DNS service. New for Cloudflare, but not a new invention.

Shikoku
Posts: 270
Joined: Fri Oct 27, 2017 11:01 pm
Location: USA

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by Shikoku » Wed Apr 11, 2018 10:28 pm

oneleaf wrote:
Wed Apr 11, 2018 10:06 pm
Shikoku wrote:
Wed Apr 11, 2018 9:59 pm
oneleaf wrote:
Tue Apr 10, 2018 10:14 pm
Cloudflare has been around, and are one of the most trusted authoritative DNS providers in the world and have been for years (the recursive DNS offering we are talking about in this thread is new).
oneleaf,
I am unsure what you mean by 'new'. MIT Laboratory for Computer Science published the following article in 2002 and found recursive DNS lookups. I read about recursive DNS lookups before that. So 15+ years - not so new.
Well duh, you sure are digging deep to find something to argue about. I am saying this is a new offering from Cloudflare. No one is claiming this is a new concept. I'm just saying Cloudflare has been in the authoritative DNS business for a long time, and felt a need to clarify that this is different than their new offering - a recursive DNS service. New for Cloudflare, but not a new invention.
I agree.

As I have noted earlier, my ISP offers DNSSEC, and I have been using DNSSEC resolver which has been verified by https://dnssec.vs.uni-due.de/ (a PDF file has been posted up-thread).
Yes, your DNS resolver validates DNSSEC signatures.
Am I exposed to so much risk?
"I don't worry too much about pointing fingers at the past. I operate on the theory that every saint has a past, every sinner has a future." -- Warren Buffett

KyleAAA
Posts: 6675
Joined: Wed Jul 01, 2009 5:35 pm

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by KyleAAA » Wed Apr 11, 2018 10:58 pm

Shikoku wrote:
Wed Apr 11, 2018 10:52 am
lazydavid wrote:
Wed Apr 11, 2018 5:40 am
Shikoku wrote:
Tue Apr 10, 2018 10:03 pm
When I enter vanguard.com in my browser, Comcast's DNS lookup returns IP address 192.175.191.200. I might disagree with my Comcast bill but I trust the IP address they return and the webpage I visit as a result of my browser receiving the IP address; I am happy to enter my username and password to do my business. I do not have the same level of trust with a small private company such as CloudFlare. So it is not me who is going to use 1.1.1.1 as my DNS.
This further confirms that you do not have the slightest clue what you are talking about. DNS is quite literally the least secure protocol on the entire internet. It's incredibly easy to hijack, and nearly every ISP (including Comcast) has been caught tampering with it. We have been trying with very limited success to add some level of security to DNS for almost two decades. If you are relying on a DNS response from ANYONE to establish trust, you are doing it wrong. It is not intended for that purpose and EVERY SINGLE security expert will tell you this is a bad idea.

Trust is established by the certificate that Vanguard.com presents being issued by a Certificate Authority that you (via your browser) trust. It confirms their identity because a trusted 3rd party has signed it, and only Vanguard is capable of communicating using that certificate.
Last time I checked a few years ago, Comcast was using Domain Name System Security Extensions (DNSSEC). If it is not good enough, IETF will develop a new set that ISPs will adopt. Comcast has about 25 million broadband subscribers, and I am glad to use their default ISP. Hopefully, I am not the only one to use their default ISP!

The market is efficient. If CloudFlare is the best thing in town, ISPs like Comcast will use CloudFlare services to keep their customers happy. Until then, I will not jump to every mom-and-pop technology that comes out every day.
Did you just refer to the broadband internet market as efficient? The same market where most consumers have at most 2 viable options, and many have only 1?

SittingOnTheFence
Posts: 294
Joined: Sun Sep 27, 2015 5:30 pm

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by SittingOnTheFence » Thu Apr 12, 2018 12:34 am

RetiredAL wrote:
Wed Apr 11, 2018 6:41 pm
What you are missing by doing yourself with pfSense or similar, is the professional list management, where badboy Addresses/Names are blocked (not resolved) because somebody already knows that address is a trouble-maker.
Not in this case. pfSense #1) blocks all inbound unless allowed or requested. #2) has a large number of configurable plugin choices that have actively maintained badboy lists that you can use if you feel it necessary. You need to check out the capabilities of pfSense before saying what (you think) it won't do. It is a highly respected solution within the community of folks that understand how the Internet works.

Enkidu
Posts: 198
Joined: Mon Jun 02, 2014 8:48 am

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by Enkidu » Thu Apr 12, 2018 5:30 pm

Does anyone know if changing DNS to 1.1.1.1 in the ISP router will change the DNS for all devices that use the router?

Do you have to change DNS address for each device, and the router?

What if the router is set for the ISP DNS but you change a device to 1.1.1.1? What takes precedence, router or device?

AntsOnTheMarch
Posts: 610
Joined: Mon May 29, 2017 5:47 pm

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by AntsOnTheMarch » Thu Apr 12, 2018 5:42 pm

Enkidu wrote:
Thu Apr 12, 2018 5:30 pm
Does anyone know if changing DNS to 1.1.1.1 in the ISP router will change the DNS for all devices that use the router?

Do you have to change DNS address for each device, and the router?

What if the router is set for the ISP DNS but you change a device to 1.1.1.1? What takes precedence, router or device?
My understanding is that if you change the router, it’s good for every device accessing it. If you change a device, it takes precedence over router for that device only. I tested on one device and when satisfied, changed router without changing the rest of the devices.

siamond
Posts: 4156
Joined: Mon May 28, 2012 5:50 am

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by siamond » Thu Apr 12, 2018 6:23 pm

Thanks, Moshe. Good to know.

RetiredAL
Posts: 134
Joined: Tue Jun 06, 2017 12:09 am
Location: SF Bay Area

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by RetiredAL » Thu Apr 12, 2018 7:36 pm

SittingOnTheFence wrote:
Thu Apr 12, 2018 12:34 am
RetiredAL wrote:
Wed Apr 11, 2018 6:41 pm
What you are missing by doing yourself with pfSense or similar, is the professional list management, where badboy Addresses/Names are blocked (not resolved) because somebody already knows that address is a trouble-maker.
Not in this case. pfSense #1) blocks all inbound unless allowed or requested. #2) has a large number of configurable plugin choices that have actively maintained badboy lists that you can use if you feel it necessary. You need to check out the capabilities of pfSense before saying what (you think) it won't do. It is a highly respected solution within the community of folks that understand how the Internet works.
Mr Fence:

Glad to hear there is better functionality - item #2 - than what the pfSense web page alludes to. When I read the term blacklist, it reminded me of the ancient days when we managed the HOSTS file, not the concept of a professional actively managed bad-boy list.

I got a fair amount of experience using HOSTS files to stop/slow down inappropriate internet access. It was cumbersome at best and getting reliable HOSTS files was problematic, as they quickly went out of date. Background: We had about a dozen PCs that were shared by multiple people per shift, on rotating shifts, in a manufacturing environment. Besides using HOSTS files, we'd periodically download the PCs' history files and quickly parse the list looking for common terms associated with inappropriate sites. When we found a PC that had been places it should not have been, we modified the HOSTS file to block access, typically by re-directing that site name to a local picture file of the Plant Manager's face. Even doing that on just a single PC brought plant-wide results, as the word was spread quickly that Al was checking again. I did a similar thing with telephone calls, routing them either to the Guard's Office or the Shift Supervisor's Desk. Imagine the surprise of the poor bloke who had been calling the Netherlands when his Supervisor answered the phone, and they were within eyeshot of each other, but the Super only thought he got a dead-air call and never looked up. This was all long before the IT functions and controls got centralized and such functions became bought items from a vendor.

moshe
Posts: 454
Joined: Thu Dec 12, 2013 1:18 pm
Location: Boston, MA

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by moshe » Thu Apr 12, 2018 7:46 pm

siamond wrote:
Thu Apr 12, 2018 6:23 pm
Thanks, Moshe. Good to know.
Very welcome siamond!

:beer
My money has no emotions. ~Moshe | | I'm the world's greatest expert on my own opinion. ~Bruce Williams

LadyGeek
Site Admin
Posts: 47453
Joined: Sat Dec 20, 2008 5:34 pm
Location: Philadelphia

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by LadyGeek » Thu Apr 12, 2018 8:06 pm

bampf wrote:
Wed Apr 11, 2018 4:24 pm
Ah darn. (I would use another word but that would annoy the moderators).
Thanks. :D

========================
My favorite security podcast, GRC | Security Now! has discussed Cloudflare. The sn-657 show notes lead to his DNS Nameserver Performance Benchmark.

My DNS server is hosted by my local Verizon FiOS router, which is not what I expected. :shock: The router has 2 public DNS servers listed, but I don't see how to change them. I've got some research to do. :annoyed

Both the quad 9 (9.9.9.9) and Cloudflare's 1.1.1.1 are included in the benchmark, with 9.9.9.9 coming in faster than 1.1.1.1.

FYI - The tool runs in Linux under WINE.
To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.

moshe
Posts: 454
Joined: Thu Dec 12, 2013 1:18 pm
Location: Boston, MA

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by moshe » Thu Apr 12, 2018 8:32 pm

LadyGeek wrote:
Thu Apr 12, 2018 8:06 pm
bampf wrote:
Wed Apr 11, 2018 4:24 pm
Ah darn. (I would use another word but that would annoy the moderators).
Thanks. :D

========================
My favorite security podcast, GRC | Security Now! has discussed Cloudflare. The sn-657 show notes lead to his DNS Nameserver Performance Benchmark.

My DNS server is hosted by my local Verizon FiOS router, which is not what I expected. :shock: The router has 2 public DNS servers listed, but I don't see how to change them. I've got some research to do. :annoyed

Both the quad 9 (9.9.9.9) and Cloudflare's 1.1.1.1 are included in the benchmark, with 9.9.9.9 coming in faster than 1.1.1.1.

FYI - The tool runs in Linux under WINE.
Hi,

Can you change the default DNS servers handed out by the DHCP service for your local LAN participants? No need to change the default DNS servers the router itself uses.

~Moshe
My money has no emotions. ~Moshe | | I'm the world's greatest expert on my own opinion. ~Bruce Williams

lazydavid
Posts: 1759
Joined: Wed Apr 06, 2016 1:37 pm

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by lazydavid » Thu Apr 12, 2018 9:14 pm

Enkidu wrote:
Thu Apr 12, 2018 5:30 pm
Does anyone know if changing DNS to 1.1.1.1 in the ISP router will change the DNS for all devices that use the router?

Do you have to change DNS address for each device, and the router?

What if the router is set for the ISP DNS but you change a device to 1.1.1.1? What takes precedence, router or device?
It depends on how the devices are configured. The most common way that consumer routers are configured is that they issue IP addresses to clients (computers, tablets, etc) on the network, including setting themselves as the DNS server. If that is the way you're set up, then making the change in the router automatically applies it to requests coming from the client.

The next most common way is for the router to issue IP addresses and the public DNS servers that the clients should use. In this case you would want to make the change on the router, but under the DHCP (Dynamic Host Configuration Protocol) settings menu. Then it would take effect the next time a client requested or renewed its lease on the IP address it's been issued--there are several ways to force it, including rebooting.

The least common way is for each client to be configured statically. In this case you'd have to make the change manually on every client.

But to answer your question, if both the client and the router have been manually configured, the client's configuration wins. Unless the router is configured to do DNS doctoring/hijacking. But if you were doing that, you'd know. :)
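A quick way to tell which of the three setups described above a Linux client is actually in is to look at which addresses its stub resolver is configured with. The following is an added example, not code from the thread or from any project mentioned in it; the three resolv.conf texts are constructed samples, and the classification rule (private or link-local address means "the router is doing DNS for you", globally routable means "the client talks to a public resolver directly", 127.x means a local stub such as systemd-resolved that hides the real upstream) is this example's own.

```python
import ipaddress
from typing import Dict, List

# Constructed sample contents of /etc/resolv.conf (not from any real machine).
# Scenario 1 from the post: the router hands itself out as the DNS server.
SAMPLE_ROUTER_AS_DNS = """\
# Generated by NetworkManager
search lan
nameserver 192.168.1.1
"""

# Scenario 2/3: the client was given (by DHCP or by hand) public resolvers.
SAMPLE_PUBLIC_DNS = """\
nameserver 1.1.1.1
nameserver 9.9.9.9
"""

# A mixed list: the second entry is only a fallback, but glibc will use it
# whenever the first one times out, so queries can quietly take either path.
SAMPLE_MIXED = """\
nameserver 192.168.1.1
nameserver 8.8.8.8
"""


def parse_nameservers(resolv_conf: str) -> List[str]:
    """Return the nameserver addresses listed in resolv.conf text, in order."""
    servers = []
    for raw in resolv_conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def classify_resolver(addr: str) -> str:
    """Classify one resolver address by where the query will actually go.

    'stub'   - loopback: a local caching stub (systemd-resolved, dnsmasq, ...)
               whose real upstream has to be read from that stub's own config.
    'local'  - RFC 1918 / link-local: the home router forwards or resolves.
    'public' - anything globally routable: the client talks to it directly.
    """
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "stub"
    if ip.is_private or ip.is_link_local:
        return "local"
    return "public"


def describe_setup(resolv_conf: str) -> Dict[str, object]:
    """Summarise a resolv.conf: which servers, their kinds, and the overall mode.

    mode is 'via-router' when every server is local (changing the router's own
    upstream DNS is what takes effect), 'direct' when every server is public
    (the DHCP option or the client's static setting is what matters),
    'stub' when a loopback stub is in front, and 'mixed' otherwise.
    """
    servers = parse_nameservers(resolv_conf)
    kinds = {s: classify_resolver(s) for s in servers}
    distinct = set(kinds.values())
    if not servers:
        mode = "none"
    elif distinct == {"local"}:
        mode = "via-router"
    elif distinct == {"public"}:
        mode = "direct"
    elif "stub" in distinct:
        mode = "stub"
    else:
        mode = "mixed"
    return {"nameservers": servers, "kinds": kinds, "mode": mode}


if __name__ == "__main__":
    for label, text in [("router", SAMPLE_ROUTER_AS_DNS),
                        ("public", SAMPLE_PUBLIC_DNS),
                        ("mixed", SAMPLE_MIXED)]:
        print(label, describe_setup(text))
```

The "mixed" case is the one worth catching: a client that lists both the router and a public resolver will use whichever answers, so changing the DNS server in only one of the two places does not guarantee every query goes where you think.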

SittingOnTheFence
Posts: 294
Joined: Sun Sep 27, 2015 5:30 pm

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by SittingOnTheFence » Fri Apr 13, 2018 12:46 am

RetiredAL wrote:
Thu Apr 12, 2018 7:36 pm
Mr Fence:

Glad to hear there is better functionality - item #2 - than what the pfSense web page alludes to. When I read the term blacklist, it reminded me of the ancient days when we managed the HOSTS file, not the concept of a professional actively managed bad-boy list.
The blacklisting is achieved by dumping the offending IP address to a virtual IP (i.e. 10.10.1.1 or others in the private subnet ranges).
The pfSense package I'm using (there are others) is pfBlockerNG. One of the 'master' lists is this text file: https://raw.githubusercontent.com/Steve ... ster/hosts
There are many more and there are some tutorials on youtube that helped me configure the DNSBL.
we modified the HOSTS file to block access, typically by re-directing that site name to a local picture file of the Plant Manager's face. Even doing that on just a single PC brought plant wide results, as the word was spread quickly that Al was checking again.
Very nice. That's a hoot.
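To make concrete what a hosts-format blocklist feeding a DNS sinkhole actually does, here is an added example (not pfBlockerNG's code, nor from anyone in the thread): it parses a constructed excerpt in the same layout as the public hosts lists, and answers listed names with the virtual IP mentioned above instead of forwarding them upstream. The domain names in the sample list are made up, the upstream resolver is a constructed lookup table, and matching a query's parent domains against the list is this example's own choice (plain hosts lists are exact-match).

```python
from typing import Callable, Dict, Set, Tuple

# Constructed excerpt in hosts-file format; the hostnames are invented.
SAMPLE_HOSTS_LIST = """\
# Title: constructed example blocklist
127.0.0.1 localhost
::1 localhost ip6-localhost
0.0.0.0 ads.example-tracker.test
0.0.0.0 cdn.example-tracker.test   # inline comment
0.0.0.0 malware-drop.example.test
"""

# The "virtual IP" blocked names resolve to, as described in the post.
SINKHOLE_IP = "10.10.1.1"

# Addresses a hosts file uses to mean "black-hole this name".
_BLOCK_TARGETS = {"0.0.0.0", "127.0.0.1", "::1", "::"}
# Names that appear in every hosts file and are not block entries.
_SKIP_NAMES = {"localhost", "localhost.localdomain", "local",
               "broadcasthost", "ip6-localhost", "ip6-loopback"}


def parse_hosts_blocklist(text: str) -> Set[str]:
    """Return the set of hostnames a hosts-format list wants sinkholed."""
    blocked: Set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2 or parts[0] not in _BLOCK_TARGETS:
            continue
        for name in parts[1:]:
            name = name.lower().rstrip(".")
            if name not in _SKIP_NAMES:
                blocked.add(name)
    return blocked


def resolve_with_dnsbl(qname: str, blocked: Set[str],
                       upstream: Callable[[str], str]) -> Tuple[str, str]:
    """Answer like a DNSBL-enabled resolver: sinkhole listed names (or any
    subdomain of a listed name, this example's choice), else ask upstream."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocked:
            return SINKHOLE_IP, "sinkholed"
    return upstream(qname), "forwarded"


# Constructed stand-in for the real upstream resolver (documentation-range IPs).
_FAKE_UPSTREAM: Dict[str, str] = {
    "www.example.test": "203.0.113.10",
    "example.test": "203.0.113.11",
}


def fake_upstream(qname: str) -> str:
    """Look the name up in the constructed table; NXDOMAIN is modelled as ''."""
    return _FAKE_UPSTREAM.get(qname.lower().rstrip("."), "")


if __name__ == "__main__":
    blocked = parse_hosts_blocklist(SAMPLE_HOSTS_LIST)
    for q in ["cdn.example-tracker.test", "www.example.test",
              "a.malware-drop.example.test", "example.test"]:
        print(q, resolve_with_dnsbl(q, blocked, fake_upstream))
```

Note that a listed child domain does not block its parent: `malware-drop.example.test` being on the list leaves `example.test` itself resolving normally, which is the behaviour you want from a block list that is only as precise as its entries.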

richardglm
Posts: 260
Joined: Sun Jan 04, 2015 9:42 pm

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by richardglm » Fri Apr 13, 2018 1:34 am

I am well familiar with Cloudflare's professional (=paid) products. It's correct that they're among the most reputable in the industry. Their entire business model is delivering secure and reliable internet services to large scale websites and anything sketchy or shady would undermine that.

All DNS providers including your ISP will keep usage logs and analytics. The difference here is that Cloudflare is being straightforward with how they plan to privatize and use the data for research.

They are probably doing this to try to increase the responsiveness of page loading. Companies pay Cloudflare a lot of money to optimize the loading latency of their site and Cloudflare spends a lot to make that happen. But then the DNS query becomes the bottleneck.

The security and privacy bonus is probably a side perk. Cloudflare is not in the advertising business the way Google or Facebook is, but rather is more like Apple. They want people to view the internet (and Cloudflare products) as a secure platform for everything. If people don't see the internet as secure and won't use it, then companies don't need Cloudflare's security products.

ausmatt
Posts: 75
Joined: Sun Jan 02, 2011 1:53 pm

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by ausmatt » Fri Apr 13, 2018 5:07 am

mattsm wrote:
Sun Apr 08, 2018 10:22 pm
Also, FWIW DNS queries go to your ISP if not these services. ISPs are known to do way worse things than Google DNS services for example.

Also, each page you load likely loads 100's of DNS queries not 1 per page... and not only that most browsers speculatively fetch DNS results as well. So it is a noticeable difference.

Not comparing CloudFare vs. Google but they are both likely much better than your ISP.
THIS!!

jalbert
Posts: 3585
Joined: Fri Apr 10, 2015 12:29 am

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by jalbert » Fri Apr 13, 2018 6:55 pm

Your DNS requests travel over the fiber or copper provided by your ISP. They have your DNS requests if they want them whether or not you use their DNS servers. Why give them to yet another player who you don’t really know?
Index fund investor since 1987.

LadyGeek
Site Admin
Posts: 47453
Joined: Sat Dec 20, 2008 5:34 pm
Location: Philadelphia

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by LadyGeek » Fri Apr 13, 2018 8:56 pm

moshe wrote:
Thu Apr 12, 2018 8:32 pm
LadyGeek wrote:
Thu Apr 12, 2018 8:06 pm
...My DNS server is hosted by my local Verizon FiOS router, which is not what I expected. :shock: The router has 2 public DNS servers listed, but I don't see how to change them. I've got some research to do. :annoyed
...
Hi,

Can you change the default DNS servers handed out by the DHCP service for your local LAN participants? No need to change the default DNS servers the router itself uses.

~Moshe
Yes, thanks. I figured it out. Actually, it's been so long since I first set this up, I forgot how I did it. :oops:

Working in Linux, I first reconfigured my DNS away from my router to quad9 (9.9.9.9) and Cloudflare (1.1.1.1). This stopped the benchmark from complaining about the overhead imposed by my router. Then, I manually added my ISP's DNS server IP addresses to the benchmark.

I fed both of the Verizon DNS addresses (and backup servers)* into the GRC's | DNS Nameserver Performance Benchmark

The results are in:

#1 Verizon FiOS - without Verizon Assist (as it's supposed to work), full green status
#2 Verizon FiOS - with Verizon Assist (annoying ads), orange status - confirming this is a marketing and revenue generator
#3 NTT-Communications
#4 Quad9
#5 Google
#6 OpenDNS
#7 CloudFlare

So far, I'll stick with my non-ad supported ISP.
=========
* A tip for Verizon FiOS users: If you don't like Verizon intruding on your web browser whenever a bad website address is entered (called "Verizon Assist"), it can easily be disabled by changing the DNS server address lower bytes from 12 to 14.

For example:
xx.xxx.0.12 - an invalid web address will return Verizon's annoying ad space.
xx.xxx.0.14 - an invalid web address will return a blank page (as it's supposed to)
To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.

Shikoku
Posts: 270
Joined: Fri Oct 27, 2017 11:01 pm
Location: USA

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by Shikoku » Fri Apr 13, 2018 10:25 pm

lazydavid wrote:
Wed Apr 11, 2018 5:40 am
Shikoku wrote:
Tue Apr 10, 2018 10:03 pm
When I enter vanguard.com in my browser, Comcast's DNS lookup returns IP address 192.175.191.200. I might disagree with my Comcast bill but I trust the IP address they return and the webpage I visit as a result of my browser receiving the IP address; I am happy to enter my username and password to do my business. I do not have the same level of trust with a small private company such as CloudFlare. So it is not me who is going to use 1.1.1.1 as my DNS.
This further confirms that you do not have the slightest clue what you are talking about. DNS is quite literally the least secure protocol on the entire internet. It's incredibly easy to hijack, and nearly every ISP (including Comcast) has been caught tampering with it. We have been trying with very limited success to add some level of security to DNS for almost two decades. If you are relying on a DNS response from ANYONE to establish trust, you are doing it wrong. It is not intended for that purpose and EVERY SINGLE security expert will tell you this is a bad idea.

Trust is established by the certificate that Vanguard.com presents being issued by a Certificate Authority that you (via your browser) trust. It confirms their identity because a trusted 3rd party has signed it, and only Vanguard is capable of communicating using that certificate.
lazydavid,

Can you elaborate on why you think I do not have the slightest clue what I am talking about? What am I doing wrong by accessing my accounts the way I have stated?

As I have noted earlier, my ISP offers DNSSEC, and I have been a long-time user of DNSSEC resolver. The DNSSEC Resolver Test at https://dnssec.vs.uni-due.de/ on my computer -- a Linux machine -- produces the following result:
Yes, your DNS resolver validates DNSSEC signatures.
Here is the test result dated 4/11/2018: Shikoku's DNSSEC Resolver Test Result.
"I don't worry too much about pointing fingers at the past. I operate on the theory that every saint has a past, every sinner has a future." -- Warren Buffett

lazydavid
Posts: 1759
Joined: Wed Apr 06, 2016 1:37 pm

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by lazydavid » Sun Apr 15, 2018 11:03 am

Shikoku wrote:
Fri Apr 13, 2018 10:25 pm
lazydavid wrote:
Wed Apr 11, 2018 5:40 am
Shikoku wrote:
Tue Apr 10, 2018 10:03 pm
When I enter vanguard.com in my browser, Comcast's DNS lookup returns IP address 192.175.191.200. I might disagree with my Comcast bill but I trust the IP address they return and the webpage I visit as a result of my browser receiving the IP address; I am happy to enter my username and password to do my business. I do not have the same level of trust with a small private company such as CloudFlare. So it is not me who is going to use 1.1.1.1 as my DNS.
This further confirms that you do not have the slightest clue what you are talking about. DNS is quite literally the least secure protocol on the entire internet. It's incredibly easy to hijack, and nearly every ISP (including Comcast) has been caught tampering with it. We have been trying with very limited success to add some level of security to DNS for almost two decades. If you are relying on a DNS response from ANYONE to establish trust, you are doing it wrong. It is not intended for that purpose and EVERY SINGLE security expert will tell you this is a bad idea.

Trust is established by the certificate that Vanguard.com presents being issued by a Certificate Authority that you (via your browser) trust. It confirms their identity because a trusted 3rd party has signed it, and only Vanguard is capable of communicating using that certificate.
lazydavid,

Can you elaborate on why you think I do not have the slightest clue what I am talking about? What am I doing wrong by accessing my accounts the way I have stated?

As I have noted earlier, my ISP offers DNSSEC, and I have been a long-time user of DNSSEC resolver. The DNSSEC Resolver Test at https://dnssec.vs.uni-due.de/ on my computer -- a Linux machine -- produces the following result:
Yes, your DNS resolver validates DNSSEC signatures.
Here is the test result dated 4/11/2018: Shikoku's DNSSEC Resolver Test Result.
Well that was infuriating. Spent almost an hour writing a response, and then the site went down so I lost it all. :annoyed Here it is again, more or less:

I had asked if you had installed a DNSSEC resolver on your computer. Since you're running Linux, that would be something like Unbound: https://packages.debian.org/search?keywords=unbound You said yes, you were using Comcast's DNSSEC resolver. There is a major disconnect here. So here's what happens when you do a lookup on vanguard.com:

You send an old-school unencrypted DNS request to 75.75.75.75 (Comcast's primary DNS server). They do a recursive lookup, receive the signed record, validate it and then strip the signature. They send it back to you in plaintext. The results can be tampered with at the DNS server (which Comcast has an established history of doing, though admittedly not for vanguard specifically), or at any point in between the server and you. This is especially true in your own neighborhood, where all subscribers using your same node (usually a few hundred to a few thousand) have access to all of your traffic.

In the olden times, wax seals would be used to authenticate messages. When you received a scroll that was ostensibly from me, you would confirm that my seal was intact on it, then break the seal and read the message, confident that it had not been altered in transit. This is the same way that SSL/TLS certificates on websites still work today. The way transparent DNSSEC resolvers work, the original scroll doesn't make its way back to you. It goes to a central clearinghouse that validates the seal, opens the scroll, copies the message onto a sheet of notebook paper, and hands it off to another messenger. You can't validate yourself that I sent the message, you have to trust that it hasn't been altered in transit because the messenger is wearing a Comcast tunic.

I'm not saying you're doing anything wrong. As I mentioned above, I use Comcast's DNS servers at home also. But your trust is misplaced. You shouldn't trust that you're interacting with Vanguard because you received an unencrypted, unauthenticated DNS lookup from a remote server that does DNSSEC validation. It's better than nothing, but is still very far from a guarantee. You should trust that you're interacting with Vanguard because the certificate your browser received from Vanguard.com was issued to "The Vanguard Group, Inc." by the COMODO certificate authority (not my favorite CA, but they are legit), and further because it is an EV (Extended Validation) cert, which means that the CA had to take several additional steps to ensure that they were issuing the certificate to the correct party. When you see that certificate, you know with absolute certainty that you are communicating with Vanguard directly, and that no one in between you and them can view or alter the information being sent back and forth.

If you want to rely on DNS for security, the only true way is to do DNSSEC validation yourself. The easiest method is to have your router/firewall do it for you, like has been mentioned upthread with pfSense, but you could install DNSSEC resolver software on every client as well. The next best thing is to use DNS over TLS to a trusted DNSSEC resolver. This encrypts and authenticates your DNS traffic between you and the resolver, and ensures that the only places the response can be tampered with are at the DNS server itself or directly on your machine. Comcast does not offer this, but both Cloudflare (1.1.1.1) and Quad9 (9.9.9.9) do. Cloudflare also supports the newer DNS over HTTPS, (which has the unfortunate acronym of DoH :P ). These methods also have an added privacy benefit, in that they prevent your neighbors, ISP, etc. from knowing what sites you're doing lookups for, because the requests are encrypted. Quad9 also suppresses responses for known malware distribution/Command & Control servers to help prevent you from getting pwned. I believe Cloudflare will be doing this also, but haven't read in enough detail to confirm.

Shikoku
Posts: 270
Joined: Fri Oct 27, 2017 11:01 pm
Location: USA

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by Shikoku » Sun Apr 15, 2018 5:50 pm

lazydavid wrote:
Sun Apr 15, 2018 11:03 am
Shikoku wrote:
Fri Apr 13, 2018 10:25 pm
lazydavid wrote:
Wed Apr 11, 2018 5:40 am
Shikoku wrote:
Tue Apr 10, 2018 10:03 pm
When I enter vanguard.com in my browser, Comcast's DNS lookup returns IP address 192.175.191.200. I might disagree with my Comcast bill but I trust the IP address they return and the webpage I visit as a result of my browser receiving the IP address; I am happy to enter my username and password to do my business. I do not have the same level of trust with a small private company such as CloudFlare. So it is not me who is going to use 1.1.1.1 as my DNS.
This further confirms that you do not have the slightest clue what you are talking about. DNS is quite literally the least secure protocol on the entire internet. It's incredibly easy to hijack, and nearly every ISP (including Comcast) has been caught tampering with it. We have been trying with very limited success to add some level of security to DNS for almost two decades. If you are relying on a DNS response from ANYONE to establish trust, you are doing it wrong. It is not intended for that purpose and EVERY SINGLE security expert will tell you this is a bad idea.

Trust is established by the certificate that Vanguard.com presents being issued by a Certificate Authority that you (via your browser) trust. It confirms their identity because a trusted 3rd party has signed it, and only Vanguard is capable of communicating using that certificate.
lazydavid,

Can you elaborate on why you think I do not have the slightest clue what I am talking about? What am I doing wrong by accessing my accounts the way I have stated?

As I have noted earlier, my ISP offers DNSSEC, and I have been a long-time user of a DNSSEC resolver. The DNSSEC Resolver Test at https://dnssec.vs.uni-due.de/ on my computer -- a Linux machine -- produces the following result:
Yes, your DNS resolver validates DNSSEC signatures.
Here is the test result dated 4/11/2018: Shikoku's DNSSEC Resolver Test Result.
I had asked if you had installed a DNSSEC resolver on your computer. Since you're running Linux, that would be something like Unbound: https://packages.debian.org/search?keywords=unbound You said yes, you were using Comcast's DNSSEC resolver. There is a major disconnect here. So here's what happens when you do a lookup on vanguard.com:

You send an old-school unencrypted DNS request to 75.75.75.75 (Comcast's primary DNS server). They do a recursive lookup, receive the signed record, validate it and then strip the signature. They send it back to you in plaintext. The results can be tampered with at the DNS server (which Comcast has an established history of doing, though admittedly not for vanguard specifically), or at any point in between the server and you. This is especially true in your own neighborhood, where all subscribers using your same node (usually a few hundred to a few thousand) have access to all of your traffic.
Your explanation does not make sense because if I receive forged DNS data as a result of a DNS query, the DNSSEC resolver on my client machine will be able to detect that. And precisely this is the job of the DNSSEC resolver on my client machine. Note that Comcast provides my DNS but Comcast does not provide the DNSSEC resolver for my client machine.

Just look at the discussions up-thread: I said that I use Comcast's DNS, and Comcast supports DNSSEC. You asked if I have installed and configured a DNSSEC resolver. I said: "Of course, I did."

So what is wrong in the approach I am using? Note that encryption of the DNS query results is not what we are talking about.
"I don't worry too much about pointing fingers at the past. I operate on the theory that every saint has a past, every sinner has a future." -- Warren Buffett

lazydavid
Posts: 1759
Joined: Wed Apr 06, 2016 1:37 pm

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by lazydavid » Sun Apr 15, 2018 9:09 pm

Shikoku wrote:
Sun Apr 15, 2018 5:50 pm
Your explanation does not make sense because if I receive forged DNS data as a result of a DNS query, the DNSSEC resolver on my client machine will be able to detect that. And precisely this is the job of the DNSSEC resolver on my client machine. Note that Comcast provides my DNS but Comcast does not provide the DNSSEC resolver for my client machine.

Just look at the discussions up-thread: I said that I use Comcast's DNS, and Comcast supports DNSSEC. You asked if I have installed and configured a DNSSEC resolver. I said: "Of course, I did."

So what is wrong in the approach I am using? Note that encryption of the DNS query results is not what we are talking about.
I am now extremely confused. You have made two statements which are incompatible, which I will paraphrase:

"I am using Comcast DNS"
"I have a DNSSEC resolver installed on my client that validates all signed DNS records"

These statements cannot both be true. Comcast's DNS servers do not pass DNSSEC signatures on to clients. They either validate and return a result, or fail validation and return an NXDOMAIN (record not found). So if you are in fact running a DNSSEC resolver on your machine, and it uses Comcast DNS for lookups, it has nothing to validate.
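As an added illustration of the distinction lazydavid draws in the two posts above (an upstream resolver that validates on your behalf and hands back only a plaintext answer with the AD flag, versus one that passes the RRSIG records through so a resolver on your own machine can validate them), here is a small check in Python. It is not code from the thread or from any resolver vendor; the DNS response bytes are constructed inline rather than captured from Comcast or 1.1.1.1, and the RRSIG signature bytes are made up.

```python
import struct
A, RRSIG, FLAG_AD = 1, 46, 0x0020    # RR type codes and the header AD flag bit

def encode_name(name):
    """Wire-format a domain name: length-prefixed labels, zero terminator."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def build_response(ad_bit, with_rrsig):
    """Constructed reply to 'vanguard.com A' (not a captured packet)."""
    flags = 0x8180 | (FLAG_AD if ad_bit else 0)           # QR, RD, RA (+AD)
    answers = [(A, bytes([192, 175, 191, 200]))]          # address quoted in the thread
    if with_rrsig:
        # RRSIG rdata: type covered, algorithm, labels, original TTL, expiry,
        # inception, key tag, signer name, then a made-up signature blob.
        rdata = struct.pack("!HBBIIIH", A, 13, 2, 3600, 1, 0, 12345) + encode_name("vanguard.com") + b"\xaa" * 64
        answers.append((RRSIG, rdata))
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), 0, 0)
    msg += encode_name("vanguard.com") + struct.pack("!HH", A, 1)  # question section
    for rtype, rdata in answers:                      # 0xc00c = pointer back to the qname
        msg += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata
    return msg

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) wire-format name."""
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                         # compression pointer: two bytes, ends the name
            return off + 2
        if ln == 0:
            return off + 1
        off += 1 + ln

def inspect(msg):
    """Classify a response by what a local DNSSEC validator could do with it."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                 # skip qtype and qclass
    types = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    verdict = "no DNSSEC information in this answer"
    if RRSIG in types:
        verdict = "signatures present: a local resolver can validate them itself"
    elif flags & FLAG_AD:
        verdict = "AD bit only: you are trusting the upstream resolver's validation"
    return {"ad": bool(flags & FLAG_AD), "rrsig": RRSIG in types, "verdict": verdict}
```

Against a live resolver the equivalent check is `dig +dnssec vanguard.com`, looking for `ad` among the header flags and for RRSIG records in the answer section.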

lazydavid
Posts: 1759
Joined: Wed Apr 06, 2016 1:37 pm

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by lazydavid » Mon Apr 16, 2018 4:43 am

Irony of ironies, I woke up this morning to find Comcast's DNS down. So now I AM using 1.1.1.1. :P

Angelus359
Posts: 845
Joined: Tue Mar 04, 2014 12:56 am

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by Angelus359 » Fri Apr 27, 2018 8:57 am

Shikoku wrote:
Tue Apr 10, 2018 5:30 pm
PFInterest wrote:
Tue Apr 10, 2018 3:54 pm
Shikoku wrote:
Sun Apr 08, 2018 9:44 pm
ridebikeseveryday wrote:
Sun Apr 08, 2018 9:27 pm
Shikoku wrote:
Sun Apr 08, 2018 9:07 pm
People really need to understand the purpose of DNS and how DNS works before installing the recommended software.
You don't need to install any software to use alternate DNS servers.
When I clicked on https://1.1.1.1/ it presented me with two options: INSTALL and INFO. I stopped there. Even if I do not need to install any software, I will not use this service. Everyone should be cautious about any service like this.
That is not how this works.
It is true that they presented two options: INSTALL and INFO. If they are so smart and trustworthy, they should have presented: CONFIGURE and INFO. INSTALL and CONFIGURE are not the same. So they have misrepresented in the first place what they would like the users to do. How can someone guarantee that they are better than the DNS provided by ISPs such as Comcast? Comcast has over $180 billion in assets. How many assets does CloudFlare have? If there is an issue, CloudFlare can close the store but Comcast cannot! When trust is an issue, I will go with a large well-known company to run my DNS. I do not want to be the 'product' of every new company that pops up and increases their IPO value.

Cloudflare currently serves more traffic than Comcast does.

It's more than 10% of the global internet.
IT-DevOps System Administrator

bwoodcock
Posts: 1
Joined: Sat Apr 28, 2018 1:27 pm

Re: New faster DNS - 1.1.1.1 by CloudFlare

Post by bwoodcock » Sat Apr 28, 2018 1:33 pm

LadyGeek wrote:
Fri Apr 13, 2018 8:56 pm
The results are in:

#1 Verizon FiOS - without Verizon Assist (as it's supposed to work), full green status
#2 Verizon FiOS - with Verizon Assist (annoying ads), orange status - confirming this is a marketing and revenue generator
#3 NTT-Communications
#4 Quad9
#5 Google
#6 OpenDNS
#7 CloudFlare

So far, I'll stick with my non-ad supported ISP.
It's reasonable that Verizon would yield the quickest responses, since they're always in the direct path of your queries. Likewise NTT, their transit provider, and Quad9, since Quad9 is back-to-back with most of the authoritative servers.

But the big difference between them is privacy policies. Verizon and Google actively market user data, whereas Quad9 doesn't even collect it. OpenDNS uses it internally for cybersecurity research, and Cloudflare is very new, so it's hard to know how they're using or selling it, but they share it with APNIC, from whom they're borrowing their IP address, and APNIC uses it for more general-purpose research.

I'm guessing that all seven of them provide "reasonable" performance, but that's not the axis on which I'd be comparing them.
