posted by chromas on Monday April 02 2018, @10:23PM   Printer-friendly
from the send-us-all-your-privates dept.

On April Fool's Day and Easter Sunday, Cloudflare launched a new "privacy-oriented" domain name system (DNS) service with two IP addresses: 1.1.1.1 and 1.0.0.1. These addresses were offered by the Asia-Pacific Network Information Centre (APNIC) in exchange for allowing APNIC to study the "garbage traffic" often sent to them. The service supports both DNS-over-TLS and DNS-over-HTTPS, and DNSPerf currently ranks 1.1.1.1 as the fastest consumer DNS resolver:

Cloudflare is launching its own consumer DNS service today, on April Fools' Day, that promises to speed up your internet connection and help keep it private. The service is using https://1.1.1.1, and it's not a joke but an actual DNS resolver that anyone can use. Cloudflare claims it will be "the Internet's fastest, privacy-first consumer DNS service." While OpenDNS and Google DNS both exist, Cloudflare is focusing heavily on the privacy aspect of its own DNS service with a promise to wipe all logs of DNS queries within 24 hours.

DNS services are typically provided by internet service providers to resolve a domain name like Google.com into a real IP address that routers and switches understand. It's an essential part of the internet, but DNS servers provided by ISPs are often slow and unreliable. ISPs or any Wi-Fi network you connect to can also use DNS servers to identify all sites that are visited, which presents privacy problems. DNS also played an important role in helping Turkish citizens avoid a Twitter ban.

Also at VentureBeat and Engadget.


  • (Score: 3, Interesting) by richtopia on Tuesday April 03 2018, @01:51AM (10 children)

    by richtopia (3160) on Tuesday April 03 2018, @01:51AM (#661758) Homepage Journal

    I have not come to a solid conclusion about what the correct DNS for privacy, openness, and speed concerns is. Many tech writers point to Google, but no thank you.

    What are you guys doing?

  • (Score: 5, Funny) by takyon on Tuesday April 03 2018, @01:54AM (1 child)

    by takyon (881) <takyonNO@SPAMsoylentnews.org> on Tuesday April 03 2018, @01:54AM (#661759) Journal

    Memorizing IP addresses, of course!

    --
    [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
  • (Score: 0) by Anonymous Coward on Tuesday April 03 2018, @02:20AM

    by Anonymous Coward on Tuesday April 03 2018, @02:20AM (#661767)

    I've heard suggestions for OpenDNS and Quad9, but some others recommend UncensoredDNS and Zero Knowledge DNS. Either way, I'd suggest making sure your resolver verifies DNSSEC and supports some form of encryption, such as DNS-over-HTTPS, DNSCrypt/DNSCurve or DNS-over-TLS.

  • (Score: 5, Interesting) by Apparition on Tuesday April 03 2018, @02:32AM (3 children)

    by Apparition (6835) on Tuesday April 03 2018, @02:32AM (#661772) Journal

    I use Quad9 [quad9.net]. Here's their FAQ [quad9.net]. Previous story about Quad9 on SoylentNews.org is here [soylentnews.org]. Here's a story [arstechnica.com] about Quad9 on Ars Technica. It's fast, and it works well.

    I ran a DNS benchmark this afternoon. Google and Quad9 were essentially tied for first place. Level 3 came in second, OpenNIC third, and this new Cloudflare DNS fourth. This is on the east coast of the United States, mind you. YMMV.

    Everything's a compromise. Google is... well... Google. Cloudflare is Cloudflare. Comcast is my ISP. Quad9 is run by IBM, Packet Clearing House [pch.net], and the Global Cyber Alliance [globalcyberalliance.org]. Personally, I trust IBM and the Global Cyber Alliance just slightly more than Google, and a lot more than Cloudflare and Comcast.

    • (Score: 4, Interesting) by bradley13 on Tuesday April 03 2018, @05:49AM (2 children)

      by bradley13 (3053) on Tuesday April 03 2018, @05:49AM (#661828) Homepage Journal

      I missed the earlier article about Quad9, so I just read up on it. I find two things worrisome:

      - It was started by police forces (New York and London). Especially London worries me, given the UK's stance that neither privacy nor freedom of information should exist. I don't trust them to run a DNS filter that doesn't include outright censorship.

      - It was initially funded by asset forfeiture money from New York. I.e. money stolen from taxpayers without due process.

      Neither of those facts endears the service to me. I want someone like the EFF to run a DNS resolver. Better would be an organization outside the US and UK.

      --
      Everyone is somebody else's weirdo.
      • (Score: 1, Insightful) by Anonymous Coward on Tuesday April 03 2018, @07:40PM (1 child)

        by Anonymous Coward on Tuesday April 03 2018, @07:40PM (#662107)

        > Better would be an organization outside the US and UK.

        So... China, Russia, or Saudi Arabia?

        • (Score: 2) by bob_super on Tuesday April 03 2018, @08:50PM

          by bob_super (1357) on Tuesday April 03 2018, @08:50PM (#662161)

          Nigeria of course.
          They're really good at finding stuff, though you only get 10% of it.

  • (Score: 1, Interesting) by Anonymous Coward on Tuesday April 03 2018, @03:47AM

    by Anonymous Coward on Tuesday April 03 2018, @03:47AM (#661799)

    The Tor network [infosecinstitute.com] can resolve names.

  • (Score: 1, Interesting) by Anonymous Coward on Tuesday April 03 2018, @04:46AM

    by Anonymous Coward on Tuesday April 03 2018, @04:46AM (#661813)

    You know you can run your own resolver, contacting the root servers and other servers as needed? Some OSes make it relatively easy, just install the right package.

    If you mean for something that can't do that... probably run the resolver above and set it as the DNS server. Not tried.

  • (Score: 4, Interesting) by zocalo on Tuesday April 03 2018, @11:44AM

    by zocalo (302) on Tuesday April 03 2018, @11:44AM (#661900)
    I run my own resolver complete with DNSSEC validation where available on a BSD instance because I also want to run my own local DNSBL and URIBL for spam/domain filtering (resolving an entire domain to 0.0.0.0 is an excellent ad-blocker), but that's probably overkill for 99% of Soylentils, let alone the general population. Simpler alternatives would be to run your own caching-only DNS, pointed at something like Quad9, which is supposedly pretty good as long as you don't have issues with some of the associations mentioned in other posts, or just point your clients directly at their servers. As long as you have a stable DNS that isn't rebooted too often, you're going to have most records you actually use cached anyway, so synthetic performance tests of full recursion to $DNS_provider's servers are pretty meaningless, really. The main thing is to try and get DNSSEC validation working so that you'll have some protection against tampering with DNS responses, but be aware that DNSSEC use is pretty low, and many of the sites that would actually benefit the most from using it (banks, Pr0n, etc.) actually don't have it deployed yet.
    --
    UNIX? They're not even circumcised! Savages!
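
Two comments above (the Anonymous Coward reply and zocalo's) advise making sure your resolver validates DNSSEC. The following is an added example, not code from any commenter: it builds a query with the EDNS0 DO bit and classifies a response by its AD flag and RCODE. The function names are hypothetical and the sample responses are constructed header flags, not captured traffic.

```python
import socket
import struct

def build_query(name, qtype=1, txid=0x1234):
    """DNS query with RD set plus an EDNS0 OPT record carrying the DO bit."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split(".")) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, type 41, UDP size 1232, ext-rcode 0, version 0, DO=0x8000
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, 0x8000, 0)
    return header + question + opt

def parse_flags(msg):
    """Decode the header fields that matter for a validation check."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags = struct.unpack("!HH", msg[:4])
    return {"txid": txid, "qr": bool(flags & 0x8000), "ad": bool(flags & 0x0020),
            "rcode": flags & 0x000F}

def classify(query, response):
    """AD is only meaningful from a resolver you trust, over a path you trust
    (localhost, or DNS-over-TLS/HTTPS); on plain UDP it can be forged in transit."""
    q, r = parse_flags(query), parse_flags(response)
    if not r["qr"] or r["txid"] != q["txid"]:
        return "mismatch"
    if r["rcode"] == 2:
        return "servfail"      # validating resolvers answer SERVFAIL for bogus data
    if r["rcode"] == 0 and r["ad"]:
        return "validated"     # resolver checked the signature chain
    return "unvalidated"       # unsigned zone, or resolver does not validate

def ask(server, query, timeout=3.0):
    """Send the query over UDP/53 (not called here; the samples below run offline)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        return s.recvfrom(4096)[0]

def with_flags(query, flags):
    """Constructed sample response: the query bytes with the flags word replaced."""
    return query[:2] + struct.pack("!H", flags) + query[4:]

QUERY = build_query("example.com")
SAMPLES = {  # constructed header flags, not captured traffic
    "validated": with_flags(QUERY, 0x81A0),    # QR RD RA AD, NOERROR
    "unvalidated": with_flags(QUERY, 0x8180),  # QR RD RA, NOERROR
    "servfail": with_flags(QUERY, 0x8182),     # QR RD RA, SERVFAIL
}
```

Against a live resolver, `classify(q, ask("127.0.0.1", q))` for a name in a signed zone should return `"validated"` when the local resolver validates; `127.0.0.1` assumes a resolver running on the same host.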