Cloudflare's new DNS

Ooh sweet. Just switched to it now. Sounds really cool.
 
What horrible timing though, for the first few hours yesterday after they announced it people thought it was some kind of joke.
 
What horrible timing though, for the first few hours yesterday after they announced it people thought it was some kind of joke.

Yeah lol. Insane to announce anything at all that isn't a joke on April 1st.
 
Doesn't resolve local google sites to local addresses. :/
 
It looks like this server is not doing geolocation checking and Google is down. On Telkom cellular:
Code:
C:\>nslookup
Default Server:  homerouter.cpe
Address:  192.168.8.1

> netflix.com
Server:  homerouter.cpe
Address:  192.168.8.1

Non-authoritative answer:
Name:    netflix.com
Addresses:  54.85.175.142, 52.86.210.197, 54.173.169.115, 54.80.77.89
          107.23.104.215, 52.54.154.226, 35.169.45.33, 34.234.59.120

> server 8.8.8.8
Default Server:  google-public-dns-a.google.com
Address:  8.8.8.8

> netflix.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to google-public-dns-a.google.com timed-out
> server 1.1.1.1
DNS request timed out.
    timeout was 2 seconds.
Default Server:  [1.1.1.1]
Address:  1.1.1.1

> netflix.com
Server:  [1.1.1.1]
Address:  1.1.1.1

Non-authoritative answer:
Name:    netflix.com
Addresses:  34.250.3.119, 34.250.61.125, 52.17.227.174, 54.76.48.210
          54.77.210.48, 54.171.27.14, 54.171.111.137, 176.34.151.201
Server in CT?
C:\>tracert 1.1.1.1

Tracing route to 1dot1dot1dot1.cloudflare-dns.com [1.1.1.1]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms homerouter.cpe [192.168.8.1]
2 * * * Request timed out.
3 47 ms 27 ms 30 ms 172.17.16.5
4 25 ms 20 ms 29 ms 172.17.16.21
5 46 ms 27 ms 18 ms rrba-ip-bng-3-wan.telkomipnet.co.za [165.165.184.21]
6 75 ms 45 ms 47 ms 196.43.8.45
7 73 ms 59 ms 61 ms rrba-ip-p-1-bundle-ether202.telkom-ipnet.co.za [41.147.241.29]
8 76 ms 62 ms 51 ms wblv-ip-p-1-bundle-ether101.telkom-ipnet.co.za [41.147.240.145]
9 58 ms 53 ms 52 ms wblv-ip-bpe-2-bundle-ether201.telkom-ipnet.co.za [41.147.240.130]
10 101 ms 65 ms 61 ms 196.43.11.234
11 103 ms 79 ms 72 ms 196.43.25.206
12 73 ms 59 ms 61 ms 196-10-140-198.ixp.capetown [196.10.140.198]
13 83 ms 54 ms 47 ms 1dot1dot1dot1.cloudflare-dns.com [1.1.1.1]

Trace complete.
 
Code:
Pinging 1.1.1.1 with 32 bytes of data:
Reply from 1.1.1.1: bytes=32 time=9ms TTL=58
Reply from 1.1.1.1: bytes=32 time=9ms TTL=58
Reply from 1.1.1.1: bytes=32 time=9ms TTL=58
Reply from 1.1.1.1: bytes=32 time=10ms TTL=58

Ping statistics for 1.1.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% lo
Approximate round trip times in milli-seconds:
    Minimum = 9ms, Maximum = 10ms, Average = 9ms

ping 8.8.8.8

Pinging 8.8.8.8 with 32 bytes of data:
Reply from 8.8.8.8: bytes=32 time=90ms TTL=57
Reply from 8.8.8.8: bytes=32 time=79ms TTL=57
Reply from 8.8.8.8: bytes=32 time=10ms TTL=57
Reply from 8.8.8.8: bytes=32 time=47ms TTL=57

Ping statistics for 8.8.8.8:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% lo
Approximate round trip times in milli-seconds:
    Minimum = 10ms, Maximum = 90ms, Average = 56ms

Hmmm....
 
1.1.1.1

1.1.1.1 said:
DNS: Internet’s Directory
Nearly everything on the Internet starts with a DNS request. DNS is the Internet’s directory. Click on a link, open an app, send an email and the first thing your device does is ask the directory:

Where can I find this?
Unfortunately, by default, DNS is usually slow and insecure. Your ISP, and anyone else listening in on the Internet, can see every site you visit and every app you use — even if their content is encrypted. Creepily, some DNS providers sell data about your Internet activity or use it to target you with ads.

We think that’s gross. If you do too, now there’s an alternative: 1.1.1.1


Launched on April 1, but it wasn't a fool's errand.

Information, including setup instructions
https://1.1.1.1
 
We will never log your IP address (the way other companies identify you). And we’re not just saying that. We’ve retained KPMG to audit our systems annually to ensure that we're doing what we say.

Interesting.
 
It looks like this server is not doing geolocation checking and Google is down

Back when I was still on Telkom I couldn't use anything but the Telkom DNS servers or a lot of web-sites stopped working.

This is still true on Telkom mobile (just tested)
 
Back when I was still on Telkom I couldn't use anything but the Telkom DNS servers or a lot of web-sites stopped working.

This is still true on Telkom mobile (just tested)
I noticed that with DNS servers other than Google or Telkom default. I don't know, maybe they manipulate DNS to direct you to their transparent proxy servers. I leave it now, a bigger problem gives me invalid https certificates which cuts me off from many websites.

For the purpose of this discussion I do confirm, it is consistent that Telkom is adding 30ms delay on their backbone and that I am reaching Cloudflare server in CT, but I am in Joburg. Something is terribly wrong with Telkom routers.

[EDIT] Just adding traceroute from Cell C cellular connection. Everything works properly:
C:\>tracert 1.1.1.1

Tracing route to 1dot1dot1dot1.cloudflare-dns.com [1.1.1.1]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms homerouter.cpe [192.168.8.1]
2 * * * Request timed out.
3 27 ms 30 ms 20 ms 41.48.22.38
4 51 ms 20 ms 34 ms 10.228.233.193
5 38 ms 23 ms 24 ms 41.48.16.1
6 29 ms 20 ms 24 ms 41.48.0.2
7 42 ms 20 ms 23 ms cloudflare.ixp.joburg [196.60.8.198]
8 37 ms 20 ms 20 ms 1dot1dot1dot1.cloudflare-dns.com [1.1.1.1]

Trace complete.
 
I noticed that with DNS servers other than Google or Telkom default. I don't know, maybe they manipulate DNS to direct you to their transparent proxy servers. I leave it now, a bigger problem gives me invalid https certificates which cuts me off from many websites.

For the purpose of this discussion I do confirm, it is consistent that Telkom is adding 30ms delay on their backbone and that I am reaching Cloudflare server in CT, but I am in Joburg. Something is terribly wrong with Telkom routers.

I've been thinking about this problem and I actually think if you either A) use a resolver (eg. unbound) or B) use 1.1.1.1 using DNS over TCP, there is no way Telkom is blocking that.

Case A would be better if you use unbound using DNSSEC mode.

DNSSEC makes it impossible for bad actors like Telkom to intercept or even track you.
Specifically because dig +short $dns -> $a.b.c.d -> nslookup $a.b.c.d != $ip

Assuming they don't outright block 1.1.1.1 (but even that seems futile because HTTPS VPN makes that moot).

I like the idea of using a resolver (eg. it walks the DNS tree), but given that most DNS servers don't support DNSSEC I trust 1.1.1.1 more because of actors like Telkom.

ANYWAY, Telkom is bad mmkay.
 
I've been thinking about this problem and I actually think if you either A) use a resolver (eg. unbound) or B) use 1.1.1.1 using DNS over TCP, there is no way Telkom is blocking that.

Case A would be better if you use unbound using DNSSEC mode.

DNSSEC makes it impossible for bad actors like Telkom to intercept or even track you.
Specifically because dig +short $dns -> $a.b.c.d -> nslookup $a.b.c.d != $ip

Assuming they don't outright block 1.1.1.1 (but even that seems futile because HTTPS VPN makes that moot).

I like the idea of using a resolver (eg. it walks the DNS tree), but given that most DNS servers don't support DNSSEC I trust 1.1.1.1 more because of actors like Telkom.

ANYWAY, Telkom is bad mmkay.

Intercept, yes they can, track, yes they can, intercept & tamper, no. DNSSEC supports authentication but not confidentiality. For that you will need DNS over TLS (RFC 8310), and you can use 1.1.1.1 for it with a suitably configured proxy (assuming that your DNS forwarder does not support it -- mine doesn't).
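The DNS over TLS path the post above describes, as an added example that is not from this thread: a minimal Python client that sends a length-prefixed DNS query to 1.1.1.1 on port 853 and validates the resolver's certificate, so a network operator in the path can neither read nor alter the answer the way it could with plain UDP or TCP DNS. It assumes the 1.1.1.1 certificate validates for the name cloudflare-dns.com (used here for verification); the sample reply is constructed for the parser check, not captured traffic.

```python
import random, socket, ssl, struct

def build_query(name: str, txid: int) -> bytes:
    """Wire-format query for an A record with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(msg: bytes, off: int) -> int:
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:  # compression pointer terminates the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_a_records(msg: bytes, expected_txid: int) -> list:
    """IPv4 answers from a reply; rejects a mismatched txid or a non-zero RCODE."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError("resolver returned RCODE %d" % (flags & 0xF))
    off = 12
    for _ in range(qd):  # skip the echoed question section
        off = _skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs

def resolve_dot(name: str, server: str = "1.1.1.1", sni: str = "cloudflare-dns.com") -> list:
    """Resolve `name` over TLS on port 853; the resolver's certificate must validate for `sni`."""
    txid = random.randrange(65536)
    ctx = ssl.create_default_context()  # system CA store, hostname verification on
    with socket.create_connection((server, 853), timeout=5) as raw, \
         ctx.wrap_socket(raw, server_hostname=sni) as tls:
        q = build_query(name, txid)
        tls.sendall(struct.pack("!H", len(q)) + q)  # DNS over TCP/TLS: 2-byte length prefix
        reader = tls.makefile("rb")
        (length,) = struct.unpack("!H", reader.read(2))
        return parse_a_records(reader.read(length), txid)

# Constructed reply (not captured): txid 0x1234, NOERROR, example.com/A, one answer 192.0.2.1 TTL 60.
SAMPLE_REPLY = bytes.fromhex("123481800001000100000000076578616d706c6503636f6d0000010001c00c000100010000003c0004c0000201")
```

Calling `resolve_dot("netflix.com")` performs a live lookup over TLS; `parse_a_records(SAMPLE_REPLY, 0x1234)` exercises the parser offline.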
 