Cloudflare's new DNS

Bryn

Doubleplusgood
Joined
Oct 29, 2010
Messages
16,894
Ooh sweet. Just switched to it now. Sounds really cool.
 

Soul Assassin

Honorary Master
Joined
Mar 27, 2006
Messages
11,212
What horrible timing though, for the first few hours yesterday after they announced it people thought it was some kind of joke.
 

Bryn

Doubleplusgood
Joined
Oct 29, 2010
Messages
16,894
What horrible timing though, for the first few hours yesterday after they announced it people thought it was some kind of joke.

Yeah lol. Insane to announce anything at all that isn't a joke on April 1st.
 

Sinbad

Honorary Master
Joined
Jun 5, 2006
Messages
81,150
Doesn't resolve local google sites to local addresses. :/
 

sajunky

Honorary Master
Joined
Nov 1, 2010
Messages
13,124
It looks like this server is not doing geolocation checking and Google is down. On Telkom cellular:
Code:
C:\>nslookup
Default Server:  homerouter.cpe
Address:  192.168.8.1

> netflix.com
Server:  homerouter.cpe
Address:  192.168.8.1

Non-authoritative answer:
Name:    netflix.com
Addresses:  54.85.175.142, 52.86.210.197, 54.173.169.115, 54.80.77.89
          107.23.104.215, 52.54.154.226, 35.169.45.33, 34.234.59.120

> server 8.8.8.8
Default Server:  google-public-dns-a.google.com
Address:  8.8.8.8

> netflix.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to google-public-dns-a.google.com timed-out
> server 1.1.1.1
DNS request timed out.
    timeout was 2 seconds.
Default Server:  [1.1.1.1]
Address:  1.1.1.1

> netflix.com
Server:  [1.1.1.1]
Address:  1.1.1.1

Non-authoritative answer:
Name:    netflix.com
Addresses:  34.250.3.119, 34.250.61.125, 52.17.227.174, 54.76.48.210
          54.77.210.48, 54.171.27.14, 54.171.111.137, 176.34.151.201
Server in CT?
C:\>tracert 1.1.1.1

Tracing route to 1dot1dot1dot1.cloudflare-dns.com [1.1.1.1]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms homerouter.cpe [192.168.8.1]
2 * * * Request timed out.
3 47 ms 27 ms 30 ms 172.17.16.5
4 25 ms 20 ms 29 ms 172.17.16.21
5 46 ms 27 ms 18 ms rrba-ip-bng-3-wan.telkomipnet.co.za [165.165.184.21]
6 75 ms 45 ms 47 ms 196.43.8.45
7 73 ms 59 ms 61 ms rrba-ip-p-1-bundle-ether202.telkom-ipnet.co.za [41.147.241.29]
8 76 ms 62 ms 51 ms wblv-ip-p-1-bundle-ether101.telkom-ipnet.co.za [41.147.240.145]
9 58 ms 53 ms 52 ms wblv-ip-bpe-2-bundle-ether201.telkom-ipnet.co.za [41.147.240.130]
10 101 ms 65 ms 61 ms 196.43.11.234
11 103 ms 79 ms 72 ms 196.43.25.206
12 73 ms 59 ms 61 ms 196-10-140-198.ixp.capetown [196.10.140.198]
13 83 ms 54 ms 47 ms 1dot1dot1dot1.cloudflare-dns.com [1.1.1.1]

Trace complete.
 

Rickster

EVGA Fanatic
Joined
Jul 31, 2012
Messages
20,429
Code:
Pinging 1.1.1.1 with 32 bytes of data:
Reply from 1.1.1.1: bytes=32 time=9ms TTL=58
Reply from 1.1.1.1: bytes=32 time=9ms TTL=58
Reply from 1.1.1.1: bytes=32 time=9ms TTL=58
Reply from 1.1.1.1: bytes=32 time=10ms TTL=58

Ping statistics for 1.1.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% lo
Approximate round trip times in milli-seconds:
    Minimum = 9ms, Maximum = 10ms, Average = 9ms

ping 8.8.8.8

Pinging 8.8.8.8 with 32 bytes of data:
Reply from 8.8.8.8: bytes=32 time=90ms TTL=57
Reply from 8.8.8.8: bytes=32 time=79ms TTL=57
Reply from 8.8.8.8: bytes=32 time=10ms TTL=57
Reply from 8.8.8.8: bytes=32 time=47ms TTL=57

Ping statistics for 8.8.8.8:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% lo
Approximate round trip times in milli-seconds:
    Minimum = 10ms, Maximum = 90ms, Average = 56ms

Hmmm....
 

[)roi(]

Executive Member
Joined
Apr 15, 2005
Messages
6,282
1.1.1.1

1.1.1.1 said:
DNS: Internet’s Directory
Nearly everything on the Internet starts with a DNS request. DNS is the Internet’s directory. Click on a link, open an app, send an email and the first thing your device does is ask the directory:

Where can I find this?
Unfortunately, by default, DNS is usually slow and insecure. Your ISP, and anyone else listening in on the Internet, can see every site you visit and every app you use — even if their content is encrypted. Creepily, some DNS providers sell data about your Internet activity or use it to target you with ads.

We think that’s gross. If you do too, now there’s an alternative: 1.1.1.1


Launched on April 1, but it wasn't a fool's errand.

Information, including setup instructions
https://1.1.1.1
 

j4ck455

Executive Member
Joined
Jan 2, 2006
Messages
7,502
We will never log your IP address (the way other companies identify you). And we’re not just saying that. We’ve retained KPMG to audit our systems annually to ensure that we're doing what we say.

Interesting.
 

Gnome

Executive Member
Joined
Sep 19, 2005
Messages
7,208
It looks like this server is not doing geolocation checking and Google is down

Back when I was still on Telkom I couldn't use anything but the Telkom DNS servers or a lot of websites stopped working.

This is still true on Telkom mobile (just tested)
 

sajunky

Honorary Master
Joined
Nov 1, 2010
Messages
13,124
Back when I was still on Telkom I couldn't use anything but the Telkom DNS servers or a lot of websites stopped working.

This is still true on Telkom mobile (just tested)
I noticed that with DNS servers other than Google or the Telkom default. I don't know, maybe they manipulate DNS to direct you to their transparent proxy servers. I'll leave it for now; a bigger problem is that it gives me invalid HTTPS certificates, which cuts me off from many websites.

For the purpose of this discussion I can confirm that it is consistent: Telkom is adding a 30 ms delay on their backbone, and I am reaching the Cloudflare server in CT even though I am in Joburg. Something is terribly wrong with Telkom's routers.

[EDIT] Just adding a traceroute from a Cell C cellular connection. Everything works properly:
C:\>tracert 1.1.1.1

Tracing route to 1dot1dot1dot1.cloudflare-dns.com [1.1.1.1]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms homerouter.cpe [192.168.8.1]
2 * * * Request timed out.
3 27 ms 30 ms 20 ms 41.48.22.38
4 51 ms 20 ms 34 ms 10.228.233.193
5 38 ms 23 ms 24 ms 41.48.16.1
6 29 ms 20 ms 24 ms 41.48.0.2
7 42 ms 20 ms 23 ms cloudflare.ixp.joburg [196.60.8.198]
8 37 ms 20 ms 20 ms 1dot1dot1dot1.cloudflare-dns.com [1.1.1.1]

Trace complete.
 

Gnome

Executive Member
Joined
Sep 19, 2005
Messages
7,208
I noticed that with DNS servers other than Google or the Telkom default. I don't know, maybe they manipulate DNS to direct you to their transparent proxy servers. I'll leave it for now; a bigger problem is that it gives me invalid HTTPS certificates, which cuts me off from many websites.

For the purpose of this discussion I can confirm that it is consistent: Telkom is adding a 30 ms delay on their backbone, and I am reaching the Cloudflare server in CT even though I am in Joburg. Something is terribly wrong with Telkom's routers.

I've been thinking about this problem and I actually think if you either A) use a resolver (e.g. unbound) or B) use 1.1.1.1 over DNS over TCP, there is no way Telkom is blocking that.

Case A would be better if you use unbound in DNSSEC mode.

DNSSEC makes it impossible for bad actors like Telkom to intercept or even track you.
Specifically because dig +short $dns -> $a.b.c.d -> nslookup $a.b.c.d != $ip

Assuming they don't outright block 1.1.1.1 (but even that seems futile because HTTPS VPN makes that moot).

I like the idea of using a resolver (e.g. it walks the DNS tree), but given that most DNS servers don't support DNSSEC I trust 1.1.1.1 more because of actors like Telkom.

ANYWAY, Telkom is bad mmkay.
 

ActivateD

Expert Member
Joined
Jun 7, 2004
Messages
1,720
I wonder what Cisco will do with their devices that use 1.1.1.1 for guest hotspots.
 

infscrtyrisk

Expert Member
Joined
Nov 22, 2014
Messages
1,296
I've been thinking about this problem and I actually think if you either A) use a resolver (e.g. unbound) or B) use 1.1.1.1 over DNS over TCP, there is no way Telkom is blocking that.

Case A would be better if you use unbound in DNSSEC mode.

DNSSEC makes it impossible for bad actors like Telkom to intercept or even track you.
Specifically because dig +short $dns -> $a.b.c.d -> nslookup $a.b.c.d != $ip

Assuming they don't outright block 1.1.1.1 (but even that seems futile because HTTPS VPN makes that moot).

I like the idea of using a resolver (e.g. it walks the DNS tree), but given that most DNS servers don't support DNSSEC I trust 1.1.1.1 more because of actors like Telkom.

ANYWAY, Telkom is bad mmkay.

Intercept, yes they can, track, yes they can, intercept & tamper, no. DNSSEC supports authentication but not confidentiality. For that you will need DNS over TLS (RFC 8310), and you can use 1.1.1.1 for it with a suitably configured proxy (assuming that your DNS forwarder does not support it -- mine doesn't).
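A minimal DNS-over-TLS client for the setup described in the last two posts (DNS over TCP to 1.1.1.1, and DNS over TLS so the ISP cannot read or rewrite the exchange), added here as an example and not code from any poster or from Cloudflare: the query goes to 1.1.1.1 inside a TLS session verified against the system CA bundle and the cloudflare-dns.com name, which is what gives confidentiality and tamper-resistance that DNSSEC alone does not. The 2-byte length framing is the same one plain DNS over TCP uses. Port 853 and the certificate name cloudflare-dns.com are assumptions not stated in the thread.

```python
import socket
import ssl
import struct

def build_query(name, qtype=1, txid=0x1234):
    """Build a length-prefixed DNS query (RFC 1035 wire format); qtype 1 = A."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.rstrip(".").split(".")) + b"\x00"
    msg = header + qname + struct.pack("!HH", qtype, 1)  # class IN
    return struct.pack("!H", len(msg)) + msg  # 2-byte length prefix used by TCP and TLS

def _skip_name(msg, off):
    while True:  # return the offset just past a (possibly compressed) domain name
        n = msg[off]
        if n >= 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + n
        if n == 0:
            return off

def parse_a_records(framed):
    """Extract IPv4 answers from a length-prefixed DNS response."""
    msg = framed[2:2 + struct.unpack("!H", framed[:2])[0]]
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError("DNS error, rcode=%d" % (flags & 0xF))
    ips, off = [], 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in msg[off + 10:off + 14]))
        off += 10 + rdlen
    return ips

def resolve_over_tls(name, server="1.1.1.1", port=853, hostname="cloudflare-dns.com"):
    """Query over TLS (RFC 7858) with chain and hostname verification; port 853 and the cloudflare-dns.com name are assumptions. Needs network access."""
    ctx = ssl.create_default_context()  # verifies the chain against the system CAs
    with socket.create_connection((server, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            tls.sendall(build_query(name))
            buf = b""
            while len(buf) < 2 or len(buf) < 2 + struct.unpack("!H", buf[:2])[0]:
                chunk = tls.recv(4096)
                if not chunk:
                    raise ConnectionError("connection closed before full response")
                buf += chunk
            return parse_a_records(buf)
```

Calling resolve_over_tls("netflix.com") from a Telkom connection and comparing it with the plain nslookup answers above is a direct way to see whether the in-path resolver is handing back different addresses.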
 