New Cloudflare DNS -- Fastest and Most Secure

New, fast, secure DNS service from Cloudflare!

Discuss!

If anyone has a functional config for BIND to use TLS or HTTPS for forwarding address(es), please let me know!

Otherwise, is 1.1.1.1 the new 8.8.8.8? Let us know what you think!

3 Likes

I saw that. Just because they said it wasn't an April Fools' joke kind of has me on the skeptical side. I'm going to wait a few days, then I may stick it in my Pi-hole over the Cisco and Google ones loaded.

1 Like

Agreed, it could be an elaborate April Fools ploy.

This is the current real-life state of 1.1.1.1:

time host google.com 1.1.1.1

Using domain server:
Name: 1.1.1.1
Address: 1.1.1.1#53
Aliases: 

google.com has address 172.217.6.238
google.com has IPv6 address 2607:f8b0:4006:805::200e
google.com mail is handled by 10 aspmx.l.google.com.
google.com mail is handled by 20 alt1.aspmx.l.google.com.
google.com mail is handled by 30 alt2.aspmx.l.google.com.
google.com mail is handled by 40 alt3.aspmx.l.google.com.
google.com mail is handled by 50 alt4.aspmx.l.google.com.

real	0m0.136s
user	0m0.008s
sys	0m0.007s

So take that for what it’s worth.

Interested; will monitor and potentially switch. It will be nice to get off 4.2.2.1 since my home isn't L3 (my work is, though, so technically I'm a customer).

Might be nice to get a guide for DNS-over-TLS upstream from a service like pihole.

1 Like

Well, people looking at and using it is fine. But let's ask the important question: why was it created?

APNIC and Cloudflare entered a research agreement,
https://labs.apnic.net/?p=1127

“The joint research project involves the operation of an open public DNS resolution service using IPv4 address prefixes that the APNIC Address Policy SIG has set aside for research purposes”

What will they use this data for? From what I've read, they will keep logs and analyze them for a maximum of a year, for 5 years.

“unique opportunity to gain some valuable insight into the query behaviour of the DNS in today’s Internet and will allow us to further our existing research activities in looking at the DNS.”

The overall lack of information on what they will do with the data, and on how the "privacy" works with them, makes it pro bono "free" data mining.

Yes, they say it's very private, but they do not go into detail on how it is private.
Where are the legal documents? I didn't find any.

While with Google we do know for sure that they collect everything and use it for data mining, with them it's unknown.

Still, 1dot1dot1dot1.cloudflare-dns.com (if we change 1 to i, it comes out similar to "idiot").

NSlookup

Default Server:  resolver1.opendns.com
Address:  208.67.222.222

> server 1.1.1.1
Default Server:  1dot1dot1dot1.cloudflare-dns.com
Address:  1.1.1.1

> google.com
Server:  1dot1dot1dot1.cloudflare-dns.com
Address:  1.1.1.1

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to 1dot1dot1dot1.cloudflare-dns.com timed-out
2 Likes

1.1.1.1
Minimum = 9ms, Maximum = 10ms, Average = 9ms
Minimum = 8ms, Maximum = 10ms, Average = 8ms
Minimum = 8ms, Maximum = 11ms, Average = 9ms

8.8.8.8
Minimum = 16ms, Maximum = 20ms, Average = 17ms
Minimum = 17ms, Maximum = 19ms, Average = 18ms
Minimum = 15ms, Maximum = 19ms, Average = 16ms

9.9.9.9
Minimum = 38ms, Maximum = 39ms, Average = 38ms
Minimum = 37ms, Maximum = 39ms, Average = 38ms
Minimum = 38ms, Maximum = 41ms, Average = 39ms

With my VPN on these show

1.1.1.1
Minimum = 22ms, Maximum = 23ms, Average = 22ms
Minimum = 22ms, Maximum = 31ms, Average = 25ms
Minimum = 23ms, Maximum = 25ms, Average = 24ms

8.8.8.8
Minimum = 25ms, Maximum = 28ms, Average = 26ms
Minimum = 26ms, Maximum = 28ms, Average = 27ms
Minimum = 25ms, Maximum = 28ms, Average = 26ms

9.9.9.9
Minimum = 42ms, Maximum = 49ms, Average = 44ms
Minimum = 42ms, Maximum = 48ms, Average = 45ms
Minimum = 43ms, Maximum = 45ms, Average = 43ms

2 Likes

Testing from Amsterdam datacenter (No Caching)

1.1.1.1

time host google.com 1.1.1.1
Using domain server:
Name: 1.1.1.1
Address: 1.1.1.1#53
Aliases: 

google.com has address 216.58.212.238
google.com has IPv6 address 2a00:1450:400e:80a::200e
google.com mail is handled by 10 aspmx.l.google.com.
google.com mail is handled by 20 alt1.aspmx.l.google.com.
google.com mail is handled by 30 alt2.aspmx.l.google.com.
google.com mail is handled by 40 alt3.aspmx.l.google.com.
google.com mail is handled by 50 alt4.aspmx.l.google.com.

real    0m0.030s
user    0m0.010s
sys     0m0.010s

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @1.1.1.1 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30275
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1536
;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             178     IN      A       216.58.212.238

;; Query time: 1 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Mon Apr 02 09:27:15 UTC 2018
;; MSG SIZE  rcvd: 55

ping -c10 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=56 time=1.34 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=56 time=1.16 ms
64 bytes from 1.1.1.1: icmp_seq=3 ttl=56 time=1.43 ms
64 bytes from 1.1.1.1: icmp_seq=4 ttl=56 time=1.27 ms
64 bytes from 1.1.1.1: icmp_seq=5 ttl=56 time=1.38 ms
64 bytes from 1.1.1.1: icmp_seq=6 ttl=56 time=1.43 ms
64 bytes from 1.1.1.1: icmp_seq=7 ttl=56 time=1.50 ms
64 bytes from 1.1.1.1: icmp_seq=8 ttl=56 time=1.37 ms
64 bytes from 1.1.1.1: icmp_seq=9 ttl=56 time=1.35 ms
64 bytes from 1.1.1.1: icmp_seq=10 ttl=56 time=1.44 ms

--- 1.1.1.1 ping statistics ---
10 packets transmitted, 10 received, 0% packet loss, time 9013ms
rtt min/avg/max/mdev = 1.169/1.371/1.509/0.102 ms

8.8.8.8

 time host google.com 8.8.8.8
Using domain server:
Name: 8.8.8.8
Address: 8.8.8.8#53
Aliases: 

google.com has address 216.58.204.142
google.com has IPv6 address 2a00:1450:4007:812::200e
google.com mail is handled by 30 alt2.aspmx.l.google.com.
google.com mail is handled by 10 aspmx.l.google.com.
google.com mail is handled by 20 alt1.aspmx.l.google.com.
google.com mail is handled by 50 alt4.aspmx.l.google.com.
google.com mail is handled by 40 alt3.aspmx.l.google.com.

real    0m0.081s
user    0m0.010s
sys     0m0.010s

dig @8.8.8.8 google.com

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @8.8.8.8 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12232
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             297     IN      A       216.58.204.142

;; Query time: 17 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Apr 02 09:31:02 UTC 2018
;; MSG SIZE  rcvd: 55

ping -c10 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=48 time=10.6 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=48 time=10.6 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=48 time=10.6 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=48 time=10.7 ms
64 bytes from 8.8.8.8: icmp_seq=5 ttl=48 time=10.7 ms
64 bytes from 8.8.8.8: icmp_seq=6 ttl=48 time=10.6 ms
64 bytes from 8.8.8.8: icmp_seq=7 ttl=48 time=10.6 ms
64 bytes from 8.8.8.8: icmp_seq=8 ttl=48 time=10.8 ms
64 bytes from 8.8.8.8: icmp_seq=9 ttl=48 time=10.6 ms
64 bytes from 8.8.8.8: icmp_seq=10 ttl=48 time=10.5 ms

--- 8.8.8.8 ping statistics ---
10 packets transmitted, 10 received, 0% packet loss, time 9016ms
rtt min/avg/max/mdev = 10.563/10.677/10.832/0.153 ms

Anyone want to guess how close I am to the IP? :smiley:

2 Likes

Might update my Pi-hole from OpenDNS to this, especially with the "promise to wipe all logs of DNS queries within 24 hours." How true this statement is is debatable; however, speeds look good.

Does nobody use opens?

100m

A friend's getting 2ms and he's like 100m away from the main cable, but I don't know where it actually plugs into the thing.

1 Like

There are actually quite a few interesting DNS providers these days.

Quad9: Very fast, retains no records, blocks malicious domains. No DNScrypt, but supports DNS over TLS.

Adguard DNS: Blocks ads like a pi-hole, can be configured to block porno too, doesn’t retain logs, and supports DNScrypt.

Cloudflare: Very fast, retains no records, supports DNS over HTTPS but not DNScrypt.

Google DNS: Very fast, retains records for 48 hours, supports DNS over HTTPS but not DNScrypt.

OpenDNS: Can be configured to not retain logs, can be configured to block porno, blocks some malicious domains but that isn't its forte. Supports DNScrypt.

I run a Pi-hole at home, caching the Quad9 servers. This is the default on my home router and serves all my mobile clients, IoT, and streaming boxes. This blocks ads inside apps, which is otherwise very difficult to do. My various computers and lab stuff all point to Quad9 directly, as I block ads in browsers and such with uBlock Origin.

4 Likes

Last year that 9.9.9.9 was faster than 8.8.8.8

Netgate/pfsense is on board apparently:

3 Likes

This made me realize I’ve just been using my ISP’s DNS. I’m going to have some faith in CF and switched over to 1.1.1.1 for the time being. All this talk of Pi-Hole though… I think that’ll be my weekend project with my spare RPi 2.

1 Like

Anything should be an improvement over the ISP servers.

Let us know how it goes with the Pi-Hole.

Have any ISPs taken on CF for their DNS? Is there a reason/outcome why an ISP should ditch their own DNS and have their customers go straight to CF?

Yeah, some countries like to make a poor attempt at blocking websites by forcing ISPs to redirect DNS requests, like Australia and some torrent websites etc. By using a DNS other than your ISP's, you can get around this.

DNS is also the easiest way for ISPs to datamine you.

Not to mention it makes just as much sense for them to cache/provide DNS as it does any router that has multiple machines behind it. Lots of small traffic going out that never needs to leave the “local” net with proper network topology.

That ignores the datamine problem of course, but the main point being that there is less than zero incentive for an ISP to not provide DNS. It’s win-win for them.

1 Like

Yes, and it’s also a really inexpensive service to provide.

Unfortunately DNScrypt never made a lot of headway, and while DNS over HTTPS might do better, it’s still really early so you need to run a local proxy, and the only place to get one is to download source from some rando’s github and compile it yourself.
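The thread benchmarks 1.1.1.1, 8.8.8.8 and 9.9.9.9 with host/dig/ping, asks for a DNS-over-TLS upstream, and ends with the point that encrypted DNS still needs a local proxy. The following is an added example, not code from the thread or from any of the providers mentioned: a minimal DNS client in the Python standard library that builds the wire-format query, parses the reply (the same qr/rd/ra flags, rcode and TTL that dig prints above), and sends it either as cleartext UDP/53 or as DNS over TLS on port 853 (RFC 7858 framing), with TLS certificate and hostname verification so a resolver spoofed on the path fails the handshake. The TLS names cloudflare-dns.com and dns.quad9.net are assumed from the providers' documentation, and SAMPLE_RESPONSE is a constructed reply used for offline checking.

```python
"""Added example: minimal stdlib DNS client (UDP/53 and DNS over TLS/853)."""
import socket
import ssl
import struct
import time

A_RECORD = 1


def build_query(name: str, qtype: int = A_RECORD, txid: int = 0x1234) -> bytes:
    """Standard query, class IN, with the RD (recursion desired) flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def _read_name(msg: bytes, offset: int):
    """Decode a (possibly compressed) name; returns (name, offset after it)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        if length == 0:
            offset += 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), (end if jumped else offset)


def parse_response(msg: bytes) -> dict:
    """Return header flags, rcode and the answer RRs of a DNS message."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    out = {"id": txid, "rcode": flags & 0xF, "qr": bool(flags & 0x8000),
           "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080), "answers": []}
    offset = 12
    for _ in range(qd):                                 # skip the question section
        _, offset = _read_name(msg, offset)
        offset += 4                                     # QTYPE + QCLASS
    for _ in range(an):
        name, offset = _read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        data = socket.inet_ntoa(rdata) if rtype == A_RECORD and rdlen == 4 else rdata.hex()
        out["answers"].append({"name": name, "type": rtype, "ttl": ttl, "data": data})
    return out


def query_udp(server: str, name: str, timeout: float = 2.0):
    """Classic cleartext DNS on UDP/53; returns (parsed reply, milliseconds)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.perf_counter()
        sock.sendto(query, (server, 53))
        reply, _ = sock.recvfrom(4096)
    return parse_response(reply), (time.perf_counter() - start) * 1000


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def query_dot(server: str, tls_name: str, name: str, timeout: float = 2.0):
    """DNS over TLS (RFC 7858): 2-byte length framing inside TLS on port 853.
    The certificate is verified against tls_name; timing excludes the handshake."""
    query = build_query(name)
    ctx = ssl.create_default_context()                  # verifies cert and hostname
    with socket.create_connection((server, 853), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=tls_name) as tls:
            start = time.perf_counter()
            tls.sendall(struct.pack("!H", len(query)) + query)
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            reply = _recv_exact(tls, length)
    return parse_response(reply), (time.perf_counter() - start) * 1000


# Constructed reply (not captured traffic): id 0x1234, flags qr/rd/ra, rcode 0,
# one A answer for google.com with TTL 178 pointing at 216.58.212.238.
SAMPLE_RESPONSE = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
                   b"\x06google\x03com\x00\x00\x01\x00\x01"
                   b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\xb2\x00\x04\xd8\x3a\xd4\xee")

if __name__ == "__main__":
    # TLS names are assumed from the providers' documentation, not from the thread.
    probes = [("1.1.1.1 udp", lambda: query_udp("1.1.1.1", "google.com")),
              ("8.8.8.8 udp", lambda: query_udp("8.8.8.8", "google.com")),
              ("9.9.9.9 udp", lambda: query_udp("9.9.9.9", "google.com")),
              ("1.1.1.1 dot", lambda: query_dot("1.1.1.1", "cloudflare-dns.com", "google.com")),
              ("9.9.9.9 dot", lambda: query_dot("9.9.9.9", "dns.quad9.net", "google.com"))]
    for label, probe in probes:
        try:
            parsed, ms = probe()
            print(f"{label}: {ms:.1f} ms rcode={parsed['rcode']} answers={parsed['answers']}")
        except (OSError, ssl.SSLError) as exc:
            print(f"{label}: failed ({exc})")
```

Run it as a script to get a per-resolver timing like the ping tables above, but measured on actual DNS queries rather than ICMP; a DoT probe that fails its handshake (wrong certificate, port 853 filtered) shows up as a failure rather than silently falling back to cleartext, which is the behaviour you want from an upstream you are trusting for privacy.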