Thread: 1.1.1.1 | Cloudflare DNS Resolver

  1. #1
    anon (Moderator)


  3. #2
    anon (Moderator)
    I tried this on an FTTH connection yesterday; response times were 1 ms or less for regular DNS. I had to check whether some host within the LAN was hijacking the 1.1.1.1 address, and no, it was real.

  4. #3
    Renk
    Quote Originally Posted by anon View Post
    This has existed for two months now, but I only found out about it now.

    Short details

    1.1.1.1
    1.0.0.1
    2606:4700:4700::1111
    2606:4700:4700::1001
    No IP logs
    At least no logs for more than 24h, and except if legally submitted to do otherwise...

    DNSSEC, DNS over TLS and DNS over HTTPS are available

    And now DoT (DNS over Tor), so that CloudFlare normally doesn't know which IP is sending the DNS request, rendering IP logging far less concerning.

    https://blog.cloudflare.com/welcome-hidden-resolver/
    https://developers.cloudflare.com/1..../dns-over-tor/
    Last edited by Renk; 03.02.19 at 02:34.


  6. #4
    anon (Moderator)
    Quote Originally Posted by Renk View Post
    And now DoT (DNS over Tor), so that CloudFlare normally doesn't know which IP is sending the DNS request, rendering IP logging far less concerning.

    https://blog.cloudflare.com/welcome-hidden-resolver/
    https://developers.cloudflare.com/1..../dns-over-tor/
    Nice initiative from them, I don't think I was aware of this.

    Also, I wrote a quick script that will make an API query to this service and output the results. Even if you don't use it in a "normal" way, it can be interesting to check for differences against your name servers of choice, especially if not using a trusted connection and/or before doing sensitive tasks (banking, e-mail).

    Usage: cfdns.bat [-0] [hostname]

    The parameter -0 makes it use 1.0.0.1 instead; I had to add this after encountering a Mitrastar FTTH router which reserves the 1.1.1.0/24 block for some internal interface that can't be removed. There is an interactive mode if you don't specify a hostname.

    Warning: https://eternallybored.org/misc/wget/ must be in the same directory as the script or in your PATH for this to work.

    Code:
    @echo off
    rem Default resolver address; -0 switches to 1.0.0.1 (see the note above)
    set CFIP=1.1.1.1
    if "%1"=="-0" (
    	set CFIP=1.0.0.1
    	if "%2"=="" (
    		set /p DOMAIN=Enter domain to check: 
    	) else (
    		set DOMAIN=%2
    	)
    	goto main
    )
    
    rem No -0 flag: the first argument is the hostname, or ask for one interactively
    if "%1"=="" (
    	set /p DOMAIN=Enter domain to check: 
    ) else (
    	set DOMAIN=%1
    )
    goto main
    
    :main
    echo Checking domain %DOMAIN% on Cloudflare DNS %CFIP%...
    echo.
    rem Query the DNS-over-HTTPS JSON endpoint for the A record and print the raw response
    wget "https://%CFIP%/dns-query?ct=application/dns-json&name=%DOMAIN%&type=A" -q -t 1 -O -
    rem Clean up the environment variables
    set CFIP=
    set DOMAIN=

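    The same check in Python, as an added example that is not anon's script or Cloudflare's code: it builds the same dns-json URL the batch file uses (with the -0 style fallback to 1.0.0.1), parses the JSON reply, and compares the A records with what the system resolver returns, which is the "check for differences against your name servers of choice" use anon describes. The sample responses embedded below are constructed in the shape of the API's output, with addresses from the documentation ranges; only the live lookup touches the network.

```python
"""Query Cloudflare's DNS-over-HTTPS JSON endpoint and compare with the local resolver."""
import json
import socket
import urllib.parse
import urllib.request

# Constructed sample responses in the shape the dns-json API returns.
# Not captured from Cloudflare; the addresses are documentation ranges (RFC 5737).
SAMPLE_OK = json.dumps({
    "Status": 0, "TC": False, "RD": True, "RA": True, "AD": True, "CD": False,
    "Question": [{"name": "example.com.", "type": 1}],
    "Answer": [
        {"name": "example.com.", "type": 1, "TTL": 300, "data": "192.0.2.10"},
        {"name": "example.com.", "type": 1, "TTL": 300, "data": "192.0.2.11"},
    ],
})
SAMPLE_NXDOMAIN = json.dumps({
    "Status": 3, "TC": False, "RD": True, "RA": True, "AD": False, "CD": False,
    "Question": [{"name": "nonexistent.example.", "type": 1}],
})

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
TYPE_A = 1


def build_url(domain, use_1001=False):
    """Same endpoint the batch script hits; use_1001 mirrors its -0 switch."""
    host = "1.0.0.1" if use_1001 else "1.1.1.1"
    params = urllib.parse.urlencode(
        {"ct": "application/dns-json", "name": domain, "type": "A"})
    return f"https://{host}/dns-query?{params}"


def parse_dns_json(text):
    """Reduce a dns-json body to the fields worth looking at.

    AD is the DNSSEC "authenticated data" flag: the resolver validated the chain.
    """
    body = json.loads(text)
    status = body.get("Status", -1)
    answers = [(rr["name"], rr["type"], rr["TTL"], rr["data"])
               for rr in body.get("Answer", [])]
    return {
        "rcode": RCODE_NAMES.get(status, f"RCODE{status}"),
        "dnssec_validated": bool(body.get("AD", False)),
        "truncated": bool(body.get("TC", False)),
        "answers": answers,
    }


def a_records(parsed):
    """Set of IPv4 addresses from the A records in a parsed reply."""
    return {data for (_n, rtype, _ttl, data) in parsed["answers"] if rtype == TYPE_A}


def query_cloudflare(domain, use_1001=False, timeout=5):
    """Live lookup over HTTPS (network); not exercised by the offline checks."""
    req = urllib.request.Request(build_url(domain, use_1001),
                                 headers={"Accept": "application/dns-json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_dns_json(resp.read().decode("utf-8"))


def local_a_records(domain):
    """A records as seen through whatever resolver the OS is configured to use."""
    try:
        infos = socket.getaddrinfo(domain, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def compare(cloudflare_addrs, local_addrs):
    """Flag addresses that one side returns and the other does not."""
    return {
        "agree": cloudflare_addrs == local_addrs,
        "only_cloudflare": sorted(cloudflare_addrs - local_addrs),
        "only_local": sorted(local_addrs - cloudflare_addrs),
    }


if __name__ == "__main__":
    import sys
    args = [a for a in sys.argv[1:] if a != "-0"]
    domain = args[0] if args else input("Enter domain to check: ")
    cf = query_cloudflare(domain, use_1001="-0" in sys.argv)
    print(cf["rcode"], "DNSSEC validated:", cf["dnssec_validated"])
    print(compare(a_records(cf), local_a_records(domain)))
```

    A mismatch is a prompt to look closer, not proof of tampering: CDN-hosted names legitimately return different addresses per region and per query, so a disagreement on a round-robin name is expected, while a disagreement on a bank's login host on an untrusted network is the case worth investigating.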

  8. #5
    I've been noticing some SSL issues etc lately. As a last attempt, I changed my DNS settings to the google ones instead of cloudflare, and they stopped occurring ever since. It's weird. I can't even really imagine how they're related, but it was very consistent so far.

  9. #6
    Instab (Moderator)
    Quote Originally Posted by Renk View Post
    At least no logs for more than 24h, and except if legally submitted to do otherwise...
    And now DoT (DNS over Tor), so that CloudFlare normally doesn't know which IP is sending the DNS request, rendering IP logging far less concerning.
    https://blog.cloudflare.com/welcome-hidden-resolver/
    https://developers.cloudflare.com/1..../dns-over-tor/
    using services of any big company is of course a bad idea, because they collect and have way too much data already. if you're interested in privacy, the likes of google and cloudflare are the last choice.
    there're long lists of public dns servers available at many sites, which are from no-name providers and located in liberal countries.

  10. #7
    Renk
    Quote Originally Posted by Instab View Post
    using services of any big company is of course a bad idea, because they collect and have way too much data already. if you're interested in privacy, the likes of google and cloudflare are the last choice.
    there're long lists of public dns servers available at many sites, which are from no-name providers and located in liberal countries.

    The problem is noname providers may be honeypots as well. Or may not be strong enough to resist some pressure (technical pressure such as DoD, hacks, or legal pressure). Or don't present any audited capabilities. When you use a noname DNS provider, you are hoping... Exactly as when/if you use a noname VPN. A reputable entity has something to lose if it becomes unworthy of its reputation. A noname entity has nothing to lose.

    And the sad fact is that free, secure and uncensored DNS services are not in a healthy state now (and the number of independent liberal countries tends to reduce dramatically). For example: some years ago the German Privacy Foundation DNS was a good choice. Then they stopped providing DNS services, advising to use Swiss Privacy Foundation DNS... A good choice too (I think). But after a few years the SPF ceased to provide DNS, advising to use the service of "their friends" from Xiala. Which was probably (I think so but have no formal proof) a good choice too. But then... Recently Xiala stopped all activities, too. With no replacement advice this time.

    Now, what remains, outside US/UK? CensurfriDNS, good rep, managed only by an individual (Denmark), SecureDNS.eu, managed by another individual (Netherlands). Better is probably CCC's DNS (good rep. too, and the service does not rely on a sole individual), but they provide neither IPv6 DNS nor DoH or DoT. Ah, and OpenNic too. But it is an act of faith to use one of OpenNic's DNS. Interesting for punctual usage, to circumvent some DNS blockage. But for continual use?? As noted on the AirVPN forum, "Unfortunately, regardless of the OpenNIC DNS server I use sooner or later I end up seeing DNS queries being routed through the UK or USA. Multicasting effect of OpenNIC or programmed IP address swaps among opennic servers or other reasons I do not understand or do not know, but do not like it one bit my DNS queries often end up in internet privacy hell locations when using OpenNIC DNS servers referenced as allegedly being outside these locations."

    So for casual activities, I think using Cloudflare's DNS is not such a bad choice, particularly DNS over TLS or HTTPS, over Tor. If you are really engaged in activities requiring a high level of privacy, it is best to use Tails or Whonix.



    Here is a list of DNS services that seem not bad (promising no logs, outside the 5 eyes countries, plausibly able to maintain a good level of security on their infrastructure):

    SecureDNS.eu
    See site (DoH, DoTLS, DnsCrypt, OpenNic TLD, NameCoin TLD)



    ChaosComputerClub (Germany)
    https://www.ccc.de/en/censorship/dns-howto

    Code:
    IPV4
    194.150.168.168  (DNSSEC)
    213.73.91.35


    Censurfri DNS (Denmark - DNSSEC)
    https://blog.censurfridns.dk/

    Code:
    IPv4
    89.233.43.71
    
    IPv6
    2001:67c:28a4::

    Piratpartiet DNS (Norway - OpenNIC TLD)
    https://www.piratpartiet.no/dns/
    Code:
    IPv4
    87.238.35.136 
    185.56.187.149

    Ipredator DNS (Sweden)
    https://ipredator.se/page/services#service_dns
    Code:
    IPv4:
    194.132.32.32 (supports dnscrypt)
    46.246.46.346
    
    IPv6:
    2001:67C:1350:DEAD:BEEF::246
    2C0F:F930:DEAD:BEEF::32   (supports dnscrypt)

    OVPN.com DNS (Sweden)
    http://www.ovpn.com/en/blog/change-y...rvers-to-ovpns

    Code:
    IPv4
    46.227.67.134
    46.227.67.135
    
    IPv6:
    2a03:8600:8600::5a
    2a03:8600:8600::5b

    Mullvad DNS (Sweden)
    https://mullvad.net/en/guides/dns-leaks/

    Code:
    IPv4
    193.138.219.228
    This list is not very long. If IPv6 resolving is required, it reduces to 4 services, of which 2 are managed by individuals. If you require IPv6 resolving and encryption (DoTLS or DoH), there is only one :( . It is run by an individual.

    Maybe there are a few others I didn't find after many searches, but what are they really worth in regard to the criteria above?


    NB: Italic = run by individual.
    Last edited by Renk; 03.02.19 at 23:06.


  12. #8
    Instab (Moderator)
    Quote Originally Posted by Renk View Post
    So for casual activities, I think using Cloudflare's DNS is not such a bad choice
    the sheer number of sites using cloudflare disqualifies them on any level. the chances of hitting a honeypot or getting caught somewhere on the way with a no-name dns are very low. and even if they were higher, it'd still just be a chance while with cloudflare every query counts.

    ChaosComputerClub (Germany)
    Ipredator DNS (Sweden)
    germany and sweden are no good choices. they're usa's lackeys.


  14. #9
    I honestly trust a noname just as much or even less than google who knows who put those up.
    That being said, I'm mostly using something different from my default one because there's several blockades put up on a dns level and even if I don't visit most of those sites, I don't like the idea that they're blocked.

    I see what you're saying instab and I agree, but unless you can give one and absolutely 100% guarantee it's any better than getting a random one from god knows who, being paranoid about google isn't going to help you out any more with the noname one. Why would they respect my privacy and I doubt they'll withstand _any_ form of pressure put on them at all. In this situation, no one but myself can be trusted. At least I know what Google is doing with it.

    Also, since you didn't mention the norway one I had a look at it. It's hella slow...
    Last edited by Sazzy; 04.02.19 at 21:53.

  15. #10
    Instab (Moderator)
    Quote Originally Posted by Sazzy View Post
    being paranoid about google
    this has nothing to do with paranoia but simply is the current situation. sadly it has become quite normal.

    the noname one. Why would they respect my privacy and I doubt they'll withstand _any_ form of pressure put on them at all.
    that's not the point at all. of course i have no idea who they are and what they do. but unless it is indeed a honeypot, it doesn't matter because the size of the company behind it puts that on a radically different level.

  16. #11
    I mean, that's kind of what I meant. Maybe paranoia wasn't the right word.

    Anyway... Isn't that completely the point? Company A is not safer than B and going with B because it's not as known yet easily found on google may not be that much better of an option. The point I was trying to make is that they're most likely both evil and it's choosing between a small name and a big one, but the main difference is that you sort of know what the big one is doing with your data and you have no clue what the small one is doing. Using google search, gmail, hangouts and what not probably makes it so that it's hardly a difference in my case anyway.
    Last edited by Sazzy; 05.02.19 at 21:45.

  17. #12
    anon (Moderator)

