Results 1 to 12 of 12

Thread: 1.1.1.1 | Cloudflare DNS Resolver

  1. #1
    Moderator anon's Avatar
    Join Date
    01.02.08
    Posts
    35,901
    Activity Longevity
    12/20 19/20
    Today Posts
    0/5 ssss35901
    "Come visit sometime, okay? We'll always be here for you. We... we all love you."
    Reply With QuoteReply With Quote
    Thanks

  2. Who Said Thanks:

    Renk (03.02.19) , Master Razor (06.07.18) , cloud99 (12.06.18)

  3. #2
    Moderator anon's Avatar
    Join Date
    01.02.08
    Posts
    35,901
    Activity Longevity
    12/20 19/20
    Today Posts
    0/5 ssss35901
    I tried this on an FTTH connection yesterday, response times were 1 ms or less for regular DNS. I had to check if some host within the LAN was hijacking the 1.1.1.1 address and no, it was real
    "Come visit sometime, okay? We'll always be here for you. We... we all love you."
    Reply With QuoteReply With Quote
    Thanks

  4. #3
    Renk's Avatar
    Join Date
    17.08.08
    Location
    Elsewhere
    P2P Client
    utorrent
    Posts
    524
    Activity Longevity
    0/20 18/20
    Today Posts
    0/5 ssssss524
    Quote Originally Posted by anon View Post
    This has existed for two months now, but I only found out about it now.

    Short details

    1.1.1.1
    1.0.0.1
    2606:4700:4700::1111
    2606:4700:4700::1001
    No IP logs
    At least no logs for more than 24h, and except if legally submitted to do otherwise...

    DNSSEC, DNS over TLS and DNS over HTTPS are available

    And now DoT (DNS overTor), so that CloudFlare normally doens't know wich IP is sending the DNS request, rendering IP logging far less concerning.

    https://blog.cloudflare.com/welcome-hidden-resolver/
    https://developers.cloudflare.com/1..../dns-over-tor/
    Last edited by Renk; 03.02.19 at 03:34.
    Reply With QuoteReply With Quote
    Thanks

  5. Who Said Thanks:

    anon (03.02.19)

  6. #4
    Moderator anon's Avatar
    Join Date
    01.02.08
    Posts
    35,901
    Activity Longevity
    12/20 19/20
    Today Posts
    0/5 ssss35901
    Quote Originally Posted by Renk View Post
    And now DoT (DNS overTor), so that CloudFlare normally doens't know wich IP is sending the DNS request, rendering IP logging far less concerning.

    https://blog.cloudflare.com/welcome-hidden-resolver/
    https://developers.cloudflare.com/1..../dns-over-tor/
    Nice initiative from them, I don't think I was aware of this.

    Also, I recently encountered a Mitrastar FTTH router that reserves the 1.1.1.0/24 block for some internal interface that can't be removed. Only 1.0.0.1 works in that scenario.
    "Come visit sometime, okay? We'll always be here for you. We... we all love you."
    Reply With QuoteReply With Quote
    Thanks

  7. #5
    I've been noticing some SSL issues etc lately. As a last attempt, I changed my DNS settings to the google ones instead of cloudflare, and they stopped occurring ever since. It's weird. I can't even really imagine how they're related, but it was very consistent so far.
    g̺̗͙̺l̜̜i͖̦͇̙t͕̲̜c͇̮͕̺̩͎̰̜h͕̦̘
    Reply With QuoteReply With Quote
    Thanks

  8. #6
    Moderator
    Instab's Avatar
    Join Date
    18.09.09
    Posts
    6,634
    Activity Longevity
    6/20 17/20
    Today Posts
    0/5 sssss6634
    Quote Originally Posted by Renk View Post
    At least no logs for more than 24h, and except if legally submitted to do otherwise...
    And now DoT (DNS overTor), so that CloudFlare normally doens't know wich IP is sending the DNS request, rendering IP logging far less concerning.
    https://blog.cloudflare.com/welcome-hidden-resolver/
    https://developers.cloudflare.com/1..../dns-over-tor/
    using services of any big company is of course a bad idea, because they collect and have way too much data already. if you're interested in privacy, the likes of google and cloudflare are the last choice.
    there're long lists of public dns servers available at many sites, which are from no-name providers and located in liberal countries.
    Your account has been disabled.
    Reply With QuoteReply With Quote
    Thanks

  9. #7
    Renk's Avatar
    Join Date
    17.08.08
    Location
    Elsewhere
    P2P Client
    utorrent
    Posts
    524
    Activity Longevity
    0/20 18/20
    Today Posts
    0/5 ssssss524
    Quote Originally Posted by Instab View Post
    using services of any big company is of course a bad idea, because they collect and have way too much data already. if you're interested in privacy, the likes of google and cloudflare are the last choice.
    there're long lists of public dns servers available at many sites, which are from no-name providers and located in liberal countries.

    The problem is noname providers may be honeypots as well. Or may not be strong enough to resist against some pressure (technical pressure such as DoD, hacks, or legal pressure). Or don't present any audited capabilities. When you you use a noname DNS provider, you are hoping... Exactly as when/if you use noname vpn. A reputable entity has something to lost if it become unworthy of his reputation. A noname entity has nothing to lose.

    And the sad fact is free&secure&uncensored DNS services is not in a healthy state now (and the number of independent liberal countries tend to reduce dramatically). For example: some years ago the German Privacy Foundation DNS was a good choice. Then they stopped providing DNS services, advising to use Swiss Privacy Foundation DNS... A good choice too (I think). But after a few years the SPF ceased to provide DNS, advising to use the service of "their friends" from Xiala. Which was probably (I think so but have no formal proof) a good choice too. But then... Recently Xiala stopped all activities, too. With no replacement advises this times.

    Now, what remains, outside US/UK? CensurfriDNS, good rep, managed only by an individual (Denmark), SecureDNS.eu, managed by an other individual (Netherlands). Better is probably CCC's DNS (good rep. too, and the service does not rely on a sole individual), but they don't provide neither IPv6 DNS, nor DoH or DoT. Ah, and OpenNic too. But it is an act of faith to use one of the OpenNic's DNS. Interesting for ponctual usage, to circumvent some DNS blockage. But for continual use?? As noticed here on AirVPN forum, "Unfortunately, regardless of the OpenNIC DNS server I use sooner or later I end up seeing DNS queries being routed through the UK or USA. Multicasting effect of OpenNIC or programmed IP address swaps among opennic servers or other reasons I do not understand or do not know, but do not like it one bit my DNS queries often end up in internet privacy hell locations when using OpenNIC DNS servers referenced as allegedly being outside these locations."

    So for casual activities, I think using ClouFlare's DNS is not a so bad choice, particularly DNS over TLS or Https, over Tor. If you are really engaged in activities requiring high level of privacy, best to use Tails or Whonix.



    Here a list of DNS services that seem not bad (promising no log, outside 5 eyes countries, plausibly able to maintain a good level of security on their infrastrure):

    SecureDNS.eu
    See site (DoH, DoTLS, DnsCrypt, OpenNic TLD, NameCoin TLD)



    ChaosComputerClub (Germany)
    https://www.ccc.de/en/censorship/dns-howto

    Code:
    IPV4
    194.150.168.168  (DNSSEC)
    213.73.91.35


    Censurfri DNS (Denmark - DNSSEC)
    https://blog.censurfridns.dk/

    Code:
    IPv4
    89.233.43.71
    
    IPv6
    2001:67c:28a4::

    Piratat Partiet DNS (Norway - OpenNIC TLD)
    https://www.piratpartiet.no/dns/
    Code:
    IPv4
    87.238.35.136 
    185.56.187.149

    Ipredator DNS (Sweden)
    https://ipredator.se/page/services#service_dns
    Code:
    IPv4:
    194.132.32.32 (supports dnscrypt)
    46.246.46.346
    
    IPv6:
    2001:67C:1350:DEAD:BEEF::246
    2C0F:F930:DEAD:BEEF::32   (supports dnscrypt)

    OVPN.com DNS (Sweden)
    http://www.ovpn.com/en/blog/change-y...rvers-to-ovpns

    Code:
    IPv4
    46.227.67.134
    46.227.67.135
    
    IPv6:
    2a03:8600:8600::5a
    2a03:8600:8600::5b

    Mullvad DNS (Sweden)
    https://mullvad.net/en/guides/dns-leaks/

    Code:
    IPv4
    193.138.219.228
    This list is not very long. If IPv6 resolving is required, it reduces to 4 services, of which 2 are managed by individuals. If you require Ipv6 resolving and encryption (DoTLS or DoH), there is only one :( . It is run by an individual.

    Maybe there are few others I didn't found after many searches, but what are they really worth in regard to the criteria above?


    NB: Italic = run by individual.
    Last edited by Renk; 04.02.19 at 00:06.
    Reply With QuoteReply With Quote
    Thanks

  10. Who Said Thanks:

    anon (06.02.19) , H265 (05.02.19)

  11. #8
    Moderator
    Instab's Avatar
    Join Date
    18.09.09
    Posts
    6,634
    Activity Longevity
    6/20 17/20
    Today Posts
    0/5 sssss6634
    Quote Originally Posted by Renk View Post
    So for casual activities, I think using ClouFlare's DNS is not a so bad choice
    the sheer number of sites using cloudflare disqualifies them on any level. the chances of hitting a honeypot or getting caught somewhere on the way with a no-name dns are very low. and even if they were higher, it'd still just be a chance while with cloudflare every query counts.

    ChaosComputerClub (Germany)
    Ipredator DNS (Sweden)
    germany and sweden are no good choices. they're usa's lackeys.
    Your account has been disabled.
    Reply With QuoteReply With Quote
    Thanks

  12. Who Said Thanks:

    Rebound (04.02.19)

  13. #9
    I honestly trust a noname just as much or even less than google who knows who put those up.
    That being said, I'm mostly using something different from my default one because there's several blockades put up on a dns level and even if I don't visit most of those sites, I don't like the idea that they're blocked.

    I see what you're saying instab and I agree, but unless you can give one and absolutely 100% guarantee it's any better than getting a random one from god knows who, being paranoid about google isn't going to help you out any more with the noname one. Why would they respect my privacy and I doubt they'll withstand _any_ form of pressure put on them at all. In this situation, no one but myself can be trusted. At least I know what Google is doing with it.

    Also, since you didn't mention the norway one I had a look at it. It's hella slow...
    Last edited by Sazzy; 04.02.19 at 22:53.
    g̺̗͙̺l̜̜i͖̦͇̙t͕̲̜c͇̮͕̺̩͎̰̜h͕̦̘
    Reply With QuoteReply With Quote
    Thanks

  14. #10
    Moderator
    Instab's Avatar
    Join Date
    18.09.09
    Posts
    6,634
    Activity Longevity
    6/20 17/20
    Today Posts
    0/5 sssss6634
    Quote Originally Posted by Sazzy View Post
    being paranoid about google
    this has nothing to do with paranoia but simply is the current situation. sadly it has become quite normal.

    the noname one. Why would they respect my privacy and I doubt they'll withstand _any_ form of pressure put on them at all.
    that's not the point at all. of course i have no idea who they are and what they do. but unless it is indeed a honeypot, it doesn't matter because the size of the company behind it puts that on a radically different level.
    Your account has been disabled.
    Reply With QuoteReply With Quote
    Thanks

  15. #11
    I mean, that's kind of what I meant. Maybe paranoia wasn't the right word.

    Anyway... Isn't that completely the point? Company A is not safer than B and going with B because it's not as known yet easily found on google may not be that much better of an option. The point I was trying to make is that they're most likely both evil and it's choosing between a small name and a big one, but the main difference is that you sort of know what the big one is doing with your data and you have no clue what the small one is doing. Using google search, gmail, hangouts and what not probably makes it so that it's hardly a difference in my case anyway.
    Last edited by Sazzy; 05.02.19 at 22:45.
    g̺̗͙̺l̜̜i͖̦͇̙t͕̲̜c͇̮͕̺̩͎̰̜h͕̦̘
    Reply With QuoteReply With Quote
    Thanks

  16. #12
    Moderator anon's Avatar
    Join Date
    01.02.08
    Posts
    35,901
    Activity Longevity
    12/20 19/20
    Today Posts
    0/5 ssss35901
    Quote Originally Posted by Renk View Post
    And the sad fact is free&secure&uncensored DNS services is not in a healthy state now (and the number of independent liberal countries tend to reduce dramatically).
    What do you think of these?

    https://libredns.gr/
    • DoH, DoT, no logs, hosted in Germany (verified via ping and TCP traceroute test).

    https://surfshark.com/trust-dns
    • DoH, DoT, no logs, anycast routing with servers in at least the USA, Netherlands, Germany and Singapore (verified via ping and TCP traceroute test).
    • Only available as an Android app, but I installed it inside a VM and nothing differs from a standard implementation. DoH on https://dns.surfshark.com/dns-query, DoT on dns.surfshark.com:853.

    https://applied-privacy.net/services/dns/
    • DoH, DoT, DNS over Tor, no logs, hosted in Austria (verified via ping and TCP traceroute test).
    • Supports very few TLS ciphers, which may prevent it from being usable at all depending on your client.

    Acrylic DNS Proxy recently gained DNS-over-HTTPS support (and even more recently, I helped find and fix an important bug on its implementation ), which means I wouldn't have to change my "infrastructure" to use DNS encryption. The problem is, being located in South America, the latency on all of these services is horrible.

    Additionally, I ran ping.pe and tracetcp tests on all of them to get a better clue of where they're really located, but also which countries data travels through. This led me to find Surfshark's closest server is in the United States, not exactly the most trustworthy jurisdiction around... I'm not sure Germany (LibreDNS) is either. But these tests are highly location-sensitive, so make sure to run them yourself from the address you'll be using to send requests.
    "Come visit sometime, okay? We'll always be here for you. We... we all love you."
    Reply With QuoteReply With Quote
    Thanks

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •