-
1.1.1.1 | Cloudflare DNS Resolver
-
I tried this on an FTTH connection yesterday; response times were 1 ms or less for regular DNS. I had to check whether some host within the LAN was hijacking the 1.1.1.1 address, and no, it was real :gw00t:
-
Quote:
Originally Posted by
anon
This has existed for two months now, but I only found out about it now.
Short details
1.1.1.1
1.0.0.1
2606:4700:4700::1111
2606:4700:4700::1001
No IP logs
At least no logs for more than 24 h, except if legally compelled to do otherwise...
Quote:
DNSSEC, DNS over TLS and DNS over HTTPS are available
And now DoT (DNS over Tor), so that CloudFlare normally doesn't know which IP is sending the DNS request, rendering IP logging far less concerning.
https://blog.cloudflare.com/welcome-hidden-resolver/
https://developers.cloudflare.com/1..../dns-over-tor/
-
Quote:
Originally Posted by
Renk
Nice initiative from them, I don't think I was aware of this.
Also, I recently encountered a Mitrastar FTTH router that reserves the 1.1.1.0/24 block for some internal interface that can't be removed. Only 1.0.0.1 works in that scenario.
-
I've been noticing some SSL issues etc. lately. As a last attempt, I changed my DNS settings to the Google ones instead of Cloudflare, and they stopped occurring ever since. It's weird. I can't even really imagine how they're related, but it has been very consistent so far.
-
Quote:
Originally Posted by
Renk
Using services of any big company is of course a bad idea, because they collect and have way too much data already. If you're interested in privacy, the likes of Google and Cloudflare are the last choice.
There are long lists of public DNS servers available at many sites, which are from no-name providers and located in liberal countries.
-
Quote:
Originally Posted by
Instab
Using services of any big company is of course a bad idea, because they collect and have way too much data already. If you're interested in privacy, the likes of Google and Cloudflare are the last choice.
There are long lists of public DNS servers available at many sites, which are from no-name providers and located in liberal countries.
The problem is that no-name providers may be honeypots as well. Or they may not be strong enough to resist some pressure (technical pressure such as DoS, hacks, or legal pressure). Or they don't present any audited capabilities. When you use a no-name DNS provider, you are hoping... Exactly as when/if you use a no-name VPN. A reputable entity has something to lose if it becomes unworthy of its reputation. A no-name entity has nothing to lose.
And the sad fact is that free & secure & uncensored DNS services are not in a healthy state now (and the number of independent liberal countries tends to shrink dramatically). For example: some years ago the German Privacy Foundation DNS was a good choice. Then they stopped providing DNS services, advising to use Swiss Privacy Foundation DNS... A good choice too (I think). But after a few years the SPF ceased to provide DNS, advising to use the service of "their friends" from Xiala. Which was probably (I think so but have no formal proof) a good choice too. But then... Recently Xiala stopped all activities, too. With no replacement advice this time.
Now, what remains, outside US/UK? CensurfriDNS, good rep, managed only by an individual (Denmark); SecureDNS.eu, managed by another individual (Netherlands). Better is probably CCC's DNS (good rep too, and the service does not rely on a sole individual), but they provide neither IPv6 DNS nor DoH or DoT. Ah, and OpenNic too. But it is an act of faith to use one of OpenNic's DNS servers. Interesting for occasional usage, to circumvent some DNS blockage. But for continual use?? As noticed here on the AirVPN forum, "Unfortunately, regardless of the OpenNIC DNS server I use sooner or later I end up seeing DNS queries being routed through the UK or USA. Multicasting effect of OpenNIC or programmed IP address swaps among opennic servers or other reasons I do not understand or do not know, but do not like it one bit my DNS queries often end up in internet privacy hell locations when using OpenNIC DNS servers referenced as allegedly being outside these locations."
So for casual activities, I think using Cloudflare's DNS is not such a bad choice, particularly DNS over TLS or HTTPS, over Tor. If you are really engaged in activities requiring a high level of privacy, it is best to use Tails or Whonix.
Here is a list of DNS services that seem not bad (promising no logs, outside Five Eyes countries, plausibly able to maintain a good level of security on their infrastructure):
SecureDNS.eu
See site (DoH, DoTLS, DnsCrypt, OpenNic TLD, NameCoin TLD)
ChaosComputerClub (Germany)
https://www.ccc.de/en/censorship/dns-howto
Code:
IPv4
194.150.168.168 (DNSSEC)
213.73.91.35
Censurfri DNS (Denmark - DNSSEC)
https://blog.censurfridns.dk/
Code:
IPv4
89.233.43.71
IPv6
2001:67c:28a4::
Piratpartiet DNS (Norway - OpenNIC TLD)
https://www.piratpartiet.no/dns/
Code:
IPv4
87.238.35.136
185.56.187.149
Ipredator DNS (Sweden)
https://ipredator.se/page/services#service_dns
Code:
IPv4:
194.132.32.32 (supports dnscrypt)
46.246.46.346
IPv6:
2001:67C:1350:DEAD:BEEF::246
2C0F:F930:DEAD:BEEF::32 (supports dnscrypt)
OVPN.com DNS (Sweden)
http://www.ovpn.com/en/blog/change-y...rvers-to-ovpns
Code:
IPv4
46.227.67.134
46.227.67.135
IPv6:
2a03:8600:8600::5a
2a03:8600:8600::5b
Mullvad DNS (Sweden)
https://mullvad.net/en/guides/dns-leaks/
Code:
IPv4
193.138.219.228
This list is not very long. If IPv6 resolving is required, it reduces to 4 services, of which 2 are managed by individuals. If you require IPv6 resolving and encryption (DoTLS or DoH), there is only one :( and it is run by an individual.
Maybe there are a few others I didn't find after many searches, but what are they really worth with regard to the criteria above?
NB: Italic = run by individual.
-
Quote:
Originally Posted by
Renk
So for casual activities, I think using Cloudflare's DNS is not such a bad choice
The sheer number of sites using Cloudflare disqualifies them on any level. The chances of hitting a honeypot or getting caught somewhere on the way with a no-name DNS are very low. And even if they were higher, it'd still just be a chance, while with Cloudflare every query counts.
Quote:
ChaosComputerClub (Germany)
Ipredator DNS (Sweden)
Germany and Sweden are no good choices. They're the USA's lackeys.
-
I honestly trust a no-name just as much as, or even less than, Google; who knows who put those up.
That being said, I'm mostly using something different from my default one because there are several blockades put up at the DNS level, and even if I don't visit most of those sites, I don't like the idea that they're blocked.
I see what you're saying, Instab, and I agree, but unless you can give one and absolutely 100% guarantee it's any better than getting a random one from God knows who, being paranoid about Google isn't going to help you out any more than the no-name one would. Why would they respect my privacy? And I doubt they'll withstand _any_ form of pressure put on them at all. In this situation, no one but myself can be trusted. At least I know what Google is doing with it.
Also, since you didn't mention the Norwegian one, I had a look at it. It's hella slow...
-
Quote:
Originally Posted by
Sazzy
being paranoid about google
This has nothing to do with paranoia but is simply the current situation. Sadly it has become quite normal.
Quote:
the noname one. Why would they respect my privacy and I doubt they'll withstand _any_ form of pressure put on them at all.
That's not the point at all. Of course I have no idea who they are and what they do. But unless it is indeed a honeypot, it doesn't matter, because the size of the company behind it puts that on a radically different level.
-
I mean, that's kind of what I meant. Maybe paranoia wasn't the right word.
Anyway... Isn't that completely the point? Company A is not safer than B and going with B because it's not as known yet easily found on google may not be that much better of an option. The point I was trying to make is that they're most likely both evil and it's choosing between a small name and a big one, but the main difference is that you sort of know what the big one is doing with your data and you have no clue what the small one is doing. Using google search, gmail, hangouts and what not probably makes it so that it's hardly a difference in my case anyway.
-
Quote:
Originally Posted by
Renk
And the sad fact is free&secure&uncensored DNS services is not in a healthy state now (and the number of independent liberal countries tend to reduce dramatically).
What do you think of these?
https://libredns.gr/
- DoH, DoT, no logs, hosted in Germany (verified via ping and TCP traceroute test).
https://surfshark.com/trust-dns
- DoH, DoT, no logs, anycast routing with servers in at least the USA, Netherlands, Germany and Singapore (verified via ping and TCP traceroute test).
- Only available as an Android app, but I installed it inside a VM and nothing differs from a standard implementation. DoH on https://dns.surfshark.com/dns-query, DoT on dns.surfshark.com:853.
https://applied-privacy.net/services/dns/
- DoH, DoT, DNS over Tor, no logs, hosted in Austria (verified via ping and TCP traceroute test).
- Supports very few TLS ciphers, which may prevent it from being usable at all depending on your client.
Acrylic DNS Proxy recently gained DNS-over-HTTPS support (and even more recently, I helped find and fix an important bug in its implementation =]), which means I wouldn't have to change my "infrastructure" to use DNS encryption. The problem is, being located in South America, the latency on all of these services is horrible.
Additionally, I ran ping.pe and tracetcp tests on all of them to get a better clue of where they're really located, but also which countries data travels through. This led me to find Surfshark's closest server is in the United States, not exactly the most trustworthy jurisdiction around... I'm not sure Germany (LibreDNS) is either. But these tests are highly location-sensitive, so make sure to run them yourself from the address you'll be using to send requests.
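The posts above refer to three checks a practitioner would actually run before trusting a resolver: that the DoT/DoH endpoints really answer (this post and the Surfshark/LibreDNS notes), that nothing on the LAN is impersonating 1.1.1.1 (the first post's "was it real?" question), and which anycast site is answering. As an added example, not code from any poster in this thread, here is a small Python client that does all three against Cloudflare. It assumes the DoT endpoint is 1.1.1.1:853 presenting a certificate for cloudflare-dns.com, that the DoH endpoint is https://cloudflare-dns.com/dns-query, and that the resolver answers a CHAOS TXT query for id.server with its point-of-presence code; all three are assumptions marked as such in the code. The hijack check is the TLS certificate verification: a box on the LAN answering on 1.1.1.1 cannot present a valid certificate for cloudflare-dns.com, so the handshake fails instead of silently returning forged answers.

```python
"""DoT / DoH sanity checks for a public resolver (added example, not from the thread)."""
import socket
import ssl
import struct
import urllib.request

# ASSUMPTIONS (not stated in the thread): endpoint addresses, TLS name and id.server behaviour.
DOT_HOST, DOT_PORT = "1.1.1.1", 853
DOT_TLS_NAME = "cloudflare-dns.com"               # assumed name on 1.1.1.1's certificate
DOH_URL = "https://cloudflare-dns.com/dns-query"  # assumed RFC 8484 endpoint

CLASS_IN, CLASS_CH = 1, 3
TYPE_A, TYPE_TXT, TYPE_AAAA = 1, 16, 28


def build_query(name, qtype=TYPE_A, qclass=CLASS_IN, txid=0x1234):
    """Build a minimal DNS wire-format query: 12-byte header (RD set) plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, qclass)


def read_name(msg, off):
    """Decode a possibly compressed name at offset; return (dotted name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                  # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2                      # caller continues after the pointer
            jumped, off = True, ptr
            continue
        if length == 0:
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), (end if jumped else off)


def render_rdata(rtype, rdata):
    """Turn raw RDATA into something readable for A, AAAA and TXT records."""
    if rtype == TYPE_A:
        return socket.inet_ntop(socket.AF_INET, rdata)
    if rtype == TYPE_AAAA:
        return socket.inet_ntop(socket.AF_INET6, rdata)
    if rtype == TYPE_TXT:                          # sequence of <len><chars> strings
        out, i = [], 0
        while i < len(rdata):
            n = rdata[i]
            out.append(rdata[i + 1:i + 1 + n].decode("utf-8", "replace"))
            i += 1 + n
        return "".join(out)
    return rdata.hex()


def parse_response(msg, expected_txid=None):
    """Parse a DNS response into {'rcode', 'tc', 'answers': [(name, type, ttl, rdata)]}."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch: possible spoofed or stale reply")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is not a response")
    off = 12
    for _ in range(qd):                            # skip the echoed question section
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((name, rtype, ttl, render_rdata(rtype, msg[off:off + rdlen])))
        off += rdlen
    return {"rcode": flags & 0xF, "tc": bool(flags & 0x0200), "answers": answers}


def recv_exact(sock, n):
    """Read exactly n bytes from a stream socket or fail loudly."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def query_dot(query, host=DOT_HOST, port=DOT_PORT, tls_name=DOT_TLS_NAME, timeout=5):
    """DNS over TLS (RFC 7858): TLS 1.2+, hostname-verified, 2-byte length-prefixed messages."""
    ctx = ssl.create_default_context()             # verifies chain AND hostname: the hijack check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=tls_name) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)
            length = struct.unpack("!H", recv_exact(tls, 2))[0]
            return recv_exact(tls, length)


def query_doh(query, url=DOH_URL, timeout=5):
    """DNS over HTTPS (RFC 8484): POST the wire-format query as application/dns-message."""
    req = urllib.request.Request(url, data=query, method="POST", headers={
        "Content-Type": "application/dns-message", "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    q = build_query("example.com", TYPE_A, txid=0x4242)
    print("DoT:", parse_response(query_dot(q), expected_txid=0x4242)["answers"])
    print("DoH:", parse_response(query_doh(q), expected_txid=0x4242)["answers"])
    pop = build_query("id.server", TYPE_TXT, CLASS_CH, txid=0x0101)   # assumed PoP query
    print("PoP:", parse_response(query_dot(pop), expected_txid=0x0101)["answers"])
```

If the DoT call raises `ssl.SSLCertVerificationError`, something between you and 1.1.1.1 is terminating the connection; that is the positive hijack result the first post was looking for, and it is worth more than a sub-millisecond ping. The id.server answer tells you which anycast site took the query, which is the same question the TCP traceroute above is trying to answer, so run both from the network you will actually be using.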
-
More DoH servers at https://github.com/curl/curl/wiki/DNS-over-HTTPS
A few of them have ceased operations, but it's still a good list.
-
Cloudflare is Cloudflare... Quad9's biggest sponsor is the Global Cyber Alliance, which has the City of London Police and the New York District Attorney's Office as its founding members... take your pick. Also, the fact that a quick copy & paste got several dozen upvotes (and two awards) while comments suggesting alternatives were downvoted into oblivion makes me think that subreddit isn't exactly unbiased.
Anyway, I still stand by my picks on post #12, although you may want to do a TCP traceroute to Surfshark and forget about them if you get anycast-routed to their United States server.