Cloudflare's free DNS

Re: Cloudflare's free DNS

Marilyn Matty




Sent from my iPad

> On Apr 2, 2018, at 3:54 PM, Fearghas Mckay <[hidden email]> wrote:
>
>
>
>> On 2 Apr 2018, at 14:42, Marilyn Matty <[hidden email]> wrote:
>>
>>
>> Waiting over a year for the results of an audit? Even if I knew something about Cloudflare, which I don't, I think this is something to be concerned about.
>
> Would you rather they waited for 20 minutes and issued a report stating that they were happy with the processes being carried out and everything is ok?

Ideally, they should be monitoring 24/7 and having an audit at the very least monthly. The data is available immediately.

Nielsen issues its broadcast audits on a weekly, often daily, basis. Nielsen Arbitron releases its radio numbers weekly. Syndicated magazine data, which takes much longer to accumulate, every 6 months, because they're dealing with postal and shipping data.

>
> The aim of the annual report is to show that the commitments being made are being kept on an ongoing basis.

If the data for a fiscal year of May 2018 - May 2019 is delivered to the auditors in June 2019, by the time the auditors get through all the data, irregularities will probably not be reported until close to 2020. But maybe some guilt-ridden former employee will spill the beans on any irregularities before then, like with Facebook and Cambridge Analytica.

> There are two partners in this project - Cloudflare who are providing the infrastructure and service on one side, the IP address space and research analysis comes from APNIC which is the Asia Pacific Network Information Centre, one of the Regional Internet Registries, an equivalent to ARIN for folk who handle IP address space and resources. APNIC is part of the community, their research people are respected worldwide and they have the ability to pull the plug if Cloudflare misbehave. There are checks and balances in this program.

Equifax, Yahoo, Target, Anthem Health, eBay, etc. etc., etc., all with phalanxes of highly regarded security teams, had big problems in the past year or so. Just yesterday Hudson's Bay announced Saks 5th Ave and Lord & Taylor had a humongous one.

>
> Geoff Huston APNIC’s Chief Scientist did a blog post about it giving more background - https://blog.apnic.net/2018/04/02/apnic-labs-enters-into-a-research-agreement-with-cloudflare/
>
> Have a read, it clearly shows what they are trying to research along with improving better DNS infrastructure for everyone.

I'm glad they are doing this, but even with the best intentions, if results aren't independently audited and reported on a timely basis, something can go drastically wrong and not be reported till a lot of damage is done. DNS info can easily be available and run through the auditing processes. It's not like magazines and newspapers that have to accumulate data from shipping, postage, single copy returns that takes months to accumulate and tally.


> If you get a chance to watch a video of any of Geoff’s talks they are always interesting, well done and popular. He is in high demand for the quality of his internet research and the quantity of it, he has standing invitations to most Network Operator Group meetings since he always has something to say that is interesting.

I'll make a point of checking it out in a day or two, and I'm sure I'll find it very helpful and interesting.

>
> PS obvious disclaimer I know a lot of folk at CloudFlare & APNIC.
>

Though I'm loath to admit I'm almost as old as the pyramids, I've been working extensively with market research data for over 40 years.

Marilyn



____________TidBITS Talk Participation Guidelines____________
Post only when you have something substantive to contribute.
Be polite and constructive, and comment on posts, not people.
Quote sparingly, if at all. We all read the previous message.
Start threads with a new message to [hidden email].
Read archives at: http://tidbits.com/pipermail/tidbits-talk/
Unsubscribe at: http://tidbits.com/mailman/options/tidbits-talk
____Mailing List Manners: http://tidbits.com/series/1141 ____

Re: Cloudflare's free DNS

Al Varnell
In reply to this post by Fritz Mills
On Mon, Apr 02, 2018 at 08:14 AM, Fritz Mills wrote:

>> On Apr 2, 2018, at 7:48 AM, Rodney <[hidden email]> wrote:
>>
>> Has anyone looked at this?
>>
>> I have heard of Cloudflare, so I’m not as skeptical as I’d normally be, but I won’t be completely comfortable until I figure out what’s in it for Cloudflare.
>>
>> I did try to go to https://1.1.1.1 to learn more, as recommended in the article, but both Safari and Chrome were unhappy about this.
>>
>> Supposedly, the Cloudflare DNS service is faster than Google and OpenDNS. I wonder how long that’ll be true if the number of users increases. The service was just launched yesterday.
>
> Softonic offers a free download of Namebench, a utility that compares thousands of DNS servers and determines which are the fastest for your location.


Never use softonic for downloads. They are famous for including adware with their installers.

It's still available from <https://github.com/google/namebench>, but has not been maintained in over five years, so it does produce out-of-date information and it's highly dependent on the environment at the time you run it. It gives different results almost every time I run it, so picking the time of day when all your neighbors are home and on the Internet, to see what works best at that time, may help.

Personally, I got tired of changing all the time and just stuck with Comcast that gives me better security and is plenty fast enough.

-Al-
-- 
Al Varnell
Mountain View, CA








Re: Cloudflare's free DNS

Al Varnell
In reply to this post by Paul Chernoff
On Mon, Apr 02, 2018 at 07:13 AM, Paul Chernoff wrote:
> No problems with going to this web site with Safari 11.1.
>
> We are a Cloudflare customer for our website. They are legit.
>
> From the 1.1.1.1 web site:
>
> Unfortunately, by default, DNS is usually slow and insecure. Your ISP, and anyone else listening in on the Internet, can see every site you visit and every app you use — even if their content is encrypted. Creepily, some DNS providers sell data about your Internet activity or use it to target you with ads.
>
> We think that’s gross. If you do too, now there’s an alternative: 1.1.1.1

This is overstated. Your ISP can still determine every site you visit, even if you aren't using their DNS.


-Al-
-- 
Al Varnell
Mountain View, CA








Re: Cloudflare's free DNS

@lbutlr
In reply to this post by Rodney
On 2018-04-02 (06:48 MDT), Rodney <[hidden email]> wrote:
>
> I did try to go to https://1.1.1.1 to learn more, as recommended in the article, but both Safari and Chrome were unhappy about this.

Really? Loaded right up for me. I wonder if something in your router is playing with this IP.

I am currently using quad9.net (9.9.9.9) and am very happy. In my tests it is not the fastest DNS available to me, but the difference between 20ms and 35ms doesn't actually matter to me.

But DoH is an up-and-coming standard for DNS, and it does solve one of the last remaining gaping security holes on the Internet, so more power to them.

--
If you could do a sort of relief map of sinfulness, wickedness and
all-round immorality, rather like those representations of the
gravitational field around a Black Hole, then even in Ankh-Morpork the
Shades would be represented by a shaft. In fact the Shades was
remarkably like the aforesaid well-known astrological phenomenon: it had
a certain strong attraction, no light escaped from it, and it could
indeed become a gateway to another world. The next one.





Re: Cloudflare's free DNS

@lbutlr
In reply to this post by Fritz Mills
On 2018-04-02 (09:14 MDT), Fritz Mills <[hidden email]> wrote:
>
> Softonic offers a free download of Namebench, a utility that compares thousands of DNS servers and determines which are the fastest for your location.
>
> https://namebench.en.softonic.com/mac


I much prefer this one. Even though it's fugly Windows, it runs perfectly under Wine and it's tiny (150K, yes KILOBYTES), which means it just cannot have extra crap in it.

--
She hated everything that predestined people, that fooled them, that
made them slightly less than human. --Witches Abroad





Re: Cloudflare's free DNS

Rodney
In reply to this post by @lbutlr

On Apr 3, 2018, at 00:03, @lbutlr <[hidden email]> wrote:

> Really? Loaded right up for me. I wonder if something in your router is playing with this IP.

Nailed it…

I disabled Wi-Fi on my iPhone and could then access the site without a problem via the cellular network.





Re: Cloudflare's free DNS

@lbutlr
In reply to this post by Rodney
On 2018-04-02 (10:13 MDT), Rodney <[hidden email]> wrote:
>
> When I try from Safari on my iMac I get, “This connection is not private. Someone may be impersonating ‘1.1.1.1’ to steal your personal or financial information. You should close this page."


Something is wrong with your LAN/router/connection/gateway/etc then. Proceed with caution.

<https://www.dropbox.com/s/m74bo8m617qyfwl/Screenshot%202018-04-02%2016.08.34.png?dl=0>

--
I get the feeling that some people's idea of heaven is an "I told you
so" T-shirt - mmalc





Re: Cloudflare's free DNS

@lbutlr
In reply to this post by Marilyn Matty
On 2018-04-02 (12:42 MDT), Marilyn Matty <[hidden email]> wrote:
>
> To paraphrase Dire Straits, you don't get your money for nothing and your clicks for free. The only thing I can figure out from their website is that it might be bait to sell other services.

But it's not, since once you set the DNS you will never see any indication of Cloudflare's existence.

> But something else in the description is a deal killer for me:
>
> "While we need some logging to prevent abuse and debug issues, we couldn't imagine any situation where we'd need that information longer than 24 hours. And we wanted to put our money where our mouth was, so we committed to retaining KPMG, the well-respected auditing firm, to audit our code and practices annually and publish a public report confirming we're doing what we said we would."
>
> Waiting over a year for the results of an audit?

Yes. That's not at all unreasonable. Audits, good ones, take time.

> Even if I knew something about Cloudflare,

It is Cloudflare *AND* APNIC, which ... well, which runs a massive portion of the Internet. If you can't trust APNIC, you can't trust anyone, literally. (Cloudflare partnered with APNIC to get access to the 1.1.1.1 IP, which is in APNIC's class A 1.0.0.0/8.)

<https://en.wikipedia.org/wiki/Asia-Pacific_Network_Information_Centre>
<https://en.wikipedia.org/wiki/Cloudflare>

> I think this is something to be concerned about.

I disagree. There is absolutely no reason not to trust Cloudflare, as you are using their services every day, you just don't know it. They are also a company well-known for being open about problems, bugs, and hacks and most of people's issues with them are that they (with a notable exception) do not decide what content to allow on the Internet.

--
What's another word for Thesaurus?





Re: Cloudflare's free DNS

@lbutlr
In reply to this post by Marilyn Matty
On 2018-04-02 (15:44 MDT), Marilyn Matty <[hidden email]> wrote:

>
> Sent from my iPad
>> On Apr 2, 2018, at 3:54 PM, Fearghas Mckay <[hidden email]> wrote:
>>
>>
>> Would you rather they waited for 20 minutes and issued a report stating that they were happy with the processes being carried out and everything is ok?
>
> Ideally, they should be monitoring 24/7 and having an audit at the very least monthly. The data is available immediately.
>
> Nielsen issues its broadcast audits on a weekly, often daily, basis.

Nielsen is counting, not auditing. A security audit is a huge process, involving many smart coders and a lot of time. A security audit that is monthly is largely a joke, and will tell you nothing, really, about the security of a service.

> Equifax, Yahoo, Target, Anthem Health, eBay, etc. etc., etc., all with phalanxes of highly regarded security teams, had big problems in the past year or so.

First, none of these companies care at all about security, it's an expense to be minimized. Second "highly regarded" by whom? Third, in many cases the MBAs overrode or ignored their security teams.

1.1.1.1 offers a very compelling benefit, DNS over HTTPS. This means that NO ONE can monitor the sites that you go to. Right now, your ISP knows every single site you have ever visited, and how often. In addition, anyone on your network segment knows every site you've ever visited. Anyone with a directional antenna can log every site your WiFi devices visit.

Now, does that mean you have to switch? Nope, you can keep using whatever DNS you want to use (unless your ISP prevents that, as some do).

There are plenty of free DNS services out there, Google, OpenDNS, and Quad9 all have many benefits over your ISP's DNS, but none of them get around your ISP logging every website you load (yes, including in privacy/incognito mode).

--
"You're just impressed by any pretty girl who can walk and talk." "She
doesn't have to talk."





Re: Cloudflare's free DNS

@lbutlr
In reply to this post by Al Varnell
On 2018-04-02 (15:58 MDT), Al Varnell <[hidden email]> wrote:

>
> On Mon, Apr 02, 2018 at 07:13 AM, Paul Chernoff wrote:
>> No problems with going to this web site with Safari 11.1.
>>
>> We are a Cloudflare customer for our website. They are legit.
>>
>> From the 1.1.1.1 web site:
>>
>> Unfortunately, by default, DNS is usually slow and insecure. Your ISP, and anyone else listening in on the Internet, can see every site you visit and every app you use — even if their content is encrypted. Creepily, some DNS providers sell data about your Internet activity or use it to target you with ads.
>>
>> We think that’s gross. If you do too, now there’s an alternative: 1.1.1.1
>
> This is overstated. Your ISP can still determine every site you visit, even if you aren't using their DNS.

Not with DoH, no they cannot.

Basically, the way DoH (DNS over HTTPS) works is that an HTTPS connection is established to the DNS server and THEN DNS queries are made. The only thing anyone sees is encrypted data. Your ISP or your neighbor or the NSA surveillance van parked on your street cannot intercept that DNS query.

--
Anybody who tells me what happens to me after I'm dead is either a liar
or a fool because they DON'T KNOW





Re: Cloudflare's free DNS

@lbutlr
In reply to this post by @lbutlr
On 2018-04-02 (16:06 MDT), "@lbutlr" <[hidden email]> wrote:
>
> I much prefer this one. Even though it's fugly Windows, it runs perfectly under Wine and it's tiny (150K, yes KILOBYTES), which means it just cannot have extra crap in it.

Oops!

<https://www.grc.com/dns/benchmark.htm>

--
Silence filled the University in the same way that air fills a hole.
Night spread across the Disk like plum jam, or possibly blackberry
preserve. But there would be a morning. There would always be another
morning. --Sourcery





Re: Cloudflare's free DNS

Rodney
In reply to this post by Marilyn Matty

On Apr 2, 2018, at 23:44, Marilyn Matty <[hidden email]> wrote:

> Ideally, they should be monitoring 24/7 and having an audit at the very least monthly. The data is available immediately.

They ARE monitoring 24/7.

And what data is that? I’m not sure that you know what DNS is. It is the system that converts www.amazon.com to 13.32.155.48 (I’ll leave IPv6 as an exercise for the alert reader). That result is available to your computer so it can connect to Amazon’s web server. DNS servers don’t see credit card data or anything else confidential. The most a DNS server can see is that 86.245.46.166 resolved Amazon’s address to 13.32.155.48. They have no idea what Amazon's address was then used for, or who owned the IP address that requested the lookup. Someone can do a reverse lookup and figure out what entity owns 86.245.46.166 (my ISP in this case), but they can’t tell what individual was using it. On the other hand, your ISP, whose DNS server you’re now using, can figure out who that IP address belongs to by looking at DHCP logs to see whose system it was assigned to, and they can tell what you used the address for (if anything).

As I said, these people ARE monitoring 24/7. The whole purpose of privacy is you don’t want anyone knowing how many times you translated www.amazon.com to 13.32.155.48, so why would you want this data to be made available?

What these external auditors are looking at are system security, business practices, standards and procedures, etc. As Lou said, this takes time. I’ve gone through more than one of them in my day. This has nothing to do with daily operations. I’m still trying to figure out why a yearly external audit would bother you when you’re using a service today that provides no external audit whatsoever, and which knows far more about you than Cloudflare could.





Re: Cloudflare's free DNS

Marilyn Matty
In reply to this post by Travis Butler

On Apr 2, 2018, at 4:43 PM, Travis Butler <[hidden email]> wrote:

> Cloudflare’s big thing is providing reliable service to customers being targeted by denial-of-service and similar internet attacks. So in that context, I can see where running a free DNS service is a good loss-leader; you’re not just proclaiming a commitment to open internet access by providing an uncensored DNS service, you’re demonstrating that you can run a service that can stand up to sustained hacking attempts.

This is important and good, but there might also be an additional motive. Geotargeting and serving content and/or ads quickly is vital to content providers as well as to advertisers.

> With any free service, I ask myself 'What are their motives in providing this, and am I OK with them?' This is one of the less problematic examples of a free service that I’ve seen - with their stock-in-trade being reliable and protected internet service, and the free DNS service being a demonstrator of same, the motives are aligned towards providing what they’re claiming.* But it’s still a free service, and subject to one of the other major problems of free services - if the motive for providing them goes away, so does the service. The good thing is that if they do decide to shut it down, you don’t lose much; just switch back to the DNS server you were using.

Many times business models are changed, companies are sold, new investors buy in, the board of directors changes, and many customers don't find out about it.

> *(Google introduced their free DNS service claiming the same 'reliable internet benefits everyone including us' motive; but since their business is built on analyzing and profiling customers to improve advertising, the accusation that they’re using DNS requests to track the websites their users are visiting has some plausibility.)

Definitely true. I think the free DNS was also tied in to their big push with Google Fiber, which they dropped like a hot potato when plans for 5G began to be announced and it didn't look like they'd be able to disrupt the telecom industry so quickly.

Marilyn




Re: Cloudflare's free DNS

Fritz Mills
In reply to this post by Marilyn Matty

> On Apr 2, 2018, at 4:44 PM, Marilyn Matty <[hidden email]> wrote:
>
>
>
>
>
> Sent from my iPad
>> On Apr 2, 2018, at 3:54 PM, Fearghas Mckay <[hidden email]> wrote:
>>
>>
>>
>>> On 2 Apr 2018, at 14:42, Marilyn Matty <[hidden email]> wrote:
>>>
>>>
>>> Waiting over a year for the results of an audit? Even if I knew something about Cloudflare, which I don't, I think this is something to be concerned about.
>>
>> Would you rather they waited for 20 minutes and issued a report stating that they were happy with the processes being carried out and everything is ok?
>
> Ideally, they should be monitoring 24/7 and having an audit at the very least monthly. The data is available immediately.
>
> Nielsen issues its broadcast audits on a weekly, often daily, basis. Nielsen Arbitron releases its radio numbers weekly. Syndicated magazine data, which takes much longer to accumulate, every 6 months, because they're dealing with postal and shipping data.
>
I don’t think you can compare Nielsen to Cloudflare. Nielsen’s whole business is to provide those audits. That’s the product they sell to TV stations, networks, etc. Cloudflare isn’t in the business of selling audits.




Re: Cloudflare's free DNS

Dave Scocca
In reply to this post by @lbutlr

> On Apr 2, 2018, at 6:38 PM, @lbutlr <[hidden email]> wrote:
>
> Not with DoH, no they cannot.
>
> Basically, the way DoH (DNS over HTTPS) works is that an HTTPS connection is established to the DNS server and THEN DNS queries are made. The only thing anyone sees is encrypted data.

This does not make sense to me. Maybe your ISP won’t see your DNS queries, but once your computer has gotten the IP address, it will still be sending packets to that IP address and receiving packets from that IP address. And if the ISP cares, they can look up the domain from the IP.

The only way to conceal your destinations from your ISP is to use a VPN. And this is not a VPN.

Dave
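
The two positions in this exchange, side by side, as an added example that is not part of anyone's post: it builds a real wire-format DNS query, shows that an on-path observer can read the name straight out of a port-53 payload, wraps the same query in the DoH GET encoding later standardised as RFC 8484, and then lists what remains visible in each case. The endpoint `doh.example`, the resolver address 192.0.2.53 and the flow records are constructed for illustration, and TLS payloads are modelled as opaque rather than actually encrypted.

```python
import base64
import struct
from urllib.parse import urlsplit, parse_qs


def build_query(name, qtype=1, txid=0):
    """Encode a one-question DNS query in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label must be 1..63 bytes")
        qname += bytes([len(raw)]) + raw
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def parse_qname(message):
    """Recover the queried name from wire-format bytes (observer or resolver)."""
    if len(message) < 12 or struct.unpack("!H", message[4:6])[0] < 1:
        raise ValueError("not a DNS query with a question section")
    pos, labels = 12, []
    while True:
        if pos >= len(message):
            raise ValueError("truncated question")
        length = message[pos]
        pos += 1
        if length == 0:
            return ".".join(labels)
        if length > 63 or pos + length > len(message):
            raise ValueError("bad label length")  # also rejects compression pointers
        labels.append(message[pos:pos + length].decode("ascii"))
        pos += length


def doh_get_url(endpoint, message):
    """RFC 8484 GET form: base64url of the wire message, padding removed."""
    token = base64.urlsafe_b64encode(message).rstrip(b"=").decode("ascii")
    return endpoint + "?dns=" + token


def doh_decode(url):
    """Resolver side: undo the encoding once TLS has been terminated."""
    token = parse_qs(urlsplit(url).query)["dns"][0]
    return base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))


def on_path_view(flows):
    """What an ISP or Wi-Fi neighbour can log for each flow in this model."""
    seen = []
    for flow in flows:
        entry = {"dst": flow["dst"], "port": flow["port"], "name": None}
        # Only classic DNS exposes its payload; TLS flows carry cleartext=None.
        if flow["port"] == 53 and flow["cleartext"] is not None:
            entry["name"] = parse_qname(flow["cleartext"])
        seen.append(entry)
    return seen


QUERY = build_query("www.amazon.com")
DOH_URL = doh_get_url("https://doh.example/dns-query", QUERY)  # hypothetical endpoint

# Constructed flow records: a lookup followed by the connection to the site.
CLASSIC = [
    {"dst": "192.0.2.53", "port": 53, "cleartext": QUERY},    # ISP resolver (constructed)
    {"dst": "13.32.155.48", "port": 443, "cleartext": None},  # the site itself
]
WITH_DOH = [
    {"dst": "1.1.1.1", "port": 443, "cleartext": None},       # DOH_URL travels inside TLS
    {"dst": "13.32.155.48", "port": 443, "cleartext": None},  # destination IP unchanged
]

if __name__ == "__main__":
    print("DoH request (inside TLS):", DOH_URL)
    for label, flows in (("classic DNS", CLASSIC), ("DoH", WITH_DOH)):
        print(label)
        for entry in on_path_view(flows):
            print("  ", entry)
```

With DoH the observer's log loses the queried name but keeps the flow to 13.32.155.48, which is the gap between the two posts above.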




Re: Cloudflare's free DNS

Al Varnell
On Mon, Apr 02, 2018 at 04:19 PM, Dave Scocca wrote:

>> On Apr 2, 2018, at 6:38 PM, @lbutlr <[hidden email]> wrote:
>>
>> Not with DoH, no they cannot.
>>
>> Basically, the way DoH (DNS over HTTPS) works is that an HTTPS connection is established to the DNS server and THEN DNS queries are made. The only thing anyone sees is encrypted data.
>
> This does not make sense to me. Maybe your ISP won’t see your DNS queries, but once your computer has gotten the IP address, it will still be sending packets to that IP address and receiving packets from that IP address. And if the ISP cares, they can look up the domain from the IP.
>
> The only way to conceal your destinations from your ISP is to use a VPN. And this is not a VPN.
>
> Dave

Exactly.

I also read this from an IT I know at Facebook:

A poorly made claim on their site is that using their DNS can prevent your ISP from snooping, given that encrypted DNS queries are not part of most OS DNS resolver stacks.

-Al-
-- 
Al Varnell
Mountain View, CA








Re: Cloudflare's free DNS

Travis Butler
In reply to this post by Marilyn Matty

On Apr 2, 2018, at 6:10 PM, Marilyn Matty <[hidden email]> wrote:

>> On Apr 2, 2018, at 4:43 PM, Travis Butler <[hidden email]> wrote:
>>
>> Cloudflare’s big thing is providing reliable service to customers being targeted by denial-of-service and similar internet attacks. So in that context, I can see where running a free DNS service is a good loss-leader; you’re not just proclaiming a commitment to open internet access by providing an uncensored DNS service, you’re demonstrating that you can run a service that can stand up to sustained hacking attempts.
>
> This is important and good, but there might also be an additional motive. Geotargeting and serving content and/or ads quickly is vital to content providers as well as to advertisers.

I’m… not sure what you’re suggesting here?

As far as I’ve seen, they’ve made their reputation on keeping sites available that other people are trying to shut down. Their public policy is to provide service neutrally, without prejudice. (The only site I’ve seen them refuse to support is the Daily Stormer, and that was after the Stormer people tried to claim that Cloudflare secretly supported them and that’s why they provided service. https://arstechnica.com/tech-policy/2017/08/racist-daily-stormer-goes-down-again-as-cloudflare-drops-support/ )

If you’re suggesting they would use their DNS servers to track users, or help advertising services target users, that would blow a big hole in the public reputation that’s their main hook for attracting customers.

>> With any free service, I ask myself 'What are their motives in providing this, and am I OK with them?' This is one of the less problematic examples of a free service that I’ve seen - with their stock-in-trade being reliable and protected internet service, and the free DNS service being a demonstrator of same, the motives are aligned towards providing what they’re claiming.* But it’s still a free service, and subject to one of the other major problems of free services - if the motive for providing them goes away, so does the service. The good thing is that if they do decide to shut it down, you don’t lose much; just switch back to the DNS server you were using.
>
> Many times business models are changed, companies are sold, new investors buy in, the board of directors changes, and many customers don't find out about it.

Which is why having a third-party auditing them is a big deal - if it holds true, that provides some assurance that they are behaving the way they said they’d behave. As I said, I don’t think any other DNS provider has a third party auditor looking over their shoulder to make sure they’re acting the way they should.


Travis Butler
The Wandering Powerbook
[hidden email]

...Cats are the proof of a higher purpose to the universe.




____________TidBITS Talk Participation Guidelines____________
Post only when you have something substantive to contribute.
Be polite and constructive, and comment on posts, not people.
Quote sparingly, if at all. We all read the previous message.
Start threads with a new message to [hidden email].
Read archives at: http://tidbits.com/pipermail/tidbits-talk/
Unsubscribe at: http://tidbits.com/mailman/options/tidbits-talk
____Mailing List Manners: http://tidbits.com/series/1141 ____

Re: Cloudflare's free DNS

Rodney

On Apr 3, 2018, at 01:55, Travis Butler <[hidden email]> wrote:

> If you’re suggesting they would use their DNS servers to track users, or help advertising services target users, that would blow a big hole in the public reputation that’s their main hook for attracting customers.

That would also be one hell of a neat trick to pull off. All their DNS servers see is the IP address from which the request came and the name to be resolved into an IP address. For a DNS server to map that IP to an individual user and to get that information to a potential advertiser would be a neat trick. There are a lot better ways to do geotagging.




Re: Cloudflare's free DNS

Marilyn Matty
In reply to this post by @lbutlr


On Apr 2, 2018, at 6:33 PM, @lbutlr <[hidden email]> wrote:

On 2018-04-02 (15:44 MDT), Marilyn Matty <[hidden email]> wrote:


Nielsen is counting, not auditing.

Nielsen is actually an analytics company. The information they feed the press about viewers and listeners compiled via their panels is just a small part of what makes their services valuable, which is why the PR people give the info out for free. What's most important to advertisers, and equally important to content providers, is what people like, do and buy and where and when. They do this through their retail, ecommerce, brand, mobile, gaming, etc. audits. This is what content providers, marketers and advertisers across the globe spend mega bucks for and live by:






And a whole lot more.

A security audit is a huge process, involving many smart coders and a lot of time. A security audit that is monthly is largely a joke, and will tell you nothing, really, about the security of a service.

They actually should be doing it 24/7 for it to be valuable. But they couldn't give the service away for free if they did.

Marilyn


Equifax, Yahoo, Target, Anthem Health, eBay, etc. etc., etc., all with phalanxes of highly regarded security teams, had big problems in the past year or so.

First, none of these companies care at all about security, it's an expense to be minimized.

Now that they've had to shell out big bucks, and their stock prices tanked and never fully recovered, the numbers of paying customers dropped and they have to give away services for free, they have to care a lot more than they used to.

Marilyn




Re: Cloudflare's free DNS

Randy B. Singer
In reply to this post by Rodney

On Apr 2, 2018, at 5:48 AM, Rodney wrote:

> Has anyone looked at this?

See:

<https://www.cnet.com/news/cloudfare-new-1111-dns-privacy-tool-would-speed-your-internet-too/>

<https://medium.com/@nykolas.z/dns-resolvers-performance-compared-cloudflare-x-google-x-quad9-x-opendns-149e803734e5>

___________________________________________
Randy B. Singer
Co-author of The Macintosh Bible (4th, 5th, and 6th editions)

Macintosh OS X Routine Maintenance
http://www.macattorney.com/ts.html
___________________________________________





