Cloudflare's free DNS


Re: Cloudflare's free DNS

Bill Rausch
I've dealt with Cloudflare before when I was running a large credit union information systems department. They are a good company.

And yes, outside audits are normally an annual affair. Internal security audits are more or less continuous.

Bill


On Monday, Apr 2, at 12:51 PM, Rodney <[hidden email]> wrote:


On Apr 2, 2018, at 21:41, Marilyn Matty <[hidden email]> wrote:

The difference is that I know they are constantly auditing security, and I've gotten notices about potential problems in the past.

Well no, you don’t know they are constantly auditing security. You just assume they are constantly auditing security because you’ve gotten notices in the past. 

Cloudflare is also, according to their TOS, constantly auditing security. The difference between them and your cable provider is that they promise to bring in an outside auditor once a year to verify that they’re indeed constantly auditing security. That’s once a year more often than your cable provider does this.





____________TidBITS Talk Participation Guidelines____________
Post only when you have something substantive to contribute.
Be polite and constructive, and comment on posts, not people.
Quote sparingly, if at all. We all read the previous message.
Start threads with a new message to [hidden email].
Read archives at: http://tidbits.com/pipermail/tidbits-talk/
Unsubscribe at: http://tidbits.com/mailman/options/tidbits-talk
____Mailing List Manners: http://tidbits.com/series/1141 ____





Re: Cloudflare's free DNS

@lbutlr
In reply to this post by Dave Scocca
On 2018-04-02 (17:19 MDT), Dave Scocca <[hidden email]> wrote:

>
>> On Apr 2, 2018, at 6:38 PM, @lbutlr <[hidden email]> wrote:
>>
>> Not with DoH, no they cannot.
>>
>> Basically, the way DoH (DNS over HTTPS) works is that an HTTPS connection is established to the DNS server and THEN DNS queries are made. The only thing anyone sees is encrypted data.
>
> This does not make sense to me. Maybe your ISP won’t see your DNS queries, but once your computer has gotten the IP address, it will still be sending packets to that IP address and receiving packets from that IP address. And if the ISP cares, they can look up the domain from the IP.
>
> The only way to conceal your destinations from your ISP is to use a VPN. And this is not a VPN.

It is not, but most VPNs do not tunnel your DNS. This will make anything you use a VPN for entirely undetectable by your ISP.

Also, your ISP will see a connection to an IP which may be serving hundreds or thousands of websites. They won't see the site you are connecting to, assuming you are using HTTPS to connect to that IP. So much less information.

Sure, without a VPN they will know facebook and google, but probably not InappropriateHamsters.org.

--
The real world was far too real to leave neat little hints. It was full
of too many things. It wasn't by eliminating the impossible that you got
at the truth, however improbable; it was by the much harder process of
eliminating the possibilities. --Feet of Clay





Re: Cloudflare's free DNS

Ron Risley
In reply to this post by Rodney
On Apr 2, 2018, at 05:48, Rodney <[hidden email]> wrote:
>
> I did try to go to https://1.1.1.1 to learn more, as recommended in the article, but both Safari and Chrome were unhappy about this.

Apparently, a significant number of networks have equipment or configurations that use 1.1.1.1 as a special-purpose address, in spite of there being no justification for doing so in internet standards and protocols. Everything from some AT&T routers to large enterprise networks to hospitality industry products are failing to route 1.1.1.1 properly.

--Ron



Re: Cloudflare's free DNS

Roger Adams
In reply to this post by Rodney
Hi Rodney,

I had no problems accessing the website nor installing the 1.1.1.1. Safari on my MBA and my iPhone accepted it perfectly, and I have found that the speed of my downloads, Messages, etc. is much faster. When I get home I will install it on my iMac and MM Server.

Many thanks for alerting me to this new DNS server.

Cheers

Roger

> On 3 Apr BE 2561, at 23:00, [hidden email] wrote:
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 2 Apr 2018 18:13:31 +0200
> From: Rodney <[hidden email]>
> To: TidBITS Talk <[hidden email]>
> Subject: Re: Cloudflare's free DNS
> Message-ID: <[hidden email]>
> Content-Type: text/plain; charset="utf-8"
>
>
>> On Apr 2, 2018, at 18:04, Franconi Enrico <[hidden email]> wrote:
>>
>> This is extremely bizarre. I don't get any warning for this website neither from Safari nor from Chrome.
>
> When I try from my iPhone, I get, “Safari cannot open the page because the network connection was lost.”
>
> When I try from Safari on my iMac I get, “This connection is not private. Someone may be impersonating ‘1.1.1.1’ to steal your personal or financial information. You should close this page."
>





Re: Cloudflare's free DNS

Richard Rettke-2

On 4 Apr 2018, at 4:54, Roger Adams [hidden email] wrote:

I had no problems accessing the website nor installing the 1.1.1.1 Safari on my MBA and my iPhone accepted it perfectly and I have found that the speed of my downloads. Messages, etc are much faster. When I get home I will install it on y iMac and MM Server.

I also had no problems installing it on my iMac running Sierra, per the directions provided by 1.1.1.1

However, although it seemed to work fine for Safari, Chrome was unable to access ANY of the sites I visit (YouTube, Voxer, Facebook, etc.) and also suffered repeated crashes.

I then reverted back to my prior DNS and all problems went away. So clearly, something is awry. It may not be 1.1.1.1 itself but misuse of that URL by others, as stated by another poster.

So for now, I'll stick with what I was using.

--
Richard Rettke
Laus Deo
Non sibi sed patriae


Re: Cloudflare's free DNS

Fearghas McKay


> On 4 Apr 2018, at 07:46, Richard Rettke <[hidden email]> wrote:
>
> However, although it seemed to work fine for Safari, Chrome was unable to access ANY of the sites I visit (YouTube, Voxer, Facebook, etc.) and also suffered repeated crashes.
>
> I then reverted back to my prior DNS and all problems went away. So clearly, something is awry. It may not be 1.1.1.1 itself but misuse of that URL by others, as stated by another poster.
>
>

You can also use 1.0.0.1 which has had far fewer people misappropriating it.

        f






Re: Cloudflare's free DNS

Paul Chernoff
>You can also use 1.0.0.1 which has had far fewer people misappropriating it.

According to the Security Now podcast, 1.0.0.1 is significantly slower than 1.1.1.1 and should only be used as a backup DNS.

Gibson likes 1.1.1.1 but did talk about the problems of networks inappropriately using the 1.1.1.1 address. He also thought that the average DNS speeds Cloudflare reports are amiss, but in his own testing 1.1.1.1 was very fast, only 1ms slower than using his ISP's DNS and faster than the other non-ISP DNS.


PAUL CHERNOFF
Director of Information Technology
Washingtonian Media
W. 202.862.3504 
1828 L Street, NW, Suite 200, Washington, DC 20036

We are a WBENC Certified WBE/WOSB.


Re: Cloudflare's free DNS

Doug Miller
In reply to this post by @lbutlr


> On Apr 2, 2018, at 6:38 PM, @lbutlr <[hidden email]> wrote:
>
> On 2018-04-02 (15:58 MDT), Al Varnell <[hidden email]> wrote:
>> This is overstated. Your ISP can still determine every site you visit, even if you aren't using their DNS.
>
> Not with DoH, no they cannot.
>
> Basically, the way DoH (DNS over HTTPS) works is that an HTTPS connection is established to the DNS server and THEN DNS queries are made. The only thing anyone sees is encrypted data. Your ISP or your neighbor or the NSA surveillance van parked on your street cannot intercept that DNS query.
>

But just changing your DNS servers to 1.1.1.1 is not going to force a PC or Mac or iOS device or its apps to use DoH or DNS over TLS or any other secure protocol. Unless you do something else to enable/force DNS over TLS or whatever, every single DNS request will continue to go over plaintext using UDP port 53, and the ISP can see the request, whether their server resolves the address or not.

Also, FWIW, every speed test that I do on my system shows my ISP’s DNS servers to be the fastest resolvers, which makes sense, since they are the “closest” to me.


Doug
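Doug's point above, shown as an added example that is not from this thread or from Cloudflare: a constructed DNS query sent to UDP port 53 decodes to its name right on the wire, so anyone on the path can read it, while the same lookup over DoT or DoH shows an observer only the port and encrypted bytes. The wire format and ports are the standard ones (RFC 1035, 7858, 8484); the datagram contents, names and transaction ids are constructed for the demo.

```python
"""Added example (not from the TidBITS thread): what a passive observer on the
path (ISP, hotspot, anyone with a tap) learns from one DNS lookup, depending on
whether it went out in the clear on port 53 or inside DoT/DoH."""
import struct

DNS_PORT, DOT_PORT, DOH_PORT = 53, 853, 443  # classic DNS, DNS over TLS, HTTPS


def build_dns_query(qname: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Encode a standard recursive query (RFC 1035). Constructed for the demo."""
    # Header: id, flags (RD=1), QDCOUNT=1, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    # Question: name, then QTYPE and QCLASS (1 = IN)
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_dns_query(payload: bytes) -> dict:
    """Decode the header and the single question; raise ValueError on malformed input."""
    if len(payload) < 12:
        raise ValueError("short DNS header")
    txid, flags, qdcount, *_ = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000:
        raise ValueError("response, not a query")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            raise ValueError("truncated name")
        length = payload[pos]
        if length == 0:              # root label terminates the name
            pos += 1
            break
        if length & 0xC0:            # compression pointers are not valid in a query name
            raise ValueError("compression pointer in question name")
        if pos + 1 + length > len(payload):
            raise ValueError("truncated label")
        labels.append(payload[pos + 1 : pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    if pos + 4 > len(payload):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", payload[pos : pos + 4])
    return {"id": txid, "qname": ".".join(labels), "qtype": qtype, "qclass": qclass}


def observer_view(dst_port: int, payload: bytes) -> str:
    """Summarise what someone on the path learns from one datagram or segment."""
    if dst_port == DNS_PORT:
        # Plain DNS: the name being looked up is readable by every hop.
        return "plaintext query for " + parse_dns_query(payload)["qname"]
    if dst_port == DOT_PORT:
        # DoT: payload is TLS; the name is hidden, but port 853 and the resolver IP stand out.
        return "DNS over TLS: name hidden, resolver IP visible"
    if dst_port == DOH_PORT:
        # DoH: indistinguishable from other HTTPS traffic to that host.
        return "HTTPS: looks like any web traffic, resolver hidden among other hosts"
    return "not DNS"


if __name__ == "__main__":
    q = build_dns_query("www.google.com")
    print(observer_view(DNS_PORT, q))
    print(observer_view(DOT_PORT, b"\x16\x03\x01\x00\x05hello"))  # constructed TLS-ish bytes
```

Changing the resolver address alone, as Doug says, only changes where the port 53 datagram goes; the `observer_view` for it is the same either way.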



Re: Cloudflare's free DNS

Marilyn Matty
In reply to this post by Marilyn Matty

On Apr 2, 2018, at 9:37 PM, gastropod <[hidden email]> wrote:

On Mon, Apr 2, 2018, at 5:11 PM, Marilyn Matty wrote:

Nielsen is actually an analytics company.

Yes.  They are not an auditing company.  How often does your bank get independently audited?  Certainly not every month.  

In order to develop the analytics, Nielsen does extensive auditing of data. The links I included provide details of how they audit for particular sectors. This is what they do just for grocery and drugstore retail:

"With presence in more than 100 countries, Nielsen collects sales information from more than 900,000 stores within our worldwide retail network—including grocery, drug, convenience, discount and e-commerce retailers—who, through cooperation arrangements, share their sales data with us.

Nielsen collects electronic point of sale (POS) data from stores through checkout scanners. In emerging markets where POS information is unavailable, we use field auditors to collect sales data through in-store inventory and price checks. Nielsen’s stringent quality control systems validate the data before it’s made available in our proprietary software.

Understanding e-commerce sales has become increasingly important for manufacturers and retailers, and e-commerce measurement is a priority for Nielsen. That’s why we offer a global e-commerce measurement solution to help manufacturers and retailers accurately assess their online sales performance and see how online sales contribute to total sales."

Though they don't analyze the numbers with a focus on taxation, they get very granular from a different perspective. Check out the other links in my previous post for details about the auditing they do for other industries.

Marilyn




Re: Cloudflare's free DNS

Rodney

On Apr 4, 2018, at 21:34, Marilyn Matty <[hidden email]> wrote:

In order to develop the analytics, Nielsen does extensive auditing of data.

And why do you think that Cloudflare, or any other DNS provider, is going to care about the kind of analytics that would interest Nielsen? DNS providers resolve names to IP addresses. That’s it. What’re they going to analyze? They can’t do much with that information. In fact, they can do far less with it than your ISP can do, which doesn’t schedule audits.

They provide a highly available service intended to mitigate things like DDoS (that’s distributed denial of service) attacks. They monitor their resources 24/7. They would commission an external audit to prove to the world that they’re doing what they claim to be doing.





Re: Cloudflare's free DNS

adamengst
In reply to this post by @lbutlr
I am currently using quad9.net (9.9.9.9) and am very happy. In my tests it is not the fastest DNS available to me, but the difference between 20ms and 35ms doesn't actually matter to me.

For what it’s worth, Quad9 is partly a project from Packet Clearing House, run by Bill Woodcock, who is an old friend from the early Internet days. He always sponsored the A/UX dinner at Macworld Expo. Good guy.

And at the moment, the new TidBITS site is using CloudFlare as a content delivery network.

Let’s stop arguing about the exact details of how often external audits should happen.

cheers... -Adam




Re: Cloudflare's free DNS

Marilyn Matty
In reply to this post by Rodney


Sent from my iPad

On Apr 4, 2018, at 3:43 PM, Rodney <[hidden email]> wrote:


On Apr 4, 2018, at 21:34, Marilyn Matty <[hidden email]> wrote:

In order to develop the analytics, Nielsen does extensive auditing of data.

And why do you think that Cloudflare, or any other DNS provider, is going to care about the kind of analytics that would interest Nielsen? DNS providers resolve names to IP addresses. That’s it. What’re they going to analyze? They can’t do much with that information. In fact, they can do far less with it than your ISP can do, which doesn’t schedule audits.


If Cloudflare or a competitive DNS service is going to tout a security monitoring program, the data needs to be monitored more than once a year.

They provide a high available service intended to mitigate things like DDoS (that’s distributed denial of service) attacks. They monitor their resources 24/7. They would commission an external audit to prove to the world that they’re doing what they claim to be doing.


I have no doubts that they are a respected company that does provide many valuable services. And I have no doubts about this particular DNS service. But what I do think is that a once a year security audit is not valuable. I don't think it would hurt, but rather that it's hype and hot air.

Marilyn




Re: Cloudflare's free DNS

Rodney
In reply to this post by Doug Miller

On Apr 4, 2018, at 16:37, Doug Miller <[hidden email]> wrote:

Also, FWIW, every speed test that I do on my system shows my ISP’s DNS servers to be the fastest resolvers, which makes sense, since they are the “closest” to me. 

That might have more to do with your ISP’s DNS cache than proximity, and any ISP with a lot of customers probably has a large cache. DNS is a distributed service. Each domain administrator is responsible for maintaining a server with addresses for that domain. Your ISP's DNS server asks a server for the relevant domain for address resolutions for addresses that your ISP’s server hasn’t cached.

Unless the rules have changed since I retired and didn’t do this anymore, the person responsible for a domain could specify how long other servers were permitted to locally cache an address before the address should be refreshed from the domain’s server. There was always a tradeoff with this. A long caching interval meant faster resolutions since servers could resolve addresses from their local cache, but any changes to addresses would take a long time to propagate throughout the Internet. Shorter retention periods meant less caching and slower accesses overall and more load on the host DNS server. However, changes propagated faster. So, the administrator had to think about how often stuff changed when choosing a caching interval.

One problem that occurred, at least in the early days, was that some ISPs ignored the caching interval altogether and cached all addresses for a long time. This really reduced the time the ISP’s servers needed to resolve addresses, and reduced their bandwidth requirement, but their users could end up getting back incorrect addresses.
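Rodney's TTL tradeoff above, as an added example that is not from the thread: a toy caching resolver that honours the TTL the domain's administrator set, beside one that pins every answer for a day the way the ISPs he describes did, so you can count both the upstream load and the stale answers each behaviour produces. Names, addresses and TTLs are constructed for the simulation.

```python
"""Added example (not from the TidBITS thread): a caching resolver that honours
the authoritative TTL versus one that overrides it, run over a timeline in
which the domain's administrator moves the site to a new address."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Authoritative:
    """Stand-in for a domain's own name server; the admin chooses address and TTL."""
    records: Dict[str, Tuple[str, int]]   # name -> (address, ttl_seconds)
    queries: int = 0                      # upstream load: how often recursives ask us

    def lookup(self, name: str) -> Tuple[str, int]:
        self.queries += 1
        return self.records[name]


@dataclass
class CachingResolver:
    """A recursive resolver with a local cache, like an ISP's or a public one."""
    upstream: Authoritative
    forced_ttl: Optional[int] = None      # None = honour the record's TTL
    cache: Dict[str, Tuple[str, int]] = field(default_factory=dict)  # name -> (addr, expires_at)

    def resolve(self, name: str, now: int) -> str:
        entry = self.cache.get(name)
        if entry is not None and now < entry[1]:
            return entry[0]               # cache hit: fast, no upstream query
        addr, ttl = self.upstream.lookup(name)
        if self.forced_ttl is not None:   # misbehaving resolver ignores the admin's TTL
            ttl = self.forced_ttl
        self.cache[name] = (addr, now + ttl)
        return addr


def simulate(forced_ttl: Optional[int] = None) -> Tuple[List[Tuple[int, str]], int]:
    """Return (timeline of (t, answer), upstream query count) for one resolver policy."""
    name = "www.example.test"             # constructed name
    auth = Authoritative({name: ("192.0.2.10", 300)})   # 5-minute TTL set by the admin
    resolver = CachingResolver(auth, forced_ttl)
    timeline = []
    for t in (0, 60, 299, 300):           # inside the TTL: hits; at 300 s the entry expires
        timeline.append((t, resolver.resolve(name, t)))
    # The administrator moves the site; the change lands on the authoritative server.
    auth.records[name] = ("198.51.100.7", 300)
    for t in (400, 599, 600, 700):        # honouring TTL: stale until 600 s, then correct
        timeline.append((t, resolver.resolve(name, t)))
    return timeline, auth.queries


def stale_answers(timeline: List[Tuple[int, str]], changed_at: int, new_addr: str) -> int:
    """Count answers returned after the move that still carry the old address."""
    return sum(1 for t, addr in timeline if t >= changed_at and addr != new_addr)


if __name__ == "__main__":
    for policy in (None, 86400):
        tl, load = simulate(policy)
        print("forced_ttl=%s upstream_queries=%d stale=%d"
              % (policy, load, stale_answers(tl, 400, "198.51.100.7")))
```

With the TTL honoured the resolver asks upstream three times and serves the old address only until the 300 s window the admin chose has run out; with a forced one-day TTL it asks once and keeps handing out the old address long after the move.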




Re: Cloudflare's free DNS

Doug Hogg
In reply to this post by adamengst
I just switched our preschool and home routers to use Quad9. Any advantage to switching to Cloudflare?

:-)

Doug Hogg

Sent from my iPhone


Re: Cloudflare's free DNS

Jeff Porten
In reply to this post by Rodney
Seeing a bunch of mistaken information in this thread, so a few notes:

DNS *does* give out data, but nothing you should be particularly concerned about. I just went to www.google.com; this is roughly what will show up in the logs:

16:31:58 207.189.22.8 www.google.com 172.217.7.4

First number is my IP address, second is Google’s. I’m currently at Starbucks, *and* I’m on a VPN, so they literally know nothing about me. If you’re on a home network, they might be able to get a geolocation, and *if* they combined these logs with your website traffic (which they’d have to buy—they don’t get it), they could associate other data with you.

It’s not a question of trusting Cloudflare, it’s *knowing* for a fact that your ISP is mining that data to sell to people. They just lobbied Congress so they can keep doing it. I’d certainly recommend Google DNS, or Cloudflare, or literally anyone else.

Reports of Cloudflare’s speed: not sure how much you’ll benefit from this. 14 ms versus 30 ms (at Google) just isn’t that big a deal. You’ll notice it if you’re using ISP DNS that’s 100 ms or more.

No idea why 1.1.1.1 would be problematic, but it’s likely a screw-up on their end. That doesn’t have anything to do with their DNS service (the people who run their DNS are not the same techs who do their website). You shouldn’t worry about messages saying it’s “non-standard,” because there’s nothing wrong with a numeric address. It’s just not common.

Yes, it *is* a free lunch. Why would they do this? We’re talking about them, aren’t we?

The outside auditing *is* a big deal. Few other companies do this, and no one I know of for a free service. You’re worried that the dog’s diction isn’t good enough when he speaks English. If your ISP says they’re “proactively doing security,” rest assured that they are doing so to cover *their* asses, which is unlikely to really protect you from much. (And of course—*they* have all the data they desire. Most companies just keep it for themselves if they can’t sell it.)

I’m not sure how Cloudflare could “block” Tor. They’re not an ISP. Their main service is increasing uptime reliability for websites. They could choose not to sell Tor their services, but I’m not aware of any products they sell that would be “blocking.” (And note: if they *do* prevent their services to be used as an exit relay, this is *perfectly* understandable. Tor traffic can be very large, and can degrade other network services.)

ISP tracking: yes, they theoretically *can* track your website visits, but that requires a *lot* of horsepower. If I were to set up such a system, I would make sure the router was doing the work, and then sending it back to a central server—I’m not aware of any ISP routers that do that. All of that said: if you’re concerned, get a VPN, and they’ll only know that you’re connected to the VPN.







> On Apr 2, 2018, at 8:48 AM, Rodney <[hidden email]> wrote:
>
> Has anyone looked at this?
>
> https://blog.cloudflare.com/announcing-1111/
>
> I have heard of Cloudflare, so I’m not as skeptical as I’d normally be, but I won’t be completely comfortable until I figure out what’s in it for Cloudflare.
>
> I did try to go to https://1.1.1.1 to learn more, as recommended in the article, but both Safari and Chrome were unhappy about this.
>
> Supposedly, the Cloudflare DNS service is faster than Google and OpenDNS. I wonder how long that’ll be true if the number of users increases. The service was just launched yesterday.
>





Re: Cloudflare's free DNS

Doug Miller
In reply to this post by Rodney


On Apr 4, 2018, at 4:31 PM, Rodney <[hidden email]> wrote:

Also, FWIW, every speed test that I do on my system shows my ISP’s DNS servers to be the fastest resolvers, which makes sense, since they are the “closest” to me. 

That might have more to do with your ISP’s DNS cache than proximity, and any ISP with a lot of customers probably has a large cache. DNS is a distributed service. Each domain administrator is responsible for maintaining a server with addresses for that domain. Your ISP's DNS server asks a server for the relevant domain for address resolutions for addresses that your ISP’s server hasn’t cached.


Perhaps I should have been more clear that I was reporting results of testing with Steve Gibson’s DNS Benchmarking tool. (I’ve tried other tools in the past as well, and Charter’s own assigned DNS servers always resolve fastest with whichever tool I try.) The benchmark is pretty robust, testing cached results as well as non-cached results, and a few other important functions. See his page for more details about the testing: https://www.grc.com/dns/benchmark.htm

Honestly, I don’t do this all that often, but I did add 1.1.1.1 and 1.0.0.1, as well as 9.9.9.9, to his list and let them run a few times the other day. It is a Windows app, very small, but it runs perfectly well using Wine on macOS.

Also, by “closest” to me, I meant that it takes fewer hops to get those packets back and forth to me. 1.1.1.1 and 9.9.9.9 are both 10 hops away, Google’s 8.8.8.8 is 13 hops, Charter’s DNS server is 7.

I know that there are other reasons to use public DNS servers. I had been using Google’s for a while until about a month or two ago when I was having issues with short URLs to a specific website not resolving. It turned out to be a known issue with that server and Google DNS, so I just decided to switch back to the defaults. When my kids were in high school and I had no idea what they were doing with their computers, I was using OpenDNS with some of what I think are their pretty useful filters, but at this point I’m ok with my ISP’s servers. I may try out Cloudflare’s for a while just to see how they are.

Saving or losing a few milliseconds on DNS resolution for the few domains that I open for the first time probably isn’t going to make a huge difference for me or for most of us, though.

Doug
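The per-resolver timing that the benchmark above reports can be reproduced with a few lines of code. This is an added example, not Doug's tool and not Steve Gibson's benchmark: it builds a raw RFC 1035 A query, sends it over UDP to each resolver, and times the round trip twice so the second (cached) answer can be compared with the first. The resolver addresses and the test name are assumptions taken from the thread.

```python
"""Minimal resolver round-trip timer (added example, not from the thread)."""
import socket
import struct
import time


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """RFC 1035 query: header (RD=1, QDCOUNT=1), QNAME labels, QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _skip_name(data: bytes, off: int) -> int:
    """Advance past a (possibly compressed) domain name; return the new offset."""
    while True:
        ln = data[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:          # two-byte compression pointer ends the name
            return off + 2
        off += 1 + ln


def parse_a_records(data: bytes):
    """Return (rcode, [IPv4 strings]) from a raw DNS response."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qdcount):            # skip the echoed question(s)
        off = _skip_name(data, off) + 4
    addrs = []
    for _ in range(ancount):
        off = _skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return flags & 0x000F, addrs


def time_lookup(resolver: str, name: str, timeout: float = 2.0):
    """Send one query to resolver:53 and return (milliseconds, addresses)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t0 = time.perf_counter()
        sock.sendto(build_query(name), (resolver, 53))
        data, _ = sock.recvfrom(512)
    return (time.perf_counter() - t0) * 1000.0, parse_a_records(data)[1]


if __name__ == "__main__":
    # Resolvers named in the thread; "example.com" is an assumed test name.
    for resolver in ("1.1.1.1", "9.9.9.9", "8.8.8.8"):
        for attempt in ("first", "second"):   # second answer is normally cached upstream
            print(resolver, attempt, time_lookup(resolver, "example.com"))
```

Hop count, which the thread also discusses, is a separate quantity; this measures only the resolver's response time as seen from the client.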

Re: Cloudflare's free DNS

@lbutlr
In reply to this post by Jeff Porten
On 2018-04-04 (14:50 MDT), Jeff Porten <[hidden email]> wrote:
>
> Reports of Cloudflare’s speed: not sure how much you’ll benefit from this. 14 ms versus 30 ms (at Google) just isn’t that big a deal. You’ll notice it if you’re using ISP DNS that’s 100 ms or more.

I was on a site recently, wish I could remember who it was, that opened 63 connections to other domains. When you have to do 63 domain lookups the difference between 10ms and 20ms becomes noticeable.

--
For a very few, the sky's the limit. And, sometimes, not even that.

Re: Cloudflare's free DNS

Doug Hogg
My main reason for using Quad9 for our preschool’s DNS is improvement in security.


I wonder if Cloudflare’s DNS service will have similar benefits.

:-)

Doug Hogg

Sent from my iPhone

> On Apr 4, 2018, at 2:50 PM, @lbutlr <[hidden email]> wrote:
>
> On 2018-04-04 (14:50 MDT), Jeff Porten <[hidden email]> wrote:
>
>> Reports of Cloudflare’s speed: not sure how much you’ll benefit from this. 14 ms versus 30 ms (at Google) just isn’t that big a deal. You’ll notice it if you’re using ISP DNS that’s 100 ms or more.
>
> I was on a site recently, wish I could remember who it was, that opened 63 connections to other domains. When you have to do 63 domain lookups the difference between 10ms and 20ms becomes noticeable.
>
> --
> For a very few, the sky's the limit. And, sometimes, not even that.

Re: Cloudflare's free DNS

Ron Risley
In reply to this post by Jeff Porten


> On Apr 4, 2018, at 13:50, Jeff Porten <[hidden email]> wrote:
>
> Seeing a bunch of mistaken information in this thread,

A bit more mistaken information right here...

> DNS *does* give out data, but nothing you should particularly concerned about.

Threat model, threat model, threat model. You might have said "nothing *I* should be concerned about" but telling others that there's nothing to worry about, when you don't know their situation, is a bit careless. For many people living under repressive regimes, having a record of their home IP address requesting domain information about "seditious" sites can put them in peril. Don't assume that everyone's threat model is the same as yours.

The US DOJ have even published guidelines for obtaining and using DNS logs for evidence in criminal trials:

https://www.justice.gov/sites/default/files/usao/legacy/2011/11/30/usab5906.pdf

> No idea why 1.1.1.1 would be problematic, but it’s likely a screw-up on their end.

No, it's a screw-up on the part of networking equipment vendors and configurators. Apparently, a lot of folks have used 1.1.1.1 for testing purposes because it's so easy to remember and type, but the testing code and configurations don't always get expunged before networks or equipment go into production.

> I’m not sure how Cloudflare could “block” Tor.

They do effectively block Tor users from many sites, and (eventually) admitted as much back in 2016. It happens on their CDN/DDoS mitigation service. If you're "not sure how," a single click on any of the references I gave could have enlightened you in less time than it took to be disputatious. So please have a look; that's why I took the time to compile and link references.

--Ron


Re: Cloudflare's free DNS

Bill Rausch
In reply to this post by Marilyn Matty
Well, once a year is good enough for the FDIC and NCUA checking banks and credit unions for computer and network security. That includes internet banking and credit and debit card processing. If everything checks out correctly. If there were problems (luckily for me, we were always clean), they came back a lot more often. Some of my friends got to spend way too much time with auditors.

Bill


> On Wednesday, Apr 4, at 1:20 PM, Marilyn Matty <[hidden email]> wrote:
> ...
> I have no doubts that they are a respected company that does provide many valuable services. And I have no doubts about this particular DNS service. But what I do think is that a once a year security audit is not valuable. I don't think it would hurt, but rather that it's hype and hot air.
>
