Cloudflare's free DNS


Re: Cloudflare's free DNS

@lbutlr
On 2018-04-04 (14:20 MDT), Marilyn Matty <[hidden email]> wrote:
>
> I have no doubts that they are a respected company that does provide many valuable services. And I have no doubts about this particular DNS service. But what I do think is that a once a year security audit is not valuable. I don't think it would hurt, but rather that it's hype and hot air.


It's really not. A security audit is a large deal, and a good one will take a month or three to complete. Some of that time will involve high-level infrastructure employees at the company, taking time away from their actual jobs.

It's perfectly reasonable to do these yearly, many companies do them less frequently than that, and most companies never do them at all (Yahoo, Sony, Home Depot, Target, Walmart, etc etc etc).

--
Bowling scores are way up, minigolf scores are way down, and we have
more excellent waterslides than any other planet we communicate with




____________TidBITS Talk Participation Guidelines____________
Post only when you have something substantive to contribute.
Be polite and constructive, and comment on posts, not people.
Quote sparingly, if at all. We all read the previous message.
Start threads with a new message to [hidden email].
Read archives at: http://sparky.tidbits.com/pipermail/tidbits-talk/
Unsubscribe at: http://sparky.tidbits.com/mailman/options/tidbits-talk
____Mailing List Manners: http://tidbits.com/series/1141 ____

Re: Cloudflare's free DNS

Al Varnell
In reply to this post by Ron Risley
On Wed, Apr 04, 2018 at 07:56 PM, Ron Risley wrote:
> The US DOJ have even published guidelines for obtaining and using DNS logs for evidence in criminal trials:
>
> https://www.justice.gov/sites/default/files/usao/legacy/2011/11/30/usab5906.pdf

Sure, but how is this any different from seizing your snail mail, phone logs or any other document that shows evidence of a crime?

-Al-
-- 
Al Varnell
Mountain View, CA








Re: Cloudflare's free DNS

Curtis Wilcox
On Apr 5, 2018, at 5:36 AM, Al Varnell <[hidden email]> wrote:

> On Wed, Apr 04, 2018 at 07:56 PM, Ron Risley wrote:
>> The US DOJ have even published guidelines for obtaining and using DNS logs for evidence in criminal trials:
>>
>> https://www.justice.gov/sites/default/files/usao/legacy/2011/11/30/usab5906.pdf
>
> Sure, but how is this any different from seizing your snail mail, phone logs or any other document that shows evidence of a crime?

Snail mail or any document in your possession would require a warrant, you know you have it, and you can do something to protect yourself. DNS query logs are somewhat analogous to phone logs because phone logs are in possession of the phone company and exist as a part of doing business. I think police can get your phone logs without a warrant if the phone company wants to cooperate (and they generally do), because the data is the phone company's not yours, and the same is likely true of DNS query records.

It depends on one's threat model. Presumably you're not a murderer so even if there was a DNS lookup for 'makeitlooklikeanaccident.com' from your computer, you're not worried about a record of that existing anywhere. But if you're in Russia, you could be in a situation where a DNS lookup of 'savegaysinrussia.com' could be a problem for you.

Not using your ISP's DNS offers some protection and using a DNS provider, like CloudFlare, that recognizes they don't need to save logs for diagnostic purposes for more than a day offers further protection. It's not enough on its own but it's an additional piece.





Re: Cloudflare's free DNS

Jolin Warren
In reply to this post by Marilyn Matty
At 20:34 on Wed 04 Apr 2018, Marilyn Matty wrote:
> In order to develop the analytics, Nielsen does extensive auditing of data.

That is just Nielsen auditing their own data. Cloudflare have said that they continuously audit their security, as well. However, they've made a further commitment to have an _external_ auditor come in and audit their processes and security once a year, essentially to verify the 24/7 auditing they are doing internally.

Does Nielsen have an external auditor come in and verify their methods and the robustness of their data? If so, how often? I suspect they don't and just ask people to 'trust them'.




Re: Cloudflare's free DNS

Al Varnell
In reply to this post by Randy B. Singer
Here's a lengthy, much more technical discussion of the privacy aspects of this service (or current lack thereof) from arsTECHNICA:
<https://arstechnica.com/information-technology/2018/04/how-to-keep-your-isps-nose-out-of-your-browser-history-with-encrypted-dns/>.

I've been testing DNSCloak for iOS on my iPad for about a week now and it doesn't seem to be interfering with its operation. I can only assume that it's working as advertised.
<https://itunes.apple.com/us/app/dnscloak-dnscrypt-doh-client/id1330471557?mt=8>.

On my Mac, I've been using DNSCrypt from OpenDNS for many years. There have been occasional issues with its use during that time, but it seems to have settled out for the last couple of years:
<https://www.opendns.com/about/innovations/dnscrypt/>. I'm using the Cisco OpenDNS server which appears to be close to my home and usually reliable.

-Al-

On Mon, Apr 02, 2018 at 07:52 PM, Randy B. Singer wrote:
> On Apr 2, 2018, at 5:48 AM, Rodney wrote:
>> Has anyone looked at this?
>
> See:
> <https://www.cnet.com/news/cloudfare-new-1111-dns-privacy-tool-would-speed-your-internet-too/>
> <https://medium.com/@nykolas.z/dns-resolvers-performance-compared-cloudflare-x-google-x-quad9-x-opendns-149e803734e5>
> ___________________________________________
> Randy B. Singer


