Guest Alphonsox, posted April 13, 2018

Cloudflare recently announced a new free, privacy orientated DNS resolution service (1.1.1.1). This looks like an interesting alternative to Google DNS (8.8.8.8) and Cisco's OpenDNS (208.67.222.222) services.

https://blog.cloudflare.com/announcing-1111/

The support for DNS-over-HTTPS looks particularly interesting although I haven't had chance to look at how it can be usefully implemented in a home environment. This may provide a Pi orientated solution...

https://scotthelme.co.uk/securing-dns-across-all-of-my-devices-with-pihole-dns-over-https-1-1-1-1/

Dreadnaught, posted April 13, 2018

Off topic: I wonder how-on-earth Cloudflare got the IP address 1.1.1.1 (and I wonder what the equivalent address is in IPv6).

Guest Alphonsox, posted April 13, 2018

12 minutes ago, Dreadnaught said:
> Off topic: I wonder how-on-earth Cloudflare got the ip address 1.1.1.1 (and I wonder what the equivalent address is in IPv6).

This is described in the first link - it's a joint venture with the Asia Pacific internet registry who own the address. IPv6 is 2606:4700:4700::1111

Jeremy Harris, posted April 13, 2018

Thanks for this, it looks very interesting. Not sure about using a RPi, though, as it's not really optimised to handle network traffic. I wonder if this will migrate to OpenWrt/LEDE? Running it on router hardware seems to make more sense, and would avoid the need to have another box in the network connection.

I've already got a cheap second mini router running TOR that gives me the option to connect via TOR without having to run the TOR browser (although it does still need a safe browser to be used to limit browser profiling - I use a portable version of Firefox that is set up to run from a USB stick, with all the usual safeguards that are in the TOR browser version of Firefox).

richi, posted April 13, 2018

Sadly, using network 1/8 is challenging. Many years ago, after the demise of the BBN packet-radio network, it was marked as "reserved," but countless networking people decided that word meant they could use it as a private, unroutable network address (despite there being several ranges such as 10/8 and 192.168/16 set aside for this). Cloudflare is doing its best to fix the problem, but it's a bit like the Augean stables.

As an alternative, look into 9.9.9.9, which focusses on threats and has a similar censorship and privacy stance. It's also not controlled by a single commercial entity, being a not-for-profit JV of IBM, PCH and GCA, in collaboration with several others (wonderful as Cloudflare is today, who knows what they'll be in a year or two's time).

From the About page:

> Community-Driven Internet Security
>
> ... Quad9 will check the site against IBM X-Force threat intelligence that includes 800+ terabytes of threat intelligence data including 40B+ analyzed web pages and images and 17 million spam and phishing attacks monitored daily. Advanced analysis is performed on IP addresses to assign a risk score based on text, visual object recognition, optical character recognition (OCR), structure and linkages to other sites, and the presence of suspicious files.
>
> ... Quad9 systems are distributed worldwide in more than 70 locations at launch, with more than 160 locations in total on schedule for 2018. These servers are located primarily at Internet Exchange points, meaning that the distance and time required to get answers is lower than almost any other solution.
>
> ... No personally-identifiable information is collected by the system. IP addresses of end users are not stored to disk or distributed outside of the equipment answering the query in the local data center. Quad9 is a not-for-profit organization dedicated only to the operation of DNS services. There are no other secondary revenue streams for personally-identifiable data, and the core charter of the organization is to provide secure, fast, private DNS.

SteamyTea, posted April 13, 2018

There was something about Cloudflare and routing porn a while back. Just popped into my news feed, honest. Seem to remember that the headline was that they were in some sort of trouble with the regulatory people (or government snoopers).

richi, posted April 13, 2018

Cloudflare's main business is protecting websites from denial-of-service attacks, by proxying traffic for them. CF sells the service with a freemium model, so there are countless "undesirable" sites protected by CF that lazy journalists can point to with shock-horror opprobrium. One well-known example is The Pirate Bay.

SteamyTea, posted April 13, 2018

The Pirate Bay is better than Netwflick/Amazon/iPlayer/Spotify put together, why would anyone want to take them down, they are only a listing to repositories for the planet's creative content after all.