The need for speed (and security): Cloudflare has developed a new DNS service for PCs and phones

HarborFront

Level 71
Thread author
Verified
Top Poster
Content Creator
Oct 9, 2016
6,014
Despite the timing, Cloudflare CEO Matthew Prince would like to emphasize that his company’s latest announcement is not an April Fool’s joke.

The security services company is rolling out a new DNS resolver Sunday that it hopes will make the internet faster and more secure. The service, called 1.1.1.1 (four ones, or April 1), allows PC and mobile users to use a custom DNS setting that Cloudflare says is more secure than the default one issued by your ISP, which allows them to assemble a profile of your browsing history that marketers find very intriguing.

“DNS is the foundation of almost everything you do on the internet,” Prince said in an interview with GeekWire. “If we could make that faster, that’s just a cool engineering challenge.”

DNS is the system that translates text domains, like geekwire.com, into the series of numbers that actually marks that site’s location on the internet. There are a few different parts to it: DNS resolvers (or recursive DNS servers) are the phone books of the internet, servers that take the requests sent from your computer for a given website and connect you to that site. In this analogy, the other part, authoritative DNS servers, are the telephone operators that tell DNS resolves where the site actually is.

If you configure your phone or computer to use 1.1.1.1 as the DNS resolver, that device will use Cloudflare’s network to find your destination. Most people use the default DNS resolver provided by their internet service provider, which allows that ISP to see which sites you’ve visited (but not the content of those sites) and in some cases, assemble a profile of your browsing habits that can be sold to marketers.

There are a lot of alternative DNS providers; Google’s 8.8.8.8 service is probably the most widely used one, and there are lots of others that let you get online without telling your ISP where you’ve been. The impulse to avoid ad tracking is one thing, but in a lot of countries ISPs are state-owned companies that use DNS information to track dissidents and take sites they don’t like offline; in 2014 dissidents in Turkey actually used Google’s service to get around a government ban on Twitter until the DNS service was also blocked.

Cloudflare is promising 1.1.1.1 users that it won’t log any IP addresses that use its service, and any information it does track (such as the number of requests from a given region, or request that appear to come from botnets) will be deleted from its servers 24 hours after it was collected, Prince said.

“Our business never has been, and never will be, selling user data,” he said.

And even if you’re not paranoid about your online habits, 1.1.1.1 promises a faster internet experience by using Cloudflare’s network instead of your ISP’s, Prince said. Cloudflare operates a network of servers around the world that are used by its customers to absorb the flood of traffic associated with distributed denial-of-service attacks, and it has started to open up that network for some interesting other uses.

In tests against Cisco’s OpenDNS service, one of the leading alternative DNS providers, 1.1.1.1 was at least 30 percent faster, and it has half the latency of your average ISP, he said.

Prince hopes services such as 1.1.1.1 help spur adoption of encrypted DNS resolvers, which are currently being debated as a standard by the Internet Engineering Task Force (IETF). “We have an opportunity to rebuild the 1983-era DNS protocol, and do it with encryption built in,” he said.

It seems pretty likely that only a small subset of internet users will actually change the default settings on their devices; Prince said Cloudflare’s internal goals for 1.1.1.1 usage are in the low single-digit millions. Still, if services like 1.1.1.1 are included in browsers and home routers, eventually more and more people might come to understand the benefits of using something other than the default service, he said.

The need for speed (and security): Cloudflare has developed a new DNS service for PCs and phones

If you’re interested in using 1.1.1.1, set-up instructions can be found here.

1.1.1.1 — the Internet’s Fastest, Privacy-First DNS Resolver
 

vtqhtr413

Level 26
Verified
Top Poster
Well-known
Aug 17, 2017
1,448
If you're using a vpn service is there any improvement in security or speed after applying the new DNS, what possible conflicts? also what about Do Not Track, isn't that what it's for?
 
  • Like
Reactions: Prorootect

Arequire

Level 29
Verified
Top Poster
Content Creator
Feb 10, 2017
1,814
Thank's for the share, I'm trying it out now and it is indeed pretty fast. I'm in the centre of the UK for any other UK users wondering what their speeds will be like.
South-West UK here. 30-35ms resolve time. Pretty much exactly the same as Quad9 for me.

Nice thing is that Cloudflare's DNS offers its own client for running DNS over HTTPS, unlike Quad9 which requires a third-party client.
 

Prorootect

Level 69
Verified
Nov 5, 2011
5,855
Reddit: Be careful with CloudFlare: Be careful with CloudFlare • r/privacy

"Well, first of all, let me explain what is CloudFlare. CloudFlare is a CDN (content delivery network) which acts as a reverse proxy, saving bandwhidt and protecting websites against denial-of-service attacks. Some of their plans are free. This sounds very interesting, specially for individuals or small companies which can't afford a very sofisticated infrastructure to their own websites.

However, in order to do this, they act literally as a MITM (man-in-the-middle), even in SSL connections. They do a lot of marketing saying they are helping to improve to internet security bringing SSL connections for all the websites which use their services. Well, you conection is really encrypted, but only until the CloudFlare's servers. After that, the conection between CloudFlare and can simply be unencrypted, if the website operator choose to do so. Or still can be encrypted (between CloudFlare servers and website servers) but the contents of what you're viewing and sending on that website remains visible to CloudFlare, even in the so-called full strict SSL. So, although an encrypted conection can be good, even if it's just until CloudFlare's servers (which at least creates a protection on unsecure wi-fis or shitty ISPs), they aren't telling clearly the whole story thanks to their PR management.

Do you want to check this? Simple: go to any website with a SSL connection behind CloudFlare and check the certificate. You'll notice the certificate was emited for something.cloudflaressl.com instead of the original website address. Yet the web browser accepts this type of certificate as valid and shows the lock in the address bar.

All of this creates an interesting paradox with Tor. In one side, the ability of having a SSL conection, even if it's only until the CloudFlare servers, helps to protect your browsing against a malicious exit node. However, on the other side, they require you to enable JavaScript in order to avoid those terrible and unreadable captchas.

So, my friends, be careful with this company. As they grown more and more, they can learn about your browsing habits and harm your privacy. If you access a website behind CloudFlare, avoid putting sensitive information on there, because all the contents are accesible to them. Even in their Keyless SSL which is used by some US banks, the contents of the pages are still accesible to them. And if you're just creating your own website, please, avoid them."

Reccomended readings:

The Real Cost of a CloudFlare “Free” SSL Certificate – SSL Information and FAQ

My TLS conundrum and why I decided to leave CloudFlare

-----------------------------

Wikipedia: CloudFlare Controversies: Cloudflare - Wikipedia
 
Last edited:

CyberTech

Level 44
Verified
Top Poster
Well-known
Nov 10, 2017
3,247
Hmm is this false? reported it...
nPhirH5.png
 

Marko :)

Level 20
Verified
Top Poster
Well-known
Aug 12, 2015
954
seems like I can never use this DNS

View attachment 184474
On Cloudflare community forum, it's said that 1.1.1.1 was horribly abused address space in the past. That's probably the reason why some providers aren't resolving that IP address.

See this thread; Cannot open https://1.1.1.1 or ping 1.1.1.1 in Bosnia
Isn't Cloudflare the fine organization that incessantly bombards me with "click the road signs" captchas? Or tells me my connection looks suspicious and refuses to complete the connection?
Yes, it is. They do that to prevent DDoS attacks and spam. If you need to solve captcha before entering the websites using Cloudflare, that means your IP address is on the blacklists because it was abused in the past.
 
Last edited:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top