Cloudflare, Mozilla, and DNS-over-HTTPS (DoH)


Comparisons of DNS Resolvers

Post by DAMIEN1307 » Mon Apr 02, 2018 9:25 pm

I thought that this might be of interest to most Linux users here since we tend to set our own DNS and not trust the ISP to do this for us...DAMIEN

https://medium.com/@nykolas.z/dns-resol ... 9e803734e5
ORDO AB CHAO


Cloudflare, Mozilla, and DNS-over-HTTPS (DoH)

Post by Voltron » Tue Apr 03, 2018 4:56 am

Hello, everyone:

I have been reading about Cloudflare's launch of their public DNS servers, 1.1.1.1 and 1.0.0.1, and was interested to get others' opinions on the matter. Here are some articles I have found, to get everyone started:

https://www.cnet.com/news/cloudfare-new ... ternet-too

https://blog.cloudflare.com/dns-resolver-1-1-1-1

https://blog.cloudflare.com/announcing-1111

This may affect users around the world differently, given different local, regional, and national laws. I can only speak as someone in the United States and for those in the States and other locations, what do you think? Do you trust your ISP? How do you feel about changing your DNS provider to a third party? Do you do this, already? What ideas/issues do these and other related articles suggest, regarding who should be your DNS provider and/or around switching your DNS provider from some organization other than your ISP? And, what concern, if any, do you have, in moving away from your ISP's network, to a third-party DNS provider?


Re: Cloudflare, Mozilla, and DNS-over-HTTPS (DoH)

Post by Meeshka » Tue Apr 03, 2018 5:28 am

I just switched to Cloudflare's DNS service. Thought I would give it a try, based on their reports of increased performance and better privacy. So far, so good, although my perceived faster browsing might be a bit of a placebo effect. As for security, I know that requires believing everything Cloudflare says about audits and wiping logs every 24 hours. How can one really be certain? I am very interested in learning more about DNS-over-HTTPS, however.


What's the verdict on this new DNS service?

Post by Charlie » Fri Apr 06, 2018 3:16 pm

https://1.1.1.1/ Glad to hear your thoughts about this.


Re: What's the verdict on this new DNS service?

Post by Pepi » Fri Apr 06, 2018 3:19 pm

I’m using it without any problems. I also see some faster surfing with it. NOW, is it safe ?????


Re: What's the verdict on this new DNS service?

Post by Charlie » Fri Apr 06, 2018 3:32 pm

Pepi wrote:
Fri Apr 06, 2018 3:19 pm
I’m using it without any problems. I also see some faster surfing with it. NOW, is it safe ?????
Hoping to get some expert opinions so we can all make a decision on using it maybe.


Re: What's the verdict on this new DNS service?

Post by JoeFootball » Fri Apr 06, 2018 4:13 pm

Charlie wrote: Hoping to get some expert opinions so we can all make a decision on using it maybe.
I was coincidentally just reading these two related articles...

How to use Cloudflare's DNS service to speed up and secure your internet

What are the fastest DNS providers?

Joe


Re: What's the verdict on this new DNS service?

Post by Mattyboy » Fri Apr 06, 2018 9:11 pm

Question is... can I use DNScrypt?


Re: What's the verdict on this new DNS service?

Post by phd21 » Fri Apr 06, 2018 10:40 pm

Hi Charlie,

I just read your post and the good replies to it. Here are my thoughts on this as well.

I just heard about this from your post and decided to try it. It works well on my system. I usually use "dns.watch", "opennic", "OpenDNS", etc... Now I can add this to that list.

Cloudflare Launches a New Privacy-Focused DNS Server, But Should You Use It? YES 04/2018
https://www.howtogeek.com/fyi/cloudflar ... ou-use-it/



Hope this helps ...
Phd21: Mint KDE 18.3 & 19, 64-bit Awesome OS, Ancient Dell OptiPlex 780 Core2Duo E8400 3GHz,4gb Ram,256gb SDD, Video: Intel 4 Graphics, DVD Lightscribe. Why I use KDE?:https://opensource.com/life/15/4/9-reasons-to-use-kde


Re: What's the verdict on this new DNS service?

Post by DAMIEN1307 » Sat Apr 07, 2018 2:50 am

I did post this under open chat with zero response when 1.1.1.1, 1.0.0.1 became available...I'm using it with great results myself...DAMIEN

https://medium.com/@nykolas.z/dns-resol ... 9e803734e5
Last edited by DAMIEN1307 on Sun Apr 08, 2018 8:31 pm, edited 1 time in total.
ORDO AB CHAO


Re: What's the verdict on this new DNS service?

Post by Pierre » Sat Apr 07, 2018 6:15 am

whilst that sounds great - in theory - at least:
most of these "hacks" really only work well if you reside in CONUS . . :(

you'll have to Test this Stuff yourself - - to see if it will work for you:
ie: From a Unix/Linux shell, you'll want to run dig with the following syntax: dig @IP address of DNS router test.site.com.
So, to see how fast Google Public DNS responds to a DNS request for zdnet.com's IP address, you'd run:

dig @8.8.8.8 zdnet.com

That's it. What you care about in the results is the line giving you the "Query time".
This measures, in milliseconds, how long it takes for the DNS resolver to give you the answer.
- The lower this number, the better. ..

;; Query time: 212 msec
;; SERVER: 8.8.8.8#53 ( 8.8.8.8 )
;; WHEN: Sat Apr 07 18:20:58 AWST 2018
;; MSG SIZE rcvd: 54

;; Query time: 276 msec
;; SERVER: 1.1.1.1#53 (1.1.1.1)
;; WHEN: Sat Apr 07 18:18:35 AWST 2018
;; MSG SIZE rcvd: 54

& your response time should be Much Better . . . than mine.

from this article:
https://www.zdnet.com/article/what-are- ... providers/
Please edit your original post title to include [SOLVED] - when your problem is solved!
and DO LOOK at those Unanswered Topics - - you may be able to answer some!.


Re: What's the verdict on this new DNS service?

Post by catweazel » Sat Apr 07, 2018 6:20 am

Pierre wrote:
Sat Apr 07, 2018 6:15 am
dig @8.8.8.8 zdnet.com
dig @1.1.1.1 google.com

9ms over a no-external DNS VPN isn't bad at all.

I run VyprVPN over openVPN. It's configured to not use any external DNS, so if I send a DNS request then it gets routed over the VPN. This result is from Australia.

Code: Select all

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @1.1.1.1 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20578
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1536
;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             209     IN      A       172.217.25.46

;; Query time: 9 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Sat Apr 07 20:19:22 AEST 2018
;; MSG SIZE  rcvd: 55
¡uʍop ǝpısdn sı buıɥʇʎɹǝʌǝ os ɐıןɐɹʇsnɐ ɯoɹɟ ɯ,ı


Re: What's the verdict on this new DNS service?

Post by Pierre » Sat Apr 07, 2018 7:21 am

if you redo it a few times, you will find that it does vary a bit:

Code: Select all

~ $ dig @8.8.8.8 google.com

; <<>> DiG 9.9.5-3ubuntu0.13-Ubuntu <<>> @8.8.8.8 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28554
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;google.com.			IN	A

;; ANSWER SECTION:
google.com.		52	IN	A	216.58.199.78

;; Query time: 228 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Apr 07 19:17:02 AWST 2018
;; MSG SIZE  rcvd: 55

; <<>> DiG 9.9.5-3ubuntu0.13-Ubuntu <<>> @8.8.8.8 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25724
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;google.com.			IN	A

;; ANSWER SECTION:
google.com.		57	IN	A	216.58.196.142

;; Query time: 82 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Apr 07 19:17:17 AWST 2018
;; MSG SIZE  rcvd: 55

; <<>> DiG 9.9.5-3ubuntu0.13-Ubuntu <<>> @8.8.8.8 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18734
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;google.com.			IN	A

;; ANSWER SECTION:
google.com.		90	IN	A	216.58.199.46

;; Query time: 104 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Apr 07 19:17:21 AWST 2018
;; MSG SIZE  rcvd: 55

; <<>> DiG 9.9.5-3ubuntu0.13-Ubuntu <<>> @8.8.8.8 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2420
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;google.com.			IN	A

;; ANSWER SECTION:
google.com.		53	IN	A	216.58.196.142

;; Query time: 102 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Apr 07 19:17:24 AWST 2018
;; MSG SIZE  rcvd: 55

; <<>> DiG 9.9.5-3ubuntu0.13-Ubuntu <<>> @8.8.8.8 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41166
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;google.com.			IN	A

;; ANSWER SECTION:
google.com.		193	IN	A	216.58.220.142

;; Query time: 101 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Apr 07 19:17:27 AWST 2018
;; MSG SIZE  rcvd: 55
and all that does - is show, just how bad my connection - really is.
:(
Please edit your original post title to include [SOLVED] - when your problem is solved!
and DO LOOK at those Unanswered Topics - - you may be able to answer some!.
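
An added example, not part of the original posts: since a single `dig` run varies as shown above, this sketch collects the "Query time" of repeated runs per resolver and reports min, median and max. The function names are hypothetical; the 8.8.8.8 times are the five from the post above, and the 1.1.1.1 times are constructed sample values.

```shell
#!/bin/sh
# summarize_dig: read one or more concatenated `dig` outputs on stdin and
# print, per resolver, the sample count and min/median/max query time (ms).
summarize_dig() {
    awk '
        /^;; Query time:/ { qt = $4 }        # ";; Query time: 228 msec"
        /^;; SERVER:/ && qt != "" {
            split($3, a, "#")                # "8.8.8.8#53(8.8.8.8)" -> 8.8.8.8
            print a[1], qt
            qt = ""                          # do not reuse a stale time
        }
    ' | sort -k1,1 -k2,2n | awk '
        function flush() {
            if (n == 0) return
            mid = (n % 2) ? v[(n + 1) / 2] : (v[n / 2] + v[n / 2 + 1]) / 2
            printf "%s n=%d min=%d median=%s max=%d\n", srv, n, v[1], mid, v[n]
        }
        $1 != srv { flush(); srv = $1; n = 0 }   # new resolver: emit previous
        { v[++n] = $2 }                          # times arrive already sorted
        END { flush() }
    '
}

# Constructed sample input in dig's footer format (only the two lines the
# parser needs). 8.8.8.8 values come from the thread; 1.1.1.1 are made up.
sample_dig_output() {
    for pair in 8.8.8.8:228 8.8.8.8:82 8.8.8.8:104 8.8.8.8:102 8.8.8.8:101 \
                1.1.1.1:9 1.1.1.1:13 1.1.1.1:8 1.1.1.1:11; do
        printf ';; Query time: %s msec\n;; SERVER: %s#53(%s)\n' \
            "${pair#*:}" "${pair%%:*}" "${pair%%:*}"
    done
}

# Live use (needs network):
#   for i in 1 2 3 4 5; do dig @1.1.1.1 google.com; done | summarize_dig
sample_dig_output | summarize_dig
```

The median is less affected by a single slow run, such as the 228 msec one, than an average would be.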


Re: What's the verdict on this new DNS service?

Post by catweazel » Sat Apr 07, 2018 7:29 am

Pierre wrote:
Sat Apr 07, 2018 7:21 am
if you redo it a few time,, you will find that it does vary a bit:
Only by a few milliseconds, between 8 and 13 over about ten attempts. Oh, wait... you're using 8.8.8.8. I used 1.1.1.1. When I use 8.8.8.8 I get about the same as you, ~120ms.
¡uʍop ǝpısdn sı buıɥʇʎɹǝʌǝ os ɐıןɐɹʇsnɐ ɯoɹɟ ɯ,ı


Re: What's the verdict on this new DNS service?

Post by Charlie » Sat Apr 07, 2018 8:16 am

I just thought I hadn't seen this discussed and I know there are some seasoned pros around here that would really know about it. Thanks for the replies. I have tested it and for now I think I will stick to Dnscrypt or Bind9. Unless someone comes up with a tool to improve it, like I am not convinced about DNS leaks from it.


Re: What's the verdict on this new DNS service?

Post by Pepi » Sat Apr 07, 2018 12:59 pm

I think I'm going to set my wireless router to these two DNS IPs


Re: What's the verdict on this new DNS service?

Post by I2k4 » Sat Apr 07, 2018 1:37 pm

Cloudflare, the host for the service, got into political soup last year for hosting some hate sites, but after a bit of libertarian hemming and hawing seems to have dumped them:

https://blog.cloudflare.com/why-we-term ... y-stormer/

No clue whether this or any DNS service has any privacy protection beyond "terms of service" exactly worth the ink they're signed with (none.) For privacy assurance I'd subscribe to a VPN, but I have a bit more confidence in government regulation of my (Canadian) ISP than these DNS services. Last I compared, my ISP internet performance beat OpenDNS and so not too curious about this one.
TRUST BUT VERIFY any advice from anybody, including me. Ubuntu / Mint user since 10.04 LTS. M17.3 Cinnamon (Dell 1520). Dual booting M17.3 XFCE / W7 (Acer netbook) and M18.3 Cinnamon / W7 (Lenovo desktop). Testing M19.x 64bit on live USB.


Re: What's the verdict on this new DNS service?

Post by majpooper » Sat Apr 07, 2018 1:43 pm

1.1.1.1 as well as 9.9.9.9 got thumbs up by Steve Gibson - "Security Now" podcast. Gibson, for my money, is the best there is security wise. 9.9.9.9 will provide more security, 1.1.1.1 better performance. Not sure when either will be available in the dnscrypt resolver files.

For now I am sticking with dnscrypt/OpenDNS - I have no performance concerns and get best in class security.


Re: What's the verdict on this new DNS service?

Post by Faust » Sat Apr 07, 2018 2:34 pm

I've tried 'em both in Pi-hole.
No noticeable gain in performance over my usual choice (OpenDNS), so for me, no good reason to switch.
Any claimed security benefits from either aren't really relevant.
" And so it goes " - Kurt Vonnegut
The modern reality and the satirical parody are rapidly converging .


Re: What's the verdict on this new DNS service?

Post by Charlie » Sun Apr 08, 2018 8:25 am

If I use Bind9 and tell it to use RESOLVCONF by changing the value from "no" to "yes" in /etc/default/bind9

And add 1.1.1.1 and 1.0.0.1 to RESOLVCONF replacing the default, will bind9 now ensure there are no DNS leaks from 1.1.1.1?

I have tested it and it works but I do not know if it is secure.