Cloudflare, Mozilla, and DNS-over-HTTPS (DoH)
Comparisons of DNS Resolvers
I thought that this might be of interest to most Linux users here since we tend to set our own DNS and not trust the ISP to do this for us...DAMIEN
https://medium.com/@nykolas.z/dns-resol ... 9e803734e5
Last edited by LockBot on Wed Dec 07, 2022 4:01 am, edited 1 time in total.
Reason: Topic automatically closed 30 days after creation. New replies are no longer allowed.
- Voltron
- Level 2
- Posts: 85
- Joined: Tue Oct 21, 2014 12:48 am
- Location: Indiana University--Bloomington
Cloudflare, Mozilla, and DNS-over-HTTPS (DoH)
Hello, everyone:
I have been reading on Cloudflare's launch of their public DNS servers, 1.1.1.1 and 1.0.0.1 and was interested to get others' opinions on the matter. Here are some articles I have found, to get everyone started:
https://www.cnet.com/news/cloudfare-new ... ternet-too
https://blog.cloudflare.com/dns-resolver-1-1-1-1
https://blog.cloudflare.com/announcing-1111
This may affect users around the world, differently, given different local, regional, and national laws. I can only speak as someone in the United States and for those in the States and other locations, what do you think? Do you trust your ISP? How do you feel about changing your DNS provider to a third party? Do you do this, already? What ideas/issues do these and other related articles suggest, regarding who should be your DNS provider and/or around switching your DNS provider from some organization other than your ISP? And, what concern, if any, do you have, in moving away from your ISP's network, to a third-party DNS provider?
Re: Cloudflare, Mozilla, and DNS-over-HTTPS (DoH)
I just switched to Cloudflare's DNS service. Thought I would give it a try, based on their reports of increased performance and better privacy. So far, so good, although my perceived faster browsing might be a bit of a placebo effect. As for security, I know that requires believing everything Cloudflare says about audits and wiping logs every 24 hours. How can one really be certain? I am very interested in learning more about DNS-over-HTTPS, however.
Re: What's the verdict on this new DNS service?
I’m using it without any problems. I also see some faster surfing with it. NOW, is it safe ?????
- JoeFootball
- Level 13
- Posts: 4673
- Joined: Tue Nov 24, 2009 1:52 pm
- Location: /home/usa/mn/minneapolis/joe
Re: What's the verdict on this new DNS service?
Charlie wrote: Hoping to get some expert opinions so we can all make a decision on using it maybe.
I was coincidentally just reading these two related articles...
How to use Cloudflare's DNS service to speed up and secure your internet
What are the fastest DNS providers?
Joe
Re: What's the verdict on this new DNS service?
HI Charlie,
I just read your post and the good replies to it. Here are my thoughts on this as well.
I just heard about this from your post and decided to try it. It works well on my system. I usually use "dns.watch", "opennic", "OpenDNS", etc... Now I can add this to that list.
Cloudflare Launches a New Privacy-Focused DNS Server, But Should You Use It? YES 04/2018
https://www.howtogeek.com/fyi/cloudflar ... ou-use-it/
Hope this helps ...
Phd21: Mint 20 Cinnamon & KDE Neon 64-bit Awesome OS's, Dell Inspiron I5 7000 (7573, quad core i5-8250U ) 2 in 1 touch screen
Re: What's the verdict on this new DNS service?
I did post this under open chat with zero response when 1.1.1.1, 1.0.0.1 became available...I'm using it with great results myself...DAMIEN
https://medium.com/@nykolas.z/dns-resol ... 9e803734e5
Last edited by DAMIEN1307 on Sun Apr 08, 2018 8:31 pm, edited 1 time in total.
Re: What's the verdict on this new DNS service?
whilst that sounds great - in theory - at least:
most of these "hacks" really only work well if you reside in CONUS . .
you'll have to Test this Stuff yourself - - to see if it will work for you:
ie: From a Unix/Linux shell, you'll want to run dig with the following syntax: dig @IP address of DNS router test.site.com.
So, to see how fast Google Public DNS responds to a DNS request for zdnet.com's IP address, you'd run:
dig @8.8.8.8 zdnet.com
That's it. What you care about in the results is the line giving you the "Query time".
This measures, in milliseconds, how long it takes for the DNS resolver to give you the answer.
- The lower this number, the better. ..
;; Query time: 212 msec
;; SERVER: 8.8.8.8#53 ( 8.8.8.8 )
;; WHEN: Sat Apr 07 18:20:58 AWST 2018
;; MSG SIZE rcvd: 54
;; Query time: 276 msec
;; SERVER: 1.1.1.1#53 (1.1.1.1)
;; WHEN: Sat Apr 07 18:18:35 AWST 2018
;; MSG SIZE rcvd: 54
& your response time should be Much Better . . . than mine.
from this article:
https://www.zdnet.com/article/what-are- ... providers/
Please edit your original post title to include [SOLVED] - when your problem is solved!
and DO LOOK at those Unanswered Topics - - you may be able to answer some!.
- catweazel
- Level 19
- Posts: 9763
- Joined: Fri Oct 12, 2012 9:44 pm
- Location: Australian Antarctic Territory
Re: What's the verdict on this new DNS service?
dig @1.1.1.1 google.com
9ms over a no-external DNS VPN isn't bad at all.
I run VyprVPN over openVPN. It's configured to not use any external DNS, so if I send a DNS request then it gets routed over the VPN. This result is from Australia.
Code:
; <<>> DiG 9.10.3-P4-Ubuntu <<>> @1.1.1.1 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20578
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1536
;; QUESTION SECTION:
;google.com. IN A
;; ANSWER SECTION:
google.com. 209 IN A 172.217.25.46
;; Query time: 9 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Sat Apr 07 20:19:22 AEST 2018
;; MSG SIZE rcvd: 55
"There is, ultimately, only one truth -- cogito, ergo sum -- everything else is an assumption." - Me, my swansong.
Re: What's the verdict on this new DNS service?
if you redo it a few times, you will find that it does vary a bit:
and all that does - is show, just how bad my connection - really is.
Code:
~ $ dig @8.8.8.8 google.com
; <<>> DiG 9.9.5-3ubuntu0.13-Ubuntu <<>> @8.8.8.8 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28554
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;google.com. IN A
;; ANSWER SECTION:
google.com. 52 IN A 216.58.199.78
;; Query time: 228 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Apr 07 19:17:02 AWST 2018
;; MSG SIZE rcvd: 55
; <<>> DiG 9.9.5-3ubuntu0.13-Ubuntu <<>> @8.8.8.8 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25724
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;google.com. IN A
;; ANSWER SECTION:
google.com. 57 IN A 216.58.196.142
;; Query time: 82 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Apr 07 19:17:17 AWST 2018
;; MSG SIZE rcvd: 55
; <<>> DiG 9.9.5-3ubuntu0.13-Ubuntu <<>> @8.8.8.8 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18734
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;google.com. IN A
;; ANSWER SECTION:
google.com. 90 IN A 216.58.199.46
;; Query time: 104 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Apr 07 19:17:21 AWST 2018
;; MSG SIZE rcvd: 55
; <<>> DiG 9.9.5-3ubuntu0.13-Ubuntu <<>> @8.8.8.8 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2420
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;google.com. IN A
;; ANSWER SECTION:
google.com. 53 IN A 216.58.196.142
;; Query time: 102 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Apr 07 19:17:24 AWST 2018
;; MSG SIZE rcvd: 55
; <<>> DiG 9.9.5-3ubuntu0.13-Ubuntu <<>> @8.8.8.8 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41166
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;google.com. IN A
;; ANSWER SECTION:
google.com. 193 IN A 216.58.220.142
;; Query time: 101 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Apr 07 19:17:27 AWST 2018
;; MSG SIZE rcvd: 55
Please edit your original post title to include [SOLVED] - when your problem is solved!
and DO LOOK at those Unanswered Topics - - you may be able to answer some!.
- catweazel
- Level 19
- Posts: 9763
- Joined: Fri Oct 12, 2012 9:44 pm
- Location: Australian Antarctic Territory
Re: What's the verdict on this new DNS service?
Only by a few milliseconds, between 8 and 13 over about ten attempts. Oh, wait... you're using 8.8.8.8. I used 1.1.1.1. When I use 8.8.8.8 I get about the same as you, ~120ms.
"There is, ultimately, only one truth -- cogito, ergo sum -- everything else is an assumption." - Me, my swansong.
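Added example, not from any poster in this thread: since a single dig run varies as much as the outputs above show, this sketch collects the "Query time" of several runs and reports min, median and max. The function names are made up for the illustration, and the sample input is the Query time and SERVER lines of the five 8.8.8.8 runs posted above.

```sh
#!/bin/sh
# Summarise dig "Query time" lines over several runs instead of trusting one.

# Extract the millisecond values from dig output on stdin, one per line.
query_times() {
    awk '/^;; Query time:/ { print $4 }'
}

# Print "n=<count> min=<ms> median=<ms> max=<ms>" for values on stdin.
# The median is less sensitive than the mean to one slow, uncached first lookup.
summarize() {
    sort -n | awk '
        { v[NR] = $1 }
        END {
            if (NR == 0) { print "n=0"; exit }
            mid = (NR % 2) ? v[(NR + 1) / 2] : (v[NR / 2] + v[NR / 2 + 1]) / 2
            printf "n=%d min=%d median=%s max=%d\n", NR, v[1], mid, v[NR]
        }'
}

# Live measurement (needs network and dig): bench <resolver-ip> <name> [runs]
# A run that times out prints no "Query time" line, so n < runs means losses.
bench() {
    bench_i=0
    while [ "$bench_i" -lt "${3:-10}" ]; do
        dig +tries=1 +time=2 "@$1" "$2"
        bench_i=$((bench_i + 1))
    done | query_times | summarize
}

# Sample input: trimmed from the five 8.8.8.8 outputs posted in the thread.
sample_output() {
    cat <<'EOF'
;; Query time: 228 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; Query time: 82 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; Query time: 104 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; Query time: 102 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; Query time: 101 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
EOF
}

sample_output | query_times | summarize
```

For a live comparison, call for example `bench 1.1.1.1 google.com 10` and `bench 8.8.8.8 google.com 10` from the same machine and compare the medians.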
Re: What's the verdict on this new DNS service?
I think I'm going to set my wireless router to these two DNS IPs
Re: What's the verdict on this new DNS service?
Cloudflare, the host for the service, got into political soup last year for hosting some hate sites, but after a bit of libertarian hemming and hawing seems to have dumped them:
https://blog.cloudflare.com/why-we-term ... y-stormer/
No clue whether this or any DNS service has any privacy protection beyond "terms of service" exactly worth the ink they're signed with (none.) For privacy assurance I'd subscribe to a VPN, but I have a bit more confidence in government regulation of my (Canadian) ISP than these DNS services. Last I compared, my ISP internet performance beat OpenDNS and so not too curious about this one.
TRUST BUT VERIFY any advice from anybody, including me. Mint/Ubuntu user since 10.04 LTS. LM20 64 bit XFCE (Dell 1520). Dual boot LM20 XFCE / Win7 (Lenovo desktop and Acer netbook). Testing LM21.1 Cinnamon and XFCE Live for new Lenovo desktop.
Re: What's the verdict on this new DNS service?
1.1.1.1 as well as 9.9.9.9 got thumbs up by Steve Gibson - "Security Now" podcast. Gibson, for my money, is the best there is security wise. 9.9.9.9 will provide more security, 1.1.1.1 better performance. Not sure when either will be available in the dnscrypt resolver files.
For now I am sticking with dnscrypt/OpenDNS - I have no performance concerns and get best in class security.
Re: What's the verdict on this new DNS service?
I've tried 'em both in Pi-hole .
No noticeable gain in performance over my usual choice ( OpenDNS ) so for me , no good reason to switch
Any claimed security benefits from either aren't really relevant .
Re: What's the verdict on this new DNS service?
I think Cloudflare is a hidden agenda in background. Far too often I would not be permitted entry into a Cloudflare site only because I use a lot of privacy tools: hosts files, canvas blockers, referrer control, webrtc disable, dom storage disable and a few more. And Cloudflare is always telling my browser to enable something, otherwise site will not function.
They are now going to gather huge amount of traffic data and you know it's not going to be used for the betterment of mankind but for one purpose only: ADVERTISING ... no thanx; I will use https://dns.watch/index as my DNS servers because there is no log. Even though this is a slow service from Germany, I will not mind the lag or delay.
Comparisons of DNS Resolvers
Has anyone else switched to Cloudflare's DNS 1.1.1.1 ? Seems to be working well here. Any downsides I may not have discovered yet ?
https://1.1.1.1/
EDIT: Sorry, I didn't see this thread and started a new one. My post was moved from there and merged here.
Last edited by Teksonik on Sun Apr 22, 2018 10:27 pm, edited 2 times in total.
Re: What's the verdict on this new DNS service?
Yep - IBM has partnered with The Global Cyber Alliance (GCA) co-founded by the City of London Police, the District Attorney of New York County (that is essentially the NYPD) and the Center for Internet Security (some intelligence agencies) to form 9.9.9.9
The good part is 9.9.9.9 is intended to block domains associated with botnets, phishing attacks, and other malicious Internet hosts.
1.1.1.1 is Cloudflare as Teksonik has pointed out - according to some podcasts that I follow the tests show pretty good performance with the caveat it really depends on where you are relative to their servers. Some coined the saying, "data is the new oil". Big data/data mining is a lucrative business - "they" (fill in the blank: Facebook, Google etc.) want your data - that is the product, your data, that makes them $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$.
Everyone has strong opinions on security/privacy and from whom they want to keep their data/tracking info, so I won't get a rehash of that topic started here. Other than to say you certainly have a right to know who exactly is providing what services on the Internet.
Re: Cloudflare, Mozilla, and DNS-over-HTTPS (DoH)
This:
"The company's alternative, 1.1.1.1, places a large emphasis on privacy, with a promise to wipe all logs within 24 hours and to never log your IP address. Cloudflare says that it has also hired a firm to audit its code and practices annually and produce a public report to ensure that it is keeping its privacy promises".
From:
https://www.windowscentral.com/cloudfla ... e-internet