Cloudflare, Mozilla, and DNS-over-HTTPS (DoH)

Comparisons of DNS Resolvers

Post by DAMIEN1307 »

I thought that this might be of interest to most Linux users here since we tend to set our own DNS and not trust the ISP to do this for us...DAMIEN

https://medium.com/@nykolas.z/dns-resol ... 9e803734e5
Last edited by LockBot on Wed Dec 07, 2022 4:01 am, edited 1 time in total.
Reason: Topic automatically closed 30 days after creation. New replies are no longer allowed.

Cloudflare, Mozilla, and DNS-over-HTTPS (DoH)

Post by Voltron »

Hello, everyone:

I have been reading on Cloudflare's launch of their public DNS servers, 1.1.1.1 and 1.0.0.1 and was interested to get others' opinions on the matter. Here are some articles I have found, to get everyone started:

https://www.cnet.com/news/cloudfare-new ... ternet-too

https://blog.cloudflare.com/dns-resolver-1-1-1-1

https://blog.cloudflare.com/announcing-1111

This may affect users around the world, differently, given different local, regional, and national laws. I can only speak as someone in the United States and for those in the States and other locations, what do you think? Do you trust your ISP? How do you feel about changing your DNS provider to a third party? Do you do this, already? What ideas/issues do these and other related articles suggest, regarding who should be your DNS provider and/or around switching your DNS provider from some organization other than your ISP? And, what concern, if any, do you have, in moving away from your ISP's network, to a third-party DNS provider?

Re: Cloudflare, Mozilla, and DNS-over-HTTPS (DoH)

Post by Meeshka »

I just switched to Cloudflare's DNS service. Thought I would give it a try, based on their reports of increased performance and better privacy. So far, so good, although my perceived faster browsing might be a bit of a placebo effect. As for security, I know that requires believing everything Cloudflare says about audits and wiping logs every 24 hours. How can one really be certain? I am very interested in learning more about DNS-over-HTTPS, however.

Re: What's the verdict on this new DNS service?

Post by Pepi »

I’m using it without any problems. I also see some faster surfing with it. NOW, is it safe ?????

Re: What's the verdict on this new DNS service?

Post by JoeFootball »

Charlie wrote: Hoping to get some expert opinions so we can all make a decision on using it maybe.
I was coincidentally just reading these two related articles...

How to use Cloudflare's DNS service to speed up and secure your internet

What are the fastest DNS providers?

Joe

Re: What's the verdict on this new DNS service?

Post by Mattyboy »

Question is... can I use DNScrypt?

Re: What's the verdict on this new DNS service?

Post by phd21 »

Hi Charlie,

I just read your post and the good replies to it. Here are my thoughts on this as well.

I just heard about this from your post and decided to try it. It works well on my system. I usually use "dns.watch", "opennic", "OpenDNS", etc... Now I can add this to that list.

Cloudflare Launches a New Privacy-Focused DNS Server, But Should You Use It? YES 04/2018
https://www.howtogeek.com/fyi/cloudflar ... ou-use-it/



Hope this helps ...

Re: What's the verdict on this new DNS service?

Post by DAMIEN1307 »

I did post this under open chat with zero response when 1.1.1.1, 1.0.0.1 became available...I'm using it with great results myself...DAMIEN

https://medium.com/@nykolas.z/dns-resol ... 9e803734e5
Last edited by DAMIEN1307 on Sun Apr 08, 2018 8:31 pm, edited 1 time in total.

Re: What's the verdict on this new DNS service?

Post by Pierre »

whilst that sounds great - in theory - at least:
most of these "hacks" really only work well if you reside in CONUS . . :(

you'll have to Test this Stuff yourself - - to see if it will work for you:
ie: From a Unix/Linux shell, you'll want to run dig with the following syntax: dig @IP address of DNS router test.site.com.
So, to see how fast Google Public DNS responds to a DNS request for zdnet.com's IP address, you'd run:

dig @8.8.8.8 zdnet.com

That's it. What you care about in the results is the line giving you the "Query time".
This measures, in milliseconds, how long it takes for the DNS resolver to give you the answer.
- The lower this number, the better. ..

;; Query time: 212 msec
;; SERVER: 8.8.8.8#53 ( 8.8.8.8 )
;; WHEN: Sat Apr 07 18:20:58 AWST 2018
;; MSG SIZE rcvd: 54

;; Query time: 276 msec
;; SERVER: 1.1.1.1#53 (1.1.1.1)
;; WHEN: Sat Apr 07 18:18:35 AWST 2018
;; MSG SIZE rcvd: 54

& your response time should be Much Better . . . than mine.

from this article:
https://www.zdnet.com/article/what-are- ... providers/

Re: What's the verdict on this new DNS service?

Post by catweazel »

Pierre wrote: Sat Apr 07, 2018 6:15 am dig @8.8.8.8 zdnet.com
dig @1.1.1.1 google.com

9ms over a no-external DNS VPN isn't bad at all.

I run VyprVPN over openVPN. It's configured to not use any external DNS, so if I send a DNS request then it gets routed over the VPN. This result is from Australia.


; <<>> DiG 9.10.3-P4-Ubuntu <<>> @1.1.1.1 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20578
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1536
;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             209     IN      A       172.217.25.46

;; Query time: 9 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Sat Apr 07 20:19:22 AEST 2018
;; MSG SIZE  rcvd: 55

Re: What's the verdict on this new DNS service?

Post by Pierre »

if you redo it a few times, you will find that it does vary a bit:


~ $ dig @8.8.8.8 google.com

; <<>> DiG 9.9.5-3ubuntu0.13-Ubuntu <<>> @8.8.8.8 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28554
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;google.com.			IN	A

;; ANSWER SECTION:
google.com.		52	IN	A	216.58.199.78

;; Query time: 228 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Apr 07 19:17:02 AWST 2018
;; MSG SIZE  rcvd: 55

; <<>> DiG 9.9.5-3ubuntu0.13-Ubuntu <<>> @8.8.8.8 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25724
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;google.com.			IN	A

;; ANSWER SECTION:
google.com.		57	IN	A	216.58.196.142

;; Query time: 82 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Apr 07 19:17:17 AWST 2018
;; MSG SIZE  rcvd: 55

; <<>> DiG 9.9.5-3ubuntu0.13-Ubuntu <<>> @8.8.8.8 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18734
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;google.com.			IN	A

;; ANSWER SECTION:
google.com.		90	IN	A	216.58.199.46

;; Query time: 104 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Apr 07 19:17:21 AWST 2018
;; MSG SIZE  rcvd: 55

; <<>> DiG 9.9.5-3ubuntu0.13-Ubuntu <<>> @8.8.8.8 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2420
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;google.com.			IN	A

;; ANSWER SECTION:
google.com.		53	IN	A	216.58.196.142

;; Query time: 102 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Apr 07 19:17:24 AWST 2018
;; MSG SIZE  rcvd: 55

; <<>> DiG 9.9.5-3ubuntu0.13-Ubuntu <<>> @8.8.8.8 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41166
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;google.com.			IN	A

;; ANSWER SECTION:
google.com.		193	IN	A	216.58.220.142

;; Query time: 101 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Apr 07 19:17:27 AWST 2018
;; MSG SIZE  rcvd: 55
and all that does - is show, just how bad my connection - really is.
:(
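
An added example, not part of any post in this thread: since a single dig run varies as much as the five 8.8.8.8 runs above, this sketch collects the "Query time" lines from repeated runs and reports min, median and max. The function names are made up for illustration, and the embedded sample is constructed from the five timings in the post above.

```shell
#!/bin/sh
# Summarise "Query time" lines from repeated dig runs (added example).

# query_times: read dig output on stdin, print one latency in msec per line.
query_times() {
    awk '/^;; Query time:/ { print $4 }'
}

# summarize: read dig output on stdin, print "n=.. min=.. median=.. max=..".
# A timed-out query prints no "Query time" line, so n below the number of
# runs means some queries got no answer.
summarize() {
    query_times | sort -n | awk '
        { v[NR] = $1 }
        END {
            if (NR == 0) { print "n=0"; exit 1 }
            mid = (NR % 2) ? v[(NR + 1) / 2] : (v[NR / 2] + v[NR / 2 + 1]) / 2
            printf "n=%d min=%d median=%s max=%d\n", NR, v[1], mid, v[NR]
        }'
}

# bench RESOLVER NAME [COUNT]: live use, needs dig and network access.
# +tries=1 +time=2 keeps a dead resolver from stalling the loop.
bench() {
    resolver=$1; name=$2; count=${3:-5}
    i=0
    while [ "$i" -lt "$count" ]; do
        dig "@$resolver" "$name" +tries=1 +time=2
        i=$((i + 1))
    done | summarize
}

# Constructed sample: the five 8.8.8.8 query times shown in the post above.
sample_8888() {
    cat <<'EOF'
;; Query time: 228 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; Query time: 82 msec
;; Query time: 104 msec
;; Query time: 102 msec
;; Query time: 101 msec
;; MSG SIZE  rcvd: 55
EOF
}

# Offline demonstration on the sample; live: bench 1.1.1.1 google.com 10
sample_8888 | summarize
```

The median is less affected than the mean by one slow first answer, and comparing two resolvers only makes sense when both are queried for the same name from the same connection.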

Re: What's the verdict on this new DNS service?

Post by catweazel »

Pierre wrote: Sat Apr 07, 2018 7:21 am if you redo it a few time,, you will find that it does vary a bit:
Only by a few milliseconds, between 8 and 13 over about ten attempts. Oh, wait... you're using 8.8.8.8. I used 1.1.1.1. When I use 8.8.8.8 I get about the same as you, ~120ms.

Re: What's the verdict on this new DNS service?

Post by Pepi »

I think I'm going to set my wireless router to these two DNS IPs

Re: What's the verdict on this new DNS service?

Post by I2k4 »

Cloudflare, the host for the service, got into political soup last year for hosting some hate sites, but after a bit of libertarian hemming and hawing seems to have dumped them:

https://blog.cloudflare.com/why-we-term ... y-stormer/

No clue whether this or any DNS service has any privacy protection beyond "terms of service" exactly worth the ink they're signed with (none.) For privacy assurance I'd subscribe to a VPN, but I have a bit more confidence in government regulation of my (Canadian) ISP than these DNS services. Last I compared, my ISP internet performance beat OpenDNS and so not too curious about this one.

Re: What's the verdict on this new DNS service?

Post by majpooper »

1.1.1.1 as well as 9.9.9.9 got thumbs up by Steve Gibson - "Security Now" podcast. Gibson, for my money, is the best there is security wise. 9.9.9.9 will provide more security, 1.1.1.1 better performance. Not sure when either will be available in the dnscrypt resolver files.

For now I am sticking with dnscrypt/OpenDNS - I have no performance concerns and get best in class security.

Re: What's the verdict on this new DNS service?

Post by Faust »

I've tried 'em both in Pi-hole.
No noticeable gain in performance over my usual choice (OpenDNS), so for me, no good reason to switch.
Any claimed security benefits from either aren't really relevant.

Re: What's the verdict on this new DNS service?

Post by trytip »

I think Cloudflare is a hidden agenda in background. Far too often I would not be permitted entry into a Cloudflare site only because I use a lot of privacy tools: hosts files, canvas blockers, referrer control, webrtc disable, dom storage disable and a few more. And Cloudflare is always telling me browser to enable something otherwise site will not function.
They are now going to gather huge amount of traffic data and you know it's not going to be used for the betterment of mankind but for one purpose only: ADVERTISING ... no thanx; I will use https://dns.watch/index as my DNS servers because there is no log, even though this is a slow service from Germany I will not mind the lag or delay


Comparisons of DNS Resolvers

Post by Teksonik »

Has anyone else switched to Cloudflare's DNS 1.1.1.1 ? Seems to be working well here. Any downsides I may not have discovered yet ? :)

https://1.1.1.1/

EDIT: Sorry, I didn't see this thread and started a new one. My post was moved from there and merged here.
Last edited by Teksonik on Sun Apr 22, 2018 10:27 pm, edited 2 times in total.

Re: What's the verdict on this new DNS service?

Post by majpooper »

Charlie wrote: Sun Apr 08, 2018 8:44 am I don't really fancy using 9.9.9.9 as the British Police are involved in it.
Yep - IBM has partnered with The Global Cyber Alliance (GCA) co-founded by the City of London Police, the District Attorney of New York County (that is essentially the NYPD) and the Center for Internet Security (some intelligence agencies) to form 9.9.9.9

The good part is 9.9.9.9 is intended to block domains associated with botnets, phishing attacks, and other malicious Internet hosts.

1.1.1.1 is Cloudflare as Teksonik has pointed out - according to some podcasts that I follow the tests show pretty good performance with the caveat it really depends on where you are relative to their servers. Some coined the saying, "data is the new oil" big data/data mining is a lucrative business - "they" fill in the blank Facebook, Google etc. want your data - that is the product, your data, that makes them $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$.



Everyone has strong opinions on security/privacy and from whom they want to keep their data/tracking info from so I won't get a rehash of that topic started here. Other than to say you certainly have a right to know who exactly is providing what services on the Internet.

Re: Cloudflare, Mozilla, and DNS-over-HTTPS (DoH)

Post by Teksonik »

This:

"The company's alternative, 1.1.1.1, places a large emphasis on privacy, with a promise to wipe all logs within 24 hours and to never log your IP address. Cloudflare says that it has also hired a firm to audit its code and practices annually and produce a public report to ensure that it is keeping its privacy promises".

From:

https://www.windowscentral.com/cloudfla ... e-internet