Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Network Networking Privacy IT Technology

Cloudflare Launches 1.1.1.1 Consumer DNS Service With a Focus On Privacy (betanews.com) 225

BrianFagioli writes: Today, Cloudflare announces a new consumer DNS service with a focus on privacy. Called '1.1.1.1.' it quite literally uses that easy-to-remeber IP address as the primary DNS server. Why announce on April Fool's Day? Because the IP is four ones and today's date is 4/1 -- clever. The secondary server is 1.0.0.1 -- also easy to remember.

The big question is why? With solid offerings from Google and Comodo, for instance, does the world need another DNS service? The answer is yes, because Cloudflare intends to focus on both speed, and more importantly, privacy.

This discussion has been archived. No new comments can be posted.

Cloudflare Launches 1.1.1.1 Consumer DNS Service With a Focus On Privacy

Comments Filter:
  • Tried it, it's fast (Score:5, Interesting)

    by Unknown User ( 4795349 ) on Sunday April 01, 2018 @12:02PM (#56363235)
    Looks good so far. The Piratebay is not censored (but is usually in my country), for example.
    • The Pirate bay was not censored for me. Fast.
    • by PolygamousRanchKid ( 1290638 ) on Sunday April 01, 2018 @01:42PM (#56363541)

      Looks good so far.

      . . . apparently, we haven't had enough time to Slashdot it yet . . .

    • by jrumney ( 197329 )

      The performance may not be great for busy sites like youtube.

      If I look up m.youtube.com, @8.8.8.8 returns me a different address every time I run the query, spreading the load across multiple servers. @1.1.1.1 returns the same address every time, so that server is going to end up overloaded. Both are directing me to a local server, which is good (but this may be handled by the routing tables rather than DNS).

      • More likely is that 1.1.1.1 is returning the same IP address for you, but a different IP address for the next person.

        • by jrumney ( 197329 )
          How does it know I'm the same person? I tried from two different locations with IP addresses on two different ISPs, it is always returning the same IP from both locations. From a third location on an AWS instance though, it returns the same list of 5 IP addresses that 4.2.2.4 returns from all 3 locations.
  • Like their wireless lan controllers.

  • Does not compute (Score:5, Interesting)

    by Anonymous Coward on Sunday April 01, 2018 @12:13PM (#56363269)

    Cloudflare is an American company which was funded as and began its life as a "honey-pot", where the owners realized that the only way to extend its reach was to grow and style it as a genuine business.

    As an American company they also have to respond to and carry out orders from the NSA and CIA if there is a court order present (which there always is -- they have their own "courts").

    There is a lot of power in being able to tell who is looking at what website, and being able to possibly redirect them elsewhere when needed. If you think for a second that your browsing is private and that this service will not be used for shady purposes, then you are kidding yourself.

    • by OrangeTide ( 124937 ) on Sunday April 01, 2018 @12:52PM (#56363397) Homepage Journal

      I'm wrapping my cablemodem with tinfoil as we speak.

    • Re:Does not compute (Score:5, Informative)

      by pots ( 5047349 ) on Sunday April 01, 2018 @04:37PM (#56363971)
      Courts can't compel Cloudflare to collect information, they can only compel them to turn over the information which they already have. Cloudflare says:

      While we need some logging to prevent abuse and debug issues, we couldn't imagine any situation where we'd need that information longer than 24 hours. And we wanted to put our money where our mouth was, so we committed to retaining KPMG, the well-respected auditing firm, to audit our code and practices annually and publish a public report confirming we're doing what we said we would.

      In the end you're still probably better off using the DNS that your VPN provides, but this seems like a good alternative to 8.8.8.8.

      • I'm trying desperately not to whip out my roll of tinfoil. But...

        While we need some logging to prevent abuse and debug issues, we couldn't imagine any situation where we'd need that information longer than 24 hours.

        Don't you suppose they would say that? Do you really think they would say...

        We collect TONS of logs just like everyone else, but please trust us, we're not giving them up yo anyone...

        Good grief, you think they just walked into that IP address? Got to be some WEIGHT to get that IP and be "allowed" to use it for commercial purposes.

        If this isn't a Honey Pot for the Three Letter Agencies *now*, it certainly will be shortly.

        • Don't let the summary get in the way of answering your basic fucking question. (Cloudflare allowed APNIC to use Cloudflare infrastructure for testing and learning about all the fuckers misusing 1.1.1.1). A back scratch deal.
      • That's inaccurate, at least in the larger scale of things. While it's true that there is no federal law compelling them to log and so they can't be forced to hand over what they don't have. A CALEA (and several other types) of warrant will compel them to start logging and hand off a copy of all traffic (in unencrypted form) to and from a specific IP or set of IP addresses.

      • by eth1 ( 94901 )

        Courts can't compel Cloudflare to collect information, they can only compel them to turn over the information which they already have. Cloudflare says:

        While we need some logging to prevent abuse and debug issues, we couldn't imagine any situation where we'd need that information longer than 24 hours. And we wanted to put our money where our mouth was, so we committed to retaining KPMG, the well-respected auditing firm, to audit our code and practices annually and publish a public report confirming we're doing what we said we would.

        In the end you're still probably better off using the DNS that your VPN provides, but this seems like a good alternative to 8.8.8.8.

        In other words, they are already collecting that information, so the court doesn't need to compel them to. The court only needs to compel them to not destroy evidence they've already collected (stop deleting logs after 24hr), which is something they do all the time.

      • by Agripa ( 139780 )

        Courts can't compel Cloudflare to collect information, they can only compel them to turn over the information which they already have. Cloudflare says:

        While we need some logging to prevent abuse and debug issues, we couldn't imagine any situation where we'd need that information longer than 24 hours. And we wanted to put our money where our mouth was, so we committed to retaining KPMG, the well-respected auditing firm, to audit our code and practices annually and publish a public report confirming we're doing what we said we would.

        Columbia [eff.org] Pictures [gibbonslaw.com] Industries v. Bunnell [washington.edu]:

        Since information copied in RAM could be the basis of legal liability, the magistrate court in Bunnell reasoned it should also qualify as electronically stored information for the purposes of discovery. Although RAM may be more temporary than other forms of computer memory, the Bunnell Court concluded that RAM should also be included as a type of storage appropriate for production during discovery.

        • by pots ( 5047349 )
          Well that does seem to be applicable. One of those articles does say that, "the Court tempered its holding noting that: [i]ts ruling should not be read to require litigants in all cases to preserve and produce electronically stored information that is temporarily stored only in RAM." but it's hard to believe that that case and this one are qualitatively different.
          • by Agripa ( 139780 )

            It is not a controlling court decision but it is an example where a court ordered a defendant to alter programming to preserve data which was only stored temporarily in RAM.

    • by amiga3D ( 567632 )

      If I was a terrorist wanting to blow up a subway or something I'd worry about it. I seriously doubt the NSA is really worried about thepiratebay. When they get to that level we will be fucked.

    • by SumDog ( 466607 )

      They made it impossible for one website to function and led to their censorship, then later backpedaled and claimed it was a mistake:

      https://fightthefuture.org/article/the-new-era-of-corporate-censorship/

      They're the last company I'd trust to prevent censorship.

  • by JoeyRox ( 2711699 ) on Sunday April 01, 2018 @12:27PM (#56363303)
    From the article:

    "What many Internet users don't realize is that even if you're visiting a website that is encrypted -- has the little green lock in your browser -- that doesn't keep your DNS resolver from knowing the identity of all the sites you visit. That means, by default, your ISP, every wifi network you've connected to, and your mobile network provider have a list of every site you've visited while using them," says Cloudflare.

    How does this stop ISPs from knowing which sites you visit? Once Cloudfare's DNS serves up the IP address (instead of your ISP's DNS), you still need to send/receive traffic from that IP address, which the ISP can easily monitor. The only way to prevent this is to use a VPN, while making sure to use your VPN's DNS as well.
    • On the surface, yes. But, there are a number of options available for transport privacy that do not require using a VPN (provided you actually trust Cloudflare not to use your data and are savvy enough to setup one of the options) https://developers.cloudflare.... [cloudflare.com]

      • But, there are a number of options available for transport privacy that do not require using a VPN (provided you actually trust Cloudflare not to use your data and are savvy enough to setup one of the options)

        What alternate options does Cloudfare provide that don't require a VPN? I didn't see them mentioned in the link you provided. Is it an https tunnel through their servers?
    • How does this stop ISPs from knowing which sites you visit? Once Cloudfare's DNS serves up the IP address (instead of your ISP's DNS), you still need to send/receive traffic from that IP address, which the ISP can easily monitor. The only way to prevent this is to use a VPN, while making sure to use your VPN's DNS as well.

      While their attempt at privacy is comendable, I'll stick with my current setup:

      * GlobalCyberAlliance's 9.9.9.9 as primay for added protection against nasties (not for me specificaly, but for the less tech savvy users in the houses).
      * Google's 8.8.4.4 as alternate.
      * And OpenDNS' at 208.67.222.222 for modems that support a thrid option.

      Some people may preffer some other order, and there is nothing wrong with that . Perhaps priviledging OpenDNS' for the family friendly filtering, or Google's for raw speed and

    • It's funny how people are concerned about their ISP snooping on them ... and then they go and visit Facebook.
    • Google name-based virtual hosting.

      Your ISP knows which IP addresses you connected to, but a single IP address may host multiple sites.

      • by Bert64 ( 520050 )

        And they can tell what site you accessed based on the HOST header or the SNI parameter when negotiating SSL...

  • Their priorities make the service an interesting alternative to Quad9: https://www.globalcyberallianc... [globalcyberalliance.org]

    Are they also going to offer DNS over TLS?

  • OpenNIC and DNSCRYPT (Score:3, Interesting)

    by Anonymous Coward on Sunday April 01, 2018 @12:40PM (#56363341)

    How is this better than OpenNIC and DNSCrypt? Remember that Cloudfare is the company that has a CEO that "woke up in a bad mood" and decided to ban a domain from their service. Yeah, it was a bunch of Nazis, but it shows that they're not really committed to freedom ... just freedom for points of view that don't irritate them.

    • by rtb61 ( 674572 )

      Which is sign of how that pay for that free DNS service. Obviously Google will datamine the crap out of their, we own your browsing history DNS, service. Cloudflare sells no advertising yet, how the hell will it pay for it, to justify the expenditure. Probable answer it makes the security services they sell much cheaper to provide, it saves more money, than it costs, it provides tighter security and of course the CEO fessed up with zero pressure indicative of acknowledgement that it was a bad idea that will

  • by WolfgangVL ( 3494585 ) on Sunday April 01, 2018 @12:40PM (#56363343)

    Works faster than level 3, hello Cloudflare.

  • Why trust CF? (Score:5, Interesting)

    by hrbrmstr ( 324215 ) on Sunday April 01, 2018 @12:41PM (#56363345) Homepage Journal

    Not casting aspersions, but I've yet to see a reason why I (or anyone) should trust CF. The "KPMG" 'audit' reason is absolutely not sufficient, too.

    The service is free and lures folks in with "fast". When a service is free, you're the product (see recent FB kerfuffle).

    And, no IPv6 endpoint seems like a big missing component when "competitors" have it.

    • Re:Why trust CF? (Score:5, Informative)

      by cascadingstylesheet ( 140919 ) on Sunday April 01, 2018 @01:12PM (#56363463) Journal

      And, no IPv6 endpoint seems like a big missing component when "competitors" have it.

      it doesn't? [cloudflare.com]

    • by Kohath ( 38547 )

      The service is free and lures folks in with "fast". When a service is free, you're the product (see recent FB kerfuffle).

      Wikipedia is free.

      • by q4Fry ( 1322209 )

        The service is free and lures folks in with "fast". When a service is free, you're the product (see recent FB kerfuffle).

        Wikipedia is free.

        With Wikipedia, you curate the product. Also, Jimmy keeps trying to guilt you into donating.

    • Re:Why trust CF? (Score:5, Interesting)

      by thegarbz ( 1787294 ) on Sunday April 01, 2018 @03:44PM (#56363829)

      When a service is free, you're the product

      Not always. You have to have something of value from you along with a buyer for you in order for you to be the product. Cloudfare isn't.

      Sometimes when a service is free for you, you're lucky to ride on the paying service of others.

      Follow the money. Sometimes there is a free lunch.

    • by Hodr ( 219920 )

      Playing Devil's advocate, would it be possible to be the "product", for them to be profitable, and for it still to not invade your privacy? I.E. they could track generic usage to find market trends, popular brands, shifts in politics. This data is probably valuable without requiring them to track individuals or invade any particular persons privacy.

  • fuck cloudflare (Score:1, Insightful)

    by Anonymous Coward

    Cloudflare lost all credibility after what they did to the Daily Stormer. Look: I'm sure CF thinks they'll protect your privacy, but that goes out the door someone thinks you're a "Nazi". And you're a Nazi these days if you believe there are fewer than 52 genders.

    So fuck Cloudflare.

  • Pretty fast (Score:5, Informative)

    by TFlan91 ( 2615727 ) on Sunday April 01, 2018 @12:50PM (#56363383)

    Just ran a benchmark [grc.com] of the service, here are my results:


      Final benchmark results, sorted by nameserver performance:
      (average cached name retrieval speed, fastest to slowest)

            1. 0. 0. 1 | Min | Avg | Max |Std.Dev|Reliab%|
        - Cached Name | 0.020 | 0.023 | 0.029 | 0.002 | 98.0 |
        - Uncached Name | 0.022 | 0.090 | 0.287 | 0.075 | 100.0 |
        - DotCom Lookup | 0.049 | 0.055 | 0.066 | 0.003 | 100.0 |
                            1dot1dot1dot1.cloudflare-dns.com
                        CLOUDFLARENET - Cloudflare, Inc., US

            1. 1. 1. 1 | Min | Avg | Max |Std.Dev|Reliab%|
        - Cached Name | 0.021 | 0.023 | 0.030 | 0.002 | 95.9 |
        - Uncached Name | 0.022 | 0.096 | 0.325 | 0.082 | 100.0 |
        - DotCom Lookup | 0.048 | 0.073 | 0.166 | 0.043 | 100.0 |
                            1dot1dot1dot1.cloudflare-dns.com
                    MEGAPATH2-US - MegaPath Networks Inc., US

            8. 8. 4. 4 | Min | Avg | Max |Std.Dev|Reliab%|
        + Cached Name | 0.048 | 0.052 | 0.057 | 0.002 | 100.0 |
        + Uncached Name | 0.060 | 0.104 | 0.344 | 0.073 | 100.0 |
        + DotCom Lookup | 0.063 | 0.070 | 0.158 | 0.014 | 100.0 |
                              google-public-dns-b.google.com
                                      GOOGLE - Google LLC, US

            8. 8. 8. 8 | Min | Avg | Max |Std.Dev|Reliab%|
        + Cached Name | 0.049 | 0.053 | 0.060 | 0.002 | 98.0 |
        + Uncached Name | 0.057 | 0.106 | 0.367 | 0.077 | 100.0 |
        + DotCom Lookup | 0.063 | 0.073 | 0.156 | 0.020 | 100.0 |
                              google-public-dns-a.google.com
                                      GOOGLE - Google LLC, US

  • I just run my own. Not that hard.
    • Re:Meh (Score:4, Informative)

      by grub ( 11606 ) <slashdot@grub.net> on Sunday April 01, 2018 @02:36PM (#56363683) Homepage Journal
      So set up Cloudflare's DNS as your forwarders. I just did that.
      • by arth1 ( 260657 )

        So set up Cloudflare's DNS as your forwarders. I just did that.

        Hell, no. Then you tell Cloudflare - and by extension any American three letter agency - which fully qualified domain names you look up. I may be OK with a root name server seeing my user query what the authoritative DNS is for .de, but not that he or she then goes on to look up www.dkp.de.
        So no thanks, no forwarders, at least not ones located in police states.

  • To note that in most IP parsing libraries (or at least the ones I'm familiar with) 1.1.1.1 can be also expressed as 1.1 (if less than four numbers the last number is interpreted on as many bits are left till 32). So you can now be cool and ping 1.1 or dig google.com @1.1., making the old favourite, 8.8.8.8, quite a mouthful in comparison.
  • by Anonymous Coward

    https://www.quad9.net

  • by Mister Liberty ( 769145 ) on Sunday April 01, 2018 @01:03PM (#56363435)
    They ate our & 's that day.
  • by Xenolith0 ( 808358 ) on Sunday April 01, 2018 @01:43PM (#56363543)

    Other easy to remember public DNS Servers

    • Google (Unfiltered)
      • 8.8.4.4
      • 8.8.8.8
    • Global Cyber Alliance (Filters malicious content)
      • 9.9.9.9
    • Cloudflare
      • 1.0.0.1
      • 1.1.1.1
    • Level 3 Communications
      • 4.2.2.1
      • 4.2.2.2
      • 4.2.2.3
      • 4.2.2.4
      • 4.2.2.5
      • 4.2.2.6
  • by joe_frisch ( 1366229 ) on Sunday April 01, 2018 @02:18PM (#56363615)

    With this and all other attempts to provide privacy or security, what chain of trust allows me to believe that this is actually private or secure.

    Surely there are many organizations with the resources to flood Slashdot with posts assuring me that this, or any other service, is secure.

    Is TOR secure, or a NSA honeypot? How could I possibly know? Without personally having deep technical expertise, how can I trust anything.

    An comments about tinfoil hats could be legit, or yet more planted posts.

    We need a root source of trust or everything else falls apart.

    • by Kjella ( 173770 )

      We need a root source of trust or everything else falls apart.

      Yeah, we could call that the Ministry of Truth.

      How could I possibly know? Without personally having deep technical expertise, how can I trust anything.

      Personally you'll only be able to prove high school physics and none of history, that is if you're not trapped in the Matrix.

      An comments about tinfoil hats could be legit, or yet more planted posts.

      Personally I feel like you're trying to make a reductio ad absurdum argument so say that since you don't know any absolute truth, any loony bin theory could be true. Blind faith is not good, total disbelief of everything you haven't personally verified is also not good. If you disagree here's some fatally poisonous mushrooms, enjoy your D

      • It may just be my background but science feels a little different: different scientific ideas interlock with each other. It would be difficult to fake a significant branch of science because all the interfaces with other types of science would be off. That seems different from trusting a hosting site, or an implementation of an encryption or communication system which could itself be flawed without other major consequences.

        I'm a scientist, so my viewpoint may be very biased on this. If I were a computer s

    • DNSsec provides a chain n of trust using public keys. The root is never given the secret key, so, it the key validates, it is legitimate. The domain holder generates the key pair and loads the public key upstream.

      Unfortunately, DNSsec is generally not implemented end-to-end, severely limiting its value.

  • DNS Watch (Score:4, Interesting)

    by nmb3000 ( 741169 ) on Sunday April 01, 2018 @08:24PM (#56364595) Journal

    How is this better than DNS Watch [dns.watch]? They are a free, not ad-sponsered, privacy-focused DNS provider with goals of neutrality and anti-censorship.

    Cloudflare is basically the Big Brother gatekeeper of the Internet at this point, with strong ties to the US. Them claiming "privacy" as something they care about is pretty absurd.

"The whole problem with the world is that fools and fanatics are always so certain of themselves, but wiser people so full of doubts." -- Bertrand Russell

Working...