Fast, encrypted DNS 1.1.1.1

sengsational
DNS is the Internet's "yellow pages", translating your destination, like "www.early-retirement.org" into the address understood by the Internet's routers.


Many ISPs record what sites you visit by keeping track of your DNS lookups. They often sell that information. Not a huge deal, but if you'd rather they mind their own business, Cloudflare is offering a solution, and their privacy policy is much better.


If you go to https://1.1.1.1 you can see they're offering it to Apple and Android. The app creates a local DNS resolver which passes on to Cloudflare after being encrypted (so nobody in the middle can see it). And I've checked using GRC DNS Benchmark...this is the fastest DNS I've found.


So, just a PSA for those of you who like to marginally improve speed and privacy.
 
Thanks for the PSA. I heard about it about a month or so ago and made the switch from Google's DNS servers but I personally haven't seen much difference since Google's was pretty fast. Prior to Google I used OpenDNS which allowed customized filtering, they have both free and paid offerings but I think I still prefer Google's servers for simplicity...old habits die hard.
 
Legitimate and effective. But the wrinkle is that many of the bad guys use Cloudflare, to protect themselves from the same kinds of attacks they use on others.

Comment from Krebs last month:
I’ve long taken Cloudflare to task for granting DDoS protection for countless DDoS-for-hire services, to no avail. I’ve maintained that Cloudflare has a blatant conflict of interest here, and that the DDoS-for-hire industry would quickly blast itself into oblivion because the proprietors of these attack services like nothing more than to turn their attack cannons on each other. Cloudflare has steadfastly maintained that picking and choosing who gets to use their network is a slippery slope that it will not venture toward.
 
Cisco seems to offer a similar but somewhat more comprehensive service at opendns.com. One of the Cisco disaster services techs told me about it, but I have not investigated in detail yet. I believe that his home configuration included a VPN that kept his ISP from gathering any information at all about his internet activity.
 
I'd like to hear more on security from others more knowledgeable than me. I found this article at https://www.zdnet.com/article/1-1-1-1-cloudflares-new-dns-attracting-gigabits-per-second-of-rubbish/ but frankly it's a bit over my head.
That article just says that the original intent of 1.1.1.1 was for experimentation only, so not supposed to really "DO" anything. Now it's doing something, but since people had been experimenting using that IP address, there's a lot of "junk" that gets routed there. As far as I'm concerned, if Cloudflare doesn't have a problem ignoring the non-DNS junk flowing in, then we shouldn't care. Also some businesses incorrectly set up 1.1.1.1 to really use, and this breaks those things. But they shouldn't have set it up that way in the first place.
 
I've been using it for a week or so. One can simply change their default DNS servers to 1.1.1.1 (and 1.0.0.1 as a backup) in preferences on any machine. The 1.1.1.1 app on iOS also enables a VPN.
Putting it in as your default DNS on a computer gives you a fast resolver, but doesn't offer encryption (thus, like any standard DNS query, your ISP can, and probably does, sniff it).

The phone apps, on the other hand, have a local resolver that forwards the request through an encrypted TCP request. Your traffic is not going over a VPN. There's a VPN profile on the phone, but only the DNS resolution is encrypted.
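To make the "local resolver that forwards the request encrypted" point concrete, here is a minimal DNS-over-HTTPS (RFC 8484) client written for this thread in plain Python with only the standard library. It is an added example, not code from the forum post, from Cloudflare's app or from any tool named above. The query it sends is the same RFC 1035 wire-format message that normally goes out as a cleartext UDP packet; the only difference is that it is carried inside a TLS connection to the resolver, so a device in the middle sees an HTTPS session and not the name being looked up. It assumes the resolver accepts POST requests with `application/dns-message` bodies at https://1.1.1.1/dns-query (the public DoH endpoint form); the parsing functions work offline on any DNS message bytes.

```python
"""Minimal DNS-over-HTTPS (RFC 8484) client using only the standard library.

Added example for the thread, not code from the forum post or from the 1.1.1.1 app.
Assumptions: the resolver at https://1.1.1.1/dns-query accepts the POST form of DoH
with Content-Type application/dns-message.
"""
import http.client
import ssl
import struct

QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a dotted host name as DNS labels (length byte + label, 0 terminator)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0) -> bytes:
    """Build a one-question DNS query. RFC 8484 recommends transaction ID 0 for DoH
    so identical queries are byte-identical (HTTP caches can then reuse answers)."""
    flags = 0x0100  # standard query, recursion desired
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, QCLASS_IN)


def decode_name(msg: bytes, offset: int):
    """Decode a possibly compressed name at offset; return (name, offset after it)."""
    labels = []
    jumped = False
    end = offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            pointer = struct.unpack(">H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_answers(msg: bytes):
    """Return (rcode, [(name, type, ttl, rdata)]) for the answer section.
    A records are rendered as dotted quads; other types as hex rdata."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = decode_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            value = ".".join(str(b) for b in rdata)
        else:
            value = rdata.hex()
        answers.append((name, rtype, ttl, value))
    return rcode, answers


def resolve_doh(name: str, host: str = "1.1.1.1", path: str = "/dns-query"):
    """POST the wire-format query over HTTPS and parse the reply.
    Needs network access; the server certificate is checked against the system store."""
    conn = http.client.HTTPSConnection(host, 443, context=ssl.create_default_context(), timeout=5)
    conn.request("POST", path, body=build_query(name),
                 headers={"Content-Type": "application/dns-message",
                          "Accept": "application/dns-message"})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    if resp.status != 200:
        raise RuntimeError(f"DoH server returned HTTP {resp.status}")
    return parse_answers(body)


if __name__ == "__main__":
    print(resolve_doh("www.early-retirement.org"))
```

Running it on a computer gives the same effect the phone app gives: the resolver sees the query, the ISP sees only TLS to 1.1.1.1. Note that the reply is still plain DNS, so a bad resolver could still lie; encryption hides the lookup from the path, it does not authenticate the answer.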
 
A lot of this is beyond me (not entirely networking-ignorant but far from being as knowledgeable as many others here). I didn’t know of Cisco’s service but changed my router to use their DNS. Seems to work fine.

To help me understand: all I’ve done is change to a hopefully faster resolver for domain names, correct?

I’ve no idea where the default DNS was. I’m guessing, as a Spectrum customer, it was assigned to my router by them? And the router does the favor for devices on my home network?

I don’t see any encryption being done in this picture. I do have a VPN that I don’t use at home, only when out on open public networks.
 
... I didn’t know of Cisco’s service but changed my router to use their DNS. ... To help me understand: all I’ve done is change to a hopefully faster resolver for domain names, correct? ...
The Cisco tech told me that the DNS server will refuse or maybe warn about connections to known dangerous IPs, unlike "dumb" servers which simply do the name/IP mapping blindly. As I said, though, I have not yet really looked into what their paid and free services do.
 
... The Cisco tech told me that the DNS server will refuse or maybe warn about connections to known dangerous IPs ...


Thanks, I’m only using their free offering that amounts to switching DNS settings on your device, didn’t even create an account (getting more and more stingy about handing my email address over to anyone who wants it!).
 
Not to derail this but several years ago I read an article from a virus analyst/researcher. He heard about a new virus he wanted to analyze and set up a machine to be infected so he could analyze it. Even though he knew sites that hosted the virus, he could not get his machine infected. After days of frustration, he realized his DNS was set to comodo. He called them and sure enough, they had virus detection built in. My thoughts were that if just changing my DNS gave me another layer of protection, why not take some of the load off my own AV software. Additional reading is here along with their IP addresses. I've been using it for about 10 years now.

https://www.comodo.com/secure-dns/
 
Devices get their IP address and DNS when they connect to the data provider. So a computer on a home network gets it from the cable modem / router. This is where the data provider earns some money on you, by selling your DNS queries along with your name and address. Both computers and phones can override the default DNS, but it's more transparent on computers...just a configuration setting. On computers, there is no encryption of DNS queries, but if you switch to an alternative DNS provider, your ISP isn't getting anything it can sell.



So what you get depends on the device. Phones (with the app) give you a faster DNS lookup and privacy of those lookups. That's the encryption bit, which happens because the app takes the responsibility of DNS locally, then encrypts and sends the query on to 1.1.1.1. On a computer, there is no app to do encryption, but it still gives you a faster DNS lookup.
 
... I didn’t know of Cisco’s service but changed my router to use their DNS. ... I’ve no idea where the default DNS was. I’m guessing, as a Spectrum customer, it was assigned to my router by them? ... I don’t see any encryption being done in this picture. ...
ipconfig /all will show you configuration for your networking. It's a good place to start.
https://en.wikipedia.org/wiki/Ipconfig

Code:
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Physical Address. . . . . . . . . : x
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.115(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Thursday, November 15, 2018 5:05:46 AM
   Lease Expires . . . . . . . . . . : Saturday, December 01, 2018 1:30:42 PM
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 1.1.1.1
                                       1.0.0.1
Before I switched DNS per instructions in this thread, I had two Comcrap DNS servers listed...
 
ipconfig /all will show you configuration for your networking. It's a good place to start.


Thanks for the further explanations and memory jog (sengsational and target2019). They sink in with a little thought and my Unix/Linux background coupled with MacOS Terminal helps to poke around.

My current thought is that at home, DNS queries to the outside world come from the router. Away from home on a smartphone, it’s negotiated when the connection is established and I’ll investigate further. I live in a pretty “wired” area, so you never know quite what you get. For example, Spectrum (aka Time Warner) offers “hot spots” that are encrypted if you’re a customer and have a profile installed.

No wonder networking and security people are in demand!
 
p.s. I had Comcast in the Midwest. I called them Comsuck as they didn’t appear able to keep an Internet connection alive to save their life.
 
Well, I decided to try the opendns.com service. And failed.

First, I tried to sign up for the premium service 2 users = $40. First obstacle was they insisted on having a company name. I have an LLC that will serve, but they refused the name because it had a period in it.

Fixed that, then failed twice to use PayPal. opendns simply crashed back to the initial signup screen. So I signed up a third time with a credit card, only to find that they require permission to automatically charge renewals and cancellation of renewal must be at least 30 days before the date. No thanks.

Finally just decided to sign up for the free service, only to run into completely ridiculous rules for passwords. So complex (upper, lower, number, special, ... ) that I did not even try to understand. I do not need an NSA-grade password to access a free service.

So, game over.
 
So, game over.


Wow. Nofunatall. You can still use their DNS addresses if you want. Skip the part about creating an account.

I really try to avoid anything that involves a subscription model. Not always possible but often there are no-cost alternatives.
 
... You can still use their DNS addresses if you want. ...
Yup. I did that after I cooled down. They work fine and, using Cisco's demo link (InternetBadGuys.com) confirmed that their servers do block sites if they are thought to be bad guys.

Of course, the problem becomes identifying bad guys before they do bad things. :facepalm:
 
... using Cisco's demo link (InternetBadGuys.com) confirmed that their servers do block sites if they are thought to be bad guys. ...



Fantastic!

“Shoot low Sheriff, I think they’re riding Shetlands”
 
This is a sidetrack to the original topic but hopefully not too far away.

My switch to different DNS servers appears to be doing fine, so that’s a positive.

I bet many people are familiar with Speedtest, for testing realized ping/download/upload speeds. I use it on a semi-regular basis and it’s especially useful if you change something like ISP or hardware.

Is there a similar multiplatform tool for DNS lookup? Google points to a bunch but I don’t know which, if any, are considered to be a “standard”.
 
I would guess this is the quickest speed test to execute on a single IP address:

Code:
C:\Users\xxxxx>ping 1.0.0.1

Pinging 1.0.0.1 with 32 bytes of data:
Reply from 1.0.0.1: bytes=32 time=16ms TTL=55
Reply from 1.0.0.1: bytes=32 time=15ms TTL=55
Reply from 1.0.0.1: bytes=32 time=15ms TTL=55
Reply from 1.0.0.1: bytes=32 time=15ms TTL=55

Ping statistics for 1.0.0.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 15ms, Maximum = 16ms, Average = 15ms
https://www.itprotoday.com/compute-engines/what-switches-can-be-used-ping

Link above explains the ping command with other switches.

There are also apps that can do this without command line. An app may add other options, like "ping address every 5 minutes" and log results.
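ping times an ICMP round trip to the resolver's address; it does not time a DNS lookup, and it cannot show the difference between an answer the resolver already has cached and one it has to fetch. The script below, added for this thread and not from the post or from any tool named in it, sends real UDP DNS queries to several resolvers from Python's standard library, times each one, and repeats the run so the cached round is visible next to the first. It runs on Windows, macOS and Linux. The resolver list and the test names are illustrative assumptions, not something the thread recommends; edit them to taste.

```python
"""Time actual DNS transactions (plain UDP, RFC 1035) against several resolvers.

Added example for the thread, not code from the forum post or from any benchmark
tool named there. Assumptions: the resolvers below answer plain DNS on UDP/53
and the test names exist (both are illustrative choices).
"""
import secrets
import socket
import statistics
import struct
import time

# Illustrative resolver list (assumption: all speak plain DNS on UDP/53).
RESOLVERS = {"cloudflare": "1.1.1.1", "google": "8.8.8.8", "opendns": "208.67.222.222"}
NAMES = ["www.early-retirement.org", "example.com"]


def build_query(name: str, txid: int) -> bytes:
    """One-question A query with recursion desired."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split(".")) + b"\x00"
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack(">HH", 1, 1)


def is_reply_to(query: bytes, data: bytes) -> bool:
    """Accept a datagram only if it is a response (QR bit set) carrying our transaction ID.
    A stub resolver that skips this check will happily time, and trust, a spoofed packet."""
    if len(data) < 12:
        return False
    txid, flags = struct.unpack(">HH", data[:4])
    return txid == struct.unpack(">H", query[:2])[0] and bool(flags & 0x8000)


def time_query(server: str, name: str, timeout: float = 2.0):
    """Return the query round trip in milliseconds, or None if no valid answer arrived in time."""
    query = build_query(name, secrets.randbits(16))  # unpredictable ID, as a stub resolver should use
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        start = time.perf_counter()
        try:
            s.sendto(query, (server, 53))
            while True:
                remaining = timeout - (time.perf_counter() - start)
                if remaining <= 0:
                    return None
                s.settimeout(remaining)
                data, peer = s.recvfrom(4096)
                if peer[0] == server and is_reply_to(query, data):
                    return (time.perf_counter() - start) * 1000.0
        except (socket.timeout, OSError):
            return None


def summarize(samples):
    """Return (min, median, max, failures) in ms; None entries count as failures."""
    good = [s for s in samples if s is not None]
    failures = len(samples) - len(good)
    if not good:
        return None, None, None, failures
    return min(good), statistics.median(good), max(good), failures


def benchmark(resolvers=RESOLVERS, names=NAMES, rounds=2):
    """Query every name `rounds` times per resolver. Round 1 usually misses the resolver's
    cache; later rounds show the cached path that most everyday lookups actually hit."""
    results = {}
    for label, ip in resolvers.items():
        results[label] = [summarize([time_query(ip, n) for n in names]) for _ in range(rounds)]
    return results


if __name__ == "__main__":
    for label, per_round in benchmark().items():
        for i, (lo, med, hi, fail) in enumerate(per_round, 1):
            if med is None:
                print(f"{label:10s} round {i}: no answers ({fail} timeouts)")
            else:
                print(f"{label:10s} round {i}: min {lo:.1f} ms  median {med:.1f} ms  "
                      f"max {hi:.1f} ms  timeouts {fail}")
```

Read the second round, not the first, when deciding which resolver feels fastest from your chair: after the first lookup the answer is cached at the resolver (and in your OS) for its TTL, which is why the difference between resolvers is rarely noticeable in day-to-day browsing.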
 
Sadly, it's Windows only.


Yes, too bad but it seems to be the kind of thing I’m after.

After posting, I wondered if the question was not all that relevant to the typical real world consumer. Once a name has been resolved, it’s there (for some time, anyway).

I suppose there are some ad-laden sites that have a bunch of names that need resolution.
 