Join Early Retirement Today
Reply
 
Thread Tools Search this Thread Display Modes
Fast, encrypted DNS 1.1.1.1
Old 11-30-2018, 09:41 AM   #1
Moderator
sengsational's Avatar
 
Join Date: Oct 2010
Posts: 5,526
Fast, encrypted DNS 1.1.1.1

DNS is the Internet's "yellow pages", translating your destination, like "www.early-retirement.org" into the address understood by the Internet's routers.


Many ISP's record what sites you visit by keeping track of your DNS lookups. They often sell that information. Not a huge deal, but if you'd rather they mind their own business, Cloudflare is offering a solution, and their privacy policy is much better.


If you go to https://1.1.1.1 you can see they're offering it to Apple and Android. The app creates a local DNS resolver which passes on to Cloudflare after being encrypted (so nobody in the middle can see it). And I've checked using GRC DNS Benchmark...this is the fastest DNS I've found.


So, just a PSA for those of you who like to marginally improve speed and privacy.
__________________

sengsational is offline   Reply With Quote
Join the #1 Early Retirement and Financial Independence Forum Today - It's Totally Free!

Are you planning to be financially independent as early as possible so you can live life on your own terms? Discuss successful investing strategies, asset allocation models, tax strategies and other related topics in our online forum community. Our members range from young folks just starting their journey to financial independence, military retirees and even multimillionaires. No matter where you fit in you'll find that Early-Retirement.org is a great community to join. Best of all it's totally FREE!

You are currently viewing our boards as a guest so you have limited access to our community. Please take the time to register and you will gain a lot of great new features including; the ability to participate in discussions, network with our members, see fewer ads, upload photographs, create a retirement blog, send private messages and so much, much more!

Old 11-30-2018, 09:46 AM   #2
Thinks s/he gets paid by the post
GalaxyBoy's Avatar
 
Join Date: Jul 2009
Location: The Beautiful Blue Ridge Mountains
Posts: 1,571
I've been using it for a week or so. One can simply change their default DNS servers to 1.1.1.1 (and 1.0.0.1 as a backup) in preferences on any machine. The 1.1.1.1 app on iOS also enables a VPN.

Seems fast, and is supposedly safe. I'd like to hear more on security from others more knowledgable than me. I found this article at https://www.zdnet.com/article/1-1-1-...nd-of-rubbish/ but frankly it's a bit over my head.
__________________

GalaxyBoy is offline   Reply With Quote
Old 11-30-2018, 09:51 AM   #3
Recycles dryer sheets
jimbee's Avatar
 
Join Date: Oct 2010
Posts: 492
I've been using Cloudflare DNS with my Pi-hole (https://pi-hole.net/), and it's been working well for me.
jimbee is offline   Reply With Quote
Old 11-30-2018, 09:57 AM   #4
Full time employment: Posting here.
 
Join Date: Jul 2013
Posts: 897
Thanks for the PSA. I heard about it about a month or so ago and made the switch from Google's DNS servers but I personally haven't seen much difference since Google's was pretty fast. Prior to Google I used OpenDNS which allowed customized filtering, they have both free and paid offerings but I think I still prefer Google's servers for simplicity...old habits die hard.
dvalley is offline   Reply With Quote
Old 11-30-2018, 10:00 AM   #5
Moderator Emeritus
braumeister's Avatar
 
Join Date: Feb 2010
Location: Flyover country
Posts: 13,237
Legitimate and effective. But the wrinkle is that many of the bad guys use Cloudflare, to protect themselves from the same kinds of attacks they use on others.

Comment from Krebs last month:
Quote:
Iíve long taken Cloudflare to task for granting DDoS protection for countless DDoS-for-hire services, to no avail. Iíve maintained that Cloudflare has a blatant conflict of interest here, and that the DDoS-for-hire industry would quickly blast itself into oblivion because the proprietors of these attack services like nothing more than to turn their attack cannons on each other. Cloudflare has steadfastly maintained that picking and choosing who gets to use their network is a slippery slope that it will not venture toward.
__________________
I thought growing old would take longer.
braumeister is offline   Reply With Quote
Old 11-30-2018, 10:06 AM   #6
Thinks s/he gets paid by the post
OldShooter's Avatar
 
Join Date: Mar 2017
Location: City
Posts: 3,321
Cisco seems to offer a similar but somewhat more comprehensive service at opendns.com. One of the Cisco disaster services techs told me about it, but I have not investigated in detail yet. I believe that his home configuration included a VPN that kept his ISP from gathering any information at all about his internet activity.
OldShooter is offline   Reply With Quote
Old 11-30-2018, 11:04 AM   #7
Moderator
sengsational's Avatar
 
Join Date: Oct 2010
Posts: 5,526
Quote:
Originally Posted by GalaxyBoy View Post
I'd like to hear more on security from others more knowledgable than me. I found this article at https://www.zdnet.com/article/1-1-1-...nd-of-rubbish/ but frankly it's a bit over my head.
That article just says that the original intent of 1.1.1.1 was for experimentation only, so not supposed to really "DO" anything. Now it's doing something, but since people had been experimenting using that IP address, there's a lot of "junk" that gets routed there. As far as I'm concerned, if Cloudflare doesn't have a problem ignoring the non-DNS junk flowing in, then we shouldn't care. Also some businesses incorrectly set up 1.1.1.1 to really use, and this breaks those things. But they shouldn't have set it up that way in the first place.
sengsational is offline   Reply With Quote
Old 11-30-2018, 11:08 AM   #8
Moderator
sengsational's Avatar
 
Join Date: Oct 2010
Posts: 5,526
Quote:
Originally Posted by GalaxyBoy View Post
I've been using it for a week or so. One can simply change their default DNS servers to 1.1.1.1 (and 1.0.0.1 as a backup) in preferences on any machine. The 1.1.1.1 app on iOS also enables a VPN.
Putting it in as your default DNS on a computer gives you a fast resolver, but doesn't offer encryption (thus, like any standard DNS query, your ISP can, and probably does, sniff it).

The phone apps, on the other hand, have a local resolver that forwards the request through an encrypted TCP request. Your traffic is not going over a VPN. There's a VPN profile on the phone, but only the DNS resolution is encrypted.
sengsational is offline   Reply With Quote
Old 11-30-2018, 01:24 PM   #9
Thinks s/he gets paid by the post
steelyman's Avatar
 
Join Date: Feb 2011
Location: NC Triangle
Posts: 4,162
A lot of this is beyond me (not entirely networking-ignorant but far from being as knowledgeable as many others here). I didnít know of Ciscoís service but changed my router to use their DNS. Seems to work fine.

To help me understand: all Iíve done is change to a hopefully faster resolver for domain names, correct?

Iíve no idea where the default DNS was. Iím guessing, as a Spectrum customer, it was assigned to my router by them? And the router does the favor for devices on my home network?

I donít see any encryption being done in this picture. I do have a VPN that I donít use at home, only when out on open public networks.
__________________

steelyman is offline   Reply With Quote
Old 11-30-2018, 01:37 PM   #10
Thinks s/he gets paid by the post
OldShooter's Avatar
 
Join Date: Mar 2017
Location: City
Posts: 3,321
Quote:
Originally Posted by steelyman View Post
... I didnít know of Ciscoís service but changed my router to use their DNS. ... To help me understand: all Iíve done is change to a hopefully faster resolver for domain names, correct? ...
The Cisco tech told me that the DNS server will refuse or maybe warn about connections to known dangerous IPs, unlike "dumb" servers which simply do the name/IP mapping blindly. As I said, though, I have not yet really looked into what their paid and free services do.
OldShooter is offline   Reply With Quote
Old 11-30-2018, 01:40 PM   #11
Thinks s/he gets paid by the post
steelyman's Avatar
 
Join Date: Feb 2011
Location: NC Triangle
Posts: 4,162
Quote:
Originally Posted by OldShooter View Post
The Cisco tech told me that the DNS server will refuse or maybe warn about connections to known dangerous IPs, unlike "dumb" servers which simply do the name/IP mapping blindly. As I said, though, I have not yet really looked into what their paid and free services do.

Thanks, Iím only using their free offering that amounts to switching DNS settings on your device, didnít even create an account (getting more and more stingy about handing my email address over to anyone who wants it!).
__________________

steelyman is offline   Reply With Quote
Old 11-30-2018, 01:51 PM   #12
Recycles dryer sheets
Lawrencewendall's Avatar
 
Join Date: Feb 2017
Location: Severn
Posts: 455
Not to derail this but several years ago I read an article from a virus analyst/researcher. He heard about a new virus he wanted to analyze and set up a machine to be infected so he could analyze it. Even though he knew sites that hosted the virus, he could not get his machine infected. After days of frustration, he realized his DNS was set to comodo. He called them and sure enough, they had virus detection built in. My thoughts were that if just changing my DNS gave me another layer of protection, why not take some of the load off my own AV software. Additional reading is here along with their IP addresses. I've been using it for about 10 years now.

https://www.comodo.com/secure-dns/
Lawrencewendall is offline   Reply With Quote
Old 11-30-2018, 02:01 PM   #13
Moderator
sengsational's Avatar
 
Join Date: Oct 2010
Posts: 5,526
Devices get their IP address and DNS when they connect to the data provider. So a computer on a home network gets it from the cable modem / router. This is where the data provider earns some money on you, by selling your DNS queries along with your name and address. Both computers and phones can override the default DNS, but it's more transparent on computers...just a configuration setting. On computers, there is no encryption of DNS queries, but if you switch to an alternative DNS provider, your ISP isn't getting anything it can sell.



So what you get depends on the device. Phones (with the app) gives you a faster DNS lookup and privacy of those lookups. That's the encryption bit, which happens because the app takes the responsibility of DNS locally, then encrypts and sends the query onto 1.1.1.1. On a computer, there is no app to do encryption, but is still gives you a faster DNS lookup.
sengsational is offline   Reply With Quote
Old 11-30-2018, 02:12 PM   #14
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
target2019's Avatar
 
Join Date: Dec 2008
Posts: 5,254
Quote:
Originally Posted by steelyman View Post
A lot of this is beyond me (not entirely networking-ignorant but far from being as knowledgeable as many others here). I didnít know of Ciscoís service but changed my router to use their DNS. Seems to work fine.

To help me understand: all Iíve done is change to a hopefully faster resolver for domain names, correct?

Iíve no idea where the default DNS was. Iím guessing, as a Spectrum customer, it was assigned to my router by them? And the router does the favor for devices on my home network?

I donít see any encryption being done in this picture. I do have a VPN that I donít use at home, only when out on open public networks.
ipconfig /all will show you configuration for your networking. It's a good place to start.
https://en.wikipedia.org/wiki/Ipconfig

Code:
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Physical Address. . . . . . . . . : x
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.115(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Thursday, November 15, 2018 5:05:46 AM
   Lease Expires . . . . . . . . . . : Saturday, December 01, 2018 1:30:42 PM
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 1.1.1.1
                                       1.0.0.1
Before I switched DNS per instructions in this thread, I had two Comcrap DNS servers listed...
target2019 is offline   Reply With Quote
Old 11-30-2018, 02:23 PM   #15
Thinks s/he gets paid by the post
steelyman's Avatar
 
Join Date: Feb 2011
Location: NC Triangle
Posts: 4,162
Quote:
Originally Posted by target2019 View Post
ipconfig /all will show you configuration for your networking. It's a good place to start.

Thanks for the further explanations and memory jog (sengsational and target2019). They sink in with a little thought and my Unix/Linux background coupled with MacOS Terminal helps to poke around.

My current thought is that at home, DNS queries to the outside world come from the router. Away from home on a smartphone, itís negotiated when the connection is established and Iíll investigate further. I live in a pretty ďwiredĒ area, so you never know quite what you get. For example, Spectrum (aka Time Warner) offers ďhot spotsĒ that are encrypted if youíre a customer and have a profile installed.

No wonder networking and security people are in demand!
__________________

steelyman is offline   Reply With Quote
Old 11-30-2018, 02:26 PM   #16
Thinks s/he gets paid by the post
steelyman's Avatar
 
Join Date: Feb 2011
Location: NC Triangle
Posts: 4,162
p.s. I had Comcast in the Midwest. I called them Comsuck as they didnít appear able to keep an Internet connection alive to save their life.
__________________

steelyman is offline   Reply With Quote
Old 11-30-2018, 03:35 PM   #17
Thinks s/he gets paid by the post
OldShooter's Avatar
 
Join Date: Mar 2017
Location: City
Posts: 3,321
Well, I decided to try the opendns.com service. And failed.

First, I tried to sign up for the premium service 2 users = $40. First obstacle was they insisted on having a company name. I have an LLC that will serve, but they refused the name because it had a period in it.

Fixed that, then failed twice to use PayPal. opendns simply crashed back to the initial signup screen. So I signed up a third time with a credit card, only to find that they require permission to automatically charge renewals and cancellation of renewal must be at least 30 days before the date. No thanks.

Finally just decided to sign up for the free service, only to run into completely ridiculous rules for passwords. So complex (upper, lower, number, special, ... ) that I did not even try to understand. I do not need an NSA-grade password to access a free service.

So, game over.
OldShooter is offline   Reply With Quote
Old 11-30-2018, 03:43 PM   #18
Thinks s/he gets paid by the post
steelyman's Avatar
 
Join Date: Feb 2011
Location: NC Triangle
Posts: 4,162
Quote:
Originally Posted by OldShooter View Post
So, game over.

Wow. Nofunatall. You can still use their DNS addresses if you want. Skip the part about creating an account.

I really try to avoid anything that involves a subscription model. Not always possible but often there are no-cost alternatives.
__________________

steelyman is offline   Reply With Quote
Old 11-30-2018, 04:15 PM   #19
Thinks s/he gets paid by the post
OldShooter's Avatar
 
Join Date: Mar 2017
Location: City
Posts: 3,321
Quote:
Originally Posted by steelyman View Post
... You can still use their DNS addresses if you want. ...
Yup. I did that after I cooled down. They work fine and, using Cisco's demo link (InternetBadGuys.com) confirmed that their servers do block sites if they are thought to be bad guys.

Of course, the problem becomes identifying bad guys before they do bad things.
OldShooter is offline   Reply With Quote
Old 11-30-2018, 04:17 PM   #20
Thinks s/he gets paid by the post
steelyman's Avatar
 
Join Date: Feb 2011
Location: NC Triangle
Posts: 4,162
Quote:
Originally Posted by OldShooter View Post
Yup. I did that after I cooled down. They work fine and, using Cisco's demo link (InternetBadGuys.com) confirmed that their servers do block sites if they are thought to be bad guys.

Of course, the problem becomes identifying bad guys before they do bad things.


Fantastic!

ďShoot low Sheriff, I think theyíre riding ShetlandsĒ
__________________

__________________

steelyman is offline   Reply With Quote
Reply


Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
How does an encrypted email svc work with an unencrypted one (gmail, etc)? gretah Other topics 24 10-16-2018 09:50 AM
DNS Changer mickeyd Other topics 5 07-07-2012 01:42 PM
Home Network Encrypted cube_rat Other topics 15 11-21-2005 02:57 PM
Fast Company-- "Where Are The Women?" Nords Other topics 8 01-20-2005 03:19 PM

» Quick Links

 
All times are GMT -6. The time now is 03:00 AM.
 
Powered by vBulletin® Version 3.8.8 Beta 1
Copyright ©2000 - 2019, vBulletin Solutions, Inc.