Slashdot Mirror


Cloudflare Launches 1.1.1.1 Consumer DNS Service With a Focus On Privacy (betanews.com)

BrianFagioli writes: Today, Cloudflare announces a new consumer DNS service with a focus on privacy. Called '1.1.1.1.' it quite literally uses that easy-to-remember IP address as the primary DNS server. Why announce on April Fool's Day? Because the IP is four ones and today's date is 4/1 -- clever. The secondary server is 1.0.0.1 -- also easy to remember.

The big question is why? With solid offerings from Google and Comodo, for instance, does the world need another DNS service? The answer is yes, because Cloudflare intends to focus on both speed, and more importantly, privacy.

225 comments

  1. Tried it, it's fast by admin7087 · · Score: 5, Interesting

    Looks good so far. The Piratebay is not censored (but is usually in my country), for example.

    1. Re:Tried it, it's fast by PolygamousRanchKid+ · · Score: 3, Funny

      Looks good so far.

      . . . apparently, we haven't had enough time to Slashdot it yet . . .

      --
      Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
    2. Re:Tried it, it's fast by apoc.famine · · Score: 5, Insightful

      1) Slashdotting hasn't been a thing for like a decade now.
      2) This is fucking cloudflare. You know, one of the companies SPECIFICALLY IN BUSINESS TO HELP WEBSITES AVOID THINGS LIKE SLASHDOTTING.

      If /. could take them down, that would rather sink their business model.

      --
      Velociraptor = Distiraptor / Timeraptor
    3. Re: Tried it, it's fast by Anonymous Coward · · Score: 0

      Cloudflare is only partially good for /.ing. I see it miss and skip all the time. Having to F5 through “file not found” or “server not found”.

    4. Re:Tried it, it's fast by jrumney · · Score: 1

      The performance may not be great for busy sites like youtube.

      If I look up m.youtube.com, @8.8.8.8 returns me a different address every time I run the query, spreading the load across multiple servers. @1.1.1.1 returns the same address every time, so that server is going to end up overloaded. Both are directing me to a local server, which is good (but this may be handled by the routing tables rather than DNS).

    5. Re:Tried it, it's fast by denbesten · · Score: 1

      More likely is that 1.1.1.1 is returning the same IP address for you, but a different IP address for the next person.

    6. Re:Tried it, it's fast by Anonymous Coward · · Score: 0

      Anywhere, except for the standard dig tool from the bind suite used by basically every UNIX since the eighties?

    7. Re:Tried it, it's fast by rtb61 · · Score: 1

      Slashdot no longer swamps the internet, it just programs it, entirely different thing, all done via the bio processing units.

      --
      Chaos - everything, everywhere, everywhen
    8. Re: Tried it, it's fast by Brockmire · · Score: 1

      This post hurt my brain. P.s. you don't know what the fuck you're talking about. We're talking DNS requests, "file not found" has nothing to do with DNS.

    9. Re:Tried it, it's fast by Anonymous Coward · · Score: 0

      If I look up m.youtube.com, @8.8.8.8 returns me a different address every time I run the query, spreading the load across multiple servers. @1.1.1.1 returns the same address every time, so that server is going to end up overloaded. Both are directing me to a local server, which is good (but this may be handled by the routing tables rather than DNS).

      I would assume the address provided by 1.1.1.1 for m.youtube.com is another layer of distributed load balancers. If it needs to handle more traffic than 8.8.8.8, Google will adapt.

    10. Re:Tried it, it's fast by jrumney · · Score: 1

      How does it know I'm the same person? I tried from two different locations with IP addresses on two different ISPs, it is always returning the same IP from both locations. From a third location on an AWS instance though, it returns the same list of 5 IP addresses that 4.2.2.4 returns from all 3 locations.

    11. Re:Tried it, it's fast by Dast · · Score: 3, Informative

      We also apparently didn't read the fucking man page for dig, did we? Here, let me help.

      man dig

      NAME
                    dig - DNS lookup utility

      SYNOPSIS
                    dig [@server] [-b address] [-c class] [-f filename] [-k filename] [-m] [-p port#] [-q name] [-t type] [-x addr] [-y [hmac:]name:key] [-4] [-6] [name] [type] [class] [queryopt...]

                    dig [-h]

                    dig [global-queryopt...] [query...]

      --

      This sig is false.

    12. Re:Tried it, it's fast by Anonymous Coward · · Score: 0

      ...in Perl...

  2. Too bad Cisco uses this for a virtual IP in some o by Anonymous Coward · · Score: 1

    Like their wireless lan controllers.

  3. Re: Too bad Cisco uses this for a virtual IP in so by Anonymous Coward · · Score: 2, Funny

    Who is Ian?

  4. Does not compute by Anonymous Coward · · Score: 5, Interesting

    Cloudflare is an American company which was funded as and began its life as a "honey-pot", where the owners realized that the only way to extend its reach was to grow and style it as a genuine business.

    As an American company they also have to respond to and carry out orders from the NSA and CIA if there is a court order present (which there always is -- they have their own "courts").

    There is a lot of power in being able to tell who is looking at what website, and being able to possibly redirect them elsewhere when needed. If you think for a second that your browsing is private and that this service will not be used for shady purposes, then you are kidding yourself.

    1. Re:Does not compute by OrangeTide · · Score: 5, Funny

      I'm wrapping my cablemodem with tinfoil as we speak.

      --
      “Common sense is not so common.” — Voltaire
    2. Re:Does not compute by Anonymous Coward · · Score: 0

      If you think for a second that your browsing is private and that this service will not be used for shady purposes, then you are kidding yourself.

      Thanks, then I'll go ahead and use them. It's obvious you're a shill for the other companies and that those companies are compromised and contaminated. Lol, thought you could trick me, lol!

    3. Re:Does not compute by Anonymous Coward · · Score: 0

      It depends on if they log queries. I bet Google & probably Comodo do but Cloudflare doesn't.

    4. Re:Does not compute by Anonymous Coward · · Score: 0

      Why bother, they're already all up in your shit, ignoramus. Did you think the NSA and CIA leaks were some kind of joke?

    5. Re:Does not compute by Anonymous Coward · · Score: 0

      Great, now just make sure you're not on the wrong side of any social justice protests.

    6. Re: Does not compute by Anonymous Coward · · Score: 0

      Test test test

      Home is behind firewall so changing on machine switch while network.

      I am getting drop outs and failed downloads after 4hrs. So switching hibred. Google first 4.4.4.4 then Cloudfkare 1.1.1.1

    7. Re: Does not compute by Anonymous Coward · · Score: 0

      Bad typo

      8.8.8.8 and 8.8.4.4 for google

    8. Re:Does not compute by pots · · Score: 4, Informative

      Courts can't compel Cloudflare to collect information, they can only compel them to turn over the information which they already have. Cloudflare says:

      While we need some logging to prevent abuse and debug issues, we couldn't imagine any situation where we'd need that information longer than 24 hours. And we wanted to put our money where our mouth was, so we committed to retaining KPMG, the well-respected auditing firm, to audit our code and practices annually and publish a public report confirming we're doing what we said we would.

      In the end you're still probably better off using the DNS that your VPN provides, but this seems like a good alternative to 8.8.8.8.

    9. Re: Does not compute by Anonymous Coward · · Score: 0

      You also misspelled Clownflare.

    10. Re:Does not compute by amiga3D · · Score: 1

      If I was a terrorist wanting to blow up a subway or something I'd worry about it. I seriously doubt the NSA is really worried about thepiratebay. When they get to that level we will be fucked.

    11. Re:Does not compute by Frosty+Piss · · Score: 1

      I'm trying desperately not to whip out my roll of tinfoil. But...

      While we need some logging to prevent abuse and debug issues, we couldn't imagine any situation where we'd need that information longer than 24 hours.

      Don't you suppose they would say that? Do you really think they would say...

      We collect TONS of logs just like everyone else, but please trust us, we're not giving them up to anyone...

      Good grief, you think they just walked into that IP address? Got to be some WEIGHT to get that IP and be "allowed" to use it for commercial purposes.

      If this isn't a Honey Pot for the Three Letter Agencies *now*, it certainly will be shortly.

      --
      If you want news from today, you have to come back tomorrow.
    12. Re: Does not compute by Anonymous Coward · · Score: 0

      Maybe courts can't, but laws can. Just like ISPs are required to keep enough logs so they can answer court orders to produce them.

    13. Re: Does not compute by Anonymous Coward · · Score: 0

      They don't have to log it, they just let the NSA have a real time copy. An optical splitter on the fiber won't show up in a code audit.

    14. Re:Does not compute by SumDog · · Score: 1

      They made it impossible for one website to function and led to their censorship, then later backpedaled and claimed it was a mistake:

      https://fightthefuture.org/article/the-new-era-of-corporate-censorship/

      They're the last company I'd trust to prevent censorship.

    15. Re: Does not compute by Anonymous Coward · · Score: 1

      You have the right to be an asshole. They have the right to call out your bullshit. If you don't like it, snowflake, crawl back into your bunker and drink your own urine for a while.

    16. Re: Does not compute by Anonymous Coward · · Score: 0

      So if i trust the American intelligence less than i trust my own country's, much less both my country and the Americans who have a back end legal treaty anyway, I shouldn't not not use 1.1.1.1?

      Ok, will do!

      -Posted from my Apple iPhone, using Gmail sourced FacebookID on my cell phone carrier's free wifi affiliate network. Because security matters so much to everyone.

    17. Re: Does not compute by Brockmire · · Score: 1

      Whoosh, right?

    18. Re: Does not compute by Brockmire · · Score: 1

      Don't let the summary get in the way of answering your basic fucking question. (Cloudflare allowed APNIC to use Cloudflare infrastructure for testing and learning about all the fuckers misusing 1.1.1.1). A back scratch deal.

    19. Re:Does not compute by Thorizdin · · Score: 1

      That's inaccurate, at least in the larger scale of things. While it's true that there is no federal law compelling them to log, and so they can't be forced to hand over what they don't have, a CALEA warrant (and several other types) will compel them to start logging and hand off a copy of all traffic (in unencrypted form) to and from a specific IP or set of IP addresses.

    20. Re: Does not compute by GameboyRMH · · Score: 1
      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    21. Re:Does not compute by eth1 · · Score: 1

      Courts can't compel Cloudflare to collect information, they can only compel them to turn over the information which they already have. Cloudflare says:

      While we need some logging to prevent abuse and debug issues, we couldn't imagine any situation where we'd need that information longer than 24 hours. And we wanted to put our money where our mouth was, so we committed to retaining KPMG, the well-respected auditing firm, to audit our code and practices annually and publish a public report confirming we're doing what we said we would.

      In the end you're still probably better off using the DNS that your VPN provides, but this seems like a good alternative to 8.8.8.8.

      In other words, they are already collecting that information, so the court doesn't need to compel them to. The court only needs to compel them to not destroy evidence they've already collected (stop deleting logs after 24hr), which is something they do all the time.

    22. Re:Does not compute by desdinova+216 · · Score: 1

      I don't think it's the NSA who wants that, more likely the MPAA/RIAA

    23. Re:Does not compute by Agripa · · Score: 1

      Courts can't compel Cloudflare to collect information, they can only compel them to turn over the information which they already have. Cloudflare says:

      While we need some logging to prevent abuse and debug issues, we couldn't imagine any situation where we'd need that information longer than 24 hours. And we wanted to put our money where our mouth was, so we committed to retaining KPMG, the well-respected auditing firm, to audit our code and practices annually and publish a public report confirming we're doing what we said we would.

      Columbia Pictures Industries v. Bunnell:

      Since information copied in RAM could be the basis of legal liability, the magistrate court in Bunnell reasoned it should also qualify as electronically stored information for the purposes of discovery. Although RAM may be more temporary than other forms of computer memory, the Bunnell Court concluded that RAM should also be included as a type of storage appropriate for production during discovery.

    24. Re:Does not compute by pots · · Score: 1

      Well that does seem to be applicable. One of those articles does say that, "the Court tempered its holding noting that: [i]ts ruling should not be read to require litigants in all cases to preserve and produce electronically stored information that is temporarily stored only in RAM." but it's hard to believe that that case and this one are qualitatively different.

    25. Re:Does not compute by dhenry · · Score: 1

      Don't forget to wrap your outlets in tinfoil as well!

    26. Re:Does not compute by Agripa · · Score: 1

      It is not a controlling court decision but it is an example where a court ordered a defendant to alter programming to preserve data which was only stored temporarily in RAM.

  5. How much for low numbered IPs? by Anonymous Coward · · Score: 0

    This is the lowest IP number on the internet. Why isn't it worth more money? With a shortage of IPv4 addresses you would think getting the number 1 IP address would be worth millions.

    1. Re:How much for low numbered IPs? by Bigbuzzman · · Score: 0

      This is the lowest IP number on the internet. Why isn't it worth more money? With a shortage of IPv4 addresses you would think getting the number 1 IP address would be worth millions.

      1.0.0.0 is the lowest valid IP address. 0.0.0.0/8 are reserved for link local addressing

    2. Re:How much for low numbered IPs? by Anonymous Coward · · Score: 0

      Not everything in the world is about money, my friend.

    3. Re:How much for low numbered IPs? by Megane · · Score: 4, Informative

      A zero host address in the local subnet in IPv4 means a reference to the local network. No matter your subnet length, 1.0.0.0 will always have a zero host address. 0/8 is reserved for "Local Identification". So 1.0.0.1 is the lowest valid IPv4 address.

      So now we have DNS servers on 1.1.1.1, 4.4.4.4, and 8.8.8.8. Who has 2.2.2.2 and can they put a DNS server on it?

      --
      #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
    4. Re:How much for low numbered IPs? by Waffle+Iron · · Score: 5, Funny

      So now we have DNS servers on 1.1.1.1, 4.4.4.4, and 8.8.8.8. Who has 2.2.2.2

      OK, all these different numerical addresses are starting to get confusing. Someone ought to invent some kind of protocol to automatically map human-readable names onto these obscure numbers.

    5. Re:How much for low numbered IPs? by SuricouRaven · · Score: 1

      I looked it up. France telecom.

    6. Re:How much for low numbered IPs? by bruce_the_loon · · Score: 1

      Whois has 2.2.0.0/16 assigned to France Telecom Orange and 2.2.2.2 isn't pingable at the moment.

      --
      Trying to become famous by taking photos. Visit my homepage please.
    7. Re:How much for low numbered IPs? by rpetre · · Score: 1

      Nah, it's valid. If you have the IP routed to your device, there are ways to listen and respond on it.

    8. Re: How much for low numbered IPs? by Anonymous Coward · · Score: 0

      Seeing what people are resolving can be worth millions

    9. Re:How much for low numbered IPs? by 93+Escort+Wagon · · Score: 5, Funny

      OK, all these different numerical addresses are starting to get confusing. Someone ought to invent some kind of protocol to automatically map human-readable names onto these obscure numbers.

      One one one one
      Four four four four
      Eight eight eight eight

      --
      #DeleteChrome
    10. Re: How much for low numbered IPs? by Anonymous Coward · · Score: 0

      No, the lowest number IP would be 0.0.0.1

    11. Re:How much for low numbered IPs? by Anonymous Coward · · Score: 0

      You missed 9.9.9.9

    12. Re: How much for low numbered IPs? by Anonymous Coward · · Score: 0

      For years using 4.2.2.1 and 4.2.2.2

    13. Re:How much for low numbered IPs? by Anonymous Coward · · Score: 0

      So now we have DNS servers on 1.1.1.1, 4.4.4.4, and 8.8.8.8. Who has 2.2.2.2 and can they put a DNS server on it?

      https://www.iana.org/assignmen...

      2/8 is allocated to RIPE (Europe) by IANA in 2009
      Whois shows 2.2.0.0/16 as France Telecom Orange

      1/8 is allocated to APNIC (Asia Pacific) by IANA in 2010
      4/8 and 8/8 is allocated to Level 3 (one of the larger backbones) in 1992

      As to if they can put a DNS server on that address, technically speaking of course they can, the real question is who "they" might actually be. It may be in a block allocated to a customer.

    14. Re:How much for low numbered IPs? by sims+2 · · Score: 4, Informative

      1.1.1.1 valid cloudflare
      2.2.2.2 invalid owned by Orange S.A. according to RIPE
      3.3.3.3 invalid owned by Amazon
      4.4.4.4 invalid owned by Level 3 Communications, Inc
      5.5.5.5 invalid owned by Telefónica Germany
      6.6.6.6 invalid owned by Headquarters, USAISC
      7.7.7.7 invalid owned by DoD Network Information Center
      8.8.8.8 valid google
      9.9.9.9 valid quad9

      --
      Minimum threshold fixed. Thanks!
    15. Re:How much for low numbered IPs? by Anonymous Coward · · Score: 0

      Who has 2.2.2.2 and can they put a DNS server on it?

      From whois:

      inetnum: 2.0.0.0 - 2.15.255.255
      netname: FR-TELECOM-20100712
      country: FR
      org: ORG-FT2-RIPE
      [...]

    16. Re:How much for low numbered IPs? by Anonymous Coward · · Score: 0

      Hello, Which service do you require?

    17. Re:How much for low numbered IPs? by thegarbz · · Score: 1

      This is the lowest IP number on the internet.

      And yet it doesn't seem any more favorable than my own IP address. It doesn't have ocean views, doesn't get discounts at the local restaurant, and the chicks don't really give a damn. Also thanks to the service run on it you never need to give a damn what your IP address is.

      So what makes it so valuable in your eyes?

    18. Re:How much for low numbered IPs? by thegarbz · · Score: 1

      You're forgetting 9.9.9.9 which is https://www.quad9.net/ and also a DNS server.

    19. Re:How much for low numbered IPs? by jeremyp · · Score: 2, Informative

      6.6.6. the network of the Beast

      --
      All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe
    20. Re:How much for low numbered IPs? by pnutjam · · Score: 1

      also 1.0.0.1, that's cloudflare's backup DNS.

    21. Re:How much for low numbered IPs? by nadass · · Score: 0

      You're forgetting 9.9.9.9 which is https://www.quad9.net/ and also a DNS server.

      9.9.9.9 is/was owned/allocated by/to IBM. Their partnership is allowing Quad9 to utilize the IP for their marketing purposes.

    22. Re:How much for low numbered IPs? by Anonymous Coward · · Score: 0

      >1.0.0.1 is the lowest valid IPv4 address.
      Why do I get a response when pinging 1.0.0.0?

    23. Re:How much for low numbered IPs? by Anonymous Coward · · Score: 0

      Level3's dns is 4.2.2.2 not 4.4.4.4

    24. Re:How much for low numbered IPs? by Smallpond · · Score: 2

      2.2.2.2 is Orange (France Telecom) according to whois data.

    25. Re:How much for low numbered IPs? by Anonymous Coward · · Score: 3, Funny

      Just found out that I own 10.10.10.10, so I'm putting my DNS there to mark my territory.

    26. Re:How much for low numbered IPs? by IGnatius+T+Foobar · · Score: 1

      On a worldwide corporate network that I maintain, we set up 10.10.10.0/24 as an Anycast space so that we can have 10.10.10.10 answer as the DNS server for every location.

      --
      Tired of FB/Google censorship? Visit UNCENSORED!
    27. Re: How much for low numbered IPs? by Anonymous Coward · · Score: 0

      For at least the last two decades (or nearly forget in Internet years), devices are able to use the network address. Try it: connect a couple of devices on say 10.2.3.0/24 and assign one of them the address 10.2.3.0 and it will work.

      So the lowest IP available on the Internet is 1.0.0.0.

    28. Re: How much for low numbered IPs? by Anonymous Coward · · Score: 0

      s/forget/forever/ #DamnYouAutocorrect

    29. Re:How much for low numbered IPs? by Anonymous Coward · · Score: 0

      On a worldwide corporate network that I maintain, we set up 10.10.10.0/24 as an Anycast space so that we can have 10.10.10.10 answer as the DNS server for every location.

      Since we do the same thing where I work, I am sort of suspecting you work where I do.
      You claim to maintain the network though, so it's possible I know you... or you just work somewhere else entirely.

      Huh.

    30. Re:How much for low numbered IPs? by Anonymous Coward · · Score: 1

      So we now have
      1.1.1.1
      9.9.9.9
      8.8.8.8
      4.4.4.4
      I'm sure it's just a coincidence

    31. Re: How much for low numbered IPs? by Anonymous Coward · · Score: 0

      Not true. You can use 1.0.0.0 if your mask is /32 or /31. As long as you use a classless routing protocol, totally valid schema.

    32. Re: How much for low numbered IPs? by Brockmire · · Score: 1

      That sounds like added hassle for no good reason.

    33. Re: How much for low numbered IPs? by Anonymous Coward · · Score: 0

      The lowest usable IP is 1.0.0.1

    34. Re:How much for low numbered IPs? by Anonymous Coward · · Score: 0

      Why do I get a response when pinging 1.0.0.0?

      Either your networking is broken, or possibly you are on a Cisco AP managed wifi network (aka your networking is broken)

    35. Re:How much for low numbered IPs? by Anonymous Coward · · Score: 0

      Hmmm... that's not it:

      # traceroute 1.0.0.0
      [...snip...]
        8 cloudflare.fra.ecix.net (62.69.146.42) 102.691 ms 104.871 ms 101.735 ms
        9 1.0.0.0 (1.0.0.0) 94.357 ms 92.976 ms 91.904 ms

    36. Re: How much for low numbered IPs? by Brockmire · · Score: 1

      I could add 10.2.3.0 alias to my linux box but Windows 10 said no. That's incorrect on Linux, no?

    37. Re:How much for low numbered IPs? by Anonymous Coward · · Score: 0

      Just found out that I own 10.10.10.10, so I'm putting my DNS there to mark my territory.

      Your security sucks! I just hacked into your 10.10.10.10 server and installed a bunch of malware!

  6. This DNS stops ISPs from knowing sites you visit? by JoeyRox · · Score: 4, Informative

    From the article:

    "What many Internet users don't realize is that even if you're visiting a website that is encrypted -- has the little green lock in your browser -- that doesn't keep your DNS resolver from knowing the identity of all the sites you visit. That means, by default, your ISP, every wifi network you've connected to, and your mobile network provider have a list of every site you've visited while using them," says Cloudflare.

    How does this stop ISPs from knowing which sites you visit? Once Cloudflare's DNS serves up the IP address (instead of your ISP's DNS), you still need to send/receive traffic from that IP address, which the ISP can easily monitor. The only way to prevent this is to use a VPN, while making sure to use your VPN's DNS as well.

  7. Re:Tried it, it's fast - TPB.org by charliemerritt03 · · Score: 2, Informative

    The Pirate bay was not censored for me. Fast.

  8. Re:This DNS stops ISPs from knowing sites you visi by hrbrmstr · · Score: 2

    On the surface, yes. But, there are a number of options available for transport privacy that do not require using a VPN (provided you actually trust Cloudflare not to use your data and are savvy enough to set up one of the options) https://developers.cloudflare....

    --
    Mind the gap...
  9. Re: Too bad Cisco uses this for a virtual IP in so by guruevi · · Score: 1, Informative

    I think you're confusing it with 10.x.x.x. Although I've seen others type 1 or 100 due to typos, no self respecting network admin would do that though.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
  10. Contrast with Quad9 by MSG · · Score: 1

    Their priorities make the service an interesting alternative to Quad9: https://www.globalcyberallianc...

    Are they also going to offer DNS over TLS?

    1. Re:Contrast with Quad9 by Anonymous Coward · · Score: 0

      Yes, they already do. Don't know why we have to have summaries that link to betanews when they could just link to the actual Cloudflare post.
      https://blog.cloudflare.com/announcing-1111/

    2. Re:Contrast with Quad9 by Anonymous Coward · · Score: 1

      Yes: https://developers.cloudflare.com/1.1.1.1/dns-over-tls/

      Seems to work well for me so far. If you are using pfsense you can use it with a few config lines:
      https://forum.pfsense.org/index.php?topic=138966.0

      shameless plug.. my post.
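
Added example, not part of any comment in this thread and not Cloudflare's code: it illustrates the point raised in "This DNS stops ISPs from knowing sites you visit?" and in the DNS-over-TLS replies above by building a classic DNS query and parsing it the way any on-path observer of UDP port 53 can, then showing the length-prefixed framing (RFC 1035 section 4.2.2, reused by RFC 7858) that DNS over TLS carries inside the encrypted stream. The function names and the `example.com` sample are constructed for illustration.

```python
import struct

QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name):
    """Encode a host name as length-prefixed DNS labels (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("label length must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=QTYPE_A, txid=0x1234):
    """Build a one-question query: 12-byte header (RD flag set) plus question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def read_name(msg, offset):
    """Decode a name at offset, following compression pointers with a hop limit."""
    labels, jumps, resume = [], 0, None
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name")
        length = msg[offset]
        if length & 0xC0 == 0xC0:            # compression pointer
            if offset + 1 >= len(msg):
                raise ValueError("truncated pointer")
            if resume is None:
                resume = offset + 2          # parsing continues after the first pointer
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            jumps += 1
            if jumps > 16:                   # a pointer loop would otherwise never end
                raise ValueError("compression pointer loop")
            continue
        if length & 0xC0:
            raise ValueError("reserved label type")
        offset += 1
        if length == 0:                      # root label ends the name
            break
        if offset + length > len(msg):
            raise ValueError("truncated label")
        labels.append(msg[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels) + ".", (resume if resume is not None else offset)


def observe_plain(payload):
    """What a passive observer reads from an unencrypted UDP/53 query payload."""
    if len(payload) < 12:
        raise ValueError("short header")
    txid, _flags, qdcount = struct.unpack("!HHH", payload[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, offset = read_name(payload, 12)
    if offset + 4 > len(payload):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", payload[offset:offset + 4])
    return {"txid": txid, "qname": qname, "qtype": qtype}


def frame_for_stream(msg):
    """Two-byte length prefix used by DNS over TCP and, inside TLS, by DNS over TLS."""
    return struct.pack("!H", len(msg)) + msg


def unframe(stream):
    """Recover one DNS message from a length-prefixed stream buffer."""
    if len(stream) < 2:
        raise ValueError("short frame")
    (length,) = struct.unpack("!H", stream[:2])
    body = stream[2:2 + length]
    if len(body) != length:
        raise ValueError("short frame")
    return body


if __name__ == "__main__":
    query = build_query("example.com", txid=0xBEEF)   # constructed sample query
    # Plain DNS: the queried name is readable by anyone who can see the packet.
    print("on the wire, UDP/53:", observe_plain(query))
    # DNS over TLS: these same bytes travel as TLS application data on port 853,
    # so the name is hidden in transit; the resolver still sees it, and the
    # destination IP of the traffic that follows is still visible to the ISP.
    print("DoT plaintext before encryption:", frame_for_stream(query).hex())
```
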

  11. OpenNIC and DNSCRYPT by Anonymous Coward · · Score: 3, Interesting

    How is this better than OpenNIC and DNSCrypt? Remember that Cloudflare is the company that has a CEO that "woke up in a bad mood" and decided to ban a domain from their service. Yeah, it was a bunch of Nazis, but it shows that they're not really committed to freedom ... just freedom for points of view that don't irritate them.

    1. Re:OpenNIC and DNSCRYPT by greenwow · · Score: 5, Insightful

      Exactly. You must take a stand against freedom of speech in order to protect it.

    2. Re: OpenNIC and DNSCRYPT by Anonymous Coward · · Score: 3, Insightful

      No.

      YOU consider Nazis to be Evil and worthy of extermination (as do I.) In some places, the same sentiment exists towards gays, Christians, Muslims, Jews, insert name of political party here, etc.
      The only way to ensure that DNS is not used against legitimate ideas is to ensure it does not allow ANY site to be blocked over content. DNS should never do more than ensure entries are legitimate and not hijacked.

    3. Re:OpenNIC and DNSCRYPT by Anonymous Coward · · Score: 0

      Exactly. You must take a stand against freedom of speech in order to protect it.

      Then you must support drowning out other people's speech by even louder speech, after all it wouldn't truly be free speech if they weren't free to speak as much and loudly as they want to.

    4. Re:OpenNIC and DNSCRYPT by kenai_alpenglow · · Score: 1

      Don't you think you're being a little extreme?

    5. Re:OpenNIC and DNSCRYPT by rtb61 · · Score: 2

      Which is a sign of how they pay for that free DNS service. Obviously Google will datamine the crap out of their, we own your browsing history DNS, service. Cloudflare sells no advertising yet, how the hell will it pay for it, to justify the expenditure. Probable answer it makes the security services they sell much cheaper to provide, it saves more money, than it costs, it provides tighter security and of course the CEO fessed up with zero pressure indicative of acknowledgement that it was a bad idea that will not be repeated.

      --
      Chaos - everything, everywhere, everywhen
    6. Re:OpenNIC and DNSCRYPT by Bert64 · · Score: 1

      Attempting to attack nazis, making them angry and drawing attention to them is helping them.
      Attempting to ban nazi or other extremist propaganda turns it into the forbidden fruit, which also attracts people.
      The only sensible way to combat extremism is to ensure that people are well educated, people will reject it on their own without needing to hide it.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    7. Re:OpenNIC and DNSCRYPT by Anonymous Coward · · Score: 0

      Attempting to attack nazis, making them angry and drawing attention to them is helping them.

      This is dead wrong. History shows that ignoring nazis doesn't work--they will use their rhetoric to blame some minority or another for economic disparity and if they are allowed to preach their poisonous people will begin to believe them and their efforts gain momentum.

    8. Re:OpenNIC and DNSCRYPT by Anonymous Coward · · Score: 0

      Er, no, you don't. There is well-established law on this (ultimately boiling down to the "Shouting FIRE!" argument). Like all "freedoms", there has to be some level of accountability to the individual from the society they live in. You can own a car for example - but that doesn't give you the right to drive all over people's front gardens or speed in a school zone. Speech, even "free" speech is regulated and yes, even the USA's much-lauded "founding fathers" realised and recognised this. More importantly, like anything the masses get to enjoy, taking a stand to have some rules, ensures a few louts don't ruin it for the rest of us. I helped build a corner of the global Internet in the nineties - we believed the free flow of information really would change things. Of course the kiddie-fiddling scum out there created the legal toe-hold the regulators needed to get the thin end of a very large regulatory wedge into the Internet. Then came the music piracy, film piracy and so on. Ultimately the communities abusing the freedom (and the power that came with that freedom) handed the promise of the public Internet to its enemies. So yeah, sometimes you should take a stand against speech because not all of it is particularly worthwhile - but it is just wicked enough to give the real enemies of freedom the wedge they need to shut the lot down.

  12. Nice! by WolfgangVL · · Score: 2

    Works faster than level 3, hello Cloudflare.

    --
    You are being ripped off every second of every day, so that advertisers can help rip you off even more tomorrow.
  13. Why trust CF? by hrbrmstr · · Score: 5, Interesting

    Not casting aspersions, but I've yet to see a reason why I (or anyone) should trust CF. The "KPMG" 'audit' reason is absolutely not sufficient, too.

    The service is free and lures folks in with "fast". When a service is free, you're the product (see recent FB kerfuffle).

    And, no IPv6 endpoint seems like a big missing component when "competitors" have it.

    --
    Mind the gap...
    1. Re:Why trust CF? by Anonymous Coward · · Score: 0

      They do have an IPv6 endpoint as well.

    2. Re:Why trust CF? by Anonymous Coward · · Score: 1

      Most Free Linux distributions, most open source software, and Firefox are evidence that free does not mean you are the product.

    3. Re:Why trust CF? by cascadingstylesheet · · Score: 4, Informative

      And, no IPv6 endpoint seems like a big missing component when "competitors" have it.

      it doesn't?

    4. Re:Why trust CF? by Anonymous Coward · · Score: 0

      Not as sexy as the IPv4 addresses but they work 2606:4700:4700::1111 and 2606:4700:4700::1001

    5. Re:Why trust CF? by Kohath · · Score: 2

      The service is free and lures folks in with "fast". When a service is free, you're the product (see recent FB kerfuffle).

      Wikipedia is free.

    6. Re:Why trust CF? by thegarbz · · Score: 4, Interesting

      When a service is free, you're the product

      Not always. You have to have something of value from you along with a buyer for you in order for you to be the product. Cloudflare isn't.

      Sometimes when a service is free for you, you're lucky to ride on the paying service of others.

      Follow the money. Sometimes there is a free lunch.

    7. Re:Why trust CF? by Anonymous Coward · · Score: 0

      Oh FFS, the service isn't free. YOU are not the product.

      The 'free' versions are quite limited and really there because they're so damn cheap to provide. But if you become a hassle for them on the free tier, the game changes.

      And from my point of view in MY country, the list of providers is:

      * Cloudflare
      * Akamai

      That's the thing that pisses me off about this holier than thou attitude - Cloudflare are one of the VERY small minorities that seem to understand that "world isn't USA or Europe". I'm honestly not aware of any others that are here.

    8. Re:Why trust CF? by Bert64 · · Score: 1

      Software has a fixed cost to produce, they can have infinite additional users for zero extra cost once the software is written.
      The costs to provide a service increase as you add users.
      It's much harder to provide a free service than free software, especially if it becomes popular.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    9. Re:Why trust CF? by Hodr · · Score: 2

      Playing Devil's advocate, would it be possible to be the "product", for them to be profitable, and for it still to not invade your privacy? I.e. they could track generic usage to find market trends, popular brands, shifts in politics. This data is probably valuable without requiring them to track individuals or invade any particular person's privacy.

    10. Re:Why trust CF? by q4Fry · · Score: 1

      The service is free and lures folks in with "fast". When a service is free, you're the product (see recent FB kerfuffle).

      Wikipedia is free.

      With Wikipedia, you curate the product. Also, Jimmy keeps trying to guilt you into donating.

    11. Re:Why trust CF? by Anonymous Coward · · Score: 0

      Cloudflare's product is content delivery. They aren't selling your information they are selling the ability for you to be able to connect to their customers.

      A functioning DNS is a link in this chain that is why they are offering it. They will no doubt use it to push changes in DNS that will benefit their CDN but as far as the users go this is indeed a free lunch.

  14. Re: Too bad Cisco uses this for a virtual IP in s by Anonymous Coward · · Score: 0

    Dell IPMI defaults the network address to this ip when it doesn't get a response from the dhcp server. This makes this great feature incompatible with my network!

    Could I suggest 10.1.1.1?

  15. Re:This DNS stops ISPs from knowing sites you visi by Anonymous Coward · · Score: 0

    many sites per ip...

    what happened to this place?

  16. Re: Too bad Cisco uses this for a virtual IP in s by K.+S.+Kyosuke · · Score: 4, Funny

    Dell IPMI

    So the old maxim that the Internet routes around the damage is true!

    --
    Ezekiel 23:20
  17. Re: Too bad Cisco uses this for a virtual IP in so by Tim+the+Gecko · · Score: 5, Informative

    I think you're confusing it with 10.x.x.x.

    I don't think they are. For example: https://supportforums.cisco.co...

  18. fuck cloudflare by Anonymous Coward · · Score: 1, Insightful

    Cloudflare lost all credibility after what they did to the Daily Stormer. Look: I'm sure CF thinks they'll protect your privacy, but that goes out the door when someone thinks you're a "Nazi". And you're a Nazi these days if you believe there are fewer than 52 genders.

    So fuck Cloudflare.

    1. Re:fuck cloudflare by Anonymous Coward · · Score: 0, Troll

      No, you're a nazi when you think that any of those 52 (or less) genders, or races, is inherently superior to any other. You're a nazi when you think that differences can simply be summed up by "superior" or "inferior". You're a nazi when you think that any of those genders/races is/are responsible for all the problems in the world and should be segregated, enslaved, or exterminated.

      You're a nazi when your simple, primitive mind fails to see all the subtle shades of gray, tones of color in this thing called "reality", and sees the world only in binary concepts of "good and evil", "black and white", "right and wrong", "us and them", etc.

    2. Re: fuck cloudflare by Anonymous Coward · · Score: 0

      Cloud flare sucks cock.

    3. Re: fuck cloudflare by Anonymous Coward · · Score: 0

      Nazi supporters say cloudflare is bad?

      Thanks, I'll have to check them out.

    4. Re: fuck cloudflare by Anonymous Coward · · Score: 0

      Heil Hitler !!

    5. Re: fuck cloudflare by GameboyRMH · · Score: 1

      I know, awesome feature! Anything can be improved by antagonizing nazi snowflakes!

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    6. Re: fuck cloudflare by Anonymous Coward · · Score: 0

      >Nazi
      >snowflakes
      Pick one.

    7. Re: fuck cloudflare by GameboyRMH · · Score: 1

      Why? Nazis are the most delicate snowflakes of all, constantly complaining that others' rights of free speech and association are hurting their widdle feelings.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    8. Re: fuck cloudflare by Anonymous Coward · · Score: 0

      Why? Nazis are the most delicate snowflakes of all, constantly complaining that others' rights of free speech and association are hurting their widdle feelings.

      It's pretty easy to identify a nazi, they're the ones saying nazis aren't snowflakes.

    9. Re:fuck cloudflare by Anonymous Coward · · Score: 0

      Cloudflare lost all credibility after what they did to the Daily Stormer. Look: I'm sure CF thinks they'll protect your privacy, but that goes out the door when someone thinks you're a "Nazi". And you're a Nazi these days if you believe there are fewer than 52 genders.

      So fuck Cloudflare.

      Best endorsement ever.

  19. Pretty fast by TFlan91 · · Score: 5, Informative

    Just ran a benchmark of the service, here are my results:


      Final benchmark results, sorted by nameserver performance:
      (average cached name retrieval speed, fastest to slowest)

            1. 0. 0. 1 | Min | Avg | Max |Std.Dev|Reliab%|
        - Cached Name | 0.020 | 0.023 | 0.029 | 0.002 | 98.0 |
        - Uncached Name | 0.022 | 0.090 | 0.287 | 0.075 | 100.0 |
        - DotCom Lookup | 0.049 | 0.055 | 0.066 | 0.003 | 100.0 |
                            1dot1dot1dot1.cloudflare-dns.com
                        CLOUDFLARENET - Cloudflare, Inc., US

            1. 1. 1. 1 | Min | Avg | Max |Std.Dev|Reliab%|
        - Cached Name | 0.021 | 0.023 | 0.030 | 0.002 | 95.9 |
        - Uncached Name | 0.022 | 0.096 | 0.325 | 0.082 | 100.0 |
        - DotCom Lookup | 0.048 | 0.073 | 0.166 | 0.043 | 100.0 |
                            1dot1dot1dot1.cloudflare-dns.com
                    MEGAPATH2-US - MegaPath Networks Inc., US

            8. 8. 4. 4 | Min | Avg | Max |Std.Dev|Reliab%|
        + Cached Name | 0.048 | 0.052 | 0.057 | 0.002 | 100.0 |
        + Uncached Name | 0.060 | 0.104 | 0.344 | 0.073 | 100.0 |
        + DotCom Lookup | 0.063 | 0.070 | 0.158 | 0.014 | 100.0 |
                              google-public-dns-b.google.com
                                      GOOGLE - Google LLC, US

            8. 8. 8. 8 | Min | Avg | Max |Std.Dev|Reliab%|
        + Cached Name | 0.049 | 0.053 | 0.060 | 0.002 | 98.0 |
        + Uncached Name | 0.057 | 0.106 | 0.367 | 0.077 | 100.0 |
        + DotCom Lookup | 0.063 | 0.073 | 0.156 | 0.020 | 100.0 |
                              google-public-dns-a.google.com
                                      GOOGLE - Google LLC, US

    1. Re:Pretty fast by Anonymous Coward · · Score: 0

      Google's public DNS servers must have been having a good day when you ran your tests. They typically take 700-800ms to respond when I try them.

  20. Re:This DNS stops ISPs from knowing sites you visi by JoeyRox · · Score: 1

    But, there are a number of options available for transport privacy that do not require using a VPN (provided you actually trust Cloudflare not to use your data and are savvy enough to setup one of the options)

    What alternate options does Cloudflare provide that don't require a VPN? I didn't see them mentioned in the link you provided. Is it an https tunnel through their servers?

  21. Re: Trump can't use this in prison though by Anonymous Coward · · Score: 0

    Russian bots running on iPhone confirmed.

  22. Re: Too bad Cisco uses this for a virtual IP in by Anonymous Coward · · Score: 0

    could we suggest getting a new network?

  23. The rest of the world would go with an IP of 4 by OzPeter · · Score: 1

    Why? 1/4 of course!

    --
    I am Slashdot. Are you Slashdot as well?
  24. Meh by jawtheshark · · Score: 2

    I just run my own. Not that hard.

    --
    Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
    1. Re:Meh by grub · · Score: 3, Informative

      So set up Cloudflare's DNS as your forwarders. I just did that.

      --
      Trolling is a art,
    2. Re:Meh by arth1 · · Score: 2

      So set up Cloudflare's DNS as your forwarders. I just did that.

      Hell, no. Then you tell Cloudflare - and by extension any American three letter agency - which fully qualified domain names you look up. I may be OK with a root name server seeing my user query what the authoritative DNS is for .de, but not that he or she then goes on to look up www.dkp.de.
      So no thanks, no forwarders, at least not ones located in police states.

  25. Also 1.1 by rpetre · · Score: 1

    To note that in most IP parsing libraries (or at least the ones I'm familiar with) 1.1.1.1 can be also expressed as 1.1 (if less than four numbers the last number is interpreted on as many bits as are left till 32). So you can now be cool and ping 1.1 or dig google.com @1.1., making the old favourite, 8.8.8.8, quite a mouthful in comparison.

    1. Re:Also 1.1 by Anonymous Coward · · Score: 0

      I don't quite understand your explanation, but my ping implementation expands 1.1 to 1.0.0.1 which is their secondary, so it does work.

      PING 1.1 (1.0.0.1) 56(84) bytes of data.

    2. Re:Also 1.1 by rpetre · · Score: 1

      1.1.1.1 can be also expressed as 1.1

      And by 1.1.1.1 I meant 1.0.0.1, of course, and why does Slashdot still not allow comment editing?

    3. Re:Also 1.1 by Rockoon · · Score: 3, Insightful

      and why does Slashdot still not allow comment editing?

      Because it's a stupid feature that would only benefit careless people such as yourself allowing you to feel no consequences for your carelessness, while potentially hurting everyone else who could then feel real consequences from your constant never ending carelessness.

      --
      "His name was James Damore."
    4. Re:Also 1.1 by Anonymous Coward · · Score: 0

      # ping 1.1
      PING 1.1 (1.0.0.1) 56(84) bytes of data.
      64 bytes from 1.0.0.1: icmp_seq=1 ttl=55 time=17.5 ms
      64 bytes from 1.0.0.1: icmp_seq=2 ttl=55 time=16.8 ms
      64 bytes from 1.0.0.1: icmp_seq=3 ttl=55 time=16.9 ms
      64 bytes from 1.0.0.1: icmp_seq=4 ttl=55 time=17.4 ms
      ^C
      --- 1.1 ping statistics ---
      4 packets transmitted, 4 received, 0% packet loss, time 3004ms
      rtt min/avg/max/mdev = 16.813/17.198/17.525/0.310 ms

      Cool! I remember reading the :: to denote a string of 0's in an IPv6 address, but never knew about this parsing bug^H^H^H feature. Thanks!
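
The short-form expansion discussed in this sub-thread, as an added example that is not part of any comment above: a pure-Python reimplementation of the classic `inet_aton` rules (last component fills the remaining bytes; `0x` means hex and a leading `0` means octal), next to the strict four-octet parser in Python's `ipaddress` module. The function names and the sample spellings are constructed for illustration; canonicalising like this before comparing addresses in logs, ACLs or allow-lists keeps different spellings of one host from being treated as different hosts.

```python
import ipaddress

# Digits allowed per base, mirroring C's strtoul(text, NULL, 0) conventions.
ALLOWED = {8: "01234567", 10: "0123456789", 16: "0123456789abcdef"}


def parse_component(text):
    """Parse one dot-separated component: 0x.. is hex, a leading 0 is octal."""
    lowered = text.lower()
    if lowered.startswith("0x"):
        digits, base = lowered[2:], 16
    elif len(lowered) > 1 and lowered[0] == "0":
        digits, base = lowered[1:], 8
    else:
        digits, base = lowered, 10
    if not digits or any(ch not in ALLOWED[base] for ch in digits):
        raise ValueError(f"bad address component: {text!r}")
    return int(digits, base)


def legacy_aton(text):
    """Return the IPv4Address a classic inet_aton-style parser would produce.

    a.b.c.d -> four 8-bit parts
    a.b.c   -> c fills the low 16 bits
    a.b     -> b fills the low 24 bits (so "1.1" is 1.0.0.1)
    a       -> a is the whole 32-bit address
    """
    parts = text.split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"too many components: {text!r}")
    values = [parse_component(p) for p in parts]
    *leading, last = values
    if any(v > 0xFF for v in leading):
        raise ValueError(f"leading component out of range: {text!r}")
    tail_bits = 8 * (4 - len(leading))      # bits left for the last component
    if last >= 1 << tail_bits:
        raise ValueError(f"last component out of range: {text!r}")
    packed = 0
    for v in leading:
        packed = (packed << 8) | v
    packed = (packed << tail_bits) | last
    return ipaddress.IPv4Address(packed)


def canonical(text):
    """Dotted-quad string for any spelling the legacy rules accept."""
    return str(legacy_aton(text))


def strict_accepts(text):
    """True if Python's strict parser (exactly four decimal octets) accepts it."""
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


# Constructed sample spellings; the first five all name Cloudflare's resolvers.
SAMPLES = ["1.1", "1.0.1", "1.1.1.1", "16777217", "0x1.1", "8.8.8.8"]


def report(samples=SAMPLES):
    """(spelling, canonical form, accepted by strict parser) for each sample."""
    return [(s, canonical(s), strict_accepts(s)) for s in samples]


if __name__ == "__main__":
    for spelling, dotted, strict in report():
        print(f"{spelling:>10} -> {dotted:<10} strict parser accepts: {strict}")
```
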

  26. some stupid vendors use the IP for Portal Authenti by Anonymous Coward · · Score: 0

    some stupid vendors use the IP for Portal Authentication, for example: Cisco

  27. I've been using Quad9. Seems similar. by Anonymous Coward · · Score: 1

    https://www.quad9.net

    1. Re:I've been using Quad9. Seems similar. by nadass · · Score: 0

      FWIW, Quad9 is a content-censorship service. There's privacy, but also at the cost of them deciding whether a host is serving "malicious" content.

  28. Reember the Alao! by Mister+Liberty · · Score: 2

    They ate our & 's that day.

  29. Neither private nor secure by Anonymous Coward · · Score: 0

    My ISP, and others I expect, log and retain DNS queries. And any (wifi) network you use can intercept and change a DNS response.

    How is this new DNS server useful?

    1. Re: Neither private nor secure by Anonymous Coward · · Score: 0

      It's not.

    2. Re: Neither private nor secure by Anonymous Coward · · Score: 0

      Dns over https

  30. Re:This DNS stops ISPs from knowing sites you visi by Anonymous Coward · · Score: 0

    Cloudflare’s DNS will offer support for both DNS-over-TLS and DNS-over-HTTPS, and the company is hoping that its HTTPS support will see more browsers and operating systems support the protocol.

  31. Re: Too bad Cisco uses this for a virtual IP in by nasch · · Score: 4, Informative

    Did you try the alternate 1.0.0.1?

  32. Re:This DNS stops ISPs from knowing sites you visi by williamyf · · Score: 1

    How does this stop ISPs from knowing which sites you visit? Once Cloudflare's DNS serves up the IP address (instead of your ISP's DNS), you still need to send/receive traffic from that IP address, which the ISP can easily monitor. The only way to prevent this is to use a VPN, while making sure to use your VPN's DNS as well.

    While their attempt at privacy is commendable, I'll stick with my current setup:

    * GlobalCyberAlliance's 9.9.9.9 as primary for added protection against nasties (not for me specifically, but for the less tech savvy users in the houses).
    * Google's 8.8.4.4 as alternate.
    * And OpenDNS' at 208.67.222.222 for modems that support a third option.

    Some people may prefer some other order, and there is nothing wrong with that. Perhaps privileging OpenDNS' for the family friendly filtering, or Google's for raw speed and non-censorship...

    My way gives me a nice balance of protection and speed, while avoiding the censorship of the State run ISP (CANTV Venezuela). But YMMV

    --
    *** Suerte a todos y Feliz dia!
  33. Re: Too bad Cisco uses this for a virtual IP in so by Anonymous Coward · · Score: 1

    He's the chap who works behind the counter at Walmart

  34. Re:This DNS stops ISPs from knowing sites you visi by bill_mcgonigle · · Score: 1

    many sites per ip...

    That's only usually true for small shared-hosting sites or multiple services from a single entity.

    what happened to this place?

    The Dunning-Kruger is still strong though!

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  35. Other easy to remember public DNS Servers by Xenolith0 · · Score: 4, Informative

    Other easy to remember public DNS Servers

    • Google (Unfiltered)
      • 8.8.4.4
      • 8.8.8.8
    • Global Cyber Alliance (Filters malicious content)
      • 9.9.9.9
    • Cloudflare
      • 1.0.0.1
      • 1.1.1.1
    • Level 3 Communications
      • 4.2.2.1
      • 4.2.2.2
      • 4.2.2.3
      • 4.2.2.4
      • 4.2.2.5
      • 4.2.2.6
    1. Re:Other easy to remember public DNS Servers by Anonymous Coward · · Score: 0

      9.9.9.10 is unfiltered.

  36. Been there, done that by Anonymous Coward · · Score: 0

    The original free, canonical, secure, privacy assured DNS by Verisign:

    • 64.6.64.6
    • 64.6.65.6
    1. Re:Been there, done that by nadass · · Score: 0

      From their website, "Verisign respects your privacy. We will not sell your public DNS data to third parties nor redirect your queries to serve you any ads."

      In other words, they collect and analyze all sorts of traffic patterns and what-not... but they won't hijack your traffic to provide you with ads. That's all fine and good (and expected) but this isn't 2001 anymore; it would be nice if they simply never collected any traffic data in the first place... and that's what CloudFlare DNS is offering.

  37. Re: This DNS stops ISPs from knowing sites you vis by Anonymous Coward · · Score: 0

    How fucking dumb can people be to not realize that?

  38. Re:Too bad Cisco uses this for a virtual IP in som by Billly+Gates · · Score: 1

    That is intentional. Cloudflare has their own commercial DNS service and do not want businesses to piggyback off their services

    Hopefully it's better than NortonDNS which I stopped using for performance reasons.

  39. Bogus DNS 9.9.9.9 by Anonymous Coward · · Score: 0

    dns.globalcyberalliance.org uses an invalid security certificate.
    The certificate is only valid for the following names: *.quad9.net, quad9.net
    Error code: SSL_ERROR_BAD_CERT_DOMAIN

  40. Re:This DNS stops ISPs from knowing sites you visi by Anonymous Coward · · Score: 0

    GlobalCyberAlliance

    Their webpage looks and reads like a joke, like some evil Watch Dogs 3 corporation. They're looking for government contracts?

  41. Classic lack of "root source of trust" problem by joe_frisch · · Score: 5, Interesting

    With this and all other attempts to provide privacy or security, what chain of trust allows me to believe that this is actually private or secure.

    Surely there are many organizations with the resources to flood Slashdot with posts assuring me that this, or any other service, is secure.

    Is TOR secure, or a NSA honeypot? How could I possibly know? Without personally having deep technical expertise, how can I trust anything.

    Any comments about tinfoil hats could be legit, or yet more planted posts.

    We need a root source of trust or everything else falls apart.

    1. Re:Classic lack of "root source of trust" problem by Anonymous Coward · · Score: 0, Insightful

      "We need a root source of trust or everything else falls apart."

              You need Jesus. Happy Easter.

           

    2. Re:Classic lack of "root source of trust" problem by Kjella · · Score: 1

      We need a root source of trust or everything else falls apart.

      Yeah, we could call that the Ministry of Truth.

      How could I possibly know? Without personally having deep technical expertise, how can I trust anything.

      Personally you'll only be able to prove high school physics and none of history, that is if you're not trapped in the Matrix.

      Any comments about tinfoil hats could be legit, or yet more planted posts.

      Personally I feel like you're trying to make a reductio ad absurdum argument so say that since you don't know any absolute truth, any loony bin theory could be true. Blind faith is not good, total disbelief of everything you haven't personally verified is also not good. If you disagree here's some fatally poisonous mushrooms, enjoy your Darwin award. Many people have too little healthy skepticism. But many also see fate, destiny and meaning in the random, conspiracies and lies in simple truth. I really don't know a "cure" for being say a flat-earther, if you're willing to discard that body of evidence I don't see how more evidence could convince you otherwise. That's really the trap, people get so convinced of their "truths" that no evidence can shake it.

      --
      Live today, because you never know what tomorrow brings
    3. Re:Classic lack of "root source of trust" problem by nadass · · Score: 0

      We need a root source of trust or everything else falls apart.

      What does trust even mean? What is the purpose of establishing trust with a root source if the information itself should not be trusted?

      Whether you trust a source or not, the value of the information depends on the individual consumer's actual needs. When you ask directions from somebody, you might not trust their character or judgment for all things (like their eye-witness account of a recent crime) but their general insights ("the theater is near city hall, maybe 3-4 traffic lights down the road") may be absolutely sufficient for your needs (e.g. confirming general directions).

      Same thing applies to DNS queries. If you feel more comfortable trusting undercover foreign government spies more than your in-laws, then that's totally up to you -- nobody else should DICTATE whom you should allow yourself to trust. I, for one, trust network services firms with global footprints to assist with scalable name resolution services... you, go trust the devil you already know very, very well.

    4. Re:Classic lack of "root source of trust" problem by kevmeister · · Score: 1

      DNSsec provides a chain of trust using public keys. The root is never given the secret key, so, if the key validates, it is legitimate. The domain holder generates the key pair and loads the public key upstream.

      Unfortunately, DNSsec is generally not implemented end-to-end, severely limiting its value.

      --
      Kevin Oberman, Network Engineer, Retired
    5. Re:Classic lack of "root source of trust" problem by joe_frisch · · Score: 1

      Actually I've sometimes wondered if that was one of the functions of the medieval church: they served as an agreed-upon source of truth. That agreement was useful to society even if they were not actually truthful.

    6. Re:Classic lack of "root source of trust" problem by joe_frisch · · Score: 1

      It may just be my background but science feels a little different: different scientific ideas interlock with each other. It would be difficult to fake a significant branch of science because all the interfaces with other types of science would be off. That seems different from trusting a hosting site, or an implementation of an encryption or communication system which could itself be flawed without other major consequences.

      I'm a scientist, so my viewpoint may be very biased on this. If I were a computer scientist, I might have a very different idea of what could and couldn't be trusted.

    7. Re:Classic lack of "root source of trust" problem by joe_frisch · · Score: 1

      What I mean by "root source of trust" is something people agree upon to be true. For instance if there were a trusted organization to verify that this DNS service is what it claims to be (discounting legitimate bugs), and not a front for some organization intent on using it to collect information

    8. Re:Classic lack of "root source of trust" problem by nadass · · Score: 0

      So I assume you've never heard of Cloudflare before this piece of news? If you were familiar with their areas of expertise, then you would trust what they do (or not). Again, you might trust your entire personal network, even though they may not actually know the truth. Cloudflare is trusted as much or more than Akamai, if you're looking for a "root source of trust" (which is somehow "classic" which itself doesn't make sense to me).

    9. Re:Classic lack of "root source of trust" problem by Anonymous Coward · · Score: 0

      Is TOR secure

      Today, nothing is secure. Hardware exploits are the bread and butter.

      Oh, and calling it TOR is a flag that usually means the person doesn't know anything about "Tor".

  42. Use Google DNS - you got to be kidding me? by Anonymous Coward · · Score: 0

    Might as well let Facebook run a public DNS too then.

    Both Facebook and Google are bilking us if we use their services, so any new public DNS on that scale is more than welcome.

    Why help F'n'G make more money by using their "graciously" provided "free" services.

    Fuck them, not CF.

    1. Re:Use Google DNS - you got to be kidding me? by Anonymous Coward · · Score: 0

      Any DNS service hosted in the US or any of the "Five Eyes" nations is compromised by US and other Western intelligence services.

      CloudFlare is no different.

      Do you think CloudFlare would refuse a warrant, court order, subpoena, or NSL demand for your query history?

      The answer is easy if you think about it.

      It's extremely likely that CloudFlare has received such demands for user query histories in the past from LEAs and TLAs.

      CloudFlare has never been in the news fighting any such demands for data.

      The logical conclusion is that CloudFlare will almost certainly turn over any DNS user query data if the government demands it either overtly through the judicial process or covertly through NSLs and other such quasi-legal tools.

    2. Re: Use Google DNS - you got to be kidding me? by Anonymous Coward · · Score: 0

      The trick is to maintain a low profile. By not doing anything that would draw the wrath of a three letter agency. And that isn't so hard to do.

  43. Re: Too bad Cisco uses this for a virtual IP in so by Anonymous Coward · · Score: 0

    Then they need to knock it the fuck off.
    If you're going to squat on someone else's IP space, bad things start to happen.

  44. Re: Too bad Cisco uses this for a virtual IP in so by omkhar · · Score: 1

    Maybe Cisco should stop doing things to break the way IP works. There are reserved IP ranges just for that purpose.

  45. Re:Too bad Cisco uses this for a virtual IP in som by Anonymous Coward · · Score: 2, Informative

    Too bad Cisco uses this for a virtual IP in some o
    Like their wireless lan controllers.

    It is a shame so many "networking companies" can so badly fuckup basics of networking like that.

    Remember when Linksys hard coded a bunch of public MIT server addresses as "internal" because they didn't know the most commonly used private-reserved IP block was 192.168.*.* and thought all IPs under 192.* were?

    Or when Juniper hard coded 128.* as a blackhole range?

    Back on the current topic, 1.0.0.0/8 was reserved for packet radio networks from 1981 until only 2010.
    I can only imagine Cisco isn't alone in incorrectly utilizing it for their own purposes.

    A prior company I worked for used the 14.* block internally as well, although partially in their defense the company and its internal networks predated RFC1918 by a couple of years, and the 14/8 was similarly reserved as 1/8 for unroutable traffic before any blocks of addresses were specifically allocated as such.
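
An audit for the address squatting described in this comment and its neighbours, as an added example that is not part of the thread: it checks an inventory of internally used prefixes against the three RFC 1918 blocks and lists which of the public resolver addresses quoted on this page each non-private prefix would shadow. The inventory labels and prefixes are constructed; the 1.1.1.1, 14/8, 192.0.0.0/24 and "all of 192.*" cases mirror the ones commenters mention.

```python
import ipaddress

# The three private-use blocks defined by RFC 1918.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Public resolver addresses quoted elsewhere in this thread.
PUBLIC_RESOLVERS = {
    "Cloudflare": ["1.1.1.1", "1.0.0.1"],
    "Google": ["8.8.8.8", "8.8.4.4"],
    "Quad9": ["9.9.9.9"],
    "Level 3": ["4.2.2.1", "4.2.2.2"],
}

# Constructed inventory of prefixes a site routes or configures internally.
INTERNAL_PREFIXES = {
    "wlc-virtual-ip": "1.1.1.1/32",   # controller virtual interface
    "legacy-core": "192.0.0.0/24",    # looks private, is not RFC 1918
    "old-office": "14.0.0.0/8",       # pre-RFC 1918 numbering
    "lab": "10.20.0.0/16",
    "dmz": "172.20.5.0/24",
    "wide-192": "192.0.0.0/8",        # "everything under 192.* is internal"
}


def classify(prefix):
    """Return 'private', 'partly-public' or 'public' for one prefix."""
    net = ipaddress.ip_network(prefix, strict=False)
    if any(net.subnet_of(block) for block in RFC1918):
        return "private"
    if any(net.overlaps(block) for block in RFC1918):
        return "partly-public"      # covers a private block plus public space
    return "public"


def shadowed_resolvers(prefix):
    """Public resolvers that become unreachable if this prefix is used inside."""
    net = ipaddress.ip_network(prefix, strict=False)
    return sorted(f"{name} {addr}"
                  for name, addrs in PUBLIC_RESOLVERS.items()
                  for addr in addrs
                  if ipaddress.ip_address(addr) in net)


def audit(inventory=INTERNAL_PREFIXES):
    """List (label, prefix, classification, shadowed resolvers) for every
    inventory entry that is not fully inside RFC 1918 space."""
    findings = []
    for label, prefix in inventory.items():
        kind = classify(prefix)
        if kind != "private":
            findings.append((label, prefix, kind, shadowed_resolvers(prefix)))
    return findings


if __name__ == "__main__":
    for label, prefix, kind, shadowed in audit():
        note = ", ".join(shadowed) if shadowed else "none of the listed resolvers"
        print(f"{label:<15} {prefix:<15} {kind:<14} shadows: {note}")
```
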

  46. Cloudflare and VPN by Anonymous Coward · · Score: 0

    Cloudflare still constantly interferes with VPN connections and hasn't figured out how to distinguish between not traffic and real VPN traffic. It would be nice if they could focus on that. Normally I just AVOID sites with Cloudflare for that very reason.

    1. Re:Cloudflare and VPN by nadass · · Score: 0

      Cloudflare still constantly interferes with VPN connections and hasn't figured out how to distinguish between not traffic and real VPN traffic. It would be nice if they could focus on that. Normally I just AVOID sites with Cloudflare for that very reason.

      WUT?!

      I can honestly say I don't fully understand your remark. VPN traffic is one thing, DNS resolution is another thing, and they provide so many other things (including CDN). So, umm, what's the problem with VPN connections between your client device and your VPN network provider's ability to route traffic properly?

    2. Re: Cloudflare and VPN by Brockmire · · Score: 1

      Maybe Cloudflare avoids him, too. Fuck, a lot of people know fuck all about VPNs and think they do.

    3. Re: Cloudflare and VPN by desdinova+216 · · Score: 1

      in soviet russia cloudflare avoids you?

  47. They are called governments. by Anonymous Coward · · Score: 0

    What, you can't trust your government?

    Well, then who CAN you trust? :)

    Seriously the only chance you have at established trust anymore is a chain of trust bootstrapped from people you know, and utilizing the 6 degrees of separation (or whatever depth of networked trust you need) who in turn sign off on other certificates/people they have vetted and work from there. A blockchain like Bitcoin, only hashing chains of crypto identities would allow this, although the specifics of implementation and 'permission levels' of trust to range from 'unverified but believed trustworthy, up to 'verified as a trusted server/friend of many years' would be needed to successfully utilize this system, along with a reduction in trust for identities signing off on sites that have been proven untrustworthy.

    1. Re:They are called governments. by joe_frisch · · Score: 1

      I wish we could trust the government. I'd hope that in a democracy we could and they would provide that - but sadly we can't.

    2. Re:They are called governments. by Anonymous Coward · · Score: 0

      I wish we could trust the government. I'd hope that in a democracy we could and they would provide that - but sadly we can't.

      I'd hope that we could have an actual democracy.

  48. Re:Too bad Cisco uses this for a virtual IP in som by pnutjam · · Score: 1

    I worked at a company whose core network was 192.0.0.0/24. It took me two years to get everything moved to a real private IP space.

  49. Just fishing by Anonymous Coward · · Score: 0

    for user data. move along, nothing interesting to see here

  50. Re: Too bad Cisco uses this for a virtual IP in so by Anonymous Coward · · Score: 0

    Do you find anything wrong with opendns?

  51. Re:This DNS stops ISPs from knowing sites you visi by Anonymous Coward · · Score: 1

    Cloudflare’s DNS will offer support for both DNS-over-TLS and DNS-over-HTTPS, and the company is hoping that its HTTPS support will see more browsers and operating systems support the protocol.

    First time noticed DNS over HTTPS come across IETF announce I immediately assumed they want browsers to bypass our DNS filters and shared caches while creating brand new tracking opportunities.

    Ever since then every time this has come up it's been the same BS justifications.

    When RFC7873 is widely deployed then and only then will I mildly give a fuck about anything having to do with DNSSEC. Even then only in the context of TLSA. The concept of secure name lookup is rather pointless and redundant given underlying routing infrastructure is itself insecure.

  52. Funny Question by Anonymous Coward · · Score: 0

    Do they log?

    1. Re:Funny Question by nadass · · Score: 0

      The Slashdot summary lacks depth, but their whole value proposition is that they don't even log... so performance is gained because they don't try to log all activities PRIOR to resolving your query; rather, they proactively discard all traffic-related logs within hours/days... and that's their long-term privacy AND network performance proposition.

  53. Data Collection - Free is not Free by Anonymous Coward · · Score: 0

    Facebook, Google, Cloudflare, etc... all these companies are in the business of data collection. Your data.

    Why don't you ask yourself why these services are free? Why would any company offer a free service?
    Because you are submitting your personal data to them, and they are selling it.
    So do you really think Cloudflare or anybody else gives a flying fuck about your privacy?

  54. Pick the Lesser Evil by Anonymous Coward · · Score: 0

    Who's the lesser evil? Google, Cloudflare, or your ISP? They all will sell you out.

  55. intellectual alert by OrangeTide · · Score: 1

    insult me in Latin, et tu brute?

    --
    “Common sense is not so common.” — Voltaire
  56. cloudflare? privacy? by Anonymous Coward · · Score: 0

    that's rich. that's fucking hilarious.

    this is a company that not only sees where you go, but also what you do when you're there..... they track you across all their hosted or "protected" sites..... and they discriminate harshly against tor traffic.

    cloudflare can fuck the hell right off.

  57. Re:Too bad Cisco uses this for a virtual IP in som by Anonymous Coward · · Score: 0

    (Parent poster again)

    Yes I've both worked for and seen many a company using public IP blocks internally.

    Although in my case, all but one were not even technology companies so far as "computers" go.
    I'm not saying doing that isn't wrong, but I'm willing to cut them much more slack for making the mistake as such things were far out of their field.
    Also to be fair, at least the ones I am still in contact with have fixed their numbering long ago.

  58. Did you see a sign.. by Anonymous Coward · · Score: 0

    ..saying

    'Dead

    U out U `FWD . CONTD in CONTD . CONCORD `GYPPED .
    KL in U . U . U out U `U out U `U we bes U out U `
    U U . U . U . U we bes U we bes U we bes U out U `
    U `U `U . U . U `PELL `U `PELL `CONTD in GYPPED .
    U . U U . U . U out U `U out U `U we bes U . U in
    U in KL . U . U out U `U out U `U we bes U in U .
    U out U `FWD . CONTD in CONTD . CONCORD `U out U `


    Storage?'

  59. Re: Too bad Cisco uses this for a virtual IP in so by LynnwoodRooster · · Score: 1

    Are you serious? I mean, we're on /. - the home for geeks and nerds - and you ask who the FUCK is Sir Ian McKellen? Only the greatest wizard of all time, Gandalf! And if you thought - for one second - about Harry Potter when I said wizard, we're going to banish you to theverge.com or some other godforsaken corner of the Internet!

    --
    Browsing at +1 - no ACs, I ignore their posts. So refreshing!
  60. IPV6 pings by NormanHaga2580 · · Score: 1

    CloudFlare
    C:\Users\Norman>ping 2606:4700:4700::1111

    Pinging 2606:4700:4700::1111 with 32 bytes of data:
    Reply from 2606:4700:4700::1111: time=16ms
    Reply from 2606:4700:4700::1111: time=16ms
    Reply from 2606:4700:4700::1111: time=16ms
    Reply from 2606:4700:4700::1111: time=16ms

    Ping statistics for 2606:4700:4700::1111:
            Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
            Minimum = 16ms, Maximum = 16ms, Average = 16ms

    Google
    C:\Users\Norman>ping 2001:4860:4860::8888

    Pinging 2001:4860:4860::8888 with 32 bytes of data:
    Reply from 2001:4860:4860::8888: time=16ms
    Reply from 2001:4860:4860::8888: time=16ms
    Reply from 2001:4860:4860::8888: time=16ms
    Reply from 2001:4860:4860::8888: time=16ms

    Ping statistics for 2001:4860:4860::8888:
            Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
            Minimum = 16ms, Maximum = 16ms, Average = 16ms

    1. Re:IPV6 pings by nadass · · Score: 0

      With NS Lookup times, a PING log is worthless when comparing DNS servers. The only thing a PING log can illustrate is the network performance of your ISP and its proximity to low-latency network segments.

  61. Re:This DNS stops ISPs from knowing sites you visi by Anonymous Coward · · Score: 0

    uhm, that doesn't solve the problem though. Yes, they may not know what you're sending and receiving, but your ISP will still know who you're sending and receiving from.

  62. Re:This DNS stops ISPs from knowing sites you visi by IGnatius+T+Foobar · · Score: 1

    It's funny how people are concerned about their ISP snooping on them ... and then they go and visit Facebook.

    --
    Tired of FB/Google censorship? Visit UNCENSORED!
  63. How long until this generates revenue? by Anonymous Coward · · Score: 0

    Wonder how long before Cloudflare is offering a paid Passive DNS feed

  64. Re: Too bad Cisco uses this for a virtual IP in by Anonymous Coward · · Score: 1

    Then open a support case with Dell and tell them they're violating RFC 3927: https://tools.ietf.org/html/rfc3927
    by using a public IP they don't own.

    They should be using 169.254.0.0/16 as all compliant devices do when no DHCP server responds.

  65. DNS Watch by nmb3000 · · Score: 3, Interesting

    How is this better than DNS Watch? They are a free, not ad-sponsored, privacy-focused DNS provider with goals of neutrality and anti-censorship.

    Cloudflare is basically the Big Brother gatekeeper of the Internet at this point, with strong ties to the US. Them claiming "privacy" as something they care about is pretty absurd.

    --
    "What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
    /)
  66. Re: Too bad Cisco uses this for a virtual IP in so by Anonymous Coward · · Score: 0

    Not in any WLC I have ever used

  67. Re: Too bad Cisco uses this for a virtual IP in s by NFN_NLN · · Score: 3, Insightful

    > Dell IPMI defaults the network address to this ip when it doesn't get a response from the dhcp server.

    Already addressed in RFC3927 for quite some time. Have Dell update their firmware.

    "169.254.0.0/16 - This is the "link local" block. As described in [RFC3927], it is allocated for communication between hosts on a single link. Hosts obtain these addresses by auto-configuration, such as when a DHCP server cannot be found."

  68. Re:This DNS stops ISPs from knowing sites you visi by whoever57 · · Score: 1

    Google name-based virtual hosting.

    Your ISP knows which IP addresses you connected to, but a single IP address may host multiple sites.

    --
    The real "Libtards" are the Libertarians!
  69. Re: Too bad Cisco uses this for a virtual IP in s by Anonymous Coward · · Score: 0

    Guess you don't serve a guest TOS agreement page?

  70. Re:This DNS stops ISPs from knowing sites you visi by Bert64 · · Score: 2

    And they can tell what site you accessed based on the HOST header or the SNI parameter when negotiating SSL...

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  71. Re: Too bad Cisco uses this for a virtual IP in s by Anonymous Coward · · Score: 0

    Ian is an intern there. They're developing hardware they're going to implant in him to make him fetch coffee via remote control

  72. Re: Too bad Cisco uses this for a virtual IP in s by Anonymous Coward · · Score: 0

    Those idiots couldn't vend a working update to their own modifications of Intel's bmc sdk. I think mentioning rfc would break their minds.

  73. You have no brain. by Anonymous Coward · · Score: 0

    Otherwise you would be pro-Unicode (and contra emoji crap [including literally] in Unicode).

  74. Re:This DNS stops ISPs from knowing sites you visi by Anonymous Coward · · Score: 1

    And by which damned host name you just looked up with DNS, even if you didn't use their name servers, because DNS is not encrypted.

  75. No they dont by GoRK · · Score: 1

    Cisco does not use anything other than RFC1918 reserved blocks. They are actually incredibly diligent about that.

    1. Re:No they dont by Anonymous Coward · · Score: 0

      Actually, the parent is right. The default configured IP for the internal web-authentication portal defaults to 1.1.1.1, and many installers leave it that way. The thing is, it uses a redirect to get the client to that page as part of the initial configuration. If they were on the same subnet, this *could* cause an arp to map it on the client but who configures the wifi to use 1.1.1.0/x??? Client connects, internally the controller redirects the initial web access to the "ip" of the auth page, authentication proceeds and the client goes on its merry way. I doubt that the way Cisco implemented it will cause an issue, even though it was technically stupid to use 1.1.1.1 as the default.

      Most everyone I know who works with these has redesigned that ip as part of the upgrades when doing a second deployment or refresh.

  76. Doesn't it strike everyone as odd? by NichardRixon · · Score: 1

    On their website, Cloudflare makes a big deal out of the privacy their DNS service provides--even citing the probability that ISPs collect and store data from those who use their (ISPs) DNS. Yet, as others have pointed out in this thread, the ISP can still log all of the IP addresses their customers connect to. What could really be gained, in terms of privacy, by using 1.1.1.1 or any other DNS service?

    NR

  77. run your own recursor by cmaurand · · Score: 1

    I run my own recursor that points to the roots. pdns-recursor on linux. even in a vm is superior to any other solution I've tried.

  78. Re:This DNS stops ISPs from knowing sites you visi by Anonymous Coward · · Score: 0

    First time noticed DNS over HTTPS come across IETF announce I immediately assumed they want browsers to bypass our DNS filters and shared caches while creating brand new tracking opportunities.

    Of course they want the browser to control it. How else are they going to scrape the info before it's encrypted? If the user is using something like dnscrypt, Google won't have access to that data stream anymore. That makes Google has a sad.

  79. It's most secure to use your ISPs DNS by Anonymous Coward · · Score: 0

    If you use third-party DNS then two people know.

  80. Re: Too bad Cisco uses this for a virtual IP in so by Anonymous Coward · · Score: 0

    Cisco 2504 Wireless Controller uses 1.1.1.1 as a login page for certain types of wifi authentication, usually set up for guests.

  81. Re: Too bad Cisco uses this for a virtual IP in so by Anonymous Coward · · Score: 0

    so Gandalf became Magneto?

  82. Re: Too bad Cisco uses this for a virtual IP in so by LynnwoodRooster · · Score: 1

    Yes - the Red Wizard!

    --
    Browsing at +1 - no ACs, I ignore their posts. So refreshing!