1.1.1.1: Cloudflare's New DNS Attracting 'Gigabits Per Second' of Rubbish

An anonymous reader quotes a report from ZDNet: Cloudflare's new speed and privacy enhancing domain name system (DNS) servers, launched on Sunday, are also part of an experiment being conducted in partnership with the Asia Pacific Network Information Center (APNIC). The experiment aims to understand how DNS can be improved in terms of performance, security, and privacy. "We are now critically reliant on the integrity of the DNS, yet the details of the way it operates still remains largely opaque," wrote APNIC's chief scientist Geoff Huston in a blog post. "We are aware that the DNS has been used to generate malicious denial of service attacks, and we are keen to understand if there are simple and widely deployable measures that can be taken to mitigate such attacks. The DNS relies on caching to operate efficiently and quickly, but we are still unsure as to how well caching actually performs. We are also unclear how much of the DNS is related to end user or application requirements for name resolution, and how much is related to the DNS chattering to itself."

The Cloudflare-APNIC experiment uses two IPv4 address ranges, 1.1.1/24 and 1.0.0/24, which have been reserved for research use. Cloudflare's new DNS uses two addresses within those ranges, 1.1.1.1 and 1.0.0.1. These address ranges were originally configured as "dark traffic addresses", and some years ago APNIC partnered with Google to analyze the unsolicited traffic directed at them. There was a lot of it. "Our initial work with it certainly showed it to be an unusually strong attractor for bad traffic. At the time we stopped doing it with Google, it was over 50 gigabits per second. Quite frankly, few folk can handle that much noise," Huston told ZDNet on Wednesday. By putting Cloudflare's DNS on these research addresses, APNIC gets to see the noise as well as the DNS traffic -- or at least "a certain factored amount" of it -- for research purposes.

Opaque?

[Viol8]

"yet the details of the way it operates still remains largely opaque"

Opaque to whom? Not to net admins and other people who understand DNS. If they're hoping Joe Schmoe will understand or care then they've got a long wait.

Re:Everybody gets what they want

If you are worried about this I would suggest you disconnect from the internet.

Re:Gigabits per second of rubbish? No shit.

Windoze (pun intended) doesn't have a built-in sleep command for batch files. What fun!

Re:Research

[arth1]

I would be very interested in following the research they are undertaking. Anyone know how/where this will be published?

And when the research will be completed, with the 1.1.1.1 and 1.0.0.1 addresses going back to IANA and no longer serving DNS? I bet that some people bought the hype and thought that these would be perpetual addresses, and not just a research run.

Re:Gigabits per second of rubbish? No shit.

I keep seeing people complaining about this breaking batch scripts that ping 1.1.1.1, but Cloudflare isn't responding to ICMP requests as far as I can tell. Just because an IP address is active, doesn't mean that it will respond to a ping.

Re:now also being slashdotted

[RobertNotBob]

... I hope it doesn't turn out to be a mistake that to have hired people who don't understand DNS...

Yeah, that stood out to me, too. ... How can you hire a "Chief Scientist" who doesn't understand the basic mechanisms of the environment you're operating within?