Cloudflare launches a privacy-first DNS at 1.1.1.1

Which Domain Name System (DNS) provider are you using, gerbils? Most folks rely on the DNS resolver offered by their internet provider, although some savvy folks use Google's public DNS or perhaps OpenDNS. A new option from Cloudflare appeared on the public DNS landscape yesterday, and it's simply named after its IPv4 address: 1.1.1.1.

Cloudflare promises that the new service will be both the fastest public DNS and the most secure. A DNS resolver is a very easy place for a provider to track and manipulate users' traffic, since every domain a user visits is looked up there first. According to Cloudflare, this idea came about after the US federal government discarded rules restricting ISPs from selling users' browsing data. The company says that its DNS service discards all logs after 24 hours. With that little retention, Cloudflare would have a much harder time building the kind of detailed profile that third parties might be interested in.

Furthermore, DNS services have been used for some time now to manipulate users' traffic. Users have been redirected to sites they didn't intend to visit for commercial reasons, and DNS has been used for censorship, too. As an example, Cloudflare points out how the government of Turkey ordered the country's ISPs to block the entirety of Twitter in 2014. Since Turkey doesn't operate a China-style Great Firewall, users could get back to tweeting by changing DNS providers.

The 1.1.1.1 address (along with the service's backup address, 1.0.0.1) was owned by APNIC, the regional internet registry for the Asia-Pacific region. Thanks to their simplicity, the addresses were apparently being continually overwhelmed by nonsense traffic. Cloudflare discussed its goal of setting up a public, high-speed DNS with APNIC and was offered the use of the addresses. Cloudflare isn't being 100% altruistic; the company also gets the chance to analyze and interpret the garbage data. Still, that seems a generous exchange considering what's on offer to the public.

The decision to launch the new service on April Fool's Day is a curious one. Cloudflare says that since 1.1.1.1 has four 1s, it was an obvious choice. Given the date, most people naturally thought it was a joke, though it's clearly not. The company did indeed launch a new privacy-focused, high-speed public DNS on a Sunday that happened to be April Fool's Day, Easter, and smack in the middle of Passover.

If you're keen to try Cloudflare's new DNS for yourself, you can do it right now. The site at https://1.1.1.1/ has explicit instructions on how to set up the service for Windows devices, Apple machines running macOS or iOS, Linux and Android devices, and even a vague set of steps for setting up routers. Users shouldn't expect a dramatic change in performance, but they might rest easier knowing that their ISPs could have a harder time tracking their presence on the web.

Comments closed
    • Vaughn
    • 1 year ago

    Does Cloudflare DNS support DNSSEC?

    • psuedonymous
    • 1 year ago

    On the one hand, an ISP gets to see all the packets that they pass to you, but cannot snoop inside any secure connections (unless you do something silly like installing a cert self-signed by them). On the other hand, Cloudflare are hosting a large portion of websites (but not all), so have the capability to snoop inside even secure connections if that site is hosted by them.

    • swaaye
    • 1 year ago

    Unless they have DNSCrypt as an option, does it really do anything to prevent the ISP from knowing domains? DNSCrypt seems like the way to go. It doesn’t get much press though.

      • khands
      • 1 year ago

      It supports DNS over TLS which is better IMO but still being adopted by a number of browsers, etc. If your router supports it I highly recommend it.

    • not@home
    • 1 year ago

    I do not work in IT, so I have a question. I switched my router over to use this DNS. How do I test to see if it is using 1.1.1.1 vs using my ISP? I tried tracert, and I did not see 1.1.1.1 in it at all.

      • DancinJack
      • 1 year ago

      ipconfig/all

        • moose17145
        • 1 year ago

        That may not work. He said he switched his router over, not his PC. Although if your PC is set up to grab its DNS from the router automatically, then that should work. You could also take a tcpdump and analyze it in Wireshark to see where your PC is sending the DNS packets.

          • DancinJack
          • 1 year ago

          It’ll still tell him what his PC’s DNS servers are currently set to.

            • Leader952
            • 1 year ago

            Which will be useless since it will only show that the PC’s are using the DNS server in the router.

            I too switched my router to 1.1.1.1 and ipconfig /all shows: DNS Servers 192.168.123.254 which is my router.

            The reason to set the DNS server in the router is that all of your devices will then use the settings there.

      • davidbowser
      • 1 year ago

      If you switched the DNS settings at your router, you need to make sure it was also for the DHCP settings (what gets automatically set on all the devices inside the router). You can check it on Windows by using the command DancinJack mentions (at a DOS prompt).

      EDIT – clarity

    • Neutronbeam
    • 1 year ago

    Was using OpenDNS on a paid basis, switched to Google for free and now another option….hmmm, what to do, what to do?

      • the
      • 1 year ago

      No reason why you can’t utilize more than one DNS provider, at least in a failover fashion. Most configurations are set in a primary/secondary fashion so one would obviously be used far more often than another. It would be interesting to find some means of configuration that would rotate DNS entries as primary so that request traffic is evenly distributed.

        • TwistedKestrel
        • 1 year ago

        That is 100% possible on Linux… but it’s been long enough that I don’t remember the specifics.

        Edit: see “rotate” option for resolv.conf for one example… I’m pretty sure there are other ways

    • colinstu12
    • 1 year ago

    How does this compare to Quad9 (9.9.9.9)?

    I switched (and many others) to them a few months ago due to their privacy & security promises.
    I wonder how that compares to cloudflare’s new offering?

    I previously used OpenDNS before, and Google’s DNS before that.

      • prb123
      • 1 year ago

      Looks pretty good from this test:
      https://medium.com/@nykolas.z/dns-resolvers-performance-compared-cloudflare-x-google-x-quad9-x-opendns-149e803734e5

      • juzz86
      • 1 year ago

      We were using Google, then Quad9 at home (Australia). Switched to 1.1.1.1 a couple of days ago.

      Subjectively, Google was always quickest – page loads weren’t waterfalls, it took a second or two and the whole she-bang loaded at once unless the page was heavy. But you know they’re not providing a free DNS out of the goodness of their heart. Quad9 was very slow for us. Waterfall loading and seconds behind on my usual bevy of sites (I don’t do much internetting outside my favourites or Shortbread links here).

      Wrong part of the world, I think – if they do what they say they do and it’s quicker elsewhere, I think it’d be a good service.

      So far, 1.1.1.1 seems a winner – definitely in load times at least.

    • hei
    • 1 year ago

    I’m quite confused. So my ISP won’t know when I lookup a domain’s ip address. Great. Someone else will instead. Fine.

    But the vast vast vast vast majority of my traffic ain’t through my DNS requests. So my ISP will still know every single ip address that I visit — which is all of them.

    For a quick moment, we’ll assume that my ISP doesn’t know which domains I visit. They’ll still know which ip addresses I’m visiting. For most of the sites that anyone would care about, that’s a simple reverse-lookup to a dedicated ip/domain.

    Ok, that quick moment is over. Given that virtually every web-site has a logo on the home page, and given that each one is different in size, that logo would easily act as a fingerprint for the sites sharing an ip address. So would a dozen other statistical factors, like page generation times, number of connections, et cetera.

    And of course, this is assuming all good https, and the very same https.

      • cmrcmk
      • 1 year ago

      Unless you’re running an always-on VPN (https://arstechnica.com/gadgets/2017/05/how-to-build-your-own-vpn-if-youre-rightfully-wary-of-commercial-options/). You're right that this doesn't hide your traffic from your ISP, it just removes one of the easiest ways they might profile your traffic for resale. If you're more paranoid, you definitely have to go further.

    • meerkt
    • 1 year ago

    I’d be more worried about Google or Cloudflare tracking my DNS lookups rather than my ISP.

      • tacitust
      • 1 year ago

      Yeah, because US ISPs have never been known to keep logs on user activity or engage in deep packet inspection…

      I doubt the vast majority of people in non-despotic nations have much to worry about any of these DNS providers, but if you’re engaged in any activity that might make you the target of the local or national authorities (e.g. reporting on local police or corporate corruption), then you’d be much better off having your DNS logs deleted after 24 hours.

        • meerkt
        • 1 year ago

        I don’t think Google provides DNS servers out of generosity.
        They’re not Facebook, but the general idea is not all that different.

      • tay
      • 1 year ago

      Google yes. Cloudflare? Maybe for their own business uses, which is fine by me.

    • chuckula
    • 1 year ago

    For Linux friends, here’s a handy guide on setting up resolv.conf under Arch Linux that can probably translate to other distros too: https://wiki.archlinux.org/index.php/Resolv.conf In particular, note the section on manually setting the DNS even if you are using DHCP, which tends to wipe out manual DNS settings unless you take the correct configuration steps. FYI, Cloudflare is already listed as an option on that page.

      • tay
      • 1 year ago

      Thanks Chuck, very handy to have. Interesting to note that there are 4 different ways of doing this 🙂

        • chuckula
        • 1 year ago

        It’s Linux! I’m surprised there are only four options!
