Cloudflare introduces 1.1.1.1 DNS Resolver

I've just added those (1.1.1.1 and 1.0.0.1) to my unbound forwarder pool yesterday. :)

While testing with people on IRC (they were from France and Belgium, IIRC), for some reason 1.0.0.1 was considerably faster than 1.1.1.1. :-/

EDIT: it seems they also support "DNS Over TLS" on port 853.
 
Been running this at home since it was announced by the company last week. I've been using Google DNS for about 8 years and thought I'd give another provider a go. Initially I was getting half the response speed of 8.8.8.8 and approx. 90% of the speed of Quad9, so I never really used that one.

So for me it's definitely an improvement; hopefully the speeds will remain as more people use the service.
 
I thought the FreeBSD gurus would stay away from the spy networks/infrastructure and programs, including their DNS servers. I would think the gurus would be pushing for OS projects like OpenNIC/DNSCrypt/DNS resolvers with no logging, etc.

Anyway, each user (or guru) is the judge of their Supreme Court (of computer(s)).
 
Lamia
  1. DNSCrypt is an OpenDNS thing (and barely supported anywhere, almost dead indeed), which not only logs you but also "manages" the DNS queries. Anyway, DNSCrypt brings ZERO advantage in privacy matters: it does not encrypt the queries (as the name would suggest) but does it in exactly the same way as all other DNS servers (except DNS over TLS) and can easily be sniffed (if the server actually does not log you)... DNSCrypt does the same as DNSSEC, but in a different way.
  2. Why do you think OpenNIC actually does not log you, when ANYONE can set up a DNS server and add it to the OpenNIC pool?
  3. Try to run your own DNS resolver without any forwarder, just querying the root servers. Unless you are very lucky, that will easily become unusable, most of the time just getting timeouts.
Cheers!
 
There are also the DNS servers from the CCC, which is what I use.
 
I use the AdGuard DNS servers, since they remove pretty much all crap and it is easier when we only have one computer in the house and we all mostly use tablets or phones for internet usage.
 
Lamia
Try to run your own DNS resolver without any forwarder, just querying the root servers. Unless you are very lucky, that will easily become unusable, most of the time just getting timeouts.
Cheers!

For our servers (doing shared hosting) we set up 2 resolvers for caching. If the query is not cached, it is forwarded to Cloudflare DNS. This is the fastest setup I can think of, as our servers have less than 0.2 ms latency to our resolvers and 5 ms latency to Cloudflare DNS.

I don't think it's a privacy issue even if Cloudflare logs and keeps the logs for a long time, as they don't know the site from which the request is made (we host thousands of sites).
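Added example, not from either post: an unbound.conf fragment for a caching resolver that forwards everything it has not cached to Cloudflare, but over DNS over TLS on port 853 as noted in the EDIT earlier in the thread, rather than over plain UDP/53 as in the shared-hosting setup above. The certificate-bundle path assumes FreeBSD with security/ca_root_nss installed, and `cloudflare-dns.com` is the hostname Cloudflare's certificate is issued for; neither appears in the thread. The directives as written need unbound 1.8 or newer.

```conf
server:
    # Validate the forwarder's TLS certificate against the system CA bundle.
    # Path assumed for FreeBSD with security/ca_root_nss installed.
    tls-cert-bundle: "/usr/local/share/certs/ca-root-nss.crt"

forward-zone:
    name: "."
    # Talk to the forwarders over TLS on port 853 instead of plain DNS on 53.
    forward-tls-upstream: yes
    # "#name" after the address is the hostname unbound checks the certificate
    # against; without it the session is encrypted but the peer is not verified.
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
```

Run `unbound-checkconf` after editing and restart the service. Leaving off the `#cloudflare-dns.com` suffix is the common mistake: unbound still encrypts, but it will accept any certificate, so an on-path attacker can impersonate the forwarder. Older unbound releases spell these directives with `ssl` instead of `tls` and lack the `#authname` syntax altogether.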
 
  1. ...
  2. ...
  3. Try to run your own DNS resolver without any forwarder, just querying the root servers. Unless you are very lucky, that will easily become unusable, most of the time just getting timeouts.
On my home server I have had local_unbound running as a recursive caching resolver without forwarding for some years now. I must be very lucky, since it works perfectly in São Bernardo do Campo in Brazil. This one serves 10 clients at home. When I was travelling more all over the world (between 2004 and 2009), I activated named as a personal recursive resolver on my Mac PowerBook G4 and later on my MacBook Pro, exactly for privacy reasons, and it simply worked from anywhere.

PS: A cause for timeouts may be outdated root zones. For this reason I let a cron job update the root zones once per month by executing the following script:
Code:
#!/bin/sh
## Updating the root zones
/usr/bin/fetch -o /tmp/root-hints.zones "ftp://ftp.internic.net/domain/named.cache" \
  && /bin/mv /tmp/root-hints.zones /var/unbound/root-hints.zones \
  && /usr/sbin/service local_unbound restart
 
obsigna

You can set unbound to download the root.hints itself, and it does so about every couple of hours (IIRC). I am using it that way here.

About the slowness: I had a talk on IRC some time ago about that, and most people in there experienced the same problem as me. I would guess just 1 out of 10 had it working fast using root servers only.

Btw, I switched to 'TIM Live' (working pretty well); I must try a root-servers-only configuration again.

rorgoroth

If you use your own unbound/named instance you could use obsigna's dns/void-zones-tools or dns/dns2blackhole to do that cleansing.

Crivens

UncensoredDNS (former Censurfridns) is a good one too, and SecureDNS also seems good.

EDIT: Oh, and the funny IBM 9.9.9.9. LoL

Another one with built-in malware blocking is Quad9.
 

The auto-trust-anchor file is not the root-hints file. These are two different animals. The first one serves DNSSEC, and the second one tells unbound the IP addresses and names of the DNS servers responsible for the root zones. In case the root hints file is outdated, unbound may time out when trying to recursively resolve domain names, since the root hints would inform wrong IP(s).
 
The auto-trust-anchor file is not the root-hints file. These are two different animals. The first one serves DNSSEC, and the second one tells unbound the IP addresses and names of the DNS servers responsible for the root zones. In case the root hints file is outdated, unbound may time out when trying to recursively resolve domain names, since the root hints informed non-existent IP(s).

Oh, you are right, I really got confused here, and while reviewing my installation I found I actually have this in cron:

@weekly curl -o /usr/local/etc/unbound/root.hints https://www.internic.net/domain/named.cache

Thanks!
 
... I actually have this in cron:
@weekly curl -o /usr/local/etc/unbound/root.hints https://www.internic.net/domain/named.cache
Thanks!

Don't forget to restart unbound. I also recommend first downloading the file to a temporary location, then checking it for consistency, and finally moving it to the working location. How about:
Code:
#!/bin/sh
## Updating the root zones
## Fetch the root hints plus InterNIC's MD5 and PGP signature into /tmp,
## verify both, and only then move the file into place and restart unbound.
rm -f /tmp/root-hints.md5 /tmp/root-hints.sig /tmp/root-hints.zones
/usr/bin/fetch -o /tmp/root-hints.md5   "https://www.internic.net/domain/named.cache.md5"
/usr/bin/fetch -o /tmp/root-hints.sig   "https://www.internic.net/domain/named.cache.sig"
/usr/bin/fetch -o /tmp/root-hints.zones "https://www.internic.net/domain/named.cache"
if [ -f /tmp/root-hints.md5 ] && [ -f /tmp/root-hints.zones ]; then
   author_md5=$(/bin/cat /tmp/root-hints.md5)
   actual_md5=$(/sbin/md5 -q /tmp/root-hints.zones)
   ## POSIX test(1) compares strings with a single '='
   if [ "$author_md5" = "$actual_md5" ]; then
      gpgmsg=$(/usr/local/bin/gpg --verify /tmp/root-hints.sig /tmp/root-hints.zones 2>&1)
      if [ $? -ne 0 ]; then
         ## Signing key not in the keyring yet: take the key ID from gpg's
         ## "using DSA key ..." / "using RSA key ..." line, fetch it, verify again.
         ## Caveat: a key pulled blindly from a keyserver only proves the file
         ## matches *some* key; pin the expected key ID for a real guarantee.
         keyid=$(echo "$gpgmsg" | /usr/bin/sed -n '/gpg:.*using [A-Z]* key /{s///;s/^ID //;s/ .*//;p;}')
         /usr/local/bin/gpg --keyserver pgp.mit.edu --recv-key "$keyid" > /dev/null 2>&1
         rc=$?
         ## Save the status first: after a [ ... ] test, $? is the test's result
         if [ $rc -ne 0 ]; then
            exit $rc
         fi
         ## Redirect output to /dev/null (not pass it as an argument to gpg)
         /usr/local/bin/gpg --verify /tmp/root-hints.sig /tmp/root-hints.zones > /dev/null 2>&1
         rc=$?
         if [ $rc -ne 0 ]; then
            exit $rc
         fi
      fi
      /bin/mv /tmp/root-hints.zones /var/unbound/root-hints.zones && /usr/sbin/service local_unbound restart
   fi
fi
rm -f /tmp/root-hints.md5 /tmp/root-hints.sig /tmp/root-hints.zones
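Added example, not part of the post above: a structural sanity check to run on the freshly fetched file before the `mv`, complementing the checksum and signature tests, which say nothing about whether the content is a usable hints file. It parses the named.cache layout (NAME TTL TYPE RDATA, `;` comments) and refuses a file that lists fewer than 13 NS records for the root or lacks A/AAAA glue for any of them, the situation that leaves unbound pointing at wrong or missing addresses. `install_root_hints` then only replaces the working copy when the content actually changed, so the restart can be skipped otherwise. The sample file it builds uses made-up server names under `root-servers.example` and documentation addresses; it is constructed for the demonstration and is not real root zone data.

```sh
#!/bin/sh
# Added example: sanity-check a root hints file (named.cache format) before
# installing it. Not code from the thread.

# check_root_hints FILE [MIN_NS]
# Returns 0 only if FILE lists at least MIN_NS (default 13) NS records for "."
# and carries both A and AAAA glue for every listed name server.
check_root_hints() {
    hints=$1
    min_ns=${2:-13}
    [ -s "$hints" ] || { echo "root hints: missing or empty: $hints" >&2; return 1; }

    # Field layout: NAME TTL TYPE RDATA; a leading ';' marks a comment line.
    ns_names=$(awk '$1 !~ /^;/ && $1 == "." && $3 == "NS" { print tolower($4) }' "$hints")
    ns_count=$(printf '%s\n' "$ns_names" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$ns_count" -lt "$min_ns" ]; then
        echo "root hints: only $ns_count NS records for '.' (expected >= $min_ns)" >&2
        return 1
    fi

    # Every root server named above must have A and AAAA glue in the same file.
    for ns in $ns_names; do
        awk -v n="$ns" '
            $1 !~ /^;/ && tolower($1) == n && $3 == "A"    { a = 1 }
            $1 !~ /^;/ && tolower($1) == n && $3 == "AAAA" { q = 1 }
            END { exit !(a && q) }' "$hints" ||
            { echo "root hints: missing A/AAAA glue for $ns" >&2; return 1; }
    done
    return 0
}

# install_root_hints SRC DST
# Moves SRC over DST only if SRC passes the check and differs from DST.
# Returns 0 when installed (restart the resolver), 2 when DST already
# matches (nothing to do), 1 when the check failed.
install_root_hints() {
    src=$1
    dst=$2
    check_root_hints "$src" || return 1
    if [ -f "$dst" ] && cmp -s "$src" "$dst"; then
        return 2
    fi
    mv "$src" "$dst"
}

# make_sample_hints FILE [SKIP_AAAA_FOR]
# Writes a constructed hints file with 13 servers (not the real root servers),
# using documentation addresses from 192.0.2.0/24 and 2001:db8::/32. Pass a
# letter a..m to leave out that server's AAAA glue and simulate a damaged file.
make_sample_hints() {
    out=$1
    skip=$2
    n=0
    : > "$out"
    echo ';  constructed sample, not the real root hints' >> "$out"
    for l in a b c d e f g h i j k l m; do
        n=$((n + 1))
        name="$l.root-servers.example."
        printf '.\t3600000\tNS\t%s\n' "$name" >> "$out"
        printf '%s\t3600000\tA\t192.0.2.%d\n' "$name" "$n" >> "$out"
        [ "$l" = "$skip" ] ||
            printf '%s\t3600000\tAAAA\t2001:db8::%d\n' "$name" "$n" >> "$out"
    done
}
```

In the cron script above, `install_root_hints /tmp/root-hints.zones /var/unbound/root-hints.zones` would replace the bare `mv`; restart the service only when it returns 0. The 13-server minimum is deliberately a floor rather than an exact match, so a future addition to the root server set does not break the check.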
 
obsigna

Do you know if unbound-control reload also reloads the root.hints?

Nothing new, but it seems to be a good read (I haven't read it yet, just took a quick look).
 

Attachments

  • dns-sinkhole-33523.pdf
    1.3 MB