# Cloudflare introduces 1.1.1.1 DNS Resolver



## drhowarddrfine (Apr 2, 2018)

https://1.1.1.1/

I've tried it and web pages subjectively seem to be faster, but running a ping to that does not seem to make a difference. I have done no other tests; however, there is this article about a test


----------



## rigoletto@ (Apr 3, 2018)

I've just added those (1.1.1.1 and 1.0.0.1) to my unbound forwarder pool yesterday.

While testing with people on IRC, who were from France and Belgium (IIRC), for some reason 1.0.0.1 was considerably faster than 1.1.1.1.

EDIT: it seems they also support "DNS Over TLS" on port 853.


----------



## ugly-051 (Apr 8, 2018)

Been running this at home since it was announced by the company last week. I've been using Google DNS for about 8 years and thought I'd give another provider a go. Initially I was getting half the response speed of 8.8.8.8 and approx 90% of the speed of Quad9, so I never really used that one.

So for me it's definitely an improvement; hopefully the speeds will remain as more people use the service.


----------



## Sensucht94 (Apr 8, 2018)

lebarondemerde said:


> EDIT: it seems they also support "DNS Over TLS" on port 853.



That's quite cool, I'd never heard of such a protocol, I assume it's TCP then?


----------



## fernandel (Apr 10, 2018)

I've tried it too but IMO it is not faster than OpenDNS, which I have used for many years.


----------



## PMc (Apr 11, 2018)

Hm... why would this shop want to gather DNS traffic?


----------



## fernandel (Apr 13, 2018)

Sensucht94 said:


> That's quite cool, I'd never heard of such a protocol, I assume it's TCP then?


As I read, there is no web browser which supports DNS over HTTP. The Firefox nightly build, or whatever its name is, now has "network.trr.mode".


----------



## rigoletto@ (Apr 14, 2018)

You can set up unbound with `forward-zone:` to them (DNS over HTTP servers) and then use your unbound instance as your DNS server normally.


----------



## Lamia (Apr 14, 2018)

I thought the FreeBSD gurus would stay away from the spy networks/infrastructure and programs - including  their DNS Servers. I would think the gurus would be pushing for OS projects like the Opennic/DNSCrypt/DNS Resolvers with no logging/etc.

Anyway, each user (or guru) is the judge of their Supreme Court (of computer(s)).


----------



## rigoletto@ (Apr 14, 2018)

Lamia

DNSCrypt is an OpenDNS thing (and barely supported anywhere, almost dead indeed), which not only logs you but also "manages" the DNS queries. Anyway, DNSCrypt brings *ZERO* advantage in privacy matters; it does not encrypt the queries (as the name suggests) but does it in exactly the same way as all other DNS servers (except DNS Over TLS) and can easily be sniffed (if the server *actually* does not log you)... DNSCrypt does the same as DNSSEC but in a different way.
Why do you think OpenNIC actually does not log you when *ANYONE* can set up a DNS server and add it to the OpenNIC pool?
Try to run your own DNS resolver without any forwarder, just querying the root servers. Unless you are very lucky that will easily become unusable, most of the time just getting time outs.
Cheers!


----------



## Crivens (Apr 14, 2018)

There is also the DNS servers from the CCC, that is what I use.


----------



## rorgoroth (Apr 14, 2018)

I use the adguard dns servers since they remove pretty much all the crap, and it is easier when we only have one computer in the house and we all mostly use tablets or phones for internet usage.


----------



## CyberCr33p (Apr 14, 2018)

lebarondemerde said:


> Lamia
> try to run your own DNS resolver without any forwarder, just querying the root servers. Unless you are very lucky that will easily become unusable, most of the time just getting time outs.
> Cheers!



For our servers (doing shared hosting) we set up 2 resolvers for caching. If the query is not cached it is forwarded to Cloudflare DNS. This is the fastest setup I can think of, as our servers have less than 0.2 ms latency from our resolvers and 5 ms latency from Cloudflare DNS.

I don't think it's a privacy issue even if Cloudflare logs and keeps the logs for a long time, as they don't know the site from which the request is made (we host thousands of sites).


----------



## obsigna (Apr 14, 2018)

lebarondemerde said:


> ...
> ...
> try to run your own DNS resolver without any forwarder, just querying the root servers. Unless you are very lucky that will easily become unusable, most of the time just getting time outs.


On my home server I have had local_unbound running as a recursive caching resolver without forwarding for some years now. I must be very lucky, since it works perfectly in São Bernardo do Campo in Brazil. This one serves 10 clients at home. When I was travelling more all over the world (between 2004 and 2009), I activated named as a personal recursive resolver on my Mac PowerBook G4 and later on my MacBook Pro exactly for privacy reasons, and it simply worked from anywhere.

PS: A cause for time outs may be outdated root zones. For this reason I let a cron job update the root zones once per month by executing the following script:

```
#!/bin/sh
## Updating the root zones
/usr/bin/fetch -o /tmp/root-hints.zones "ftp://ftp.internic.net/domain/named.cache" \
  && /bin/mv /tmp/root-hints.zones /var/unbound/root-hints.zones \
  && /usr/sbin/service local_unbound restart
```


----------



## rigoletto@ (Apr 14, 2018)

obsigna

You can set unbound to download the root.hints itself, and it does that about every couple of hours (IIRC). I am using it in this way here.

About the slowness, I had a talk on IRC some time ago about that and most people there experienced the same problem as me. I would guess just 1 out of 10 had it working fast using root servers only.

Btw, I switched to 'TIM Live' (working pretty well); I must try a root-servers-only configuration again.

rorgoroth

If you use your own unbound/named instance you could use obsigna's dns/void-zones-tools or dns/dns2blackhole to do that cleansing.

Crivens

UncensoredDNS (former Censurfridns) is a good one too, and SecureDNS also seems good.

EDIT: Oh, and the funny IBM 9.9.9.9. LoL

Another one with built-in malware blocking is Quad9.


----------



## Eric A. Borisch (Apr 14, 2018)

lebarondemerde said:


> You can setup unbound with `forward-zone:` to them (DNS over HTTP servers) and then use your unbound instance as your DNS server normally.



Do you have an example of this?
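An added unbound forwarding configuration, written for this page and not taken from the thread, from the Calomel page or from Cloudflare's documentation: it forwards every query to 1.1.1.1 and 1.0.0.1 over DNS over TLS on port 853, the port mentioned earlier in the thread. The config file path and the CA bundle path are assumptions for an unbound installed from the FreeBSD port; the `#cloudflare-dns.com` suffix is the name unbound checks against the upstream certificate.

```conf
# Assumed path: /usr/local/etc/unbound/unbound.conf (example, not from the thread)
server:
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow

    # CA bundle used to authenticate the upstream TLS certificate. Without it
    # unbound still encrypts the session but cannot verify who it talks to.
    # Assumed path; on FreeBSD this file comes from the security/ca_root_nss port.
    tls-cert-bundle: "/usr/local/share/certs/ca-root-nss.crt"

    # DNSSEC trust anchor, so forwarded answers are still validated locally
    auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"

forward-zone:
    # "." forwards everything; use a specific zone name to forward only part of the tree
    name: "."
    # use TLS to the forwarders instead of plain UDP/TCP port 53
    forward-tls-upstream: yes
    # @853 selects the DNS over TLS port, '#name' is the certificate name to verify
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
```

Run `unbound-checkconf` before restarting the service; if it complains about `forward-tls-upstream` or the `#name` suffix, the installed unbound predates those options and only the unauthenticated `forward-addr: 1.1.1.1@853` form with the older `ssl-upstream: yes` is available. Keeping `auto-trust-anchor-file` set means a forwarder returning tampered data for a signed zone is rejected rather than cached.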


----------



## Eric A. Borisch (Apr 14, 2018)

lebarondemerde said:


> EDIT: Oh, and the funny IBM 9.9.9.9. LoL
> 
> Another one with built-in malware blocking is Quad9.



Quad9 == 9.9.9.9, fwiw.


----------



## rigoletto@ (Apr 14, 2018)

Eric A. Borisch

Calomel.org have one. 

fernandel and my own words:  "DNS over HTTPS" != "DNS over TLS".


----------



## Eric A. Borisch (Apr 14, 2018)

lebarondemerde said:


> Eric A. Borisch
> 
> Calomel.org have one.
> 
> fernandel and my own words:  "DNS over HTTPS" != "DNS over TLS".



I've looked at that one, and it appears to be DNS over TLS (port 853), not DNS over HTTPS.


----------



## obsigna (Apr 14, 2018)

lebarondemerde said:


> obsigna You can set unbound to download the root.hints itself and it does about a couple of hours (IIRC). I am using it in here in this way. ...


I cannot find this facility, and I searched unbound.conf(5) and the internet.


----------



## rigoletto@ (Apr 14, 2018)

obsigna

`auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"`

Just be aware that if unbound tries to update the file and at that specific moment there is no connection, the daemon usually breaks. It is a good idea to use some service supervisor utility like sysutils/fsc.


----------



## obsigna (Apr 14, 2018)

lebarondemerde said:


> auto-trust-anchor-file: "/usr/local/etc/unbound/root.key" ...



The auto-trust-anchor file is not the root-hints file. These are two different animals. The first one serves for DNSSEC and the second one tells unbound the IP addresses and names of the DNS servers responsible for the root zones. In case the root hints file is outdated, unbound may time out when trying to recursively resolve domain names, since the root hints would inform wrong IP(s).
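To make the distinction concrete, here is an added configuration (not from the thread or the unbound project) for the recursive, no-forwarder setup discussed above, with both files present and their roles commented. The paths are assumptions for the FreeBSD base local_unbound layout under /var/unbound; the root-hints file name is the one used in the thread's scripts.

```conf
# Assumed path: /var/unbound/unbound.conf (example, not from the thread)
server:
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow

    # Root hints: names and addresses of the root servers where every
    # recursion starts. No key material in here; if it is stale, queries
    # can time out because unbound asks addresses that no longer answer.
    root-hints: "/var/unbound/root-hints.zones"

    # Trust anchor: the root zone's DNSSEC key. Unbound maintains this file
    # itself (RFC 5011 rollover tracking), so the daemon needs write access
    # to it. It has nothing to do with where the root servers are.
    auto-trust-anchor-file: "/var/unbound/root.key"

    # Default module chain, spelled out: the validator checks signatures
    # against the anchor above, the iterator does the actual recursion.
    module-config: "validator iterator"

    # Treat answers without expected DNSSEC data as bogus instead of trusting them
    harden-dnssec-stripped: yes
```

The root-hints file is refreshed by the cron jobs shown elsewhere in this thread; the trust anchor is created once with unbound-anchor(8) and then left to unbound. Replacing one with the other, as happened a few posts up, is a common mix-up because both live next to each other and both are fetched from outside.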


----------



## rigoletto@ (Apr 14, 2018)

obsigna said:


> The auto-trust-anchor file is not the root-hints file. These are two different animals. The first one serves for DNSSEC and the second one tells unbound the IP addresses and names of the DNS server responsible for the root zones. In case the root hints file is outdated, unbound may time out when trying to recursively resolve domain name, since the root hints informed non-existent IP(s).



Oh, you are right, I really got confused here, and while reviewing my installation I found I actually have this in cron:

`@weekly curl -o /usr/local/etc/unbound/root.hints https://www.internic.net/domain/named.cache`

Thanks!


----------



## obsigna (Apr 15, 2018)

lebarondemerde said:


> ... I actually have this on cron:
> `@weekly curl -o /usr/local/etc/unbound/root.hints https://www.internic.net/domain/named.cache`
> Thanks!



Don't forget to restart unbound. I also recommend first downloading the file to a temporary location, then checking it for consistency and finally moving it to the working location. How about:

```
#!/bin/sh
## Updating the root zones: fetch the file, check it against the published
## MD5 and PGP signature, and only then install it and restart unbound.
rm -f /tmp/root-hints.md5 /tmp/root-hints.sig /tmp/root-hints.zones
/usr/bin/fetch -o /tmp/root-hints.md5   "https://www.internic.net/domain/named.cache.md5"
/usr/bin/fetch -o /tmp/root-hints.sig   "https://www.internic.net/domain/named.cache.sig"
/usr/bin/fetch -o /tmp/root-hints.zones "https://www.internic.net/domain/named.cache"
if [ -f /tmp/root-hints.md5 ] && [ -f /tmp/root-hints.zones ]; then
   author_md5=`/bin/cat /tmp/root-hints.md5`
   actual_md5=`/sbin/md5 -q /tmp/root-hints.zones`
   # POSIX test(1) compares strings with a single '='
   if [ "$author_md5" = "$actual_md5" ]; then
      gpgmsg=`/usr/local/bin/gpg --verify /tmp/root-hints.sig /tmp/root-hints.zones 2>&1`
      rc=$?
      if [ $rc -ne 0 ]; then
         # Verification failed, most likely because the signing key is not in
         # the keyring yet: take the key id from gpg's message, fetch the key
         # and verify again. Save the status in a variable, because '$?' right
         # after an 'if [ ... ]' is the status of the test, not of gpg.
         keyid=`echo "$gpgmsg" | /usr/bin/sed -n '/gpg:.*using DSA key /{s///;s/ .*//;p;}'`
         /usr/local/bin/gpg --keyserver pgp.mit.edu --recv-key "$keyid" > /dev/null 2>&1
         rc=$?
         if [ $rc -ne 0 ]; then
            exit $rc
         fi
         /usr/local/bin/gpg --verify /tmp/root-hints.sig /tmp/root-hints.zones > /dev/null 2>&1
         rc=$?
         if [ $rc -ne 0 ]; then
            exit $rc
         fi
      fi
      /bin/mv /tmp/root-hints.zones /var/unbound/root-hints.zones && /usr/sbin/service local_unbound restart
   fi
fi
rm -f /tmp/root-hints.md5 /tmp/root-hints.sig /tmp/root-hints.zones
```


----------



## rigoletto@ (Apr 15, 2018)

obsigna 

Do you know if `unbound-control reload` also reloads the root.hints?

Nothing new but it seems to be a good read (I haven't read it yet, just took a quick look).


----------



## obsigna (Apr 15, 2018)

lebarondemerde said:


> Do you know if `unbound-control reload` also do reload the root.hints?


I don't know; however, from reading unbound-control(1), I am inclined to believe that it does.


man unbound-control said:

> ...
> reload Reload the server. This flushes the cache and reads the configfile fresh.
> ...


Since we give the path to the root-hints in the config file, and this path may be subject to change, it would not make much sense to selectively keep the hints to the root zones and reload everything else. Anyway, believing is not the same as knowing.


----------



## PMc (Apr 16, 2018)

lebarondemerde said:


> Lamia
> 
> try to run your own DNS resolver without any forwarder, just querying the root servers. Unless you are very lucky that will easily become unusable, most of the time just getting time outs.



Who says so? I should have noticed, as I was running that for many years without problems. Then I switched to AXFR root, also without problems. But here it is about reliability, not about sparing a few milliseconds.


----------



## mefizto (Apr 17, 2018)

lebarondemerde said:


> try to run your own DNS resolver without any forwarder, just querying the root servers. Unless you are very lucky that will easily become unusable, most of the time just getting time outs.



Another lucky guy. ;-)


----------

