
1.1.1.1 for Families - jgrahamc
https://blog.cloudflare.com/introducing-1-1-1-1-for-families/
======
ddevault
This would have been better if it _was_ a joke. Big welcome to our new moral
police, now encoded in two bits of a vanity IP address! Not a word spared for
what kind of content is filtered, how they evaluate websites, any kind of
appeals process... they did manage to portray it as helping the COVID-19
pandemic relief, though.

Edit: I missed this text:

> In the coming months, we will provide the ability to define additional
> configuration settings for 1.1.1.1 for Families. This will include options
> to create specific whitelists and blacklists of certain sites. You will be
> able to set the times of the day when categories, such as social media, are
> blocked and get reports on your household's Internet usage.

Regardless, I am still opposed to this service, and opposed to all forms of
internet censorship and spyware. CloudFlare is already really bad for the
internet, and this isn't helping their case.

~~~
jasode
> Regardless, I am still opposed to this service, and opposed to all forms of
> internet censorship

I'm genuinely confused as to where your complaint is coming from. Isn't this
Cloudflare DNS server "opt in" for families? Why would _voluntary filters_ be
censorship? Censorship is more "top down" (e.g. government) that you can't opt
out of.

Likewise, I just "opted into" NextDNS a few days ago to block ads so I
didn't have to set up a Raspberry Pi-hole. Is NextDNS "censoring" ads? Well
yes, because that's what I want.

~~~
ddevault
A "family" is not a single entity. It's not voluntary for those who are being
blocked.

~~~
gcthomas
It is not voluntary for my children to leave their phones downstairs and go to
bed at a bedtime I picked myself, but I think that's OK.

It is entirely commonplace for a family to impose restrictions on its children
— anything less is neglect.

~~~
kick
If your children are young enough that they need a specific time to go to bed,
why did you give them phones in the first place? Surely they'd be too young
for them?

It also seems very strange to deem _not_ restricting information as neglect.
Why not just have a conversation about them as to why they shouldn't do
whatever you want them not to do? Advice doesn't breed distrust, but
censorship and other regulations do.

------
Symbiote

      $ host www.sex.com
      www.sex.com is an alias for dmz01.cdn.live.
      dmz01.cdn.live has address 15.222.131.21
      
      $ host www.sex.com 1.1.1.3
      Host www.sex.com not found: 5(REFUSED)
      
      $ host www.nothing 1.1.1.3
      Host www.nothing not found: 3(NXDOMAIN)
    

I hadn't noticed a DNS REFUSED response before. That seems reasonable,
although a web browser's error message doesn't differ between REFUSED and
NXDOMAIN.

~~~
andyjpb
The error may differ if the zone is signed with DNSSEC.

NXDOMAIN is a valid response that won't pass a signature verification.

REFUSED just means that DNS Server can't or won't provide a response at this
time.

~~~
psz
"Can't provide a response" should be SERVFAIL.
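
The response codes compared in this sub-thread can be told apart programmatically. The following is an added example, not part of the original thread: it parses raw DNS responses and separates REFUSED, NXDOMAIN and SERVFAIL from a NOERROR answer, and also flags an answer of 0.0.0.0 (a case reported further down the thread). The function names, the `.example` hostnames and the response packets are constructed for illustration.

```python
import socket
import struct


def encode_name(name):
    """Encode a hostname as length-prefixed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1
        if length == 0:             # root label terminates the name
            return off
        off += length


def parse_response(msg):
    """Return (rcode, [IPv4 addresses from A records]) for a raw DNS response."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:          # A record
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return flags & 0xF, addrs                  # RCODE is the low 4 bits


def classify(msg):
    """Map a response to the outcome a client or monitoring script cares about."""
    rcode, addrs = parse_response(msg)
    if rcode == 5:
        return "refused"      # what 1.1.1.3 returned for blocked names above
    if rcode == 3:
        return "nxdomain"     # the name does not exist
    if rcode == 2:
        return "servfail"     # the resolver could not complete the lookup
    if rcode != 0:
        return "other-error"
    if addrs and all(a == "0.0.0.0" for a in addrs):
        return "sinkholed"    # NOERROR, but an unroutable answer
    return "resolved" if addrs else "nodata"


def build_response(name, rcode, addrs=()):
    """Construct a sample response packet (test data, not captured traffic)."""
    flags = 0x8180 | rcode                     # QR=1, RD=1, RA=1
    msg = struct.pack("!6H", 0x1234, flags, 1, len(addrs), 0, 0)
    msg += encode_name(name) + struct.pack("!HH", 1, 1)
    for addr in addrs:                         # answer name points back at offset 12
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(addr)
    return msg


if __name__ == "__main__":
    samples = [                                # constructed inputs
        build_response("blocked.example", 5),
        build_response("missing.example", 3),
        build_response("bank.example", 0, ["0.0.0.0"]),
        build_response("ok.example", 0, ["192.0.2.10"]),
    ]
    for packet in samples:
        print(classify(packet))
```

A browser collapses most of these outcomes into one "site not found" page, so logging the classification at the stub or forwarding resolver is what lets an administrator tell a policy block from a typo or an outage.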

------
rshurts
While anyone technical can easily get around a DNS filter, it is a nice option
for helping prevent accidental exposure to pornography.

I'm looking forward to when the customization options are available as an
alternative/addition to OpenDNS. The morality police argument doesn't seem to
hold much water if they are going to let you whitelist or blacklist anything
you want or turn categories on or off.

~~~
tootie
I can imagine some impatient parents will start black listing Kidz Bop videos
or anything else that bothers them. It will also lead to some very creative
punishments. Like blocking online gaming.

~~~
411111111111111
some work without dns though!

battle.net comes to mind... that always connected, even if my provider's DNS
failed.

------
vowelless
My friends who grew up in the middle east: Remember how our ISPs used to block
"adult content". Did that stop anyone? It just led to repression and a black
market. On the bright side, circumventing those blocks as a kid got me
interested in computers in the first place.

Regardless, it is an interesting service. I would imagine that corporations,
who have the tech support and need, will find this more useful than
non-technical families.

Examples:

[https://www.vpn-accounts.com/blog/how-to-open-blocked-sites-...](https://www.vpn-accounts.com/blog/how-to-open-blocked-sites-in-saudi-arabia-2/)

[https://www.jakarta100bars.com/2019/10/porn-websites-blocked...](https://www.jakarta100bars.com/2019/10/porn-websites-blocked-dubai-uae-unblock.html)

~~~
thomascgalvin
> On the bright side, circumventing those blocks as a kid got me interested in
> computers in the first place.

Porn really is the driver of many technical innovations. Home movies and
online financial transactions, for example, wouldn't be where they are today
if people weren't so dedicated to watching other people smush.

------
pergadad
Adult content - is this

* Just porn
* Erotic content (eg lingerie shops)
* Any sexual content (eg Wikipedia article on anal sex)
* Or also e.g. medically relevant (sex ed, abortion provider sites, ...)
* Gore, violence, videos of people dying ...
* Information on or shops for drugs
* Content on terrorism, weapons, manuals to build bombs
* Content on Al Qaeda, Scientology and other extreme/dangerous religious stuff
* ...

?

~~~
ainiriand
Things that are not for kids. I think it is a broad category. What element is
not fitting there for you?

~~~
Symbiote
"Not for kids" varies widely in the western world.

The average American seems happy with plenty of violence, but any nudity at
all is strictly off-limits.

I can't write "average European" for this, but most would prefer less violence
and accept more nudity. There's still plenty of difference within Europe.

There are also websites that are for teenagers, which some parents would be
uncomfortable with -- LGBT support and advice sites for example, or even
general sex education.

~~~
stonogo
> I can't write "average European" for this,

You can't write "average American" for this, either.

~~~
Symbiote
The US has a common film rating system for all cinemas etc, which is at least
some standard the whole country is implicitly supporting.

Europe doesn't, and so a film can receive different ratings in each country.

The first film I found searching for a good example of this, _Eighth Grade_,
is rated suitable for children in Luxembourg, Spain, Sweden etc, and 15 year
olds in the UK and Ireland -- with the UK possibly more concerned with the
language than the sex.

The US rates the film R, so 17.

[https://www.imdb.com/title/tt7014006/parentalguide?ref_=tt_s...](https://www.imdb.com/title/tt7014006/parentalguide?ref_=tt_stry_pg#certification)

~~~
DanBC
Eighth Grade has a 15 rating in the UK.

Here's the BBFC (British Board of Film Classification) listing for it:
[https://bbfc.co.uk/releases/eighth-grade-2018](https://bbfc.co.uk/releases/eighth-grade-2018)

The ratings info says this:

> Language

> There is strong language ('f**k'), as well as milder terms (for example,
> 'dick', 'shit', 'goddamn', 'God', 'Jesus Christ').

> Sex

> There is a scene in which a web search shows a woman explaining a sexual
> technique, accompanied by strong sex references.

> There is also a scene in which a young teenage girl suffers a panic attack,
> as well as one in which an older teenage boy tries to pressurise a younger
> teenage girl into having sex; however, she does not agree to this.

I don't know enough about BBFC to say which of these they place more
importance upon.

(Eighth Grade is a very good film btw, and A24 are currently my favourite film
production / distribution company).

------
surround
It’s not a good idea to trust a single large organization with your data, even
if they make claims to privacy. It’s even worse to let them control what gets
censored and what gets through.

If you care about privacy, I recommend running your _own_ resolver with
Unbound, and block ads/tracking/malware/adult content etc. using Pi-Hole.

[https://nlnetlabs.nl/projects/unbound/about/](https://nlnetlabs.nl/projects/unbound/about/)

[https://pi-hole.net/](https://pi-hole.net/)

------
tinalumfoil
DNS isn't appropriate for filtering porn or ads. It's easy to get around and
not fine-grained enough. In fact, the largest porn site in the world is
unblocked.

    
    
        $ dig @1.1.1.3 reddit.com
        reddit.com. 298 IN A 151.101.65.140
    

And the largest advertising and tracking site.

    
    
        $ dig @1.1.1.3 pagead2.googlesyndication.com
        pagead2.googlesyndication.com. 262 IN CNAME pagead46.l.doubleclick.net.
        pagead46.l.doubleclick.net. 262 IN A 172.217.7.2

~~~
JorgeGT
Plus a lot of other family-friendly sites for the edification of your kids:

    
    
        $ host www.stormfront.org 1.1.1.3
        www.stormfront.org has address 104.22.6.143

~~~
qqssccfftt
Most HN users would prefer that site isn't blocked, so bad example.

------
yalogin
I have little kids and don’t want them to accidentally stumble onto malware or
porn sites. But I still don’t like this kind of policing happening at the DNS
layer. Even more so given their previous service became a huge success.

Btw I see some resemblance with google here. Initially they were all “do no
harm”. Only after they captured the whole market we realized we shouldn’t have
succumbed to free shit. These guys are following the same model. Give free
shit and get traffic, even though they lose money. They themselves claim they
only charge businesses not consumers.

~~~
rshurts
> I have little kids and don’t want them to accidentally stumble onto malware
> or porn sites. But I still don’t like this kind of policing happening at the
> DNS layer.

Where do you set up the filtering or accountability? With so many connected
devices in houses I've found DNS is the common denominator. It's perhaps the
easiest to circumvent, but it covers all the mobile devices, gaming consoles,
etc. that are connected to my home network.

My kids are too young to circumvent things, but if they start doing that I'll
be equal parts proud and preparing for a loving talk.

~~~
mgalgs
Right, and IMHO by the time they're old enough to start circumventing the
filters then they're old enough to see the content. It's a self-enforcing
gate. You're not mature enough to see the content until you're mature enough
to circumvent the filters :D

------
zuck9
YouTube says "Some results have been removed because Restricted Mode is
enabled by your network administrator." when I'm on the Family DNS. How does
this work? How can they know what DNS I'm using?

~~~
filleokus
Huh! Did some quick Googling:

> YouTube Restrict works by re-mapping YouTube IP addresses to the CNAME
> restrict.youtube.com (or restrictmoderate.youtube.com). It means that
> instead of visiting YouTube at their normal IP addresses, you will re-route
> the traffic to a special load balancer provided by Google that will block
> access to non children friendly videos.

I did not know about that

[https://cleanbrowsing.org/articles/block-youtube-comments-re...](https://cleanbrowsing.org/articles/block-youtube-comments-restricted-mode)

------
ryandvm
Sadly, the trend for browsers to bypass system-level DNS resolution in favor
of DNS-over-HTTPS means this kind of filtering is quickly becoming obsolete.

~~~
moviuro
There is a canary domain in Firefox to prevent it from switching to DoH:
[https://support.mozilla.org/en-US/kb/canary-domain-use-appli...](https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet)

~~~
warhorse10_9
You could also use a policy.json for Firefox to permanently disable it. I
don't see Firefox dropping this option as it is important for enterprise
users.

[https://github.com/mozilla/policy-templates](https://github.com/mozilla/policy-templates)

------
nreece
So '1.1.1.1 for Families' is actually 1.1.1.2 or 1.1.1.3. Bit confusing, for
non-tech-savvy families. Why not just call it 1.1.1.2 (viz version 2).

~~~
buzzerbetrayed
1.1.1.2 is no more confusing than 1.1.1.1 to someone who has no idea what dns
is. Both are completely meaningless.

~~~
anamexis
The confusing part is that the name of 1.1.1.2 is “1.1.1.1 for families.”

~~~
rrix2
Because 1.1.1.1 is a Brand to them

~~~
kempbellt
It's just an IP to me. I see OP's point. Thinking of your IP address as a brand
is confusing.

At least with a word like Apple, the capital "A" designates it as a proper
noun and can easily be recognized as a brand or company name in most cases.

------
stabbles
On Android you have to specify a hostname for DNS (a bit ironic), which is
1dot1dot1dot1.cloudflare-dns.com.

However, it does not seem 1dot1dot1dot3.cloudflare-dns.com works yet.

------
therealmarv
Stopped using Cloudflare's DNS some weeks ago. I got from time to time errors
(no page showing, forgot the exact error message) which never happened with
Google's DNS. FYI I'm using DoT (DNS over TLS) on the router exclusively and
I'm not living in USA.

~~~
jgrahamc
Did you report this to us? Would be interested to know why.

~~~
hmahncke
(I’m not the OP) My experience was that 1.1.1.1 didn’t interact well with
captive.apple.com so I had a lot of confusing experiences on planes and
airports, and eventually had to stop using it.

~~~
zackbloom
How long ago was that, if I can ask?

------
anilgulecha
If we get a 1.1.1.4 with all of easylist ad blocked.. that would be smashing!
Pi-hole for the internet.

------
gpvos
I read two pages before I realized this was obviously an April 1 joke. Then I
got to the "Not A Joke" section. What??? I don't think Cloudflare should be in
this business.

Also, how are they going to make this configurable like they write? Tie the
configuration to the IP address? What if someone has a shared or dynamic IP
address?

~~~
djrogers
> Also, how are they going to make this configurable like they write? Tie the
> configuration to the IP address? What if someone has a shared or dynamic IP
> address?

Likely the same way as opendns, nextdns, and a ton of other dns providers who
do the same. It's for home use - if it doesn't fit your home use case, then
use another filter.

~~~
gpvos
Thanks. Interesting, I had no idea this was so much of a thing already.

------
abakker
As a general response to negativity here (which seems to largely stem around
technical concerns over what is implemented and how), I think this is cool and
fine.

As a kid I would have figured out a way to get around this, and that would
have been part of the fun, but, this option adds more choice to the market and
that is a good thing.

------
drummer
Where can the public see, in real time, a complete list of exactly which
domains are blocked on those servers?

------
jawns
I'd love to hear the pros/cons of filtering adult content at the DNS resolver
level. I'm assuming the (current) lack of whitelists, along with a black-box
algorithm to decide what constitutes adult content, reduces the usefulness.

~~~
JdeBP
The pros are obvious. The cons, irrespective of _what_ is blocked, are very
similar to the problems with DNS hijacking that ISPs and others have done over
the years. It affects _all protocols_, not just HTTP(S). It affects
everything from turning IP addresses in logfiles into domain names, through
double-reverse-lookup checks in TCP services, to SMTP electronic mail.

Block _advertising_ this way, and one hits the further problem that one often
wants to operate based upon more than just the domain part of the URL. Or one
wants to do things like make temporary redirects to static placeholder images.
Fiddling with DNS service cannot achieve these.

* [http://jdebp.uk./FGA/verisign-internet-coup.html](http://jdebp.uk./FGA/verisign-internet-coup.html)

------
Corrado
I'm a network administrator for a small private school and this seems like it
would be a good solution for us. We generally try to keep the kids away from
the "bad" sites and their systems are mostly locked down (managed iPads and
Chromebooks).

In the past we used OpenDNS for DNS filtering and it worked pretty well. Then
they were purchased by Cisco and the prices went up and functionality went
down. If CloudFlare can offer some management capabilities (ie. whitelist /
blacklist) we would switch in a minute. I can't wait to see how this product
matures.

------
rudolph9
I was a little put off by this at first but can see why people want it and
happy they offer isolated malware filter (whatever that means, still
skeptical) and adult + malware filter.

------
andrewjf
I have unbound at my house providing normal DNS -> DoH to Cloudflare DNS.

I don't see any IPv6 endpoints published for the 1.1.1.2 and 1.1.1.3
equivalents, do they exist?

~~~
irtefa
You can see the IPv6 addresses here:
[https://developers.cloudflare.com/1.1.1.1/1.1.1.1-for-famili...](https://developers.cloudflare.com/1.1.1.1/1.1.1.1-for-families/)

For malware:

* 2606:4700:4700::1112

* 2606:4700:4700::1002

For malware and adult:

* 2606:4700:4700::1113

* 2606:4700:4700::1003

------
bedah
"No Advertisement and No Tracking" would be nice. Right now I keep Web
Advertisement low with a manually installed anti-advertisement hosts file.

~~~
specto
Check out nextdns (pi-hole like service)

------
bilal4hmed
any idea on what it means as malware?

~~~
whatshisface
Or "Adult Content?"

~~~
woofcat
Adult content I think would be an easier category to filter on. However I
would love it if they released the list of their blocked domains.

~~~
aidenn0
Adult content is notoriously hard to filter on since nobody can agree what
qualifies, and pretty much any site with user-generated content has content
that is objectionable to _someone_.

Do you filter Wikipedia as "adult content"? Certainly one of these[1] images
qualifies under most standards?

1: _NSFW_
[https://en.wikipedia.org/wiki/MediaWiki:Bad_image_list](https://en.wikipedia.org/wiki/MediaWiki:Bad_image_list)

~~~
rsync
I have never seen the wikipedia "bad image list" before - and I am confused
... after clicking on a few of these images, randomly, every single one (under
File Usage) reports:

No pages on the English Wikipedia use this file (pages on other projects are
not listed).

... so why do these images persist in the wikipedia ?

~~~
Symbiote
The fourth one on the list is used on the page "Phallus".

But I can't answer your question.

------
LeoPanthera
gaycenter.org, a New York LGBTQ community center, is blocked.

Stormfront is not.

So. That's pretty gross.

~~~
dpbriggs
I would be curious to learn more about how they classify websites.

I would imagine they automatically crawl and do some basic keyword matching,
so false positives are expected. Curious about stormfront though.

------
TheCapn
CIRA doing the same thing:

[https://www.cira.ca/earlyaccess](https://www.cira.ca/earlyaccess)

------
ChrisArchitect
ha, had to include a "this is not a joke" April Fool's disclaimer at bottom.
Why not just release it tomorrow?

~~~
Hamuko
Launching 1.1.1.1 stuff on April first has been kinda their marketing strategy
for the 4 x 1 factor.

------
vbezhenar
Filtering out ad websites would be more useful for me. I'm using
[https://pgl.yoyo.org/adservers/](https://pgl.yoyo.org/adservers/) with my own
DNS, but probably big website like Cloudflare could block even more ad
websites.

------
ehutch79
For everyone complaining about the porn filtering, that malware filtering will
actually be a godsend for companies.

Running an extra internal dns server just to do 'last chance' filtering is
extra maintenance i don't want to have to do. I'd much rather let cloudflare
do that.

------
vlkmn
1.1.1.2/1.0.0.2 & 1.1.1.3/1.0.0.3 DNS resolvers incorrectly resolve one of
India's largest banks' domain name "retail.onlinesbi.com" to 0.0.0.0

------
dzhiurgis
What other solutions are there for filtering content? My kid is very far from
getting any screen time but my imagination always was just block everything
except kids wiki and maybe some other sites (dunno yet at this point).

------
mantlepro
> Cloudflare's business has never involved selling user data or targeted
> advertising

The Cloudflare site calls googletagmanager.com, marketo.com, linkedin.com, and
bizible.com. Do any of these sell user data or support targeted advertising?

------
soheil
I think an all encompassing system like this as a sort of big government
watching every move we make for "our benefit". It's probably wiser to install
a _tiny_ software that blocks unwanted content that you can uninstall than to
give power to a giant entity monitoring every site you visit online.

Sure you can change your country at an individual level but why create a
problem in the first place.

------
nottorp
Hmm. Do they block information about breast cancer because kids shouldn't be
exposed to breasts?

------
tcd
I feel that transparency would be key, to understand what cloudflare considers
good/bad.

As we can see in this thread, there's _already_ been a mistaken block - expect
many, many more of these to come.

They will be chasing their tail between their legs for years to come, and
they'll only get bad PR from this.

It'll be dead and buried in a year after a shit storm hits reddit

------
totorovirus
This is the solution that should have existed in the first place

------
amelius
Why are the people in the illustrations missing eyes?

------
pnako
For families of people without eyes, apparently.

------
knorker
Shame on you, cloudflare.

------
gameswithgo
gave 1.1.1.3 a try. unfortunately it blocks things like doctors lectures on
coronavirus on youtube.

~~~
_-david-_
This is DNS blocking so it would be blocking all of Youtube or none of it.

------
nimbius
this seems like a disturbing trend for the company that often championed the
idea of a free and open internet. First they dropped the Daily Stormer as a
customer, then 8chan, then chimpmania which was terminated with a change.org
petition. Now we have a new service no one asked for that seeks to block lewd
websites and "malware"?

What's changed? Did Matthew Prince suddenly give up on free speech? Or is it
just another way to identify a target demographic.

------
imafish
Nice April's fool. :)

Edit: Ok, I guess not. But how?

------
Thaxll
Having different DNS for different purpose is imo not a great solution for not
tech people.

~~~
iso1631
It's great, I can stick 1.3 on the dhcp server for the kids vlan and keep 1.1
on the office vlan.

~~~
heisenbit
If you believe your kids can't figure out tech nor their friends friends can
then maybe 1.3 may be safer on your office vlan.

~~~
warhorse10_9
If you have vlans set up at your house you might have a decent firewall that
can block dns requests to unauthorized servers, so there's that.

~~~
iso1631
The goal is to prevent accidental stuff coming through while we're sat on a
computer together.

------
kick
On one hand, this is really ridiculous.

On the other hand, it might lead to the next generation of children who kick
their technical careers off by figuring out how to circumvent censorship and
that despise the companies enforcing it.

Maybe not, though.

~~~
tc313
On the other hand, my solution to subverting AOL parental controls was to...
log into my mom's account.

------
yarrel
This is an excellent Twitter thread explaining in detail the problems with
providing such a service for """families""" -

[https://twitter.com/SarahJamieLewis/status/12453743777570406...](https://twitter.com/SarahJamieLewis/status/1245374377757040640)

------
aaron695
> Adult Content

They don't understand the political world they just entered.

Or the amount of work this will take.

They have to take a stance on so many political issues from here.

From a company that prided itself on non-censorship (Minus two cases). This is
easy, twice they have broken and been hated for it.

Now, the twitter campaigns that will smash them on everything, in a sustained
way.....

~~~
JensRex
Cloudflare has never been anti-censorship. This kind of service fits them like
a glove. They're going to love being the moral police.

------
msla

        $ host www.glaad.org 1.1.1.3
        Using domain server:
        Name: 1.1.1.3
        Address: 1.1.1.3#53
        Aliases: 
    
        Host www.glaad.org not found: 5(REFUSED)
    

Looks like some things don't change. This is the kind of shit Peacefire was
exposing back in the 1990s: Completely innocuous GLBTQ+ content being labeled
as "inappropriate" by content censors. And Cloudflare doesn't even have the
figleaf excuse of having a financial incentive to dance to the tune of the
kinds of people who think GLAAD is somehow inherently bad.

[http://www.peacefire.org/](http://www.peacefire.org/)

Also:

    
    
        $ host www.peacefire.org 1.1.1.3
        Using domain server:
        Name: 1.1.1.3
        Address: 1.1.1.3#53
        Aliases: 
    
        www.peacefire.org is an alias for peacefire.org.
        peacefire.org has address 65.181.125.58
        peacefire.org mail is handled by 10 mail.peacefire.org.
    

This verges on the comedic.

~~~
Symbiote
Even worse:

    
    
      Host www.thetrevorproject.org not found: 5(REFUSED)
    

That's a site for teenagers with "trained counselors are here to support you
24/7. If you are a young person in crisis, feeling suicidal, or in need of a
safe and judgment-free place to talk, call …"

It's also exactly the type of site that's first on the list of examples of
what _not_ to block, by any privacy / anti-censorship group. It should have
been an easy test before launching.

~~~
dknecht
This should definitely not be the case. We are getting this fixed. We will
have a reporting page up shortly to also make it easier to report these type
of issues.

~~~
dknecht
This has been fixed.

~~~
Symbiote
That is impressively fast!

There's a site run by the Open Rights Group in the UK, recording incorrect
blocks made by ISP-provided "parental control" filters.

They already check against OpenDNS, so I assume they'll add 1.1.1.3.

There are lists of overblocked domains:
[https://www.blocked.org.uk/stats](https://www.blocked.org.uk/stats)

~~~
jgrahamc
Super helpful. Thanks. Will get that to the team.

