
1.1.1.1 Cloudflare DNS Resolver Soon to Be Announced? - AFNobody
https://webcache.googleusercontent.com/search?q=cache:https://1.1.1.1/
======
amq
The concerning thing about this is that internet is increasingly dependent on
Cloudflare, making it a single point of failure and exploitation. Somehow,
people are not talking much about it, but a significant amount of sites have
opted in for Cloudflare proxying, allowing it to see the traffic in plain
text, while the visitors are made to believe that the connection is secure.
Similarly, users will now use their fast DNS server, which is also advertised
as more secure.

~~~
zitterbewegung
What about Akamai? They are a much larger CDN (no one talks about it on HN
because they are not a startup). I agree with your assertion that it will
become a single point of failure with many web properties but also I think
that HN has a sort of filter bubble on startups (for obvious reasons) and I'm
not sure Cloudflare is as big as people make it out to be.

Also, Google has 8.8.8.8 which could be for the same thing and has similar
problems (large scale data collection, single point of failure).

~~~
fludlight
CloudFlare publishes their pricing. Akamai doesn't.

Dealing with salespeople is a massive PITA. They're not going to tell me
anything that's not in the docs or support forums and I don't want to spend a
week negotiating. I've seen many others make this point on HN over the years.

Maybe Akamai only focuses on large enterprise customers while CloudFlare also
goes for the SMB market. IDK. The HN crowd seems to work at SMBs (startups
included) or at companies big enough to operate their own CDN.

~~~
LeoPanthera
Fuck I hate this. I've avoided buying storage servers from ixsystems, despite
the fact their products seem to be exactly what we need, because they won't
tell me how much they fucking cost. They want to have a "conversation" about
"solutions".

Fuck you. Sell me boxes and tell me how much they cost. But they won't.

~~~
freehunter
I work for a vendor and I'm not allowed to tell my clients pricing because I'm
not qualified to make deals. We don't even have a list price published
internally, it's all at the salesman's discretion. That means some clients pay
$150k, some pay $300k, some get it for free bundled with another purchase. Far
too often I'm asked "budgetary pricing" but even that is a conversation with a
solution architect and a virtual procurement cycle and an NDA and all that
nonsense. Just so we can make sure someone is getting overcharged.

~~~
stryk
Ugh. So many terms that when I actually say out loud and try to be serious I
throw up in the back of my mouth a little.

Is there room in this space for a new no-nonsense vendor? Someone who cuts out
all the goddamn middlemen and just asks what hardware you want, how you want
it configured, and quotes you a frickin price without all the bullshit?

~~~
stock_toaster
abmx maybe?

~~~
stryk
First I've heard of them (but I'm not any kind of expert). Are they good? I
usually just hear the usual suspects mentioned such as iXSystems and
Supermicro. Linux guys will mention one called PogoLinux every once in a while
also.

~~~
stock_toaster
I have bought a few servers from them (4 or so over the years), and they have
served me pretty well so far. I haven't had to do any RMAs or replacements
though, so not sure how good the company is about that.

------
ocdtrekkie
This is awesome to hear, and for all of the criticism Cloudflare has gotten in
the past, they have spoken loudly against censorship, not just for people they
like, but those they dislike as well. I'd much rather point my DNS at them
than Google, an ad company where tracking is the whole business model.

~~~
durkie
Really? Didn't the CEO kick stormfront off Cloudflare because they thought
they were assholes?

~~~
ocdtrekkie
Specifically, the Cloudflare CEO kicked the Daily Stormer off of Cloudflare
because the Daily Stormer had been suggesting that Cloudflare secretly
supported them/their politics: [https://blog.cloudflare.com/why-we-terminated-daily-stormer/](https://blog.cloudflare.com/why-we-terminated-daily-stormer/)

Had the Daily Stormer folks kept their mouths shut, they probably would've
been fine.

And then Cloudflare continues on to describe why they don't think companies
should censor content, whereas Google has numerous blogs and entire
technologies revolving around how to censor content even more than they do
now.

~~~
Gigablah
Ah yes. There’s nothing to censor if you keep your mouth shut ;)

~~~
dictum
There's a difference between saying "[highly controversial statement]. We know
company X will not censor us." and "[highly controversial statement]. We know
company X will not censor us because the people at company X are really on our
side!"

~~~
corobo
They really should have booted them for that reasoning rather than by feeling.
They even have it in their Terms of Service (and when I looked, did have it at
the time of terminating the site)

> Section 18 - Because Cloudflare has no control over such sites and
> resources, you acknowledge and agree that Cloudflare is not responsible for
> the availability of such external sites or resources, _and does not endorse_
> and is not responsible or liable for any content, advertising, products, or
> other materials on or available from such sites or resources.

It's a clear ToS breach; a bit of thought would have avoided the whole thing.
You got lawyers on hand? Talk to lawyers!

------
nerdbaggy
Interesting that [https://1.1.1.1/](https://1.1.1.1/) has a valid SSL Cert
when you can't issue public valid certs for IPs

~~~
edsouza
The certificate "Common Name" is: dns.cloudflare.com.

There is a certificate extension, Subject Alternative Name, that lists the
following:

    DNS Name: *.dns.cloudflare.com
    DNS Name: dns.cloudflare.com
    IP Address: 1.1.1.1
    IP Address: 1.0.0.1

Most likely the extension was included as part of the certificate signing
request.
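As an added illustration (not code from the thread or from Cloudflare), the check below is the one a TLS client performs when it connects to https://1.1.1.1/, which is why the certificate validates despite the CN: an IP literal is compared only against the iPAddress SAN entries, a hostname only against the dNSName entries, and the CN is ignored once a SAN extension is present. The entries are taken from the listing above; the wildcard rules follow RFC 6125.

```python
import ipaddress

# Constructed from the SAN entries quoted in the thread for the 1.1.1.1 certificate.
SAN_ENTRIES = [
    ("DNS", "*.dns.cloudflare.com"),
    ("DNS", "dns.cloudflare.com"),
    ("IP", "1.1.1.1"),
    ("IP", "1.0.0.1"),
]

def parse_san_listing(text: str) -> list:
    """Turn the 'DNS Name: x' / 'IP Address: y' lines a certificate viewer
    prints into (kind, value) tuples; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        label, _, value = line.strip().partition(":")
        if label == "DNS Name":
            entries.append(("DNS", value.strip()))
        elif label == "IP Address":
            entries.append(("IP", value.strip()))
    return entries

def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style: case-insensitive; a wildcard must be the entire
    left-most label and matches exactly one label, never a dot."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p == h
    if p[0] != "*" or len(p) < 3:        # reject "*.com" and partial wildcards
        return False
    return len(p) == len(h) and p[1:] == h[1:] and h[0] != ""

def san_matches(san_entries, reference: str) -> bool:
    """Is the reference identifier (hostname or IP literal) covered by the
    subjectAltName? An IP literal is compared only with iPAddress entries,
    never with dNSName entries, and the CN is not consulted at all."""
    try:
        ref_ip = ipaddress.ip_address(reference)
    except ValueError:
        ref_ip = None
    for kind, value in san_entries:
        if ref_ip is not None:
            if kind == "IP" and ipaddress.ip_address(value) == ref_ip:
                return True
        elif kind == "DNS" and dns_name_matches(value, reference):
            return True
    return False
```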

~~~
prdonahue
Most CAs ignore the subjectAltName extension when parsing CSRs (as it's a
pain[1] for users to generate one properly). They just extract the public key,
CN, and let you fill in SANs.

1 - Before Cloudflare I used to do this with OpenSSL and it requires half a
dozen steps, but with cfssl you can do this quite easily:
[https://github.com/cloudflare/cfssl/wiki/Creating-a-new-CSR](https://github.com/cloudflare/cfssl/wiki/Creating-a-new-CSR).

~~~
silverwind
You can generate SAN CSRs with an openssl one-liner, not that hard.

~~~
prdonahue
With a default install/config? Do tell.

------
pixl97
Well crap. I was used to going to 1.1.1.1 on my cellphone when on wireless APs
that tried to redirect you to an agreement page. Now there is a valid
cert/website at that address.

Guess I'll have to pick a new one.

~~~
Faaak
Plenty of captive portal operators use the 1.1.1.0/24 IP subnet for their
authentication pages. A shame they thought these IPs would never be used.

~~~
iforgotpassword
Don't some VoIP devices use 1.1.1.1 too to check connection type or something?

There was a paper from a couple years ago when 1.1.1/24 (or bigger, don't
remember) was still unassigned; at some AS they logged what kind of traffic
was targeted at that subnet, by IP, port and protocol and 1.1.1.1 stood out.
Can't find that paper just now unfortunately. :-(

~~~
asclepi
[https://www.nanog.org/meetings/nanog49/presentations/Monday/...](https://www.nanog.org/meetings/nanog49/presentations/Monday/karir-1slash8.pdf)

------
scrollaway
So am I correct assuming they support DNSCrypt if they claim they support
encryption?

If that's the case that's really nice actually. Google DNS kinda silently
launched DNS-over-HTTPS in 2016 but still no DNSCrypt; OpenDNS are the only
major ones supporting it.

Of course I stopped using dnscrypt at some point because it was a pain to
maintain, and wasn't supported on most of my devices :/

~~~
codetrotter
(Removed.)

~~~
jedisct1
Use dnscrypt-proxy 2.x -- The 1.x branch has reached end of life.

Cloudflare's resolvers have been supported by dnscrypt-proxy for quite some
time and are even present in the example configuration.

~~~
codetrotter
Thanks.

------
bogomipz
There was a good experiment that Merit did when they announced 1.0.0.0/8 for 1
week back in 2010. The findings are here:

[https://www.merit.edu/wp-content/uploads/2016/01/1.0.0.08.pd...](https://www.merit.edu/wp-content/uploads/2016/01/1.0.0.08.pdf)

------
Asdfbla
>supports encrypted DNS as well as DNS over HTTPS

Are encrypted DNS requests used by default? Does 1.1.1.1 somehow advertise to
your client (whether it's a browser, the OS or a router) that encryption is
possible? Do I have to configure my endpoint, which may expect to be able to
send normal plaintext DNS requests, for it?

I guess DNS over HTTPS will surely not be supported by normal routers, but I
don't know what other protocol Cloudflare refers to as "encrypted DNS", so
maybe that will work.

~~~
zackbloom
Encrypted DNS usually refers to making a TLS-secured connection to a DNS server
over port 853. You can read more here:
[https://tools.ietf.org/html/rfc7858](https://tools.ietf.org/html/rfc7858)

~~~
Asdfbla
Thanks a lot, that was what I was looking for. Seems most realistic to configure
DNS-over-TLS on the OS level then.
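To make the RFC 7858 mechanics from the comment above concrete, here is an added example in Python (not code from the thread or from Cloudflare): it builds a wire-format A query, adds the two-octet length prefix that DNS-over-TLS reuses from DNS-over-TCP, and parses the answer section of a constructed reply, rejecting a wrong transaction id or a non-zero RCODE. query_over_tls runs the same exchange live against port 853 and assumes the server name dns.cloudflare.com from the certificate CN quoted earlier in the thread.

```python
import socket, ssl, struct

def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """A/IN query with RD set (RFC 1035 wire format), without the length prefix."""
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + name + b"\x00\x01\x00\x01"

def frame(msg: bytes) -> bytes:
    return struct.pack("!H", len(msg)) + msg  # RFC 7858 keeps DNS-over-TCP framing: 2-octet length

def skip_name(msg: bytes, off: int) -> int:
    while msg[off] != 0:  # step over labels; a pointer (0xC0..) is 2 bytes and ends the name
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_a_records(framed: bytes, txid: int = 0x1234) -> list:
    """Unframe a reply, verify id and RCODE, return the IPv4 strings in its answers."""
    length = int.from_bytes(framed[:2], "big")
    msg = framed[2:2 + length]
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])  # struct.error if no full header
    if len(msg) != length or rid != txid or flags & 0x000F:
        raise ValueError("truncated reply, wrong transaction id, or RCODE %d" % (flags & 0xF))
    off, addrs = 12, []
    for _ in range(qd):
        off = skip_name(msg, off) + 4     # skip QTYPE and QCLASS
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off + 10:off + 14]))
        off += 10 + rdlen
    return addrs

SAMPLE_RESPONSE = frame(  # constructed reply, not captured: NOERROR with one A record
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + build_query("dns.cloudflare.com")[12:]
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([1, 1, 1, 1]))

def query_over_tls(qname, server_ip="1.1.1.1", server_name="dns.cloudflare.com"):
    """Live DoT query on port 853; needs network, and server_name is an assumption."""
    with socket.create_connection((server_ip, 853), timeout=5) as raw, \
            ssl.create_default_context().wrap_socket(raw, server_hostname=server_name) as tls:
        tls.sendall(frame(build_query(qname)))
        data = b""
        while len(data) < 2 or len(data) < 2 + int.from_bytes(data[:2], "big"):
            chunk = tls.recv(4096)
            if not chunk: raise ConnectionError("connection closed mid-message")
            data += chunk
    return parse_a_records(data)
```

parse_a_records(SAMPLE_RESPONSE) exercises the parser offline; query_over_tls("dns.cloudflare.com") runs the live exchange from a networked host.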

------
jwlake
Lots of bad networking equipment assumes 1.1.1.1 isn't a real address and uses
it for things like captive portals and administration, making this a terrible
address to use for a service you want to be widely available.

------
decko
Didn't realize this wasn't official yet. A few days ago dns.cloudflare.com
pointed to a landing page describing how to change your DNS to 1.1.1.1 and
1.0.0.1 and how they were not going to censor or log anything.

It also said it would support DNS over HTTPS.

Edit: Here's the snapshot from wayback machine,
[https://web.archive.org/web/20180328150501/https://dns.cloud...](https://web.archive.org/web/20180328150501/https://dns.cloudflare.com/)

------
citrusui
Archived link, since it seems to have been removed from Google's cache:
[https://archive.is/QB0sW](https://archive.is/QB0sW)

~~~
exikyut
Thanks - I just searched the page for "archive.is" hoping to see a comment
exactly like this one :)

------
ko27
How would one set up automatic DNS-over-HTTPS on your home PC?

~~~
jedisct1
Use [https://simplednscrypt.org/](https://simplednscrypt.org/) and just pick
"Cloudflare" in the list of available servers.

------
dasrecht
Found the page in Google cache:
[http://webcache.googleusercontent.com/search?q=cache:4Mdo7Yu...](http://webcache.googleusercontent.com/search?q=cache:4Mdo7YuHRPEJ:every1dns.com/+&cd=3&hl=de&ct=clnk&gl=ch)

[https://1.1.1.1](https://1.1.1.1) and also every1dns.com seem to point there

------
mrb
Wonder how much it cost Cloudflare to buy 1.1.1.0/8 from China Telecom...

~~~
bogomipz
Where did you get China Telecom from? The IANA released 1.0.0.0/8 to APNIC in
2010 and 1.1.1.0/24 was assigned to APNIC-LABS. The IRR Netname is actually
still APNIC-LABS too. See:

[https://stat.ripe.net/1.1.1.1#tabId=at-a-glance](https://stat.ripe.net/1.1.1.1#tabId=at-a-glance)

~~~
mrb
The IANA released 1.0.0.0/8 to APNIC, and APNIC subsequently sold parts of it
to China Telecom. I deduce this because neighboring IP ranges
([https://stat.ripe.net/1.1.0.0#tabId=at-a-glance](https://stat.ripe.net/1.1.0.0#tabId=at-a-glance) and
[https://stat.ripe.net/1.1.2.0#tabId=at-a-glance](https://stat.ripe.net/1.1.2.0#tabId=at-a-glance)) belong to China
Telecom. So 1.1.1.0 likely did too. I think the whois information may have
reflected the China Telecom ownership before it was updated.

APNIC-LABS is probably just a joint partner in that Cloudflare resolver
project.

~~~
tialaramex
No. 1.1.1.0/24 was not allocated because idiots poisoned it. For a long time
address ranges like these were left unused because it wasn't worth anybody's
time handling the problems but since IPv4 is now full we may as well do what
we can with them.

So China Telecom will never have been given 1.1.1.0/24

~~~
bogomipz
Indeed, and there was always great worry about how polluted that IP space
might be. I posted this link elsewhere:

[https://www.merit.edu/wp-content/uploads/2016/01/1.0.0.08.pd...](https://www.merit.edu/wp-content/uploads/2016/01/1.0.0.08.pdf)

~~~
mrb
Very insightful slides. I was wrong about 1.1.1.0/8

------
shadowfacts
The website at 1.1.1.1 isn't running, but the DNS service seems to be
operating.

~~~
jasongill
Why would there be a website at that IP? Google and OpenDNS don't serve a
website from their resolver IPs; don't think I've ever seen any that do.

~~~
stordoff
The submitted link is the Google Cache page for a website running at that IP:

"This is Google's cache of https://1.1.1.1/."

------
waffen
It became public on 1 April.

[https://isptalk.net/d/18-cloudflare-dns-1-1-1-1-1-0-0-1/3](https://isptalk.net/d/18-cloudflare-dns-1-1-1-1-1-0-0-1/3)

------
vengefulduck
In case it's interesting to anyone, I ran nmap against the IP and it seems that
the domain associated with it is one.cloudflare-dns.com; also, all of the ports
are closed currently.

------
binoyxj
Announcing 1.1.1.1: the fastest, privacy-first consumer DNS service
[https://blog.cloudflare.com/announcing-1111/](https://blog.cloudflare.com/announcing-1111/)

------
marcrosoft
This protects against a tremendous amount of local and ISP level DNS request
collection which is great; however, we ultimately need a zero-trust DNS
system. KPMG auditing Cloudflare provides security through
bureaucracy/obscurity which doesn't help.

------
ensignavenger
Appears to be a joint venture between Cloudflare and APNIC; not sure of the
relative involvement of APNIC, but they provide the IP addresses at the very
least. I don't know if they retain any oversight of operations.

~~~
vimda
As with all previous times APNIC has let a company advertise that IP range, I
assume APNIC will be doing analysis on the traffic that comes in.

------
xstartup
What are the rate limits before I start using it on my servers?

------
jedisct1
To connect using DNS-over-HTTP/2, just use dnscrypt-proxy 2.x and put this in
the configuration file:

    server_names = ['cloudflare']

------
ksec
All other issues aside, is it faster than Google DNS?

And I wonder if all ISPs should group together to start a single / few DNS.

------
jedisct1
To use this on iOS, download DNSCloak from the App Store and choose
"Cloudflare" in the list.

~~~
earenndil
You can change the DNS server easily from Wi-Fi settings on iOS.

~~~
wut42
The DNSCloak app makes it use DNSCrypt, not the standard DNS you can set in the
Wi-Fi settings.

~~~
jedisct1
Yep, and it works well with Cloudflare (and has for quite some time).

------
hsivonen
How (if at all) does using this affect e.g. what Netflix content server gets
assigned to you?

~~~
foobarbazetc
If it supports EDNS0 it should be fine.

~~~
q3k
Not to mention that running under one (anycasted) address doesn't imply
having the same cache globally.

------
themew
Works and is a fast resolver!! Thanks for posting it.

------
Pokepokalypse
I generally go to GRC's tool "DNSBench" for a list of performing DNS
responders. If 1.1.1.1 shows up on that list, I might consider it.

------
djrogers
Darn, no IPv6 address?

~~~
simias
>For IPv4: 1.1.1.1, 1.0.0.1

>For IPv6: 2001:2001::, 2001:2001:2001::

~~~
vimda
But those IPv6 addresses aren't actually working, unlike the IPv4 ones. Also
those addresses are owned by Telia, so I have my suspicions that those are the
go-live IPv6 addresses.

------
artursapek
How does a company like Cloudflare come to acquire a "vanity" IP address like
that? Are they just sold privately to high bidders?

~~~
diggan
It worked like this (according to the submitted website archive):

> Cloudflare had the network. APNIC had the IP address (1.1.1.1). Both of us
> were motivated by a mission to help build a better Internet. You can read
> more about each organization’s motivations on our respective posts:
> Cloudflare Blog / APNIC Blog.

The blog post links just link to the blogs themselves, not actually to a post,
so this submission seems premature.

------
LinuxBender
I can't fault them for wanting to know what DNS requests people are making.
There is a gap in tracking people only via http and webrtc.

