
Virtual DNS: DDoS Mitigation and Global Distribution for DNS Traffic - jgrahamc
https://blog.cloudflare.com/announcing-virtual-dns-ddos-mitigation-and-global-distribution-for-dns-traffic/
======
chinathrow
Yes, some of us argue that CloudFlare is the biggest MITM on the net. Now
with an added DNS interception feature.

Some: [https://blog.paymium.com/2014/02/19/the-cloudflare-mitm/](https://blog.paymium.com/2014/02/19/the-cloudflare-mitm/)

of: [https://stirling.co/blog/cloudflare-mitm/](https://stirling.co/blog/cloudflare-mitm/)

us: [https://news.ycombinator.com/item?id=8377029](https://news.ycombinator.com/item?id=8377029)

~~~
jgrahamc
I'm always disappointed when I read these comments about CloudFlare because
we've done so much work to respect people's privacy, stand up for threatened
groups/organizations [0], secure our systems [1], be transparent [2], push for
better encryption and support lawsuits around National Security Letters [3].

[0] [https://www.cloudflare.com/galileo](https://www.cloudflare.com/galileo)

[1] [https://blog.cloudflare.com/kyoto-tycoon-secure-replication/](https://blog.cloudflare.com/kyoto-tycoon-secure-replication/)

[2] [https://www.cloudflare.com/transparency](https://www.cloudflare.com/transparency)

Read the statements in there:

    CloudFlare has never turned over our SSL keys or our customers' SSL keys to anyone.
    CloudFlare has never installed any law enforcement software or equipment anywhere on our network.
    CloudFlare has never terminated a customer or taken down content due to political pressure.
    CloudFlare has never provided any law enforcement organization a feed of our customers' content transiting our network.

[3] [https://upload.wikimedia.org/wikipedia/foundation/5/54/Twitter_v_Holder_amicus.pdf](https://upload.wikimedia.org/wikipedia/foundation/5/54/Twitter_v_Holder_amicus.pdf)

~~~
ukandy
As honourable as you guys are, if your network is compromised it doesn't
matter.

~~~
UnoriginalGuy
Isn't that true of your bank, payment processors, your doctors, the social
security office, credit rating agencies, the NSA, and so on and so forth?

Statements like these are, frankly, very low quality and add nothing to the
discussion. It is just a worst-case scenario that seeks to dismiss all
opposition with no actual facts or legitimate logic to back it up e.g.: "What
good is it if commercial aircraft have ACAS (traffic collision avoidance
system), when the wings could just fall off! Or with a tiny fuel leak it could
explode! ACAS won't help you then!!!"

I don't really have a horse in this race, but these arguments against
CloudFlare are so low quality and thoughtless that I feel I must speak against
them.

------
sajal83
Quick question: is one of Cloudflare's nameservers down, or is it some kind of
security screening?

digitalocean.com is served by kim.ns.cloudflare.com. and
walt.ns.cloudflare.com.
([http://pastie.org/private/ky5ytls1prxkblndab0ja#16-17](http://pastie.org/private/ky5ytls1prxkblndab0ja#16-17))

But query to walt.ns.cloudflare.com gets blackholed.

From Ziggo (NL) : [http://pastie.org/10017148](http://pastie.org/10017148)
From True (TH) :
[http://pastie.org/10017139#1,22](http://pastie.org/10017139#1,22)

From both these places I can ping walt just fine... I chose DigitalOcean because
it's mentioned as a star customer.
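
The check above (query each listed nameserver directly and compare with ping) can be automated without depending on dig. The script below is an added example, not code from the post or from CloudFlare: it hand-builds a DNS SOA query in wire format from the standard library, sends it over UDP to each nameserver with a timeout, and classifies the result. A socket timeout is what "blackholed" looks like on the wire; any reply, even REFUSED, proves 53/udp is reachable. The nameserver names are the ones the post mentions; their addresses are not on the page and are resolved at run time.

```python
"""Probe a zone's nameservers directly on 53/udp with a hand-built DNS query.
Standard library only. Added example; the only names taken from the page are
the zone and its two nameservers."""
import socket
import struct

SAMPLE_ZONE = "digitalocean.com"
SAMPLE_NS = ["kim.ns.cloudflare.com", "walt.ns.cloudflare.com"]

QTYPE = {"A": 1, "NS": 2, "SOA": 6}
RCODE = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Wire-format a domain name: length-prefixed labels ended by a 0x00 byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype="SOA", txid=0x1234):
    """12-byte header plus one question. Flags are 0 (RD off): we are asking an
    authoritative server, not a recursor, so recursion would be meaningless."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack(">HH", QTYPE[qtype], 1)  # class IN
    return header + question


def parse_header(data, expected_txid):
    """Return (rcode name, answer count); raise if the reply does not match ours."""
    if len(data) < 12:
        raise ValueError("short reply")
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("txid mismatch")          # stray/spoofed packet
    if not flags & 0x8000:
        raise ValueError("not a response")         # QR bit clear
    rcode = flags & 0x000F
    return RCODE.get(rcode, "RCODE%d" % rcode), an


def probe(ns_ip, zone, qtype="SOA", timeout=2.0, txid=0x1234):
    """One query to ns_ip:53. 'dropped' on timeout, otherwise the reply's RCODE."""
    pkt = build_query(zone, qtype, txid)
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(pkt, (ns_ip, 53))
        data, _ = s.recvfrom(4096)
    except socket.timeout:
        return "dropped", 0
    finally:
        s.close()
    return parse_header(data, txid)


def resolve_ns(ns_name):
    """Address of the nameserver via the local resolver (needs network)."""
    return socket.gethostbyname(ns_name)


if __name__ == "__main__":
    # ICMP reachable but 53/udp "dropped" is exactly the symptom the post reports.
    for ns in SAMPLE_NS:
        try:
            ip = resolve_ns(ns)
            status, answers = probe(ip, SAMPLE_ZONE)
        except (socket.gaierror, ValueError) as exc:
            ip, status, answers = "?", "error: %s" % exc, 0
        print("%-24s %-16s %-9s answers=%d" % (ns, ip, status, answers))
```

Run it from more than one network, as the post did, before concluding anything: a single vantage point cannot distinguish a nameserver that is down from one that is rate-limiting or anycast-routing your particular source.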

~~~
majke
Well spotted. We're working on the fix. Please do keep on scrutinising us :)

~~~
aaronpeters
Any news on this? It's still broken...

~~~
imperialdrive
I admire your train of thought. You decided to kick the tires, which people
seldom do in a straight-forward manner these days. I do this constantly for
companies and it's amazing what hides in plain sight.

And in this case, still no fix? Amusing.

------
blfr
Very cool. Will Virtual DNS be available to regular Joes with a small DNS
server of their own or is it strictly for large hosting providers?

------
Nux
I always browse with the WorldIP extension on, showing me AS number and name
of websites and it's SCARY how many are behind Cloudflare now.

I'm sure the guys behind Cloudflare have good intentions, but nothing good can
ultimately come from such massive centralisation. It's the opposite of how it
should be.

~~~
jgrahamc
Do you feel the same way about AWS?

~~~
Nux
Yes

------
kbuck
Is this just a service selling DNS slaves, or is there something deeper about
how this works? From the URL, it just looks like the normal operation of a
slave DNS server. What makes it "virtual"?

~~~
X-Istence
It's not a slave in that it doesn't get the full zone, nor does it get updates
immediately. Instead it does recursion to the original DNS servers, and
replies back to the original client. Think of it like a reverse proxy for
HTTP, except for DNS.

------
kevinr
Article says: "Secondly, Virtual DNS masks the true origin IP addresses of the
provider's nameservers behind CloudFlare’s IP addresses. Visitors and/or
attackers only see CloudFlare’s IP addresses when requesting answers, keeping
customer nameservers safe from being targeted by attackers."

If I sign up for this service, do I get a list of Cloudflare IPs so I can
firewall everybody else off? Otherwise this is mostly security through
obscurity. Nameserver names are often easily guessable (ns1.example.com,
ns2.example.com, ...).

~~~
karaziox
A quick Google search gave this page:
[https://www.cloudflare.com/ips](https://www.cloudflare.com/ips)

I think this is what you want.
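
Having the provider's published ranges is only useful if they end up in the origin nameserver's firewall, which is the point kevinr makes: once the queries are proxied, anything else hitting 53/udp on the origin is either a misconfigured resolver or an attacker who guessed ns1.example.com. The script below is an added example, not code from CloudFlare or from the thread. It parses a list of CIDR ranges, collapses them, answers "would a query from this source reach the origin?", and renders an nftables fragment that accepts DNS only from those ranges. The ranges in it are a constructed sample; substitute the list the provider actually publishes for this service (the page linked above is the list for the HTTP proxy, so confirm with the provider that Virtual DNS queries from the same ranges).

```python
"""Build an origin-nameserver allow-list from a provider's published ranges.
Added example. SAMPLE_RANGES is constructed (RFC 5737/3849 documentation
space), not the real list."""
import ipaddress

SAMPLE_RANGES = """
# v4 proxy ranges (constructed sample)
198.51.100.0/24
203.0.113.0/25
203.0.113.128/25
# v6 proxy ranges (constructed sample)
2001:db8:abcd::/48
"""


def parse_ranges(text):
    """One CIDR per line; blanks and '#' comments are skipped. strict=True makes a
    range with host bits set (a typo) fail loudly instead of silently widening."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=True))
    return nets


def collapse(nets):
    """Merge adjacent/overlapping prefixes per address family to keep the set small."""
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def is_allowed(src_ip, nets):
    """Would a DNS query from src_ip be accepted by the rules below?"""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in n for n in nets if n.version == ip.version)


def nft_ruleset(nets, table="dns_origin"):
    """Render an nftables table: accept 53/tcp+udp from the proxy ranges, drop the
    rest. Only inbound DNS is touched; other traffic (SSH, monitoring, zone
    transfers you initiate) is left to the rest of the ruleset."""
    v4 = [str(n) for n in nets if n.version == 4]
    v6 = [str(n) for n in nets if n.version == 6]
    lines = ["table inet %s {" % table]
    if v4:
        lines.append("  set proxy_v4 { type ipv4_addr; flags interval; elements = { %s } }"
                     % ", ".join(v4))
    if v6:
        lines.append("  set proxy_v6 { type ipv6_addr; flags interval; elements = { %s } }"
                     % ", ".join(v6))
    lines += ["  chain input {",
              "    type filter hook input priority 0; policy accept;"]
    if v4:
        lines.append("    ip saddr @proxy_v4 meta l4proto { tcp, udp } th dport 53 accept")
    if v6:
        lines.append("    ip6 saddr @proxy_v6 meta l4proto { tcp, udp } th dport 53 accept")
    lines += ["    meta l4proto { tcp, udp } th dport 53 drop",
              "  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    nets = collapse(parse_ranges(SAMPLE_RANGES))
    print(nft_ruleset(nets))
    for ip in ("203.0.113.7", "192.0.2.9", "2001:db8:abcd::1", "2001:db8:ffff::1"):
        print(ip, "allowed" if is_allowed(ip, nets) else "blocked")
```

Two caveats a practitioner would add. First, `drop` rather than `reject` is deliberate: a refusal still tells the attacker the host runs a nameserver, whereas a dropped query looks like nothing is there. Second, the published list changes over time, so the sets should be regenerated from the provider's list on a schedule and the old rules replaced atomically (for nftables, `nft -f` on the rendered file), or the day the provider adds a range is the day your zone silently stops resolving.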

