How many have made the switch to Cloudflare's secure DNS?

Reporting in. It's actually slightly faster, but I mostly switched for muh privacy.

FUck off nigger.

>but I mostly switched for muh privacy

aren't they working along with some chink company? how is this better than opendns or Google botnet?

I'll take an audited company with a privacy policy forbidding them from collecting any of my information over my ISP knowing all of my DNS requests any day

fuck off whore I'll shill what I want
You fuck off and eat some shit while you're at it google drone
It's better because it's not google you fucking pleb. You are using a site that uses Cloudflare and Google right now you dumb shit.

So is this legitimately good, or are most of you memeing?

You neckbearded manbabies are so bitter here, I can’t tell who’s being ironic anymore.

I did. It's less botnet than Google's and less shitty than Comcast's.

Daily reminder that Cloudflare is getting multiple Gbit/s of garbage on 1.1.1.1 from corporate retards who haven't configured their networks properly

tech.slashdot.org/story/18/04/05/0420247/1111-cloudflares-new-dns-attracting-gigabits-per-second-of-rubbish

>Faster
>Have to send queries across half the world
Pick one

Or you could use one of hundreds of DNS servers that aren't owned by a multi-million dollar company that's most likely in bed with the US government.

opennic.org/

I've used slow, unreliable DNS before and it isn't very pleasant.

Don't see how this is any better than goolag's dns in terms of privacy considering they both capture roughly the same metadata. I guess at least with cloudflare they've made a statement they don't plan to censor """hate speech""" but if privacy is your concern I would favor opennic over either.

I just straight up don't trust it. I don't trust google either, or my ISP. I don't know what to do.

Does google anonymize the data like cloudflare claims?

It's faster than google and my own ISP. It claims to respect your privacy and offers dns over https. It hasn't been around long enough to verify its authenticity, but let's be honest you aren't doing anything worth caring about anyway

Of course not. Google dns provides no encryption.

>do this
>get added to a list

Not me, that's for damn sure.

And why the fuck not?

>Slow, unreliable
Werks on my machine, get better internet.

>do 1.1.1.1
>All your DNS requests are in a government server

Looks like they both store detailed data including IP addresses temporarily (24-48hrs goolag, 24hrs cloudflare), and aggregated/anonymized data permanently after that. Goolag stores more detailed location data in that temporary period, but cloudflare is also sharing their data with a 3rd party. So choose your poison.

developers.google.com/speed/public-dns/privacy

developers.cloudflare.com/1.1.1.1/commitment-to-privacy/privacy-policy/privacy-policy/

>that web 3.0 design
Pass

Internet connection is clearly not the problem. Everything runs great when I set DNS to 1.1.1.1/1.0.0.1 or 8.8.8.8/8.8.4.4.

>Cloudflare
>Secure

Lol, may as well be using 8.8.8.8 if that's your idea of security.

>He's probably on 8.8.8.8
I work at Google and thank you for forfeiting your data over

Everything runs great when I set my DNS to one of the many servers on opennic! Sounds like you just have a shit internet connection bro.

>A is not perfect
>Let's just use B which is literal hell

i literally downloaded a 10gb file in 1p seconds with that dns.

You don't seem to understand, if B is hell then A is also hell, they do the same shit; Both are going to burn you.

>muh speed
get a local dns cache you fucks

Let's just forget about the pointless argument for a second.

Are you aware that what you're doing is thoroughly flawed reasoning? I'm hoping you're just trolling, but there's so many people who are genuinely mentally deficient these days, you just can't tell.

It's an old tactic, comparing two things when one is much worse than the other, but because both are flawed you just pretend they're both just as bad.

The Cloudflare CEO is an outspoken privacy activist, so much so that he's on a first name basis with the Tor people, even though things are a little tense.

Google.

You know there's a name for this, an appeal to hypocrisy. AKA whataboutism.

they need a warrant to specifically target a US citizen. Much harder to do than being dragnetted.

>A and B both suck but A sucks less so you should use it!
>N..no.. no, don't look at C, look over here, hey! Look here, Use A! No! Not C! A is good enough!

Go shove both your hammer and your sickle up your probably LGBT ass.

LOL, surely you jest

Google's DNS is faster? Wtf

not in my country

sorry freedom and due process only applies for US citizens. If you wanted constitutional protections you should have been born american.

>Don't look at C
You're the only one saying that, user. You're the only one saying "don't look at C"

Maybe you're mad people don't use C, maybe you think C is unfairly ignored. Maybe you're not being very honest with yourself.

The truth is C seems to be an amateur, small scale project. Their speed is terrible. It barely sees any maintenance, and their servers randomly fall offline for days at a time.
It's a shitshow.

Why are people using 1.1.1.1 and not 1.0.0.1?

On average, Google is slower, unless you happen to live right near a Google point of presence, then they sometimes beat 1.1.1.1 by a couple milliseconds.

>ping measures the time it takes a dns server to respond to a dns request
Absolute brainlet.

1.1.1.1 is the main server, and 1.1 the backup

>(((secure)))
How many fucking times does it have to be said? RUN YOUR OWN!

Where are you going to bootstrap from, the root-servers?

If I do a time nslookup Jow Forums.org on 8.8.8.8 and 1.1.1.1 I get 0.09s for Google and 0.05s for Cloudflare.
Cloudflare pings about 1ms higher than Google, so it's not just network latency that is the difference.

Aren't you supposed to notate 0 octets as
1...1 (as in your example)?
Or in another example
192.168.0.1 becomes 192.168..1 ?

Nah, that syntax is valid and accepted pretty much anywhere.

It's IPv6 that has to use the double colon syntax.

>It's an old tactic, comparing two things when one is much worse than the other
I have yet to see any evidence of that. Based on it looks like they're basically logging the same thing.

The CEO's stance on privacy doesn't affect what's being logged nor does it change what can be accessed by a warrant. And if you're not being warranted then each company's policy is basically equivalent in terms of your privacy.

If you actually care about privacy you wouldn't be using either of these, you'd be running your own DNS or using one that doesn't log anything at all.

That's an IPv6 thing. I've never seen it used for IPv4.

It is trivial for your ISP to track exactly what websites you visit, moron. Changing your DNS won't do shit if hostnames are still sent in clear on initial TCP request.

Roll your own dns

It's easy and counterproductive to attack a stance just because there's a much more extreme thing you could possibly do.

Because if you really cared about privacy you'd throw away your phone, browse the web through Tor in a Qubes VM on FSF-approved hardware in a coffee shop not near your home.

Or maybe just don't give all your data to the company who makes a living spying on you to maximize your ad click rate.

In what capacity are you suggesting people run their own? Even if you set up a local caching server it will need to make requests to upstream servers.

>User's geolocation information
>Client's AS
For what purpose.

>the only internet activity on your computer that requires a DNS request beforehand is browser traffic that uses SNI
oh sweet summer child

>get a local dns cache you fucks
>How many fucking times does it have to be said? RUN YOUR OWN!
>Roll your own dns

Can everyone please respond to the query posted in on this? DNS was flawed and corrupt from its very inception. It's time to make the Internet Jow Forumsreat _again_.

>Can everyone please respond to the query posted in
They won't because they can't. You're correct that running your own resolver will need to contact upstream resolvers.

OP isn't suggesting you run a caching service, they're suggesting you run a full local dns server. Yes you still have to pull DNS records but since you're pulling all of the records, the DNS provider can't tell which server you're connecting to. Requests are to your local DNS server.

Is that even possible? Don't the root servers only have information about their authoritative TLDs? How many records from how many different servers would you have to pull until you had "all" of them?

Wrong. You can go directly to the root. That's exactly what 3rd party servers do.

Who runs the root dns servers?

(((That's right)))

privacy from whom? your ISP? even with encrypted DNS your ISP can still see what addresses you send data to and from as well as through things like SNI. you add no real privacy.

(((the jews)))

*whom'st

He is a us citizen in the us. Read the news and use common sense

Yeah, but the root servers only hold the root zone file. You still need to reference each authoritative DNS server to get individual records. You're saying 3rd party DNS servers pre-populate all this data all the time? I was under the impression that even they just cache it, it's just that they get so many requests that most of the common destinations are usually already present.

You're making the mistake of thinking that every hole has to be plugged for it to be worthwhile to do anything at all. Is it still possible for your ISP to snoop on you if you're using some form of DNS encryption? Yes. But it makes it harder and more expensive for them to do so. It also shuts down their ability to MitM DNS.

>Read the news and use common sense
give me an example of a 3 letter agency targeting US citizens on US soil in purely domestic traffic without getting a warrant or probable cause. Dragnet operations and conspiracy theories excluded.

This is a very good point. It is still a step in the right direction.

Yet you still haven't addressed the point of my argument, which is that it's pointless to choose between either of these two evils considering the CEO's stance has literally no effect on what is being logged and what's being logged is clearly laid out in both cases. Anything beyond what is documented is pure speculation on your part, and I would argue that's far more counterproductive.

I'm not saying you should use a DNS with no logging (although you should), but if you're not going to you've already decided that you care more about speed than privacy anyway. Both of these DNS services are effectively logging the same thing and for the same amount of time. Use the one that's faster for you and be done with it.

>use slow ass pedo dns
>be more closely watched by gov
okay user

>probable cause.
license to do whatever the fuck we want

And the more people that do that, and the more small resolvers there are, the more difficult and expensive that surveillance gets, because instead of sending one NSL to cloudflare knowing that a gorillion people use it, you have to think about dozens of different resolvers in a bunch of different countries.

That's the problem. If they're doing it, we wouldn't know. Hence the value of making it more difficult for governments to access information, warrant or no warrant.

Running your own recursive resolver tells each resolver between the root nameservers and the authoritative nameserver exactly what domain you're looking up, in addition to letting your ISP see them. There is also no way to encrypt the outgoing queries of your own recursive resolver because you can't know if every resolver you're going to hit supports whatever method of encryption you want to use. With a single third party resolver that supports encryption, at least you can encrypt your connection on the way to it so your ISP can't see it.

>Is that even possible?
Is what possible? Running your own recursive resolver? Of course it is.
>Don't the root servers only have information about their authoritative TLDs?
Basically, yes
>How many records from how many different servers would you have to pull until you had "all" of them?
Running your own resolver doesn't mean gathering all possible records at once. Whenever you want to resolve a domain name, you ask a root nameserver for domain.com, and it tells you "I don't know but here's the nameserver for *.com" so you contact it and it says "I don't know but here's the nameserver for domain.com" and so you contact it and it says "Yeah I'm the authoritative nameserver for domain.com, here's the IP". Then your resolver caches it for however long the TTL says.
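An added example, not code from the thread: a simulation of the iterative lookup described in the posts above, run over a constructed delegation tree and recording which name each nameserver gets to see. It goes beyond the thread by also showing QNAME minimisation (RFC 9156), where the resolver reveals only one more label per step; zone names, server labels and addresses are made up.

```python
# Constructed delegation tree (all zones, server labels and addresses are made up).
ZONES = {
    ".": {"server": "root", "delegations": {"com."}},
    "com.": {"server": "com-tld", "delegations": {"example.com."}},
    "example.com.": {
        "server": "example-auth",
        "answers": {"www.example.com.": "192.0.2.10",
                    "mail.internal.example.com.": "192.0.2.25"},
    },
}

def resolve(qname, minimise=False):
    """Iterate from the root; return (answer, [(server, name that server saw), ...])."""
    labels = qname.rstrip(".").split(".")
    zone, seen, n = ".", [], 1           # n = labels revealed so far when minimising
    while True:
        info = ZONES[zone]
        sent = ".".join(labels[-n:]) + "." if minimise and n < len(labels) else qname
        seen.append((info["server"], sent))
        if sent == qname and sent in info.get("answers", {}):
            return info["answers"][sent], seen
        child = next((d for d in info.get("delegations", ())
                      if sent == d or sent.endswith("." + d)), None)
        if child:                         # referral: follow the zone cut
            zone, n = child, child.count(".") + 1
        elif sent != qname:               # no zone cut here: reveal one more label
            n += 1
        else:
            return None, seen             # name absent from this constructed tree

def exposure(qname, minimise=False):
    """Map each server to the set of names it learned during one lookup."""
    out = {}
    for server, name in resolve(qname, minimise)[1]:
        out.setdefault(server, set()).add(name)
    return out
```

Unbound exposes this behaviour as the `qname-minimisation` option.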

>Running your own resolver doesn't mean gathering all possible records at once.
That's what I thought. I don't think anyone saying "roll your own" really understands how DNS works. Using DNS over TLS from a single provider is probably the best way to go for now as you stated.

>Using DNS over TLS
How exactly is this done on all devices, though? If I'm trying to think of the bigger picture here as it applies to normies, is DNS/TLS even implemented on 99% of devices? Can Windows/Android/iOS even do this?

Encryption works best when everyone is doing it, for everything.

The idea is that you're going to give up your data anyways. If that's the case, I'd rather give it to a Chinese company that can do relatively little to me compared to my host country.

I'd rather a Russian company has my DNS queries than a US company because the US company can be more easily coerced by a legal system I'm beholden to.

Why would you centralize your DNS access?
Why not just switch DNS servers for every request you make?

Certainly don't make it easy on the government to spy on you when they inevitably subpoena the DNS.

no

Could easily be much worse.

That's a clever idea. Kinda like openvpn has some built-in roulette thing IIRC for the client configurations, so it will (pseudo)randomly select a server as a (bad) implementation of load-balancing.

That gives me an idea. Of all the local servers you can run, is it possible to make them keep a historical archive of results that you can view as a sort of history, kind of how like the web archive presents it? I think that would be cool in case a domain gets seized.

That's sort of the problem with DNS right now. There's no easy and reliable way to get encrypted DNS on all devices. You can set up your own caching DNS server at home that obtains records via TLS, but that doesn't cover use from your cellphone while on the go. It also doesn't solve the problem of having to place trust in the upstream DNS provider.

There are a few proposals in front of the IETF in regards to fixing DNS. Hopefully in the next few years we'll see some movement towards a better standard, but for now there's no silver bullet.

I just set it up on my pfsense router, with TLS connections and DNSSEC enabled in Unbound. I had been using OpenNIC previously, but without support for these options.

Thanks, but no thank you. My DNScrypt still works and is 100% free of botnet

I'm an idiot -- I just deleted all of the forwarding addresses and am having Unbound just directly query the authoritative name servers. Works nicely and I don't have to deal with anybody else's bullshit. Also set up a firewall rule that forces all LAN DNS requests through Unbound on the router.

>secure DNS that protects your privacy
does such a thing exist? I call bullshit

wait... since when can you do a DNS request through TLS? what clients do support this, and how fast it would be, taking into account the TLS handshake itself?

also...
$ ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=64 time=0.698 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=64 time=0.491 ms
64 bytes from 1.1.1.1: icmp_seq=3 ttl=64 time=0.492 ms
64 bytes from 1.1.1.1: icmp_seq=4 ttl=64 time=0.498 ms
64 bytes from 1.1.1.1: icmp_seq=5 ttl=64 time=0.706 ms
^C
--- 1.1.1.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4093ms
rtt min/avg/max/mdev = 0.491/0.577/0.706/0.102 ms

the fuck is going on here?

your network probably uses 1.1.1.1 as an internal network address even though it isn't supposed to.
this is a problem for many users.

well, it's redirecting me to the ISP-provided router...
good thing I bought a new router, which is what I'll be using from now. though I have to admit, this one is very stable. but I can't trust it anyway.

How does this compare to OpenDNS?

Yes, goyim, trust these NOBODIES with all to gain and nothing to lose!

Phones are essentially impossible to secure. The only good solution is to not browse the web on them.

Nice false flag Cloudflare.

Why is this recommended? I'd be more creeped out by one of these randos archiving my data than some big butt company that has millions of users.

The big company has much more incentive to spy on you. They can make a lot more money off of it than some random guy with a tiny DNS server ever could. The random guy would have to go to quite a bit of trouble to fuck with you, the big company already has dozens of people whose whole job is to spy on people - they just call it "analytics" or "telemetry". Plus the danger of big companies is their centralizing influence. A DNS server run by some random fuck with ten thousand users is not a huge target for an attack, either by governments or by other criminals. A big company's DNS server with many millions of users is not only a bigger target, but they have a much bigger incentive to not just close up shop and erase everything when confronted with an NSL. They're making money off of it, they're much more likely to play ball to stay in business.

A DNS server run by an outfit as big as Google, Cloudflare, or an ISP is inherently untrustworthy, just because of the characteristics and incentives of those kinds of organizations.

>It's actually slightly faster
No it fucking isn't.