April the 1st is a few things this year, it's April Fool’s day as it would be any year and it’s also Easter. As much as I love chocolate and messing with people, new services that benefit the internet are definitely cooler. Cloudflare is an amazing company which provides services to help secure and speed up the internet. The best part is, anyone can use Cloudflare for free. Of course, there's some more advanced features that are paid, but for most people (including me with this blog), their free services do everything I want and more. One of the things Cloudflare do is act as the authoritative DNS server for millions of websites. Today they've expanded their DNS offering with the launch of a DNS resolver that anyone can use.
The 1st of April may seem like an odd day to launch a new service, but if you like confusing people, then the 1st of April can be written as 4/1/2018 - in other words, 4/1 or 4 1's. This is a rather novel (albeit nerdy) launch date for their DNS resolver which has the IP address, 126.96.36.199. Cool eh?
There are already several widely used DNS resolvers, Google's 188.8.131.52 and 184.108.40.206 are very well known. OpenDNS have several with the main ones being 220.127.116.11 and 18.104.22.168. There's the ISP provided ones which most people will be using. The list goes on and on. No matter which service you use there's a few considerations, performance, reliability, security and privacy.
To be completely blunt, Cloudflare's entire reputation relies on it taking security and privacy seriously. They're a security company that sits in front of millions of sites, they have control of the DNS for domains owned by individuals like me up to incredibly large companies. Unless you just use them for DNS, all requests are routed through their network which means that they see everything in its unencrypted form. In other words, they have to take things seriously.
DNS is a protocol which wasn't designed for a security and privacy orientated world. There's DNSSEC which allows for verification of DNS records to stop them from being tampered with but is used by very few sites. Cloudflare made the great decision of supporting DNS-over-TLS and DNS-over-HTTPS from the get go. These allow for encrypted lookups which affords us security and privacy. If I ever meet someone from Cloudflare in person, I owe you a high five.
So we're set on the security front, though you might be thinking "Well, Google and OpenDNS are also going to be pretty secure" which is a good point. Okay, so let's look at privacy next, as I said, Cloudflare relies extremely heavily on trust, if there were any doubts as to what it was doing with the data that passes through their infrastructure it'd be catastrophic. It's in their interests to keep as little information as possible. They have a post about privacy that you can view here and in it, they say this:
Frankly, we don’t want to know what you do on the Internet — it’s none of our business — and we’ve taken the technical steps to ensure we can’t.
Google on the other hand, there's no telling what they do with the queries you send them. Well, there's this post but I'm still not very comfortable giving them access to a list of every site I visit. They have tons of data about me already, I don't want a single company having all that info - just look at what companies like Cambridge Analytica can do. It's a bit scary. The same goes for OpenDNS who have the primary selling point of "you can see all the requests you send us". Cloudflare is still a 3rd party who at the end of the day, could do anything with the data. But I'm much happier with them handling my DNS requests than anyone else.
Performance and Reliability
Cloudflare have an absolutely massive network that consists of (at the time of writing) datacentres in 151 cities across 74 countries. They provide DDoS protection which should handle anything that's thrown at it. To say their network is impressive is an understatement. It's built to be reliable, it's built to be fast. They provide a CDN service which caches resources around the world, they support the latest encryption standards, they provide several great services for minifying and speeding up sites. I could go on and on. The point is, they are a forward-thinking security and performance orientated business with a massive network that provides incredibly low latency from anywhere.
So, the DNS resolvers...
Right! You can find the DNS resolvers on the following incredibly memorable IP addresses. Okay, perhaps the IPv6 addresses aren't so memorable, but they're about as memorable as IPv6 can get:
- IPv4: 22.214.171.124
- IPv4: 126.96.36.199
- IPv6: 2606:4700:4700::1111
- IPv6: 2606:4700:4700::1001
I'll be honest, I discovered that they were planning to release this a few days ago, I was impressed then and it's only going to get better as more people use it. The fact that these servers are on the same network as Cloudflare's Authoritative DNS takes a big chunk out of the query time for sites using Cloudflare. It also means that authoritative DNS changes propagate near instantaneously, yay! Oh, and they also host some of the servers for the F-Root this reduces lookup time even further, double yay!
Short link: on-te.ch/1111