DNS over HTTPS, Internet vanity-plate IP addresses

Yesterday CloudFlare announced their open DNS recursive resolver. Many of you will have heard of Google’s free DNS (8.8.8.8), and also are aware that there are others like OpenDNS etc (but ironically would have to Google its IP!). Well, joining the fray is CloudFlare with an IP of 1.1.1.1 (and 1.0.0.1).

And CloudFlare has an interesting bent on it. You see, from the start, they are aiming for DNS privacy. They have retained an auditor to ensure they stay on message. And, they have opted to support DNS over HTTPS (DoH). So why would this matter to you?

Well, DNS leaks a lot of information. For example, if you are opening a browser to https://gmail.google.com/ vs https://meet.google.com/, both go to the same IP and are encrypted. But, DNS rats you out, sending an in-the-clear request first.

Also, DNS can be complicit in man-in-the-middle attacks. One can forge a response (assuming dnssec is not preventing) and sent a user somewhere they do not expect.

But also DNS over HTTPS could be faster. Not if you make a connection per request of course, but, if you are resolving inline with the HTTP and using HTTP/2 features, you could rapidly resolve all the sub-domains of a site as needed, on a single connection.

Now, as an end-user, this is not that easy to enable right now. You can replace your stub-resolver with e.g. stubby. Or you could muck around on your lede/openwrt/… router.

But, if you are using Mozilla, you might find that it automatically enables all of a sudden, right in the browser. This would still leave other apps that use the Internet exposed, but would reduce the attack surface for sure. And, we might find Google Chrome does the same. And between those two browsers, there is a lot of market share (most of it!).

And, I’m guessing, even though you have read this far, you can still remember the IP. 1.1.1.1. Check it out. You can even type it into your browser (https://1.1.1.1/), crazy, they have a certificate issued to an IP!.

Posted

in

by

db

Tags:

Comments

8 Responses to “DNS over HTTPS, Internet vanity-plate IP addresses”

  1. Kyle Larose

    Even better, why not have a website give you some DNS records because you might just need them? https://datatracker.ietf.org/meeting/101/materials/slides-101-doh-opportunistic-dns-00

    Reply
  2. MIchael Dundas

    I switched my laptop to their DNS over the weekend (just my Mac at this point). With Mac, both Safari and Chrome seem to ignore the DNS settings, when pointing to the local client. It will update the DNS servers etc., and you can clearly see them in your Network settings (both GUI and command line), but for me it kept defaulting to Google Servers (ran Wireshark to confirm), even after reboot etc. Removing my DNS settings and setting directly to loopback (127.0.0.1), resolves the issue.
    -mike

    Reply
    1. db

      So this is w/ the traditional UDP-based DNS. Try using the DoH mode. I plan to.

      Reply
  3. Jayme Snyder

    I thought the main thing that prevented 8.8.8.8 and 8.8.4.4 from providing TCP/DoH was that they were originally designed for anycast…

    Might still have to chose between lowest latency or privacy for the time being…

    Reply
    1. db

      the 1.1.1.1 is also anycast. Cloudflare is kind of famous for using it with tcp.

      Reply
      1. Jayme Snyder

        My brain can’t comprehend how they solved the route flapping causing TCP connection re-establishment issues. I have some ideas, none of which are simple/good:
        1. internal re-routing (using SDN / not-really-true-anycast),
        2. not having many points of presence/peers
        3. not caring about performance
        4. rely on the upstream providers to recognize their incompatible BGP configurations and add exceptions

        I wonder why we haven’t seen encrypted DNS over SCTP as an emerging thing yet?

        Reply
        1. db

          no one uses sctp.

          they use anycast to find the right CDN, and then the front end load balancers move it within the cdn. yes the odd tcp flow might get terminated mid flight if they launch a new data centre which is closer to you, but, well, in this case the dns tcp flow will re-establish. in http, well, i guess some one-pixel ad might get killed or something.

          this is for high performance. I’m not sure they disclose how many PoP they have.

          one of the things against sctp is NAT. in the consumer space, if its not TCP or UDP, its not likely to work w/ NAT well (GRE/PPTP kinda does but not well).

          Reply
  4. db

    https://www.cloudflare.com/network/

    shows their map, 151 pop.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *