"Cloudflare claims it will be “the Internet’s fastest, privacy-first consumer DNS service.” While OpenDNS and Google DNS both exist, #Cloudflare is focusing heavily on the privacy aspect of its own DNS service with a promise to wipe all logs of #DNS queries within 24 hours."
Thoughts?
https://www.theverge.com/2018/4/1/17185732/cloudflare-dns-service-1-1-1-1
@RunningInCircles @Antanicus I wouldn't trust a company (probably) earning money by data mining that they care about my privacy.
@pskosinski
That *is* my instinctive reaction.
However, I am aware my default position is now "do not trust" and therefore may be unduly dismissive on the basis of bias.
@Antanicus
@Antanicus
This is the same company that requires Tor and other proxy users to do re-CAPTCHA's CAPTCHAs, and re-CAPTCHA is owned by Google, so I'm very cynical about anything Cloudflare does.
@Antanicus I'd rather trust Clownflare than Verizon.
@starbreaker @Antanicus that’s what I’m thinking too, someone has to run DNS servers, I don’t think Google or law enforcement or your ISP is more trustworthy than Cloudflare. Least worst option atm.
@Antanicus April Fools?
@thufir not sure... That's why I'm asking :D
@Antanicus I'm glad there are more options available. My own ISP has a broken DNS, so I can't even use it. (It returns an IP address of their own "helpful" landing page instead of NXDOMAIN, which causes no end of problems for me.)
I do wish we weren't so dependent on corporations doing the right thing with regards to providing DNS services. I guess until we establish an alternative solution to DNS, it's better than no options?
@cstanhope
> I guess until we establish an alternative solution to DNS, it's better than no options?
- cooperatively owned DNS servers could be an option...
@Antanicus I was thinking that too. It's such an esoteric topic and service... I'm trying to think of the structure. It doesn't necessarily seem like something individuals would want to join and contribute to (certainly I would, but I don't know about generally), but perhaps other co-ops would? Like platform co-ops or others? Or perhaps co-op or municipal ISPs?
@cstanhope there are many ways to do this, including a "meta-cooperative" founded and run by other web-related coops (including social.coop)
@Antanicus cloudflare > google > ISP
for more threat models
but cloudflare is not trustworthy either, just closer to trustworthy
@Antanicus It's fast. Much faster than Quad9. Sorry Quad9. I switched.
@Antanicus we need a blockchain-based DNS which is censorship resistant and decentralized (Namecoin?) - Cloudflare is the last DNS on earth I would use
The new Cloudflare DNS resolver looks really good!
Is definitely fast, for me at least it outperforms Google's 8.8.8.8 by a factor of 2-4 for a cached query, and is also noticeably faster for un-cached ones, whether I test from Italy or Iceland.
The DNS-over-TLS and DNS-over-HTTP options are also awesome.
Whether people should trust Cloudflare over Google or OpenDNS or their ISP I cannot say. Different people, different needs... more choice is always good though!
@bob @Antanicus For most people, in the case of DNS, so is your ISP.
Statistically, your ISP is closer to you and your community and MORE LIKELY to be interested in attacking you than Big G or CF. Consider the UK censorship rules.
Being able to choose is a valuable thing. If Cloudflare isn't your adversary, the encrypted DNS lookups are a HUGE benefit.
For certain threat models, this is a big, big win. For others, not so much. The world isn't black/white on this.
@zash That is also a fine choice!
Assuming you have the skills, the time, and anonymity (or just blending in with other "normal" traffic on the network) is not one of your security requirements. 🤓
@zash Weeeelll... I'd settle for routers that get security updates as a start. And prerequisite.
@HerraBRE I'm trying out #quad9 (9.9.9.9) and so far it seems good. So you also have the option to trust a nonprofit partnering with IBM and some infosec firms and cops to block malware domains. No IP-level logging.
@Antanicus
Doesn't mean they aren't directly or indirectly feeding everything in real time to No Such Agency on the back end.
@Antanicus This is a necessary next step. I think I'll be moving my services over.
@Antanicus They log queries?
Seriously WTF? What possible non-evil purpose is there to logging individual DNS queries?
If I was them I would log queries for analysis of DDoS attacks. Which is a thing for DNS. But I would not look at the data unless I needed to and would not use it for evil purposes or sell the data. Because I do my best to follow the System Administrator's Code of Ethics.
@Antanicus why are they keeping logs in the first place?
@Antanicus there's always the bait-and-switch option where it all looks right at first, and then they quietly change the TOS and begin to spy on us for profit.
As a great philosopher once said: "I have altered the deal".
Will have to solve an impossible captcha for every query?
@webmind @Antanicus I think I just found a better alternative: 9.9.9.9 https://www.quad9.net
@NerdResa @webmind @Antanicus Eeh, do we trust IBM?
@webmind @Antanicus @webmind @NerdResa With privacy. I mean, they are an incredibly shape-shifting company.
@mareklach @webmind @Antanicus Well, IBM is just one partner and I'll trust a nonprofit open source thing with multiple partners more to keep each other in check and to actually not store any user data.
But of course, with a growing number of partners, it becomes more likely that there's one you don't like...
@NerdResa @webmind @Antanicus Yeah, I get your point...
@Antanicus at least a group of regular users will learn about DNS privacy issues for the first time while another group of users will realise that their ISP or Google aren't the only options.
@Antanicus
Hmmm.
Watching to see if anyone has good information about this, either positive or negative. Seems interesting.