Cloudflare and Quad9 Aim to Improve DNS

Originally published at: https://tidbits.com/2018/04/20/cloudflare-and-quad9-aim-to-improve-dns/

The domain name system is largely insecure, leaking information and subject to compromise. New services from Cloudflare and Quad9 could provide greater security and integrity than Google Public DNS, currently the best known public DNS service.

If I change DNS on my iMac or iPhone, do I need to change it on my wi-fi router as well? In other words, does the DNS setting on my iMac or iPhone override the setting on my router? If not, I’m thinking I can just change the router DNS and not worry about changing it on individual devices.

Yes, router is easiest. Some provisos:

You can’t change it easily on an iOS device, as you have to change it network by network. So you could change it for your home and routine networks, but Adam Engst has seen these changes not stick, and revert to automatic DNS server assignment as provided by the network gateway.

If you set it on a router, you don’t need to do anything with the devices that connect to the network. However, you might choose to set DNS servers manually on a Mac laptop, as you might want to use those DNS settings when you’re off a network you have control over.

The DNS setting on my iMac or iPhone overrides the setting on your router. Changing it on your router can make it less time consuming for those with multiple devices.

Some missing information that may solve some issues:

The IPv6 addresses should also be entered for Cloudflare in case your ISP uses them:
2606:4700:4700::1111
2606:4700:4700::1001

Some browser extensions that are linked to actual apps may fail to function properly after using the Cloudflare DNS. An example of this is the password manager, “SafeInCloud”. This is a browser issue, not the app, as in Chrome the issue does not occur.

The simple fix is to add “localhost” into the “Search Domains” box the same way you entered IP addresses into the “DNS Server” box, after noting the current search domain and adding it back in after you have entered “localhost” into the search domain.

I personally would appreciate it if you did not add the ‘localhost’ fix into the Cloudflare knowledge base but instead refer them back to this TidBITS article or Apple support or Sonic ISP for assistance, who have received this information. These are organizations that offer real support. Cloudflare’s only support is to refer users of 1.1.1.1 to a community knowledge base, which is essentially no company support, depending on users to fix issues by themselves. As such I prefer to direct users for support to organizations that offer real support and value their users’ time, effort, and contributions by offering actual support from the organization’s employees when it is needed and the information does not exist in self-service support tools.

Cloudflare looks interesting, but how does it compare with DNSCrypt?
I suspect that using both would be counterproductive, so is Cloudflare a better option than DNSCrypt, or are they just alternatives offering the same solution?

I think that DNSCrypt is a protocol that enables the provision of secure DNS. It is an alternative to DNS over HTTPS (DoH), which is what I believe Cloudflare uses. I don’t know how the two compare in practice, but DoH is a standard, I believe.


Do you have an opinion on DNSCloak? It seems like the easiest way to change the DNS on iOS, and the only way to use an alternate DNS for mobile data.

Some routers can override the DNS servers that are set on your device. For more, see

https://www.michaelhorowitz.com/DNS.and.Routers.March.2018.php

So, even a Mac with hard-coded DNS for Cloudflare may well use other DNS servers when at a public WiFi network. The good news is that you can test for this. A list of websites that tell you the DNS servers actually being used is here

https://www.routersecurity.org/testrouter.php#DNSserverTests

If you override DNS settings on a Mac, my recollection is that it doesn’t apply any of the DHCP-provided values. IPv6 responses are returned from IPv4 DNS servers, so that shouldn’t cause any issues to just use IPv4 addresses.

DNSCrypt was a proposal that never got folded into standards.


Interesting option, because from what I can see it uses a profile, which allows it to do this override. I haven’t tested it. I’d rather see Cloudflare and Quad9 develop an iOS profile that you could just install, or a third party develop a 99¢ or $1.99 app, the sole function of which was to let you switch between DNS providers.


Having tested DNSCloak, this seems to be what it is (except it’s free). It lets you choose (a) DNS provider(s) and then you can connect and override the DNS your phone was using. As you say, it does this via a (VPN) profile. I don’t know enough about networks to verify it’s behaving properly, but it looks like it’s working!

DNSCrypt provides secure DNS today, whereas neither of the secure services offered by Cloudflare has been implemented by Apple in macOS or Safari yet. As far as I know, the same is true for all 3rd party Mac browsers.

-Al-

To use DoT encryption, your link to the instructions for installing stubby includes this snippet:

  - address_data: 9.9.9.9
    tls_auth_name: "dns.quad9.net"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: MujBQ+U0p2eZLTnQ2KGEqs+fPLYV/1DnpZDjBDPwUqQ=

If I’m using Cloudflare, do I need to change the 9.9.9.9 to 1.1.1.1 and “dns.quad9.net” to something else?
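Added example, not from this thread and not stubby's own code: a small Python DNS-over-TLS client that does what the stubby stanza above configures, so the two fields in the question map directly to code. The server IP (9.9.9.9 or 1.1.1.1) is only where the TLS connection goes; tls_auth_name is the hostname the resolver's certificate must match, which for Cloudflare is cloudflare-dns.com. The sample response bytes are constructed for the offline parser check, not captured from any resolver.

```python
import socket, ssl, struct, secrets

DOT_PORT = 853  # DNS over TLS, RFC 7858

def build_query(name, qtype=1):
    # Minimal query with the RD bit set; qtype 1 = A record, class 1 = IN.
    header = struct.pack("!HHHHHH", secrets.randbits(16), 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def _skip_name(msg, off):
    # Advance past a domain name, which may end in a 2-byte compression pointer.
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += n + 1

def parse_a_records(msg):
    # Return the IPv4 addresses in the answer section of a response message.
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):            # skip the echoed question
        off = _skip_name(msg, off) + 4
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs

def resolve_over_tls(name, server_ip, auth_name):
    # auth_name is stubby's tls_auth_name: the certificate must chain to a trusted CA
    # and match this hostname, e.g. resolve_over_tls("example.com", "1.1.1.1", "cloudflare-dns.com").
    ctx = ssl.create_default_context()
    with socket.create_connection((server_ip, DOT_PORT), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=auth_name) as tls:
            q = build_query(name)
            tls.sendall(struct.pack("!H", len(q)) + q)   # TCP-style 2-byte length prefix
            f = tls.makefile("rb")
            (length,) = struct.unpack("!H", f.read(2))
            return parse_a_records(f.read(length))

SAMPLE_RESPONSE = bytes.fromhex("123481800001000100000000"  # constructed: id, flags, counts
    "076578616d706c6503636f6d0000010001"  # question: example.com A IN
    "c00c0001000100000e100004c0000201")  # answer: example.com A 192.0.2.1, TTL 3600
```

If the resolver presents a certificate for a different name (or a self-signed one, as a captive portal might), wrap_socket raises ssl.SSLCertVerificationError instead of returning an answer; a pubkey pinset as in the stubby stanza is an extra check on top of this, not a replacement for it.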

Of course this all gets interesting if you set your DNS on the local device (laptop, phone, …) then try and connect via a WiFi that wants you to agree to some terms. Some (many) of them black hole all of your traffic until you ask for a web page. Then they put up their “check this box” or “log in with your credentials” page. They do this by redirecting all your DNS requests to the device they give you via DHCP to their internal authentication whatever. So email and web browsing just hang or give odd errors until you turn off your custom DNS settings and then get the authorization page to load or reload. (If your browser fired up with those 3 windows and 40 tabs, have fun finding the web page you need.) More and more authentication setups are getting better about making this all work without the hassles, but the annoying ones are still plentiful.

And my wife is asking, “why can’t it just work” as we are in some airport concourse for the first and maybe only time in our lives.

David

I’m trying to test Cloudflare DoT encryption over Google Fiber using “stubby”. I keep getting the message “Could not bind on given addresses: Address already in use”. Any idea what I might be doing wrong? Thanks

Stephen

Found my problem.
If the stubby daemon is running before I run a test, I have to kill it in Activity Monitor each time before I run it.
I also found that it will work with or without the tls_pubkey_pinset parameter.

Researchers have found some Chrome VPN extensions leaking DNS info…