Soldato
Everywhere! In March, Cloudflare were bringing a new DC/POP online every single day, I think they were pushing towards 150 DCs
Cloudflare launches new Public DNS
- Thread starter opethdisciple
- Start date
Everywhere! In March, Cloudflare were bringing a new DC/POP online every single day, I think they were pushing towards 150 DCs
Cloudflare is a CDN and has servers pretty much all over, with plans to massively expand the DNS side over the coming months. You'll automatically be routed to the closest/fastest server when you connect (as with many other anycast type systems such as Google).
ICMP in itself isn't the best guide. For example, is ICMP prioritised or unprioritised on the QoS in favour of other traffic (eg DNS queries)?
Run Steve Gibson's DNS bench - ideally after letting it spend half an hour making you a custom list. If you do that, remember to also add in manually any favourite servers using the button at the top, before you run the benchmark. I added the dns.watch ones and the Cloudflare ones, for example. For me, Cloudflare was significantly faster than anyone else overall apart from cached results from Virgin Media (and I'd rather type in IPs manually than use Virgin Media's DNS).
Soldato
Average ping from a virginmedia line in Scotland
Ping to VM DNS 194.168.4.100 = 13ms
Ping to Google 8.8.8.8 = 25ms
Ping to Sky DNS 90.207.238.97 = 29ms
Ping to Cloudflare DNS 1.1.1.1 = 34ms
Ping to Open DNS 208.67.222.222 = 52ms
Ping to VM DNS 194.168.4.100 = 13ms
Ping to Google 8.8.8.8 = 25ms
Ping to Sky DNS 90.207.238.97 = 29ms
Ping to Cloudflare DNS 1.1.1.1 = 34ms
Ping to Open DNS 208.67.222.222 = 52ms
As above but from JANET
Ping to VM DNS 194.168.4.100 = n/a times out
Ping to Google 8.8.8.8 = 7ms
Ping to Sky DNS 90.207.238.97 = 8ms
Ping to Cloudflare DNS 1.1.1.1 = 5ms
Ping to Open DNS 208.67.222.222 = 6ms
I think Cloudflare have a CDN in London and Edinburgh. I'll run the DNS tester thing at home (VM).
Ping to VM DNS 194.168.4.100 = n/a times out
Ping to Google 8.8.8.8 = 7ms
Ping to Sky DNS 90.207.238.97 = 8ms
Ping to Cloudflare DNS 1.1.1.1 = 5ms
Ping to Open DNS 208.67.222.222 = 6ms
I think Cloudflare have a CDN in London and Edinburgh. I'll run the DNS tester thing at home (VM).
Soldato
I'll stick with Unbound and the root servers methinks.
Deleted member 138126
D
Deleted member 138126
From the purity point of view, I agree. However, running your own is *much* much slower because you don't benefit from all the caching and pre-loading of popular domains.
I go for a best of both approach. Unbound with local caching to an SSD, and Cloudflare upstream (over TLS and with DNSSEC) for anything not cached locally yet.
I used to run strictly unbound querying root servers but my new way feels better (and benefits from encryption in addition to DNSSEC).Deleted member 138126
D
Deleted member 138126
Nice one! I have never used DNS over TLS -- is that easy to setup with Unbound? On another note, you probably want the cache to be strictly RAM (unless you are severely constrained).I go for a best of both approach. Unbound with local caching to an SSD, and Cloudflare upstream (over TLS and with DNSSEC) for anything not cached locally yet.
Permabanned
They share the data, not really privacy at all. It's just Facebook/CA all over again.
Deleted member 138126
D
Deleted member 138126
Not even remotely comparable. Comparing APNIC --a 25 year-old non-profit that administers the IP address space for all of APAC-- with Google or the UK Police (Quad9) is absurd. APNIC are 100% above reproach, and although CloudFlare could be nefarious, in reality they have proven through their track record that they are extremely serious about privacy and neutrality. And what would they use the data for, anyway? They have a very clear and successful business model, which is to charge their customers for website caching. The DNS thing just makes it even quicker to access CloudFlare-cached websites -- win-win.
Did you know that your ISP can sniff all of your DNS traffic (and probably does) anyway?
Soldato
UnBound still caches any domains that are popular within my own network though. And for anything not cached it's not really that slow that it's noticeable unless you're looking for it.
Deleted member 138126
D
Deleted member 138126
Sure, but your network is probably just you and your missus and maybe a couple of kids? CloudFlare (and the other DNS providers) have millions of people hitting them constantly, so the cache is always populated and always fresh. Your local cache only stores stuff for as long as the TTL is valid (usually only a few minutes), and then it has to retrieve it again the next time it is requested. The DNS providers are actively pre-caching all these entries for you. It makes a big difference.
Soldato
mmm, wonder if it's worth jamming UnBound into Forwarder Mode and see if I notice a difference.
Deleted member 138126
D
Deleted member 138126
Local caching is still totally worthwhile doing. It's just that forwarding to 1.1.1.1/1.0.0.1 is going to be much quicker than doing local resolution from root.
Soldato
Ok, forwarding is now enabled to CloudFlare's servers. I've also updated my Outbound VPN Rules (Forces DNS requests from VPN hosts through the tunnel) to CloudFlare's servers. I think it feels a little snappier.
Soldato
Decided to give DNS over TLS a bash while I'm in a tinkering mood. Seems that DNS over TLS with the CloudFlare servers is broken at the moment in PfSense. Using Quad9 until it's fixed.
On a related note. I currently use an outbound rule that forces any VPN hosts on my network to send their DNS requests via the VPN tunnel to CloudFlare's servers, preventing DNS leaks. Would I be correct in assuming that this is no longer required when using DNS over TLS? And that if I disable it and allow my VPN hosts to use UnBound, while my DNS requests would be leaking, the packets would be encrypted rendering them useless to any snooping ISPs? Or am I understanding it wrong?
On a related note. I currently use an outbound rule that forces any VPN hosts on my network to send their DNS requests via the VPN tunnel to CloudFlare's servers, preventing DNS leaks. Would I be correct in assuming that this is no longer required when using DNS over TLS? And that if I disable it and allow my VPN hosts to use UnBound, while my DNS requests would be leaking, the packets would be encrypted rendering them useless to any snooping ISPs? Or am I understanding it wrong?
I do believe that if it's browser traffic your referring too that this also needs to be enabled in the browser.
I don't think it's on by default in FireFox. But can be experimentally enabled.
Last edited:
To be honest.... So far I haven't been impressed. Google DNS seems faster for me (I'm in London) in the 3 days since I switched to cloudflare.
Or rather it seems quick at some things and slower at others.
My assumption is that the service is still in its infancy being only 3 days so I'm willing to give it a little more time.
Or rather it seems quick at some things and slower at others.
My assumption is that the service is still in its infancy being only 3 days so I'm willing to give it a little more time.
Last edited:
Soldato
Well, browser traffic would be going via the VPN tunnel so that wouldn't be an issue. I'm specifically talking about DNS requests. Just now I use a rule to force DNS requests from any VPN hosts on my network to use the VPN tunnel, otherwise they would just use UnBound which is set to use the normal WAN interface. This would result in a DNS leak.
I'm assuming that by using DNS over TLS my ISP wouldn't be able to do any snooping using my DNS requests. It would save me having to split DNS routing for VPN hosts.
I'm assuming that by using DNS over TLS my ISP wouldn't be able to do any snooping using my DNS requests. It would save me having to split DNS routing for VPN hosts.
They are indeed sharing the DNS traffic with APNIC but the source code for the DNS server is open source all the privacy and security promises made by cloudflare are being audited by KPMG and the data given over to APNIC is supposedly striped of anything identifiable or profilable so anonymity is promised.
Of course how can anyone be 100% sure. But that's the same with any other DNS or service io the internet.