Cloudflare announces new DNS service

Interesting. Name bench (https://code.google.com/archive/p/namebench/downloads) does indeed show that 1.1.1.1 is much faster than what I was using from my ISP. However, how come it is much faster (11 ms mean response time vs 40 ms mean response time) to use 1.1.1.1 directly in my devices, instead of dnsmasq running on 192.168.1.1 as a forwarder for 1.1.1.1. Shouldn't this last option be just as quick in the worst case scenario?

Edit: Now the response time went down for 192.168.1.1 as well, and it is matching/beating 1.1.1.1 (due to dnsmasq's caching). Nice!

You should also note that the default size of Dnsmasq cache is only 150, not that many hosts. I have increased that to 1000 in my own builds, so more addresses are remembered by the router.

I have been using Quad9 (9.9.9.9) for a while now, and just added 1.1.1.1

So far, performance has been good.

Where can this variable be configured? Or does this need to be compiled in?

Also, I have changed the DNS settings in /etc/config/network by adding an option peerdns '0' and option dns '1.1.1.1 1.0.0.1' to my WAN interface. Is that the best way to do it? Because dns forwardings can also be defined in dnsmasq and I am not entirely sure what the correct way would be.

Also, lastly, how would I configure their IPv6 DNS servers? I've added them to the same /etc/config/network file, but the LuCI overview page shows Cloudflare IPs for IPv4, but my ISP DNS IPs for IPv6. Usually, these options should probably be used under the wan6 pseudo-interface; however, since I am using PPPoE I don't have a separate wan6 interface.

In dnsmasq config: option cachesize
I compile it to the default dnsmasq package config, but it can be set quite normally in the config file.

https://wiki.openwrt.org/doc/uci/dhcp

Name: cachesize | Type: integer | Default: 150 | Option: -c | Description: Size of dnsmasq query cache.

My patch for the default config file included in the build:

--- a/package/network/services/dnsmasq/files/dhcp.conf
+++ b/package/network/services/dnsmasq/files/dhcp.conf
@@ -10,6 +10,7 @@ config dnsmasq
    option domain   'lan'
    option expandhosts  1
    option nonegcache   0
+   option cachesize    1000
    option authoritative    1
    option readethers   1
    option leasefile    '/tmp/dhcp.leases'
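Review bot: the added `option cachesize 1000` line changes the shipped default for every user of the build but carries no rationale; since the thread itself asks how large a cache a device's memory can support, the change description should state the memory cost of a larger cache and why 1000 was chosen. Also note that /etc/config/dhcp is a preserved configuration file, so a default changed in dhcp.conf only reaches fresh installs; routers upgraded in place keep their existing file and need the option edited by hand.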

Edit /etc/config/dhcp to include "option cachesize 1000" and restart dnsmasq
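The two configuration steps discussed above (Cloudflare upstreams with the ISP resolvers disabled in /etc/config/network, and a larger dnsmasq cache in /etc/config/dhcp) as one added example, not code from any post in this thread. It assumes a stock OpenWrt layout where the WAN interface is named `wan` and the first dnsmasq section is the active one; the batch is generated separately from applying it so it can be reviewed first.

```shell
#!/bin/sh
# Added example (not from this thread): emit and optionally apply a `uci batch`
# script that sets Cloudflare as the only upstream and enlarges the dnsmasq cache.
# Assumptions: WAN interface is 'wan', first dnsmasq section is the active one.

CF_V4="1.1.1.1 1.0.0.1"
CF_V6="2606:4700:4700::1111 2606:4700:4700::1001"

# Print the uci batch for a given cache size (default 1000, as in the thread).
# Kept separate from dns_apply so the change can be inspected or tested offline.
dns_uci_batch() {
    cache="${1:-1000}"
    cat <<EOF
set network.wan.peerdns='0'
set network.wan.dns='${CF_V4} ${CF_V6}'
set dhcp.@dnsmasq[0].cachesize='${cache}'
commit network
commit dhcp
EOF
}

# Apply the batch on the router. Refuses to run where uci is absent (e.g. on a
# desktop) and reloads only the services whose configuration changed.
dns_apply() {
    command -v uci >/dev/null 2>&1 || { echo "uci not found" >&2; return 1; }
    dns_uci_batch "$1" | uci batch || return 1
    /etc/init.d/network reload && /etc/init.d/dnsmasq restart
}
```

Whether the IPv6 resolvers set here also replace the ones learned over PPPoE depends on how the IPv6 side of the WAN is configured, which the thread leaves open.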

I struggled to find the correct place to config dns for a long time. I do not consider the user guide for dns readable and think that there could be some type of simplified overview for DNS settings (for the noobs). I think if the Status => Network section shows the values you probably got it.

I found that if you go to https://1.1.1.1/ and scroll down to the setup section, you can find these values

For IPv4: 1.1.1.1 and 1.0.0.1
For IPv6: 2606:4700:4700::1111 and 2606:4700:4700::1001

This is a great tip!

Is there any guideline related to the devices memory and how large a cache a device can support?

Where do I find the list of currently cached entries?

I have been testing DNS servers using namebench and GRC Benchmark.

namebench does not appear to have been updated since 2010 (V1.3.1), but there is a GitHub branch that is more current. It appears the values in the V1.3.1 namebench.cfg entries are quite outdated. I have taken the Live Wire 2018 DNS links and added them to the file. I assume maintaining the servers list is problematic based on the original GitHub project's issues list.

GRC Benchmark appears more up to date and the latest version includes both quad9 and CloudFlare DNS, but reports CloudFlare as MEGAPATH2-US - MegaPath Networks Inc., US. I have submitted a note to Steve Gibson on this.

I ran this twice, once using the global (default) list which did show 1.1.1.1 as the fastest, but when I used the option to build a list of local DNS's, 1.1.1.1 was not on the list. Fortunately you can build and edit your own list if you like.

I am not sure where the issue lies, but GRC Benchmark does not seem to recognize that I have additional DNS servers configured (results show only the router's primary IP as a red "dot"; conclusions are similar).

DNS updates for namebench.cfg. Trim as desired.


Cannot help but think what the catch is: nothing is ever free and they have to have a plan to make money...

They already do

From this DNS service? I wonder how if they promise not to monetize the information...

No from other sources. This service is subsidized by them.

Right, I have also just realized that they could have a paid business DNS service. I am just always suspicious of claims of free, which end up having pretty significant other costs that are not directly monetary to the user...

They offer caching and ddos protection etc. Having a DNS network is probably something they already need in place, offering it to the public is then a form of advertising...


The real question is whether they advertise their product to customers or if they sell their users to advertisers.

It's most likely the former.

Yes, I should have been more specific. Since they have an auditor in place to show that they don't record the IP addresses on disk, and wipe their in-RAM logs after 24 hours or whatever it was they say, I think this is a way to advertise their services to customers, to say to customers in essence: "Look at how good we are at doing this important thing... we also do a lot of other stuff we'd like to sell you and we do it just as well"

Be cautious about using it. Cloudflare's DNS service was possibly hijacked by a Chinese company.

Beginning at 2018-05-29 08:09:45 UTC, we detected a possible BGP hijack.
Prefix 1.1.1.0/24, is normally announced by AS13335 Cloudflare Inc.

But beginning at 2018-05-29 08:09:45, the same prefix (1.1.1.0/24) was also announced by ASN 58879.

This was detected by 14 BGPMon peers.

Source: https://bgpstream.com/event/138295