Cloudflare Launches Free Secure DNS Service
Cloudflare Launches Globally Available Secure Free DNS Resolver
Cloudflare launched a new free service, designed to improve both the speed and the security of the internet, on April Fool’s Day (4/1/2018). But this is no joke. The idea is that 4/1 is geekery four ones, or 220.127.116.11 — the name and heart of the new service.
18.104.22.168 (and 22.214.171.124) is the address of Cloudflare’s new, globally available, free DNS resolver service. It is similar to — but according to Cloudflare — faster and more secure than, Google’s 126.96.36.199 service. Both address speed and security issues in the standard internet DNS look-up process. The biggest problem is security because DNS lookups are primarily controlled by ISPs; and ISPs are commercial organizations seeking to monetize data; and are often heavily controlled or influenced by governments.
In the U.S., ISPs are allowed to sell customer data — including website visits — to marketing firms. In the UK, ISPs are required by law to record and hand over such customer data to law enforcement, intelligence and other government agencies. In Turkey, in 2014, the Turkish government censored Twitter by getting ISPs to block DNS requests for twitter.com — and activists took to the streets to spray paint Google’s 188.8.131.52 DNS service as a workaround. Turkey has a history of using the DNS system for censorship, including a block on Wikipedia in April 2017.
Google’s service is good and fast, and bypasses ISP instigated blocks, but user data is still available to Google. Cloudflare wants to provide an even faster service, but one where no commercial entity can easily monetize the user data, nor government gain access without a court order. Since the firm is committed to never writing that data to disk, and to wiping all log records within 24 hours (to be independently audited by KPMG with a published public report) there will be little historical data available anyway.
“Cloudflare’s business has never been built around tracking users or selling advertising,” blogged Matthew Prince, co-founder and CEO of Cloudflare, on Sunday. “We don’t see personal data as an asset; we see it as a toxic asset.” Cloudflare retains the log data for a maximum of 24 hours for abuse prevention and debugging issues.
“We think it’s creepy that user data is sold to advertisers and used to target consumers without their knowledge or consent,” said Prince. “Frankly, we don’t want to know what people do on the Internet — it’s none of our business — and we’ve designed 184.108.40.206 to ensure that we, along with ISPs around the world, can’t.”
The insecurity of the DNS infrastructure struck the team at Cloudflare, he says, as a bug at the core of the Internet, “so we set out to do something about it.” The firm decided to combine a DNS Resolver with its existing Authoritative DNS service across its worldwide network, but still needed some memorable IP addresses.
Little could be more memorable than 220.127.116.11. This address was held by the APNIC research group, which agreed to provide it to the new service. “We began testing and found that a resolver, running across our global network, outperformed any of the other consumer DNS services available (including Google’s 18.104.22.168),” says Prince.
22.214.171.124 is primarily a consumer service (the IPv6 numbers are 2602:4700:4700::1111 and 2602:4700:4700::1001). Technical details are provided in a separate blog written by director of engineering, Olafur Gudmundsson. The service uses DNS Query Name Minimization defined in RFC7816 to minimize the data sent, and supports privacy-enabled TLS queries on port 853 (DNS over TLS), “so,” he writes, “we can keep queries hidden from snooping networks.”
Furthermore, he adds, “by offering the experimental DoH (DNS over HTTPS) protocol, we improve both privacy and a number of future speedups for end users, as browsers and other applications can now mix DNS and HTTPS traffic into one single connection.”
Cloudflare is working with major browsers, operating systems, app manufacturers, cloud platforms, and router manufacturers to enable DNS over HTTPS. Mozilla is already working to integrate the standard into its Firefox browser:
“Like Cloudflare, Mozilla cares about making the Internet faster and more privacy-conscious so people have a better experience on the web,” says Selena Deckelmann, senior director of engineering, Firefox Runtime at Mozilla. “We are always looking for new technologies like DNS over HTTPS to ensure Firefox is at the cutting edge of speed, privacy and improving life online.”
The resolver is built on the fairly new open source Knot Resolver from CZ NIC — whose original main developer has been working with Cloudflare for more than two years.
The service uses Cloudflare’s 149 data centers distributed around the world. “In March alone, we enabled thirty-one new data centers globally,” as far apart as Pittsburgh and Houston, Reykjavik and Tallinn, and Edinburgh and Bogota, notes Gudmundsson; “and just like every other city in our network, new sites run DNS Resolver, 126.96.36.199 on day-one!”
San Francisco, CA-based Cloudflare was founded in 2009. It has raised a total funding amount of $182,050,000 — the most recent being $110 million Series D funding led by Fidelity Investments in September 2015. It routes traffic through its own global network, blocking DoS attacks, reducing spam and improving performance.
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.