Cloudflare Announces 1.1.1.1: The Fastest, Privacy-First Consumer DNS Service

Megalith
Cloudflare has launched a new DNS service, 1.1.1.1, which promises both speed and privacy, allowing users to keep their website queries private. According to DNSPerf’s current rankings, 1.1.1.1 is placed first with a query speed of 14.24 ms. Users may visit https://1.1.1.1/ from any device to get started.

What many Internet users don't realize is that even if you're visiting a website that is encrypted — has the little green lock in your browser — that doesn't keep your DNS resolver from knowing the identity of all the sites you visit. That means, by default, your ISP, every wifi network you've connected to, and your mobile network provider have a list of every site you've visited while using them.
 
This only affects the first time you establish a contact to a server. So the performance part is highly debatable.
 
I've been using the Quad 9 DNS for a while now. I might have to give this a go if it is legit.
 
It may well be legit, but the ping to 1.1.1.1 is slower than to 8.8.8.8:

Cloudflare:

$ ping -c5 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=57 time=13.3 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=57 time=14.0 ms
64 bytes from 1.1.1.1: icmp_seq=3 ttl=57 time=13.1 ms
64 bytes from 1.1.1.1: icmp_seq=4 ttl=57 time=13.5 ms
64 bytes from 1.1.1.1: icmp_seq=5 ttl=57 time=13.1 ms

--- 1.1.1.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4004ms
rtt min/avg/max/mdev = 13.169/13.489/14.097/0.349 ms


Google:

$ ping -c5 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=59 time=11.8 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=59 time=10.8 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=59 time=11.3 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=59 time=10.4 ms
64 bytes from 8.8.8.8: icmp_seq=5 ttl=59 time=12.0 ms

--- 8.8.8.8 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4008ms
rtt min/avg/max/mdev = 10.445/11.304/12.078/0.617 ms


Again, this is purely anecdotal, and from my box, YMMV.
 
Even when you encrypt DNS traffic, which I did, your ISP can still see the IP address you're connected to. That's why the internet works.
 
Impressive! When I ran this years ago goog used to come out on top. Nothing on the network but the benchmark.

 
"Nearly every media briefing I did this week ahead of the launch the reporter made me swear that this wasn't a joke. And it's not. I swear. And the best way to prove that is go to 1.1.1.1, follow the instructions to set it up, and see for yourself. It's real. And it's awesome."
I get "problem loading page" when I try it: https://1.1.1.1/
 
They're basically the same for me, though CloudFlare has two more hops to go through...so I guess in a way, they're faster....

Pinging 1.1.1.1 with 32 bytes of data:
Reply from 1.1.1.1: bytes=32 time=16ms TTL=53
Reply from 1.1.1.1: bytes=32 time=16ms TTL=53
Reply from 1.1.1.1: bytes=32 time=17ms TTL=53
Reply from 1.1.1.1: bytes=32 time=15ms TTL=53
Ping statistics for 1.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 15ms, Maximum = 17ms, Average = 16ms

Pinging 8.8.8.8 with 32 bytes of data:
Reply from 8.8.8.8: bytes=32 time=15ms TTL=55
Reply from 8.8.8.8: bytes=32 time=17ms TTL=55
Reply from 8.8.8.8: bytes=32 time=16ms TTL=55
Reply from 8.8.8.8: bytes=32 time=16ms TTL=55
Ping statistics for 8.8.8.8:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 15ms, Maximum = 17ms, Average = 16ms
 
Ping times are not the same as time the nameserver takes to respond. Round trip (ping) is certainly worth taking into consideration, but it is simply one part of the transaction and the performance of that.

 
This is a requirement for the packets to be routed. Otherwise how would they know where you want your packets to go exactly?

Even when you encrypt DNS traffic, which I did, your ISP can still see the IP address you're connected to. That's why the internet works.
 
Performance could be really good while it's new and no one is using it. What about under load? I bet the server response time goes up.
 


rdns on this one is set the same, not sure if that was intentional...

 
Ok, is it an April Fools annoyance, or is it real? I'm using Mediacom and wouldn't mind using a different DNS server. I'm clueless as to what a better one might be. Any ideas?
 
Ok, is it an April Fools annoyance, or is it real? I'm using Mediacom and wouldn't mind using a different DNS server. I'm clueless as to what a better one might be. Any ideas?

Looks real to me...

 
Well, people looking at it and using it is fine. But let's ask the important question: why was it created?

APNIC and Cloudflare entered a research agreement,
https://labs.apnic.net/?p=1127

"The joint research project involves the operation of an open public DNS resolution service using IPv4 address prefixes that the APNIC Address Policy SIG has set aside for research purposes"

What will they use this data for? From what I've read they will keep logs and analyze them for a maximum of a year, for 5 years.

"unique opportunity to gain some valuable insight into the query behaviour of the DNS in today’s Internet and will allow us to further our existing research activities in looking at the DNS."

The overall lack of information on what they will do with the data, and how the "privacy" works with them, makes it pro bono "free" data mining.

Yes, they say it's very private, but they do not go into detail on how it is private.
Where are the legal documents? I didn't find any.

While with Google we do know for sure they collect everything and use it for data mining; with them it's unknown.

Still, 1dot1dot1dot1.cloudflare-dns.com (if we change 1 to i, it comes out similar to idiot).
nslookup
Code:
Default Server:  resolver1.opendns.com
Address:  208.67.222.222

> server 1.1.1.1
Default Server:  1dot1dot1dot1.cloudflare-dns.com
Address:  1.1.1.1

> google.com
Server:  1dot1dot1dot1.cloudflare-dns.com
Address:  1.1.1.1

DNS request timed out.
   timeout was 2 seconds.
DNS request timed out.
   timeout was 2 seconds.
DNS request timed out.
   timeout was 2 seconds.
DNS request timed out.
   timeout was 2 seconds.
*** Request to 1dot1dot1dot1.cloudflare-dns.com timed-out
 
Yeah, I think I'll wait a bit. I still think that shenanigans are afoot, and my ISP DNS isn't really that bad.
 

For reference, you can check a server more easily than having to change your IP settings. If you append the server name after the entry you want to look for, it will use that server you specify. You might already know that, but maybe someone else here does not.

So instead of doing:

"nslookup www.google.com"

do

"nslookup www.google.com 1.1.1.1"

and that will use Cloudflare's DNS to check for an entry, but you won't have to switch any settings around. Useful for troubleshooting if you wanted to check several DNS servers to make sure your record propagated correctly.
 

Click for click, keystroke for keystroke, it sounds an awful lot like the same amount of work/effort. I'll still file that away for future use though...

It's not often I have to provide evidence for something to not be an April Fools joke... However, I can envision myself using that extra command variable at some time in the future...
 

Well, it does save the 10 clicks it takes now to get into the adapter properties pane to switch the entry, and you don't have to switch it back either. You just pop open a command prompt / PowerShell by right-clicking on Start and choosing one of those, and type out the command real quick. But I think it's a big time saver if you were trying to check several different DNS servers at the same time. If I published a new DNS record, I can type nslookup blahblah.entry.com 1.1.1.1, hit Enter, hit the up arrow, hit Backspace a couple of times, then type 4.2.2.1, hit Enter; up arrow, Backspace, 8.8.8.8, etc. It's definitely faster if you're making DNS changes and want to make sure they make it out on the internet.
 



Today's lesson was brought to us by...

 
I tried it out. While web pages pop a lot faster, ping tells me a different story when compared to Google (8.8.8.8):


Pinging 1.1.1.1 with 32 bytes of data:
Reply from 1.1.1.1: bytes=32 time=14ms TTL=55
Reply from 1.1.1.1: bytes=32 time=14ms TTL=55
Reply from 1.1.1.1: bytes=32 time=14ms TTL=55
Reply from 1.1.1.1: bytes=32 time=14ms TTL=55

Ping statistics for 1.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 14ms, Maximum = 14ms, Average = 14ms

C:\Windows\system32>ping 8.8.8.8

Pinging 8.8.8.8 with 32 bytes of data:
Reply from 8.8.8.8: bytes=32 time=3ms TTL=56
Reply from 8.8.8.8: bytes=32 time=2ms TTL=56
Reply from 8.8.8.8: bytes=32 time=2ms TTL=56
Reply from 8.8.8.8: bytes=32 time=2ms TTL=56

Ping statistics for 8.8.8.8:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 2ms, Maximum = 3ms, Average = 2ms


For my own part while CloudFlare may (supposedly) be more secure, for me Google is WAY faster.
 
Run local DNS servers, add 1.1.1.1 to the list of forwarders. Nothing is faster than that.
 
Remember, when testing this stuff.

Ping is, quite literally, irrelevant. Not sure why people keep testing ping. It is no indication of how DNS responses will be.
 
Actually, pinging the DNS servers themselves: any numbers you get from that are added to the overall response time it takes when resolving host names. Granted, a DNS server can have a very fast ping but still be slow in resolving names, which could offset that advantage. Regardless of the DNS service you use, it will be dependent on the speed of its list of upstream domain name resolvers to operate, which may or may not be particularly fast.
 

Still irrelevant. Ping is low priority response among all things. It is possible to have a high ping, and packet loss, but perfect response time for DNS results.
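As an added example (not from the thread, Cloudflare or Google), a small Python script that times an actual DNS lookup against each resolver instead of an ICMP ping, which is what the last few posts argue is the number that matters, and which does in one run what the nslookup-with-server trick above does by hand. It builds the query itself so it needs only the standard library, and it rejects any reply whose transaction ID does not match the one it sent; the resolver addresses and hostname are the ones the thread already uses, and the millisecond figures will of course differ per network.

```python
import random, socket, struct, time

def build_query(name, txid=0x1234):
    """Minimal DNS A query in RFC 1035 wire format, recursion desired."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def skip_name(buf, off):
    """Offset just past a name, handling a compression pointer (0xC0..)."""
    while True:
        ln = buf[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:
            return off + 2
        off += 1 + ln

def parse_answer(buf, txid):
    """Return rcode and A-record IPs; reject replies whose ID does not match."""
    rid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", buf[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch: stray or spoofed reply")
    off = 12
    for _ in range(qd):
        off = skip_name(buf, off) + 4  # past QTYPE/QCLASS
    ips = []
    for _ in range(an):
        off = skip_name(buf, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", buf[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in buf[off:off + 4]))
        off += rdlen
    return {"rcode": flags & 0xF, "ips": ips}

def time_resolver(server, name, timeout=2.0):
    """One UDP query to server:53; wall-clock answer time in ms, not ICMP RTT."""
    txid = random.getrandbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t0 = time.perf_counter()
        s.sendto(build_query(name, txid), (server, 53))
        data, _ = s.recvfrom(512)
        ms = round((time.perf_counter() - t0) * 1000, 1)
    return {"server": server, "ms": ms, **parse_answer(data, txid)}

if __name__ == "__main__":
    for ip in ("1.1.1.1", "8.8.8.8"):  # the two resolvers the thread compares
        print(ip, time_resolver(ip, "www.google.com"))
```

A resolver that does not answer within the timeout raises socket.timeout, which is the same failure the nslookup transcript earlier in the thread shows; run it a few times, since the first query is the uncached one.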
 
Provided it is real, does it do better than Google?

Google does better than my local Charter DNS.

What is the ointment on the fly?
 
Even when you encrypt DNS traffic, which I did, your ISP can still see the IP address you're connected to. That's why the internet works.

Yes, but they can't redirect DNS requests to their own DNS servers and manipulate the results with this setup. ISPs have started doing this to inject their own ads in websites.
 
Fastest DNS when it's up. Cloudflare users know what that means.
 
I use OpenDNS at the router level and I guess I'll take a look into this later after work.

I've had no issues with OpenDNS, though I suppose I could and should run several benches for DNS Inquiries and use one of the better results.
 
Changed my pihole to use this. Seems nice and responsive.
 