We meet a service from Cloudflare at 1.1.1.1 and 1.0.0.1, or "the public DNS shelf has arrived!"

    1.1.1.1


    Cloudflare introduced public DNS at:


    • 1.1.1.1
    • 1.0.0.1
    • 2606: 4700: 4700 :: 1111
    • 2606: 4700: 4700 :: 1001

    It is alleged that the "Privacy first" policy is used, so that users can be calm about the content of their requests.


    The service is interesting in that, in addition to the usual DNS, it provides the ability to use DNS-over-TLS and DNS-over-HTTPS technologies , which will greatly prevent providers from listening to your requests along the way of requests and collecting statistics, monitoring, and managing advertising. Cloudflare claims that the announcement date (April 1, 2018, or 04/01 in US notation) was not chosen by chance: what day of the year should “four units” be presented?


    As the audience of Habr is technically savvy, the traditional section "Why do I need a DNS?" I will put it at the end of the post, and here I will outline more practically useful things:


    How to use the new service?


    The simplest is that in your DNS client (or as upstream in the settings of the local DNS server you are using), we indicate the above DNS server addresses. Does it make sense to replace the usual values ​​of Google’s DNS (8.8.8.8, etc.), or the slightly less common Yandex public DNS servers (77.88.8.8 and others) with servers from Cloudflare - they will decide for you, but the speed graph speaks for the newcomer answers, according to which Cloudflare is faster than all competitors (I’ll clarify: measurements were taken by a third-party service, and the speed to a specific client, of course, may differ).


    public DNS speed


    It is much more interesting to work with new modes in which the request flies to the server via an encrypted connection (in fact, the response is returned through it), the mentioned DNS-over-TLS and DNS-over-HTTPS. Unfortunately, they are not supported “out of the box” (the authors believe that this is “so far”), but it’s not difficult to organize their work in their software (or even on their hardware):


    DNS over HTTPs (DoH)


    As the name implies, communication goes on top of the HTTPS channel, which suggests


    1. the presence of a touchpoint (endpoint) - it is located at https://cloudflare-dns.com/dns-query , and
    2. a client who can send requests and receive responses.

    Requests can be either in DNS Wireformat format defined in RFC1035 (sent by the HTTP POST and GET methods), or in JSON format (the HTTP GET method is used). For me personally, the idea of ​​making DNS queries through HTTP requests seemed unexpected, but there is a rational point in it: such a request will go through many traffic filtering systems, parsing responses is quite simple, and making requests is even simpler. The usual libraries and protocols are responsible for security.


    Examples of requests, directly from the documentation:


    GET request in DNS Wireformat format


    $ curl -v "https://cloudflare-dns.com/dns-query?ct=application/dns-udpwireformat&dns=q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB" | hexdump
    * Using HTTP2, server supports multi-use
    * Connection state changed (HTTP/2 confirmed)
    * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
    * Using Stream ID: 1 (easy handle 0x7f968700a400)
    GET /dns-query?ct=application/dns-udpwireformat&dns=q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB HTTP/2
    Host: cloudflare-dns.com
    User-Agent: curl/7.54.0
    Accept: */*
    * Connection state changed (MAX_CONCURRENT_STREAMS updated)!
    HTTP/2 200
    date: Fri, 23 Mar 2018 05:14:02 GMT
    content-type: application/dns-udpwireformat
    content-length: 49
    cache-control: max-age=0
    set-cookie: \__cfduid=dd1fb65f0185fadf50bbb6cd14ecbc5b01521782042; expires=Sat, 23-Mar-19 05:14:02 GMT; path=/; domain=.cloudflare.com; HttpOnly
    server: cloudflare-nginx
    cf-ray: 3ffe69838a418c4c-SFO-DOG
    { [49 bytes data]
    100    49  100    49    0     0    493      0 --:--:-- --:--:-- --:--:--   494
    * Connection #0 to host cloudflare-dns.com left intact
    0000000 ab cd 81 80 00 01 00 01 00 00 00 00 03 77 77 77
    0000010 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 00 01 00
    0000020 01 c0 0c 00 01 00 01 00 00 0a 8b 00 04 5d b8 d8
    0000030 22
    0000031

    POST request in DNS Wireformat format


    $ echo -n 'q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB' | base64 -D | curl -H 'Content-Type: application/dns-udpwireformat' --data-binary @- https://cloudflare-dns.com/dns-query -o - | hexdump
    { [49 bytes data]
    100    49  100    49    0     0    493      0 --:--:-- --:--:-- --:--:--   494
    * Connection #0 to host cloudflare-dns.com left intact
    0000000 ab cd 81 80 00 01 00 01 00 00 00 00 03 77 77 77
    0000010 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 00 01 00
    0000020 01 c0 0c 00 01 00 01 00 00 0a 8b 00 04 5d b8 d8
    0000030 22
    0000031
    

    Same thing using JSON


    $ curl 'https://cloudflare-dns.com/dns-query?ct=application/dns-json&name=example.com&type=AAAA'
    {
      "Status": 0,
      "TC": false,
      "RD": true,
      "RA": true,
      "AD": true,
      "CD": false,
      "Question": [
        {
          "name": "example.com.",
          "type": 1
        }
      ],
      "Answer": [
        {
          "name": "example.com.",
          "type": 1,
          "TTL": 1069,
          "data": "93.184.216.34"
        }
      ]
    }

    Obviously, a rare (if at least one at all) home router can work with DNS this way, but this does not mean that support will not appear tomorrow - and, interestingly, here we can fully implement work with DNS in our application (as it is already going to do) Mozilla , just on Cloudflare servers).


    DNS over TLS


    By default, DNS queries are transmitted without encryption. DNS over TLS is a way to send them over a secure connection. Cloudflare supports DNS over TLS on standard port 853, as prescribed by RFC7858 . The certificate issued for the cloudflare-dns.com host is used, TLS 1.2 and TLS 1.3 are supported.


    The establishment of communication and work on the protocol is approximately as follows:


    • Before establishing a connection with DNS, the client saves cloudflare-dns.com's TLS certificate encoded in base64 SHA256 hash (called SPKI)
    • DNS client establishes a TCP connection with cloudflare-dns.com:853
    • DNS client initiates TLS handshake
    • In the TLS handshake process, the cloudflare-dns.com host presents its TLS certificate.
    • Once a TLS connection is established, the DNS client can send DNS queries over a secure channel, which prevents eavesdropping and falsification of requests and responses.
    • All DNS queries sent over a TLS connection must comply with the specification for sending DNS over TCP .

    Example query through DNS over TLS:


    $ kdig -d @1.1.1.1 +tls-ca +tls-host=cloudflare-dns.com  example.com
    ;; DEBUG: Querying for owner(example.com.), class(1), type(1), server(1.1.1.1), port(853), protocol(TCP)
    ;; DEBUG: TLS, imported 170 system certificates
    ;; DEBUG: TLS, received certificate hierarchy:
    ;; DEBUG:  #1, C=US,ST=CA,L=San Francisco,O=Cloudflare\, Inc.,CN=\*.cloudflare-dns.com
    ;; DEBUG:      SHA-256 PIN: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=
    ;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
    ;; DEBUG:      SHA-256 PIN: PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
    ;; DEBUG: TLS, skipping certificate PIN check
    ;; DEBUG: TLS, The certificate is trusted.
    ;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(AES-256-GCM)
    ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 58548
    ;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1
    ;; EDNS PSEUDOSECTION:
    ;; Version: 0; flags: ; UDP size: 1536 B; ext-rcode: NOERROR
    ;; PADDING: 408 B
    ;; QUESTION SECTION:
    ;; example.com.             IN  A
    ;; ANSWER SECTION:
    example.com.            2347    IN  A   93.184.216.34
    ;; Received 468 B
    ;; Time 2018-03-31 15:20:57 PDT
    ;; From 1.1.1.1@853(TCP) in 12.6 ms

    This option seems to be better suited for local DNS servers serving the needs of a local network or a single user. True, supporting the standard is not very good, but let's hope!


    Two words of explanation about what the conversation is about


    The DNS abbreviation stands for Domain Name Service (so saying "DNS service" is somewhat redundant, the abbreviation already has the word "service"), and is used to solve a simple task - to understand what IP address a particular host name is. Each time a person clicks on a link or enters an address in the address bar of a browser (say, something like " https://habrahabr.ru/post/346430/ "), the person’s computer tries to understand which server should send the request to to receive the contents of the page. In the case of habrahabr.ru, the response from DNS will contain an indication of the IP address of the web server: 178.248.237.68, and then the browser will already try to contact the server with the specified IP address.


    In turn, the DNS server, having received the request "what is the IP address of the host named habrahabr.ru?", Determines whether it knows anything about the specified host. If not, he makes a request to other DNS servers in the world, and, step by step, tries to find out the answer to the asked question. As a result, upon finding the final answer, the data found is sent to the client who is still waiting for them, plus they are stored in the cache of the DNS server itself, which will make it possible to answer a similar question next time much faster.


    A common problem is that, firstly, the data of DNS queries is transmitted in an open form (which allows everyone who has access to the traffic flow to isolate DNS queries and received answers, and then analyze them for their own purposes; this gives the ability to target ads with accuracy for the DNS client, and this is quite a lot!). Secondly, some Internet providers (we will not point fingers, but not the smallest ones) tend to show ads instead of one or another requested page (which is implemented very simply: instead of the specified IP address for a request by the host name habranabr.ru to a person random this returns the address of the provider's web server where the page containing the advertisement is returned). Thirdly, there are Internet access providers that implement a mechanism for fulfilling the requirements to block individual sites,


    Here, you probably need to put a picture from the site http://1.1.1.1/ , which serves to describe the connection to the service. The authors, as you can see, are absolutely confident in the quality of their DNS (however, it is difficult to expect another from Cloudflare):


    image


    You can fully understand the company Cloudflare, the creator of the service: they earn their bread by supporting and developing one of the most popular CDN networks in the world (whose functions include not only distribution of content, but also hosting of DNS zones), and, due to the desire of those , who do not know much about , to teach those whom they do not know , what, where to go in the global network, quite often suffer from blockages addresses of its servers by will not say who- so having a DNS that is not influenced by “shouts, whistles and scribbles” means less harm to their business for the company. And the technical advantages (a trifle, but nice: in particular, for customers of the free Cloudflare DNS, updating the DNS records of resources located on the company's DNS servers will be instant) make using the service described in the post even more interesting.

    Only registered users can participate in the survey. Please come in.

    Will you use the new service?

    • 52.3% Yes, just by specifying it in the OS and / or on the router 395
    • 23.8% Yes, and I will use new protocols (DNS over HTTPs and DNS over TLS) 180
    • 16.5% No, I have enough current servers (this is a public provider: Google, Yandex, etc.) 125
    • 6.2% No, I don’t even know what I’m using now 47
    • 1% I use my recursive DNS with SSL tunnel to them 8

    Also popular now: