1. 22

N.B. the site is actually but Lobsters says that’s an invalid URL.

Related blog post with more technical detail: https://blog.cloudflare.com/dns-resolver-1-1-1-1/


  2. [Comment from banned user removed]

    1. 1

      @dz they committed to a pretty strict privacy policy.

      1. [Comment from banned user removed]

        1. 1

          And what actions are those?

          1. 5

            Having a bug that spewed private user data across caches around the world? Or maybe it was censoring a website because the CEO didn’t like them:


            1. 3

              That’s true, that bug was really bad. For those who don’t know, there was a bug in three of Cloudflare’s add-ons that leaked a small amount of memory. At least they disclosed the bug in an extremely detailed way. And they did a great job of handling it, getting 3rd parties to scrub their caches and so on. Not many companies own up to their mistakes with the same level of honesty as Cloudflare, they have earned my respect for that. What about other companies? Numerous AWS outages just happen and we never really learn why. Were any related to leaked data? Would they tell us if so?

              As for refusing to host certain content, Cloudflare’s blog post explaining the Daily Stormer situation is literally a quick 3 paragraph explanation, followed by 20 paragraphs about why their decision was difficult and dangerous. They discuss regulation, DDoS as vigilante justice, the danger of centralizing the internet, free speech, due process, and the impact this decision has on their warrant canaries. They leveled all the same criticism from your link against themselves, a month before your link was even published. Cloudflare’s post is your link’s second citation.

              And as your link points out, DigitalOcean, DreamHost, GoDaddy, Google, and NameCheap also refused to host that content.

              Cloudflare isn’t perfect, I’m not saying they are. No company is. But we should appreciate companies that actually care about doing good. They provide a free CDN service to small users. They’ve enabled plenty of unencrypted sites to switch to HTTPS-only with no hassle. They’ve been astoundingly transparent about their issues, and responsive to public concerns. Their tech blog is full of excellent educational material. And in a tech landscape that increasingly favors walled garden “big cloud” providers, they provide an easy way to scale up a web service in a way that lets you retain full control of your own servers.

              Do they benefit from all of this as a company? Absolutely. But turning a profit doesn’t suddenly make all of these actions sinister. We have actual evidence that other big tech companies will throw user privacy straight out the window to turn a quick buck.

              So what message would you rather send to big companies?

              1. We appreciate companies that commit to elevating user privacy, provide free services to non-profit groups or individuals, and communicate transparently with the public.
              2. Companies are de facto bad actors who can’t be trusted either way.

              A company needs to make money, that’s just how the world works. The message that companies won’t be trusted or appreciated either way has a subtext: it doesn’t matter what companies do, good or bad, the customers won’t care. Well I care. Cloudflare is way better than most providers in this space. It’s ludicrously harmful to imagine sinister plots that go against their extremely public privacy policy, when there are plenty of companies sitting comfortably out of the public eye actually doing this stuff.

              And it’s naive to think that parroting baseless conspiracy theories does no harm. The world should have learned that a year and a half ago when Führer Cheeto actually fucking won by stirring up paranoia about irrelevant nonsense like Benghazi. Y’all need to get some fucking perspective and stay focused on real issues, rather than attacking a company that’s literally on your side.

            2. [Comment from banned user removed]

              1. 1

                So your accusation is based purely on the technical detail that in order to proxy TLS, you must decrypt it. Unless, is there a way of doing something better than a TCP proxy without decrypting? What open source decentralized tool provides transparent HTTPS DDoS protection, and operates only on encrypted data?

                1. [Comment from banned user removed]

                  1. 3

                    They recommend that you have an HTTP website and let them handle HTTPS.

                    This is a blatant lie[1][2] and I’m disgusted to bother arguing with something so disingenuous.

                    My answer to that is (a) use a TCP proxy (b) don’t do it.

                    Your answer is you have no solution to the problem. I am not impressed.

                    [1]: https://www.cloudflare.com/ssl/

                    Flexible SSL encrypts traffic from Cloudflare to end users of your website, but not from Cloudflare to your origin server. This is the easiest way to enable HTTPS because it doesn’t require installing an SSL certificate on your origin. While not as secure as the other options, Flexible SSL […]

                    [2]: https://support.cloudflare.com/hc/en-us/articles/200170416-What-do-the-SSL-options-mean-

                    Flexible SSL: secure connection between your visitor and Cloudflare, but no secure connection between Cloudflare and your web server. You don’t need to have an SSL certificate on your web server, but your visitors still see the site as being HTTPS enabled. This option is not recommended if you have any sensitive information on your website.

                    1. [Comment from banned user removed]

                      1. 2

                        Show me one sentence from Cloudflare that recommends you run unencrypted HTTP on your server instead of HTTPS.

                        The problem you’re describing is “how to safely give your data to third parties.”

                        Oh weird, I thought I typed “HTTPS DDoS protection.” Oops, typo! The keys are like right next to each other.

                        1. [Comment from banned user removed]

                          1. 2

                            Of course it’s impossible, that’s my entire point. But you’ve presented a misleading trilemma, by applying your personal value system to everyone else. My problem is I have legitimate concerns far more pressing than paranoia about Cloudflare.

                            Mom n’ Pops’ Cupcake Shop simply does not have the resources to build a first party deployment with any amount of resiliency. They don’t care about Cloudflare transparently decrypting their menu or contact information. In fact, they prefer it. When their shared server hosted web site goes down Cloudflare serves cached pages, and they don’t lose any business. If they have an online order system, it’s third party hosted, and not proxied through Cloudflare. Unless the third party system has made a similar risk / reward trade off, and also uses Cloudflare.

                            Would you tell them Cloudflare is “leaking their data.” What data? Are their finances at risk? Is their business at risk?

                            Let’s not be misleading, and ask them to pick from this triangle:

                            • works with HTTPS
                            • handles DDoS, and ordinary load spikes
                            • third party (Cloudflare) doesn’t read website data

                            “Hmmm. My niece is a software engineer and she said HTTPS websites rank higher on Google, so we want that. And load spikes, that’s when we get more website visitors than usual? Oh we definitely want that, visitors are good for business. Doesn’t read our website data, what does that mean? Can’t everyone read our website data by going to the site? Isn’t that the point? We built our website with Squarespace, isn’t our website data already with a third party anyway?”

                            Cloudflare Pro is $20/month. Sell Mom n’ Pop on building their own end-to-end encrypted, first party, DDoS resilient deployment. Just spell out your way, it should seem obvious.

      2. 6

        Quick way to tell if you actually set it up successfully (e.g. I set mine up via my router and wasn’t confident I did it right). Run:

        dig +short whoami.akamai.net | xargs whois | grep OrgName

        If successful, you should get “OrgName: Cloudflare, Inc.”

        Explanation: whoami.akamai.net is set up so that, instead of resolving to an IP as normal, it resolves to the IP of whatever DNS server contacted it. This won’t be because that’s a multicast IP address, but it should be a Cloudflare unicast address. So the 2nd/3rd parts of the pipe look up who owns the address.

        1. 4

Note: despite the launch date, not an April Fools’ joke.

          1. 6

I think they launched on 1st April because 4/1 -> four ones -> 1 1 1 1

            Alternatively they could have waited for 4th January 2018.

          2. 4

            No nice IPv6 addresses though :(


            I wonder why they didn’t go for something shorter.

            1. 4

              Interesting takeaways from the APNIC Labs blog post:

              In setting up this joint research program, APNIC is acutely aware of the sensitivity of DNS query data. We are committed to treat all data with due care and attention to personal privacy and wish to minimise the potential problems of data leaks. We will be destroying all “raw” DNS data as soon as we have performed statistical analysis on the data flow. We will not be compiling any form of profiles of activity that could be used to identify individuals, and we will ensure that any retained processed data is sufficiently generic that it will not be susceptible to efforts to reconstruct individual profiles. Furthermore, the access to the primary data feed will be strictly limited to the researchers in APNIC Labs, and we will naturally abide by APNIC’s non-disclosure policies.

              This joint project has an initial period of five years and may be renewed. Upon the expiration of the initial period, or at any time thereafter, APNIC shall consider a request by Cloudflare for a permanent allocation of these IPv4 addresses to Cloudflare. APNIC undertakes to refer any such request to the regional Address Policy Special Interest Group as a matter of a change to the current research use designation of these IPv4 addresses, and APNIC shall be bound to the outcomes of this policy group.


              1. 3


                1. 2

                  Unpopular opinion time!

These types of services cannot work as marketed. If you don’t use their DNS-over-TLS service, then you’re still sending DNS queries and getting the responses back over plaintext. US ISPs, Comcast being the biggest offender, are known to hijack those requests.

Even with DNS-over-TLS, it’s possible for a passive attacker to infer queries based on packet metadata. The sizes of packets aren’t going to change for when I do an A record lookup for google.com yesterday versus today. A passive attacker could pre-compute the packet data length for the most common domains (Alexa top million, for example).

                  The only real solution is to mix different kinds of traffic in to a network specially crafted for privacy/anonymization, like Tor, which supports tunneling DNS queries.

                  1. 3

                    If you don’t use their DNS-over-TLS service, then you’re still sending DNS queries and getting the responses back over plaintext.

                    Well… yeah. Of course you don’t get any security benefits if you don’t use TLS. (Well, even without it you do get some, but it really buys you very little.)

                    Even with DNS-over-TLS, it’s possible for a passive attacker to infer queries based on packet metadata. The size of packets aren’t going to change for when I do an A record lookup for google.com yesterday versus today.

                    You can pad an HTTPS query URL with random data. Google even documents it.
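Added example, not from any commenter in this thread, illustrating the two comments above: DNS-over-TLS and DNS-over-HTTPS carry the ordinary DNS wire-format message inside the encrypted channel, and the ciphertext length tracks the plaintext length, so an observer who precomputes query sizes for a list of popular names can match them. The standard countermeasure is the EDNS(0) Padding option (RFC 7830, option code 12) with the block policy from RFC 8467 (queries padded to the next multiple of 128 bytes). The advertised EDNS buffer size and the sample name list are assumptions made for this example.

```python
# Added example (not from the thread): how a passive observer fingerprints DNS queries by
# length, and how EDNS(0) Padding (RFC 7830) with the RFC 8467 block policy defeats it.
# The EDNS buffer size and the sample name list are assumptions.
import struct
from typing import Dict, Optional, Set

OPT_PADDING = 12       # EDNS(0) option code: Padding (RFC 7830)
QUERY_BLOCK = 128      # RFC 8467: pad queries to the next multiple of 128 bytes
UDP_PAYLOAD = 1232     # advertised EDNS buffer size (assumption)


def encode_name(name: str) -> bytes:
    """DNS wire format for a name: length-prefixed labels, then a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, txid: int = 0x1234, pad_to: Optional[int] = None) -> bytes:
    """Build an A query for `name`. With pad_to set, append an OPT RR whose Padding
    option brings the whole message to the next multiple of pad_to bytes."""
    arcount = 1 if pad_to else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # flags: RD only
    question = encode_name(name) + struct.pack("!HH", 1, 1)          # QTYPE=A, QCLASS=IN
    msg = header + question
    if pad_to is None:
        return msg
    # Fixed part of the OPT RR (root name + TYPE/CLASS/TTL/RDLENGTH = 11 bytes)
    # plus the 4-byte option header; the padding fills whatever remains to the block.
    base_len = len(msg) + 11 + 4
    pad_len = (-base_len) % pad_to
    rdata = struct.pack("!HH", OPT_PADDING, pad_len) + b"\x00" * pad_len
    opt = b"\x00" + struct.pack("!HHIH", 41, UDP_PAYLOAD, 0, len(rdata)) + rdata
    return msg + opt


def parse_padding(msg: bytes) -> Optional[int]:
    """Return the Padding option length carried in the query's OPT RR, or None."""
    qdcount = struct.unpack("!H", msg[4:6])[0]
    arcount = struct.unpack("!H", msg[10:12])[0]
    pos = 12
    for _ in range(qdcount):
        while msg[pos] != 0:                  # walk labels; queries carry no compression
            pos += 1 + msg[pos]
        pos += 1 + 4                          # terminator + QTYPE/QCLASS
    for _ in range(arcount):
        if msg[pos] != 0:
            return None                       # OPT RRs are always root-named
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[pos + 1:pos + 11])
        pos += 11
        end = pos + rdlen
        if rtype == 41:
            while pos + 4 <= end:
                code, olen = struct.unpack("!HH", msg[pos:pos + 4])
                if code == OPT_PADDING:
                    return olen
                pos += 4 + olen
        pos = end
    return None


def length_table(names, pad_to: Optional[int] = None) -> Dict[int, Set[str]]:
    """The observer's precomputed table: message length -> names that produce it."""
    table: Dict[int, Set[str]] = {}
    for n in names:
        table.setdefault(len(build_query(n, pad_to=pad_to)), set()).add(n)
    return table


# Constructed stand-in for "the Alexa top million".
SAMPLE_NAMES = ["google.com", "en.wikipedia.org", "lobste.rs", "blog.cloudflare.com", "example.org"]

if __name__ == "__main__":
    for pad in (None, QUERY_BLOCK):
        print("padding:", pad)
        for length, names in sorted(length_table(SAMPLE_NAMES, pad).items()):
            print(f"  {length:4d} bytes -> {sorted(names)}")
```

Unpadded, every sample name produces a distinct message length, so the length alone identifies the name; with 128-byte block padding all five collapse into one bucket. The same OPT RR is what a DoT or DoH client (or a padding-aware stub resolver) sends; padding the responses is the resolver's side of the job, which is why the option only helps when both ends apply it.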

                    1. 3

                      Cloudflare actually addresses that in their blog post:

                      While DNSSEC ensures integrity of data between a resolver and an authoritative server, it does not protect the privacy of the “last mile” towards you. DNS resolver,, supports both emerging DNS privacy standards - DNS-over-TLS, and DNS-over-HTTPS, which both provide last mile encryption to keep your DNS queries private and free from tampering.

                      An attacker can also observe server name indication in your TLS connections to see who you’re contacting anyway. Preventing hijacking is much more significant in my opinion.
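Added example, not from any commenter in this thread, for the point made in the comment above: the Server Name Indication extension in a TLS ClientHello is sent in the clear before any key exchange, so an on-path observer learns the hostname regardless of how the DNS lookup was protected. The builder below produces a minimal ClientHello with constructed values (zeroed random, one cipher suite) purely as input for the parser; the captured record list is likewise constructed.

```python
# Added example (not from the thread): a passive observer reading the Server Name
# Indication from a TLS ClientHello, which is sent in the clear before any key exchange.
# The ClientHello builder uses constructed values (zero random, one cipher suite) and
# exists only to produce realistic input for the parser.
import struct
from typing import List, Optional

CONTENT_HANDSHAKE = 0x16
HANDSHAKE_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000


def build_client_hello(server_name: str) -> bytes:
    """Minimal TLS record carrying a ClientHello with a single host_name SNI entry."""
    host = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(host)) + host            # name_type host_name(0)
    sni_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    extensions = struct.pack("!H", len(ext)) + ext
    body = (
        b"\x03\x03" + bytes(32)                # client_version, random (constructed zeros)
        + b"\x00"                              # session_id: empty
        + struct.pack("!H", 2) + b"\x13\x01"   # cipher_suites: TLS_AES_128_GCM_SHA256 only
        + b"\x01\x00"                          # compression_methods: null
        + extensions
    )
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([CONTENT_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello record, or None if absent/not a ClientHello."""
    try:
        if record[0] != CONTENT_HANDSHAKE:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != HANDSHAKE_CLIENT_HELLO:
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                               # skip version + random
        pos += 1 + body[pos]                                       # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]       # cipher_suites
        pos += 1 + body[pos]                                       # compression_methods
        if pos + 2 > len(body):
            return None                                            # no extensions at all
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if etype == EXT_SERVER_NAME:
                list_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
                p = pos + 2
                while p + 3 <= list_end:
                    name_type = body[p]
                    nlen = struct.unpack("!H", body[p + 1:p + 3])[0]
                    if name_type == 0:
                        return body[p + 3:p + 3 + nlen].decode("ascii")
                    p += 3 + nlen
            pos += elen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def observed_hosts(records: List[bytes]) -> List[str]:
    """What an on-path observer learns from a capture: every SNI seen, in order."""
    return [name for name in (extract_sni(r) for r in records) if name]


# Constructed capture: two ClientHellos with one application-data record in between.
CAPTURE = [
    build_client_hello("blog.cloudflare.com"),
    bytes([0x17, 0x03, 0x03, 0x00, 0x05]) + b"\x00" * 5,  # encrypted app data, opaque
    build_client_hello("lobste.rs"),
]

if __name__ == "__main__":
    print(observed_hosts(CAPTURE))
```

The parser deliberately walks the handshake the way a passive tap would: it never needs a key, only the framing. Truncated or non-handshake records yield None rather than an exception, which is what you want when running this over a real capture.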

                      1. 2

                        Not all resolvers support DNSSEC. Not all people even like or trust DNSSEC.

                        Either way, I don’t buy that Cloudflare’s solution, especially when using plaintext DNS, enhances security. It simply allows more entities to snoop and/or modify your data en-route.

                        1. 2

                          That’s true, your ISP can still snoop the DNS traffic going to Cloudflare. But it does make it harder for them to send you bogus records than if you were querying them directly. Assuming Comcast isn’t modifying my traffic in flight, which I agree is sadly a big assumption, I trust Cloudflare more. Right now I use Google DNS, which has all the same problems you’re describing. At minimum, I’m happy Cloudflare is championing a more secure version of DNS (over HTTP / TLS), even if it isn’t perfect.

                          I have considered setting up a recursive DNS resolver on a $2.50/mo VPS and tunneling DNS from my home network to there. The IANA of course provides the root information for the root DNS servers, so it wouldn’t be that hard.

                          So I guess I don’t disagree with you. DNS is a complete shitshow one way or another, there’s no way to deny that. Unpopular or not, your opinion is objectively correct. It’s more of an uncomfortable fact than an opinion.

                          1. 1

It’s trivial for an ISP to anycast announce and wholly within their own network, capturing all of your DNS requests anyway. They can configure (or not, who would even notice?) all the same features available on CloudFlare or Google. I would be very surprised if people are not already doing it. If you wanted to be sneaky about it you can even set up a reverse proxy for the web content.

                            1. 1

                              Some Linux nerd might run traceroute and blog about it.

                              In any case, if you’re using Cloudflare DNS over HTTPS, they can’t forge Cloudflare’s certificate.

                    2. 0