Cloudflare DNS DNSSEC 1.1.1.1 [hide your DNS]

[nate]

Anyone else take this DNS nameserver for a spin?

DNS1= 1.1.1.1 DNS2= 1.0.0.1

https://1.1.1.1/

I set it for the DNS in my router and configured my VPN servers to push it through the DHCP request and from the little testiing I've done so far no IP addresses for DNS show up on regular leak test sites.. (except for dnsleaktest.com)

If you read what its suppose to do it does a bunch of stuff... I did a search for Cloudflare here and only pulled results regarding their other services for cache websites when they go off line. I remember when they launched this thing a month or two ago but I got the impression it was only suppose to translate your DNS results nano seconds faster.... Didnt know all the other stuff it does.

DNS over HTTPS
Even if you are visiting a site using HTTPS, your DNS query is sent over an unencrypted connection. That means that even if you are browsing https://cloudflare.com, anyone listening to packets on the network knows you are attempting to visit cloudflare.com.

The second problem with unencrypted DNS is that it is easy for a Man-In-The-Middle to change DNS answers to route unsuspecting visitors to their phishing, malware or surveillance site. DNSSEC solves this problem as well by providing a mechanism to check the validity of a DNS answer, but only a single-digit percentage of domains use DNSSEC.

To combat this problem, Cloudflare offers DNS resolution over an HTTPS endpoint. If you build a mobile application, browser, operating system, IoT device or router, you can choose for your users to use the DNS over HTTPS endpoint instead of sending DNS queries over plaintext for increased security and privacy of your users.

What do you think?

[treyallover]

Quote:

Originally Posted by nate

Anyone else take this DNS nameserver for a spin?

DNS1= 1.1.1.1 DNS2= 1.0.0.1

https://1.1.1.1/

I set it for the DNS in my router and configured my VPN servers to push it through the DHCP request and from the little testiing I've done so far no IP addresses for DNS show up on regular leak test sites.. (except for dnsleaktest.com)

If you read what its suppose to do it does a bunch of stuff... I did a search for Cloudflare here and only pulled results regarding their other services for cache websites when they go off line. I remember when they launched this thing a month or two ago but I got the impression it was only suppose to translate your DNS results nano seconds faster.... Didnt know all the other stuff it does.

DNS over HTTPS
Even if you are visiting a site using HTTPS, your DNS query is sent over an unencrypted connection. That means that even if you are browsing https://cloudflare.com, anyone listening to packets on the network knows you are attempting to visit cloudflare.com.

The second problem with unencrypted DNS is that it is easy for a Man-In-The-Middle to change DNS answers to route unsuspecting visitors to their phishing, malware or surveillance site. DNSSEC solves this problem as well by providing a mechanism to check the validity of a DNS answer, but only a single-digit percentage of domains use DNSSEC.

To combat this problem, Cloudflare offers DNS resolution over an HTTPS endpoint. If you build a mobile application, browser, operating system, IoT device or router, you can choose for your users to use the DNS over HTTPS endpoint instead of sending DNS queries over plaintext for increased security and privacy of your users.

What do you think?

I realize I am bumping an old thread but I thought I would share my knowledge on this subject.

DNS over HTTPS is an elegant solution to MITM attacks, I won't dispute that.

If you use a VPN client full time, as I do, an easier way of dealing with DNS requests, IP leaks through DNS, and MITM attacks, is to change your physical adapter settings manually. On windows machines this is fairly simple. Just static set your DNS settings to two non existent servers. This effectively accomplishes three separate things:

-Forces routing of all DNS requests through VPN only

-Removes ability for local network ARP or DNS cache poisoning

-Acts as a vpn kill switch for HTTP requests to domain names as there is no way to resolve the name to an ip address if the VPN loses its connection.

VPN KILLSWITCH
netsh interface ipv4 add dnsserver "Wi-Fi" 4.5.8.7
netsh interface ipv4 add dnsserver "Wi-Fi" 4.5.8.6

RESTORE DEFAULT DNS
netsh interface ipv4 set dnsservers name="Wi-Fi" source=dhcp

Hope this helps.

[phaz0rz]

Holy sh!t.. that's brilliant. I'll set that up once I get a VPN configured on my router.