Kwpolska 5 hours ago

1.1.1.2 is their malware-blocking DNS, and 1.1.1.3 is their parental-controls DNS. If you want an unfiltered DNS, use 1.1.1.1 - which resolves archive.today just fine, although archive.today itself refuses to work on Cloudflare DNS.

sgbeal 5 hours ago | parent | next [-]

> 1.1.1.2 is their malware-blocking DNS, and 1.1.1.3 is their parental-controls DNS. ...

TIL, thank you. Time to go tweak my pi-hole server...

arvid-lind 5 hours ago | parent | next [-]

I'm just curious, given all the other options that respect your privacy and don't put data collection at the center of their business model, why do you use Cloudflare on your pi-hole?

UqWBcuFx6NV4r 16 minutes ago | parent | next [-]

Privacy nuts are almost uniquely unable to comprehend that someone else on earth may possibly have priorities that differ from theirs.

sgbeal 4 hours ago | parent | prev | next [-]

> why do you use Cloudflare on your pi-hole?

Because "if it ain't broke, don't fix it." I'm not one of those users who want to endlessly tweak their ad blocker. I want to set it up, clicking as few checkboxes as necessary to get it going, and then leave it. However, (now) knowing that Cloudflare filters differently on each of their servers, I'm incentivized to go tweak a number in the config (as opposed to researching the pros and cons of every possible provider, a detail I truly have no interest in pursuing).

daymanstep 5 hours ago | parent | prev | next [-]

Which options respect your privacy?

diarrhea 3 hours ago | parent | next [-]

I use unbound (recursive resolver), and AdGuard Home as well (just forwards to unbound). Unbound could do ad-blocking itself as well, but it's more cumbersome than in AGH. So I use two tools for the time being.

The upside is there's no single entity receiving all your queries. The downside is there's no encryption (IIRC root servers do not support it), so your ISP sees your queries (but they don't receive them).

dannyfritz07 2 hours ago | parent | prev | next [-]

I'll throw https://nextdns.io into the mix. Been very happy with it. Supports DOH, block lists, among a plethora of other features.

ranger_danger an hour ago | parent | prev | next [-]

The ones where you don't send a single company all of your queries

travoc 4 hours ago | parent | prev | next [-]

AdGuard DNS servers are excellent.

nom 4 hours ago | parent | prev [-]

quad9

TZubiri 4 hours ago | parent | prev [-]

What is the vector here? DNS traffic is practically anonymous; there would have to be some very specific and purposeful trickery going on to link DNS traffic to an identity. It sounds like something more hypothetical than a tangible threat model.

arvid-lind 2 hours ago | parent | next [-]

> A Cloudflare Ray ID is an identifier given to every request that goes through Cloudflare.

https://developers.cloudflare.com/fundamentals/reference/clo...

if you think a little creatively about how this information could be used by an organization that was created at the insistence of the United States Department of Homeland Security, then you're on the right track.

hirako2000 3 hours ago | parent | prev [-]

It isn't anonymous. A DNS server resolves IP addresses by hostname. It cannot then inspect further traffic, but it certainly can log your IP address and all URLs a given IP ever hit.

Since ISPs know your identity, and all it takes is to (request and get) the DNS logs and ISP servitude for all sorts of questionable information, you as an identity are giving away all site domains you visit.

UqWBcuFx6NV4r 8 minutes ago | parent | next [-]

Hi. If your response involves explaining the very very basics of DNS to someone that clearly knows what DNS is, please consider the possibility that you may have misunderstood them instead of lecturing them on the basics of ubiquitous internet technologies.

sgbeal 2 hours ago | parent | prev [-]

> It cannot then inspect further traffic but it certainly can log your IP address and all URL's a given IP ever hit.

Correction: they can log host names/IPs, not URLs. The path of any given URL is part of the HTTP header, invisible to onlookers (assuming HTTP and assuming HTTPS is uncracked).

TZubiri 4 hours ago | parent | prev [-]

Today we are one of the lucky 10k

Hamuko 5 hours ago | parent | prev | next [-]

The "censored" part of archive.today seems unrelated to the filtering itself. 1.1.1.3 flags Pornhub.com as "EDE(17): Filtered" but archive.today is "EDE(16): Censored".

Supposedly it should be an external party that's requiring Cloudflare not to publish the DNS record. https://www.rfc-editor.org/rfc/rfc8914.html#name-extended-dn...
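Added example, not code from anyone in this thread: the thread above distinguishes 1.1.1.2/1.1.1.3 answers tagged "EDE(17): Filtered" from "EDE(16): Censored". Those tags are Extended DNS Error options (RFC 8914) carried in the EDNS(0) OPT record, and a resolver can return them with NOERROR, NXDOMAIN or any other RCODE, so a client that only looks at the RCODE cannot tell "does not exist" from "resolver chose not to answer". The parser below decodes the RCODE (including the extended bits in the OPT TTL), any A answers, and the EDE options, and turns them into a verdict. All samples are constructed here with the accompanying `build_response` helper and use RFC 5737 addresses; they are assumptions for offline testing, not captures of what any real resolver returns. `query()` is the only function that touches the network and is not used by the samples.

```python
"""Decode RCODE + Extended DNS Error (RFC 8914) from a DNS response. Stdlib only."""
import random
import socket
import struct

OPT_TYPE = 41          # EDNS(0) OPT pseudo-RR type
EDE_OPTION_CODE = 15   # EDNS option code for Extended DNS Error
EDNS_UDP_SIZE = 1232
EDE_NAMES = {15: "Blocked", 16: "Censored", 17: "Filtered", 18: "Prohibited"}  # RFC 8914 policy codes
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels (no compression)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def read_name(msg, off):
    """Decode a possibly compressed name (RFC 1035 4.1.4); return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # 2-byte pointer into the message
            ptr = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            end = off + 2 if end is None else end
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def build_query(qname, qtype=1, qid=None):
    """Query with RD set and an empty OPT record so the resolver may attach EDE options."""
    qid = random.randrange(1 << 16) if qid is None else qid
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack(">HH", qtype, 1)
    opt = b"\x00" + struct.pack(">HHIH", OPT_TYPE, EDNS_UDP_SIZE, 0, 0)
    return header + question + opt


def parse_ede(rdata):
    """Walk OPT RDATA options; return [(info_code, name, extra_text), ...] for EDE entries."""
    found, off = [], 0
    while off + 4 <= len(rdata):
        code, length = struct.unpack(">HH", rdata[off:off + 4])
        data = rdata[off + 4:off + 4 + length]
        off += 4 + length
        if code == EDE_OPTION_CODE and len(data) >= 2:
            info = struct.unpack(">H", data[:2])[0]
            found.append((info, EDE_NAMES.get(info, "Other/unknown"), data[2:].decode("utf-8", "replace")))
    return found


def parse_response(msg):
    """Extract RCODE (with EDNS extended bits), A answers and EDE options from a response."""
    qid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    rcode, off = flags & 0x0F, 12
    for _ in range(qd):                                  # skip the question section
        _, off = read_name(msg, off)
        off += 4
    answers, ede = [], []
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
            off += 10
            rdata = msg[off:off + rdlen]
            off += rdlen
            if rtype == OPT_TYPE:
                rcode |= ((ttl >> 24) & 0xFF) << 4      # upper RCODE bits live in the OPT TTL
                ede.extend(parse_ede(rdata))
            elif section == "answer" and rtype == 1 and rdlen == 4:
                answers.append((name, socket.inet_ntoa(rdata)))
    return {"id": qid, "rcode": rcode, "rcode_name": RCODE_NAMES.get(rcode, str(rcode)),
            "answers": answers, "ede": ede}


def classify(parsed):
    """An EDE 15-18 means the resolver applied policy, whatever the RCODE says."""
    for info, name, _ in parsed["ede"]:
        if info in EDE_NAMES:
            return "policy:" + name
    if parsed["rcode"] == 0 and parsed["answers"]:
        return "resolved"
    return parsed["rcode_name"]


def build_response(query, rcode, a_records=(), ede=None):
    """Constructed test response: echoes the question, compresses answer owner names
    with a pointer to offset 12, and attaches an OPT record carrying an optional EDE."""
    qid = struct.unpack(">H", query[:2])[0]
    _, qend = read_name(query, 12)
    question = query[12:qend + 4]
    header = struct.pack(">HHHHHH", qid, 0x8180 | (rcode & 0x0F), 1, len(a_records), 0, 1)
    answers = b"".join(b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
                       for ip in a_records)
    options = b""
    if ede is not None:
        data = struct.pack(">H", ede[0]) + ede[1].encode("utf-8")
        options = struct.pack(">HH", EDE_OPTION_CODE, len(data)) + data
    opt = b"\x00" + struct.pack(">HHIH", OPT_TYPE, EDNS_UDP_SIZE, 0, len(options)) + options
    return header + question + answers + opt


def query(server, qname, timeout=3.0):
    """Send one UDP query to a resolver (network; not used by the offline samples)."""
    q = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        msg, _ = s.recvfrom(4096)
    parsed = parse_response(msg)
    if parsed["id"] != struct.unpack(">H", q[:2])[0]:
        raise ValueError("transaction ID mismatch")
    return parsed


# Constructed samples (assumptions for offline use, not real resolver output).
SAMPLE_QUERY = build_query("archive.today", qid=0x1234)
SAMPLE_CENSORED = build_response(SAMPLE_QUERY, rcode=3, ede=(16, ""))
SAMPLE_PLAIN_NX = build_response(SAMPLE_QUERY, rcode=3)
SAMPLE_FILTERED = build_response(build_query("example.com", qid=0x1235), rcode=0, ede=(17, "filtered by policy"))
SAMPLE_RESOLVED = build_response(build_query("example.com", qid=0x1236), rcode=0, a_records=("192.0.2.1",))

if __name__ == "__main__":
    for label, msg in (("censored", SAMPLE_CENSORED), ("plain-nx", SAMPLE_PLAIN_NX),
                       ("filtered", SAMPLE_FILTERED), ("resolved", SAMPLE_RESOLVED)):
        print(label, classify(parse_response(msg)))
```

Two caveats a practitioner should keep in mind: the verdict comes from the EDE option, not from the RCODE or from a sinkhole address, because RFC 8914 lets a resolver pair any INFO-CODE with any RCODE; and an EDE is advisory text from the resolver you already chose to trust, so it tells you that a policy was applied, not whether the policy was correct.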

surgical_fire 5 hours ago | parent | prev [-]

I have no idea why anyone would use Cloudflare DNS, much less trust their more filtered versions.

saaaaaam 4 hours ago | parent | next [-]

I use cloudflare DNS because it’s faster. But should I worry, having read your comment? What is the downside to using it? What would you recommend instead?

surgical_fire 4 hours ago | parent [-]

Quad9.

Many years ago I used Cloudflare, and more than once I had issues with them blocking websites I wanted to access.

I absolutely despise that. I want my DNS to resolve domain names, nothing else.

For blocking things I have Pi-Hole, which is under my control for that reason. I can blacklist or whitelist addresses to my needs, not to the whims of a corporation that wants to play gatekeeper to what I can browse.

akerl_ 3 hours ago | parent [-]

So… why not use 1.1.1.1, cloudflare’s resolver that does not block resolution?

1.1.1.2 and .3 are explicitly offered with filtered responses.

hirako2000 3 hours ago | parent | next [-]

Because that would be subject to the whim of the provider, who, subject to court orders, would have to oblige in order to continue operating as a US entity.

akerl_ 3 hours ago | parent [-]

How does that differ from Quad9? You’re subject to Swiss laws, so there’s still a government involved? And you’re now hosted in an area where the US government has far fewer limitations on what they can attempt.

Kwpolska 2 hours ago | parent [-]

Quad9 is based in Switzerland, but the three founders-sponsors are US-based [0], so I’m not sure if it can be considered 100% safe from US government intervention.

[0] https://quad9.net/about/sponsors/

KomoD 2 hours ago | parent | next [-]

The ASN and stuff is also operated by a US entity it seems like:

  ASHandle:       AS19281
  Street:         CleanerDNS Inc. dba Quad9
  Street:         1442A Walnut Street, Suite 501
  City:           Berkeley
  State/Prov:     CA
  Country:        US

They also have servers in the US, so that's yet another reason not to consider them "100% safe from US government intervention"

akerl_ 2 hours ago | parent | prev [-]

Also a quick search suggests that Switzerland has made Internet providers in-country block DNS results in the past.

surgical_fire 3 hours ago | parent | prev [-]

I used to use 1.1.1.1. I still had issues.

Quad9 behaves exactly as I expect a DNS to work, in the sense that I only remember I use it when the topic of DNS pops up.

akerl_ 3 hours ago | parent [-]

Your claim was that 1.1.1.1 was blocking sites.

Are you saying now you just had issues with the quality of service? Or do you want to provide more details to substantiate the claim that they were blocking sites?

surgical_fire 3 hours ago | parent [-]

No, I do not keep any logs from domain name resolution from the DNS service I used from 7+ years ago. If you do, I commend you.

I used the term "blocking" in a loose sense. I have no idea if Cloudflare was failing to resolve certain domains because it is a shitty service, or if it was ordered to block those domain names by its government, or if it was actively not resolving domain names because it thought it a good idea to be a sort of arbiter and gatekeeper. I suspect the last option, but it is just speculation.

What I can affirm is that I had issues more than once with domain name resolution when I used 1.1.1.1. After it annoyed me enough I switched to Quad9, and it has been great ever since, which is why I recommend it as a user of their service.

akerl_ 3 hours ago | parent [-]

I don’t keep DNS logs at all. But I also don’t show up 7 years later trash talking a company or product based on guesswork and fear.

surgical_fire 3 hours ago | parent [-]

It's not based in "guesswork and fear". It is a first-person account of someone that used their service. A user review, if you will.

There's this thing - when you offer a service to the public, the users of your service can, will, and should review your service.

So, yes, I am free to "trash talk" a service that was, frankly, terrible at its job in providing domain name resolution. That works as any other user review, a data point so other users may switch away from a bad provider to a better one.

Imagine if someone goes to a restaurant and their hot dish is served cold, and your response to the user review is a silly request for proof that the food was indeed served cold, and whining that their review is "trash talking based on fear and guesswork".

akerl_ 2 hours ago | parent [-]

If you said that they served you cold food because the US government made them do it, yea, I’d think you were nuts.

surgical_fire 18 minutes ago | parent [-]

And that's not what I said?

I offered some possibilities of why they did a shitty job in providing naming resolution. I even speculated what was the most likely one (not the one you mentioned).

But it's okay, at this point I have very little optimism regarding your reading ability.

ranger_danger 22 minutes ago | parent | prev | next [-]

I have no idea why anyone would drink water from a faucet, much less trust their more filtered versions.

surgical_fire 19 minutes ago | parent [-]

I have no idea why people make idiotic analogies, but I imagine they feel very smart when they do so.

UqWBcuFx6NV4r 6 minutes ago | parent [-]

You sufficiently devolved the conversation by feeling it worth voicing “I don’t know why different people willingly use different things”. What are we supposed to do with that? Next you’re going to chastise us for not using ThinkPads.

surgical_fire 4 minutes ago | parent [-]

> What are we supposed to do with that?

Apparently, respond to me with inane thoughts, to which I patiently reply.

> You sufficiently devolved the conversation by feeling it worth voicing “I don’t know why different people willingly use different things”.

Also, let's appreciate the irony of your message here: https://news.ycombinator.com/item?id=47464134#47477847

8cvor6j844qw_d6 3 hours ago | parent | prev [-]

Same thoughts. Cloudflare DNS is noticeably slow to resolve on some of my devices.

Switching to literally any other DNS and the same domains resolve instantly.

Could be an issue specific to my location or devices, but it's been consistent enough that I stopped bothering.

Bender 3 hours ago | parent [-]

I don't use the public resolvers but here [1] is a script that will show which of those public resolvers is fastest from your location. Add or remove resolvers as you desire. Be sure to scroll down to see a few of the sorting examples. Not my script or repo.

Just as a side note: Something I have done with this in the past as a fun experiment was to set up an Unbound DoT server on assorted VPS nodes in assorted locations around the country, run this script and configure each Unbound to use the 5 to 10 fastest servers on each node and cache results longer. Then I used Tinc (open source VPN) to connect to these VPS nodes from my home's Unbound and distribute the requests among all of them. I save query logs from all of them and use cron to look up all my queries hourly to keep the cache fresh and mess up any analytic patterns for my queries. Just a fun experiment. 99.99% of the time I just query the root DNS servers for what NS servers are authoritative for a given domain or what I call bare-backing the internet.

[1] - https://github.com/cleanbrowsing/dnsperftest