SQL Server with Mr. Denny

Apr 5 2018   3:00PM GMT

5 reasons Cloudflare’s roll-out of 1.1.1.1 has been a disaster

Denny Cherry

Tags:
CloudFlare

I get where Cloudflare was going with their 1.1.1.1 DNS server, but the rollout, in my opinion, has been a disaster.

[Image: Cloudflare being the cloud]

1. Caching

For starters, most people are already running DNS servers at home. They may not know it, but they are. Odds are your router is running DNS for you, and it's probably pretty quick. Even if your router answers in 40ms, Cloudflare's DNS is boasting 15ms response times. That first lookup is a little faster; after that, it's all cached. Once the first lookup completes your computer caches the DNS entry locally, so you save 25ms or so (in this example) exactly once.
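To put numbers on this, here is a small stub-resolver cache simulation (an added example, not code from the post). It uses the post's 40ms router and 15ms Cloudflare figures and a constructed 300s TTL, and it also shows the part the paragraph glosses over: once the record's TTL expires the upstream resolver is queried again, so the saving repeats once per TTL window rather than once ever.

```python
"""Stub-resolver cache simulation. Constructed example; all values are assumptions."""


class StubResolver:
    """Minimal client-side DNS cache: one entry per name, expiring after the TTL."""

    def __init__(self, latency_ms, ttl_s):
        self.latency_ms = latency_ms        # round-trip cost of an upstream query
        self.ttl_s = ttl_s                  # constructed TTL carried by the answer
        self.cache = {}                     # name -> (address, expires_at)
        self.upstream_queries = 0

    def resolve(self, name, now):
        """Return (address, cost_ms). A cached answer is treated as costing 0 ms."""
        entry = self.cache.get(name)
        if entry is not None and entry[1] > now:
            return entry[0], 0
        # Cache miss or expired entry: pay the upstream latency and refresh the entry.
        self.upstream_queries += 1
        address = "192.0.2.10"              # constructed answer (TEST-NET-1, RFC 5737)
        self.cache[name] = (address, now + self.ttl_s)
        return address, self.latency_ms


def total_lookup_cost(latency_ms, ttl_s, lookups, interval_s):
    """Total ms spent on `lookups` lookups of one name, spaced `interval_s` apart,
    plus the number of times the upstream resolver was actually queried."""
    resolver = StubResolver(latency_ms, ttl_s)
    cost = sum(resolver.resolve("example.com", i * interval_s)[1] for i in range(lookups))
    return cost, resolver.upstream_queries


def saving_from_faster_upstream(lookups=100, interval_s=1, ttl_s=300):
    """Compare a 40ms router resolver with a 15ms public resolver (the post's numbers)."""
    router_ms, router_q = total_lookup_cost(40, ttl_s, lookups, interval_s)
    cloud_ms, _ = total_lookup_cost(15, ttl_s, lookups, interval_s)
    return {"router_ms": router_ms, "cloudflare_ms": cloud_ms,
            "saving_ms": router_ms - cloud_ms, "upstream_queries": router_q}


if __name__ == "__main__":
    # 100 lookups one second apart: a single upstream query, 25 ms saved in total.
    print(saving_from_faster_upstream(100, 1))
    # 100 lookups a minute apart: the TTL expires every 5 lookups, 20 upstream queries.
    print(saving_from_faster_upstream(100, 60))
```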

2. Profit?

Cloudflare also claims that their service stops your ISP from seeing where you are surfing on the web. It doesn’t. I spent years working for an ISP.  We were moving the packets to your website, and we knew what websites you were going to even without tracking your DNS lookups.

Cloudflare claims that they’ll be deleting the logs, and not selling any data collected by this service.  Now I don’t have an MBA, but where’s the profit? Running a global DNS service isn’t free, or even cheap. Companies don’t do this out of the goodness of their heart. They have to make a profit on services, or they pull the plug on them.  So something has to be making money, or the board of Cloudflare will get sick of funding this real quick.

3. ISPs

Several ISPs are blocking access to 1.1.1.1.  I know that my ISP at home does. I get a lovely “Unable to connect” error in Firefox when I try and browse to the website running on 1.1.1.1. And yes I know it isn’t my machine as it works fine when I VPN into our CoLo which has a different network provider.   There are several other ISPs that are blocking this access as well.  Years ago I worked for an ISP, and we knew where every customer went, not because of DNS, but because we were capturing the headers of the network packets so that we could find response problems on sites. It really wouldn’t be hard to tie this data back to a user. Knowing what IP you got from DNS really wouldn’t stop us from tracking you on the Internet if we wanted to.

And ISPs do this, I assume, for the reasons discussed in Cloudflare's own blog post: a lot of junk data is sent to these IPs, so many ISPs simply block access to them to make their lives easier and save themselves the network cost of carrying that traffic.

The blog post that Cloudflare released talks about how Twitter was used during the Turkish uprising and how people got around the country's blocks by using Google DNS instead of the in-country DNS.

[Image: Swift Does Security on Twitter talking about Cloudflare]

This shows that the blocking done by the country was lazy, not that Google's DNS fixed anything. If Turkey (or another country) wanted to block access to Twitter no matter what DNS you're using, it could block access to 104.244.42.0/24 (or whatever IP range the service's public IPs resolve to for the country that wants to block it).

4. Login Pages

On top of that, several hotels, hospitals, convention centers, etc. use 1.1.1.1 as the login page for their captive portal, so they block external requests for that IP. One of the reasons everyone uses that IP for their login page is right there in the Cloudflare blog post: that IP wasn't publicly used until this service from Cloudflare, since so much junk was being sent to it. So because of that, lots of people either use it or block it. You can see this right on Twitter, where SwiftOnSecurity shared a DM from a network engineer. Should they be using this? Maybe.

We can’t expect to have every company that’s using 1.1.1.1 to reconfigure their network because Cloudflare decided to start offering this service.  This is even the default for some Cisco models that are deployed around the world. I know that in a variety of hotels (and the hospital I was in last year) 1.1.1.1 was their login portal for their Wi-Fi.  If I set my DNS to 1.1.1.1 on my laptop and went to any of these sites, I wouldn’t be able to browse.  Stopping people from using their computer without a configuration change is a problem.

I get that the 1.1.1.1 IP isn’t a reserved private IP, but there are RFCs, and there is the real world. And in the real world that IP is in use in private networks all over the world, and it’s known that it is in use.

5. Ownership

Would you be surprised to see that Cloudflare doesn't own the IP space used by their DNS service? I sure was. The two public addresses that have been published are 1.1.1.1 and 1.0.0.1. Those are both owned by APNIC Research and Development, which means that APNIC could decide that Cloudflare is done and simply shut down the service with no notice to Cloudflare or the users. And since Cloudflare doesn't own the IP addresses, there's nothing Cloudflare could do if this happens besides having a PR disaster.

Should we block?

Now I’m not saying that places should be blocking access here. But if I was a dictator looking to keep my people from getting online, there are much easier ways than blocking DNS (I’m assuming details like this are left up to some systems team somewhere).

Will all this get better? Cloudflare says that it will. I don't see this getting much better. We're talking about reconfiguring a large number of hotels, convention centers, hospitals, etc. with little to no benefit to them. We as a technology community have been trying to get IPv6 in place for 20 years; that still isn't even close to happening, and that involves a much smaller number of companies having to reconfigure things.

Denny
