Our portfolio company Cloudflare announced a consumer DNS service (a resolver) yesterday.
It was not an April Fools stunt.
If you want to use the Internet’s fastest, privacy-first consumer DNS service, then head over to 1.1.1.1 and click the install button.
What you will do is adjust your computer’s settings to change the DNS servers your computer uses to resolve DNS queries (what is the IP address of google.com?).
Here are some mantras from the 1.1.1.1 web page:
Unfortunately, by default, DNS is usually slow and insecure. Your ISP, and anyone else listening in on the Internet, can see every site you visit and every app you use — even if their content is encrypted. Creepily, some DNS providers sell data about your Internet activity or use it to target you with ads.
We think that’s gross. If you do too, now there’s an alternative: 1.1.1.1
We will never log your IP address (the way other companies identify you). And we’re not just saying that. We’ve retained KPMG to audit our systems annually to ensure that we’re doing what we say.
Frankly, we don’t want to know what you do on the Internet—it’s none of our business—and we’ve taken the technical steps to ensure we can’t.
We’ve built 1.1.1.1 to be the Internet’s fastest DNS directory. Don’t take our word for it. The independent DNS monitor DNSPerf ranks 1.1.1.1 the fastest DNS service in the world.
Since nearly everything you do on the Internet starts with a DNS request, choosing the fastest DNS directory across all your devices will accelerate almost everything you do online.
So if you want speed and privacy, install 1.1.1.1 and you will get both.
The IP address 184.108.40.206 is actually ownable / obtainable?! My geek cool meter is going through the roof!
No, not what happened. It is more de facto control, not ‘own’ in the literal sense. And although IP address blocks are bought and sold, this wasn’t a case of that. And even in that case it’s a similar concept. Money might change hands but the rights of ownership and control are not absolute. More you are able to keep it by not doing the wrong thing and having enough money and lawyers if needed to secure your rights. Not like real estate: no title, no title searches, no guarantees on what it is you control other than the way you are in a practical sense able to protect those rights (money, knowledge, consultants, lawyers if needed).

Here is the back story:
https://www.theverge.com/20…

Cloudflare is doing this with the cooperation of APNIC, which more or less controls the IP block which contains this IP address (for lack of a better and non-technical way to put this). Great and clever move on their part.

The speed improvement is YMMV. In one test I just did it’s roughly the same as Google 220.127.116.11 (notice the one outlier though ..)

64 bytes from google-public-dns-a.google.com (18.104.22.168): icmp_seq=0. time=3.87 ms
64 bytes from google-public-dns-a.google.com (22.214.171.124): icmp_seq=1. time=4.59 ms
64 bytes from google-public-dns-a.google.com (126.96.36.199): icmp_seq=2. time=3.73 ms
64 bytes from google-public-dns-a.google.com (188.8.131.52): icmp_seq=3. time=3.77 ms
64 bytes from 1dot1dot1dot1.cloudflare-dn… (184.108.40.206): icmp_seq=0. time=3.47 ms
64 bytes from 1dot1dot1dot1.cloudflare-dn… (220.127.116.11): icmp_seq=1. time=35.5 ms
64 bytes from 1dot1dot1dot1.cloudflare-dn… (18.104.22.168): icmp_seq=2. time=3.35 ms
64 bytes from 1dot1dot1dot1.cloudflare-dn… (22.214.171.124): icmp_seq=3. time=3.47 ms

Finally note this:

On this point, it can be noted that any kind of selling of IP address space is illegal, or at the very least, a violation of contracts that the owner of the IP space involved has signed with the RIR. All RIRs have very specific policies that say that IP address space is allocated/assigned specifically for use by a company that requested it or its clients (with the exception that if one company buys another one, IP address space can be transferred to the company that bought the original one).
http://www.sorbs.net/delist…

Of course in true Bill Clinton “depends on what the meaning of ‘it’ is” it all depends on what the definition of ‘illegal’ is. There really aren’t specific ‘laws’ controlling this obviously.
Sounds like a great answer to me. I was pretty sure that I was demonstrating a misunderstanding of the technical situation, in my other comment on this page.
ping -c 10 on some DNS servers

126.96.36.199 is Quad9 DNS which blacklists IP addresses
google-public-dns-a.google.com resolves to 188.8.131.52

— 184.108.40.206 ping statistics —
10 packets transmitted, 10 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 27.401/29.999/30.919/0.910 ms

— 220.127.116.11 ping statistics —
10 packets transmitted, 10 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 3.504/5.953/7.292/1.158 ms

— google-public-dns-a.google.com ping statistics —
10 packets transmitted, 10 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 3.123/4.706/5.227/0.577 ms
Link can’t be reached? Getting a timeout error. Hard to believe but I’ve tried to click through several times. Weird. Will try again later. Anyone else experiencing this?
Click the link in Fred’s post to the announcement. In the comments section, Cloudflare is responding to issues. It looks like there are several known issues. For example, Comcast blocks the IP.
I guess my ISP (netblazr) is blocking it too. I can ping them later and see if they can unblock it. If lots of people can’t access it though the promotion won’t be fun for everyone.
It looks like one report from Nashville. I would think there would be a ton if it was a nationwide block, so I am not sure.

However, there is no better argument for Net Neutrality than this. I don’t think anybody thinks they underpay their ISP.
And I tell my conservative gun owning friends it is not a liberal conservative issue. Do you want your liberal owned ISP knowing and logging you are going to http://www.midwayusa.com ?? Huhh…they don’t know that!!!! Oh yes they do. Gets them right on board.
Why is cloud flare doing this? What do they get out of it?
It’s a nice promo. Everyone is talking about it. Nicely done, Cloudflare.
Would love to see Fred’s response to this one.
They go into detail on that here:
https://blog.cloudflare.com…
Extends the brand. Great move.
Does 18.104.22.168 + Duckduckgo + TorGuard VPN + Firefox Beta mean my Android tablet is as fast, safe, and secure as it can be?
Fantastic! At least I’m on a roll.
what else would you recommend?
CONTRIBUTORS:

It appears the majority of influencers are one-upping each other in the #usalso movement on now not wanting to use a user’s data when all the companies in the last ten years monetized off a user’s data for free.

The home run plays in companies that used your data in part or all. Do we need to audit all portfolio companies that did or do this?

Apple’s Tim Cook with slam on Facebook. The new trend in tech. We don’t want your info anymore even though we made Billions on it. Gheez
https://www.google.com/amp/…

The “Your F’n wrong, stop spreading bs” flame to follow.

Captain Obvious!
#UnequivocallyUnapologeticallyIndependent
In! Thank you.
Ouch on the KPMG choice. Surely a blockchain solution could have been found and used.
All they are saying is they are going to have an auditor affirm that they are following their stated practices.

Tell me exactly how blockchain is going to be able to tell if they keep their logs for 24 hours?????

You can have a trusted party confirm and that is great. As much as I hate auditors (we get SOC audits and financial audits).

You are not and cannot open your logs to the world. And even if you did there would be no guarantee that you weren’t keeping a separate log file. You can’t just open the kimono to everyone.

So I would say ouch to saying ouch to KPMG.
Agree. KPMG is good so we can even assume that not only will they do this but they will publish the results of the audit and methodology as well. But honestly if it did matter to me I’d dig a bit deeper into exactly how they will audit this and the frequency, methodology, whatever. I can think of all sorts of ways around an audit like this. And this is not to say in any way that anyone shouldn’t trust KPMG/Cloudflare. But nobody should be naive enough to think that it’s iron clad like FDIC insurance or a bank account or a Geico policy etc.
Agree totally. If you want to dupe KPMG you can, but they are not some no-name firm with nothing to lose.

Now the issue is what happens when you get caught. If you just say trust me? No real issues, other than public shame, and possible government action. I put my name on an audit report, and KPMG does the same….well now the bar has gone up.

I know for a fact that companies that say they don’t sell your email address do. I keep multiple suffixes to track this. Then I can burn that email address. Disgusting. Very prevalent from very big name companies.

Shows why government is so stupid. They should do this and then fine the shit out of those companies. My conspiracy theory is they want them to do this so they can audit all the info.

So many terms of service are so long. Yes Apple, Facebook, Google, this is you. That it is hard to tell.

Tell me you burn logs after 24hrs, and get audited.
Reminds me of Johnny Carson – “these answers have been kept secure in a mason jar sitting on Funk and Wagnonals front porch.”
CONTRIBUTORS:

Zuckerberg’s response to those attempting the #usalso shift:

“The reality here is that if you want to build a service that helps connect everyone in the world, then there are a lot of people who can’t afford to pay. And therefore, as with a lot of media, having an advertising-supported model is the only rational model that can support building this service to reach people …

I don’t at all think that means that we don’t care about people. To the contrary, I think it’s important that we don’t all get Stockholm Syndrome, and let the companies that work hard to charge you more, convince you that they actually care more about you. Because that sounds ridiculous to me.”

Note: Disqus is the only social media access we ever embraced for this blog. (Periscope for pay per view one time)

Captain Obvious!
Which PR firm does FB use?
Ha! What a nonsense statement by Mr Zuckerberg. I read the whole thing elsewhere. He is being tricky because he is pretending to care about charging his customers less like an Amazon, but the users of Facebook are not his customers.
scottythebody:

At the level that FAANG is on they all are monetizing on your information. When you are required to sign up or use proprietary software & hardware it speaks for itself.

Captain Obvious!
#UnequivocallyUnapologeticallyIndependent
What if some level of personalised targeting is welcome? A layer above the one suggested which allows for a controlled level of information exchange is what is even more desirable than speed.
One of Cloudflare’s founders is from my hometown and the daughter of one of my father’s law practice partners. So, best startup ever.

This has her fingerprints all over it, btw.
From what I can tell, this seems to be another attempt to encrypt data transmissions, this time during the DNS interactions. It’s not clear to me what they are actually doing technically from their writeup. They spend a lot of time telling me about their “discussions”.

The real question is, are they doing DNS over something other than straight UDP, perhaps D/TLS or TCP with SSL? If they are, this is a major difference from vanilla DNS and everyone should be aware of that. If they’ve changed the transport, your DNS lookups will only go through 22.214.171.124 and no other servers unless those servers too are using the same transport, which is definitely NOT the case right now.

I’m wondering about their performance claims as well. All things being equal, using an encrypted transport should slow down the overall interactions a little bit, i.e. DNS lookups. If it’s faster now, it might be just because it’s not that loaded?
What you are getting is essentially the same as if you put in Google’s 126.96.36.199 and 188.8.131.52, or if you put in the IP address of any DNS server that I gave you, in your system. Nothing more. The privacy is simply Cloudflare saying they are audited to make sure they aren’t doing anything with the data that they need to collect (to prevent abuse etc.) and the fact that they are deleting that data after 24 hours.

So for example if I give you the DNS numbers to use for DNS servers that I operate, then I can track things that you are doing and log those things and keep them around for future reference. So it doesn’t matter even if you connect to me securely or not. I still can log things. Well, that is what your ISP can do if they want (or some provider somewhere else that you connect to).

So Cloudflare is saying not only won’t they do that but they will delete things and have an auditor to confirm they do this. (Which by the way is a point that I often make in many of my comments here about promises, which is it doesn’t matter really if there is no way to verify it as true.)
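The point LE makes above, as an added example that is not part of the post or of Cloudflare’s code: a DNS query in wire format (RFC 1035) carries the hostname in the clear, so whoever operates the resolver you configure can log who asked for what, no matter what transport sits underneath. The block builds a query, parses a response, shows the one-line record a resolver operator is in a position to keep, and (since the ping numbers earlier in the thread measure ICMP round trip rather than resolution) includes a function that times a real UDP query. The sample response and the client address 203.0.113.5 are constructed for the example; the resolver IP for `time_query` is whatever the reader supplies.

```python
"""Minimal DNS wire-format client (RFC 1035), written as an example for this
thread; not Cloudflare's or any other resolver's implementation.  The sample
response below is constructed, not captured."""
import socket
import struct
import time

DNS_TYPE_A = 1
DNS_CLASS_IN = 1


def build_query(name, txid=0x1234):
    """Encode a standard recursive A query for `name` in wire format."""
    # Header: ID, flags (RD=1 only), QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    # QNAME: length-prefixed labels, terminated by a zero-length label.
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", DNS_TYPE_A, DNS_CLASS_IN)


def _read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset_after_name)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_message(msg):
    """Parse header, question section and any A answers of a DNS message."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        qname, offset = _read_name(msg, offset)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((qname, qtype, qclass))
    for _ in range(an):
        rname, offset = _read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == DNS_TYPE_A and rdlen == 4:
            answers.append((rname, ttl, socket.inet_ntoa(rdata)))
    return {"id": txid, "rcode": flags & 0x000F, "questions": questions, "answers": answers}


def resolver_log_line(client_ip, query):
    """The record a resolver operator can keep per query: who asked for what.
    The question is plaintext inside the message, so this works on the bytes
    of the query itself regardless of the transport that carried them."""
    qname, qtype, _ = parse_message(query)["questions"][0]
    return "%s %s %s" % (client_ip, qname, "A" if qtype == DNS_TYPE_A else qtype)


def time_query(resolver_ip, name, timeout=2.0):
    """Send one real query over UDP/53 and return (rtt_ms, parsed_response).
    Unlike ICMP ping this includes the resolver's own work (cache hit or
    recursion).  Needs network access; resolver_ip is supplied by the caller."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        started = time.perf_counter()
        sock.sendto(query, (resolver_ip, 53))
        data, _ = sock.recvfrom(4096)
        rtt_ms = (time.perf_counter() - started) * 1000.0
    return rtt_ms, parse_message(data)


# Constructed sample response: example.com -> 192.0.2.1 (a TEST-NET address),
# TTL 300, answer name given as a compression pointer back to the question.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", DNS_TYPE_A, DNS_CLASS_IN)
    + b"\xc0\x0c" + struct.pack("!HHIH", DNS_TYPE_A, DNS_CLASS_IN, 300, 4)
    + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    import sys
    # Usage: python dns_probe.py <resolver_ip> <name>  (both chosen by the user)
    print(resolver_log_line("203.0.113.5", build_query("example.com")))
    print(parse_message(SAMPLE_RESPONSE)["answers"])
    if len(sys.argv) == 3:
        rtt, reply = time_query(sys.argv[1], sys.argv[2])
        print("%.1f ms rcode=%d answers=%s" % (rtt, reply["rcode"], reply["answers"]))
```

Run it with a resolver address and a name to compare resolution time between resolvers, and run the same name twice against each: the second answer comes from the resolver’s cache and shows the floor that ping-style tests are really measuring. The log line is the part that no transport change fixes; only the operator’s retention policy (and whoever audits it) decides what happens to it.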
+1,000

In some sense much of this is wild west as I said. Even for the huge companies.
You’d think they’d make sure the site works, no? https://blog.cloudflare.com… . https://184.108.40.206/ fails
Just did it. Where do I get my ‘220.127.116.11’ sticker for my laptop? ;-P

As a Fios customer, I’m pretty excited about this.
Already switched, I actually notice a difference when loading pages and playing online games so anecdotally at least I can recommend the service 🙂
On the linked-to page, their tech lead admits that this doesn’t work “for a fraction of the internet”. I’m wondering the following (which I just asked on that page):

- I travel worldwide with my laptop A TON. Should I expect issues, and what can I do about them if so?

- Even if this is the world’s fastest DNS, is there any performance tradeoff for using this instead of the ISP’s DNS? In other words: I’d expect round-trip DNS *trips* (apart from making and receiving the actual *requests*) to my local ISP to be obviously quicker and more reliable than to any other “outside” location. I wonder about the potential response time (to query DNS), particularly over a flaky ISP.
You can add Google’s DNS 18.104.22.168 and 22.214.171.124 as well. Of course in that case part of your queries will be done by those DNS servers. I don’t believe though that there are any known snooping or things that Google is doing with that that actually matter. I actually have used Google DNS for a long long time rather than the ISP’s. I also operate some DNS servers myself and have forever.

Matt’s marketing appears to be trying to compare to Google and others on speed and not on privacy, but comparing to your ISP on privacy. It’s kind of mashed together (quick read of this, not courtroom testimony).

You could also use the Cloudflare and if you run into problems add the Google DNS on the fly. You should test and play with it now, not when you are in the field. No big deal to do this btw.

So… put in 126.96.36.199 and 188.8.131.52. Problems? Add or change to 184.108.40.206 and 220.127.116.11. See Cloudflare notes on adding to your system and just change numbers.

“Even if this is the world’s fastest DNS, is there any performance tradeoff for using this instead of the ISP’s DNS? in other words: I’d expect round-trip DNS *trips* (apart from making and receiving the actual *requests*) to my local ISP”

‘Local’: Assumes that the DNS server for the ISP is where you think it is. And it might not be. Just because you are connecting to Comcast or Verizon doesn’t mean the DNS server is where your connection point is or close to it. It isn’t (most likely). It’s some central DNS setup that is used for many, centralized (most likely, haven’t specifically checked).
Nailed it, @LE!

As I mentioned in another comment, I was pretty sure I was demonstrating a misunderstanding of some of this; in this case I now see it’s the part about the DNS not necessarily sitting there locally. An obvious point. Thank you.
These really seem like awesome services, and I love this post today!
Coincidentally, I had created a small utility in Python just a few days ago, that lets you check if some sites or web pages are online or not:

Checking if web sites are online with Python:
https://jugad2.blogspot.in/…

The blog post above has the details on how to use it. Here is a sample run of it, checking if the two main sites of mine host are online or not:

————————————————————
$ python is_site_online.py http://avc.com http://usv.com
Checking if these sites are online or not:
http://avc.com http://usv.com
————————————————————
Site: http://avc.com
Check with allow_redirects = False
Results:
r.ok: True
r.status_code: 301
request time: 1.16 secs
————————————————————
Site: http://avc.com
Check with allow_redirects = True
Results:
r.ok: True
r.status_code: 200
request time: 3.092 secs
————————————————————
Site: http://usv.com
Check with allow_redirects = False
Results:
r.ok: True
r.status_code: 302
request time: 0.22 secs
————————————————————
Site: http://usv.com
Check with allow_redirects = True
Results:
r.ok: True
r.status_code: 200
request time: 1.531 secs
————————————————————

Note that those times can vary a lot on different runs, due to multiple reasons, including the nature of the Internet, and varying levels of network congestion on the route (with many hops a.k.a. routers) between you and the site you are requesting.

You need to have both Python and the requests library for HTTP installed in order to run it.
http://python.org
http://docs.python-requests…
Pingdom does this from tons of sites. That is the issue. You never know when a butterfly flaps its wings.
Not sure what you mean by the butterfly point in this context, but I’ve used Pingdom on one of my sites. Site24x7 is another similar system monitoring service I’ve used. It’s from the Zoho group, you may know of it/them.
Yes I know of Zoho. The issue is when you have a SaaS application a customer might say: “You are down!!” You say no, Pingdom says I am up. They say: “I could not get to you!” Well, you could have an internet issue, you could have a routing issue, your ISP could have lost connection with its main pipe into our data center and not rerouted via BGIP..

Well I want an RCA (Root Cause Analysis)! I don’t know…maybe a butterfly flapped its wings somewhere.

Famous quote: This led Lorenz to realize that long-term weather forecasting was doomed. His simple model exhibits the phenomenon known as “sensitive dependence on initial conditions.” This is sometimes referred to as the butterfly effect, e.g. a butterfly flapping its wings in South America can affect the weather in Central Park.
>This is sometimes referred to as the butterfly effect,

Got it now. I had googled Butterfly effect before asking you, but still did not get the connection (pun intended).

>Well I want an RCA (Root Cause Analysis)!

Ha ha, I’ve been known to ask team members to investigate the root cause, instead of just fiddling around with the symptoms of an issue. Corp. envs. sometimes make it difficult to get action on that, though. You need the backing, and the will to act, by higher management. More common tendency is to go on endlessly fire-fighting, as in, temporarily curing or ameliorating without investing in prevention – “doing what is expedient” is the term sometimes used.

I’ve actually worked earlier in a company where that was the term used, for any issue: “there’s a fire” – at so-and-so-customer’s place. Or sometimes they called it a monkey – maybe because monkeys are mischievous and create trouble. Five Whys is relevant here.
https://en.wikipedia.org/wi…
Here is my point. Look at some of the posters here.

“You’d think they’d make sure the site works, no? https://blog.cloudflare.com… . https://18.104.22.168/ fails”

Ummm, not for me, and you post a link to their blog??? Which you can’t get to??? I can’t figure out stupid.
Yes, saw that one …
This is why computer literacy for all is pretty much a must, IMO, although I don’t agree with Fred’s view (in a post here some months or years ago) that computer programming is a must for all. I would say that if anything, teaching logical and critical thinking and the ability to dispassionately and calmly evaluate the pros and cons and possible outcomes of situations (real world too, not just software ones) is more of a must than “just” programming. In fact that is borne out by the fact that I have seen on many forums people who are supposedly programmers not always argue from facts, but resort to emotions, or rather, let their emotions sway and overcome them. Not to say that emotions are wrong, of course. They sure have their place – half of our brains, in fact, ha ha, which leads me to my next point, which is that holistic thinking (using both sides of the grey matter as well as the gut) is the larger / real goal.

IOW, not head over heart or vice versa (an argument I have heard from both sides many times, among friends and colleagues), but consciousness over both head and heart.
It to me is like saying why I need to learn history or literature. Just need to know.

If it was up to me it would be shop (plumbing, electrical, wood working, and automotive) and what we called home-ec (cooking, sewing, gardening, and typing). I was required to take both.
Good stuff. I have done some things like that in my childhood and teens too – not all the same, some in common and some different. Mostly as hobbies, not professionally: carpentry, organic gardening, some easier repairs of my motorbikes, typing class, etc. All voluntary in my case though, because the schools that I went to did not require such vocational courses. Good fun.
Is Cloudflare’s CEO still waking up and unhosting content on a personal whim, or has he shifted his position to one of universal freedom of speech?
If people had memory.
+1 (or should that be, +22.214.171.124 ?)
UDP53 is blocked in China, so I can’t really use it without a VPN. I don’t know why the Turkish government couldn’t block the Google DNS service. I love this Personal DNS idea, but I don’t think it can help people get around government access control. Or maybe it is not intended for that purpose, in which case telling the Turkish story is a bit misleading.