Geekzone: technology news, blogs, forums


timmmay

#269698 2-Apr-2020 21:04

Cloudflare has introduced "1.1.1.1 for families". This provides additional DNS servers as follows:

 

Malware Blocking Only
Primary DNS: 1.1.1.2
Secondary DNS: 1.0.0.2

 

Malware and Adult Content
Primary DNS: 1.1.1.3
Secondary DNS: 1.0.0.3

 

These seem like useful features for families. They also offer secure DNS, DNS over TLS and DNS over HTTPS.

 

Question

 

I currently use ISP DNS servers (2degrees in my case), to make sure I use ISP caches. If you switch to one of the Cloudflare DNS servers is it still true that you miss out on using the ISP caches and get lower performance for things like Netflix, or is there some system in place to mitigate that?


BarTender

#2453378 2-Apr-2020 22:05


freitasm
#2453384 2-Apr-2020 22:10

Possibly, as they use the same providers of lists as Google SafeSearch.





 


hio77
#2453414 3-Apr-2020 00:02

BarTender:

 

I wonder if they will block the revenge p.rn sites they protect?

 

https://www.vice.com/en_us/article/pke3j7/someone-is-trying-to-revive-the-infamous-revenge-porn-site-anon-ib

 

 

Just those? not the chans too?





#include <std_disclaimer>

 

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have. 




myfullflavour
#2453415 3-Apr-2020 00:03

On Full Flavour - confirmed using Cloudflare DNS screws up Akamai with traffic being served off a congested Vocus path rather than uncongested AKL-IX.

hio77
#2453416 3-Apr-2020 00:03

timmmay:

 

I currently use ISP DNS servers (2degrees in my case), to make sure I use ISP caches. If you switch to one of the Cloudflare DNS servers is it still true that you miss out on using the ISP caches and get lower performance for things like Netflix, or is there some system in place to mitigate that?

 

 

Most CDN providers have moved to options that it doesn't matter too much, there are a few out there still though so yes, you possibly could get a worse experience on some services.







freitasm
#2453485 3-Apr-2020 08:09

I have personally moved to a different service than my ISP (no, not a DNS unblocked) for our network and have had no problems with the services we use here.





BarTender
#2453501 3-Apr-2020 08:37

myfullflavour: On Full Flavour - confirmed using Cloudflare DNS screws up Akamai with traffic being served off a congested Vocus path rather than uncongested AKL-IX.

 

That is because Cloudflare doesn't use EDNS0 and send through the source IP address for privacy reasons. So Akamai returns the default Akamai CDN cluster based on the source IP address of the DNS Server, which in your case is the Vocus Akamai CDN. Unfortunately that is the way Akamai works (DNS Based CDN resolution) and the fact that very few DNS providers will forward on the client IP address using EDNS0 for privacy reasons.
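The mechanism this post refers to is the EDNS Client Subnet option (RFC 7871), which rides in the EDNS0 OPT record. The following is an added example, not part of the original post: it builds a query with and without that option and shows what an authoritative server could read from each. The hostname and addresses are constructed, and the parser assumes root-named additional records.

```python
import ipaddress
import struct

OPT_TYPE = 41   # EDNS0 OPT pseudo-record (RFC 6891)
ECS_CODE = 8    # EDNS Client Subnet option (RFC 7871)

def ecs_option(client_ip, prefix_len):
    """Encode an ECS option exposing only the first prefix_len bits of client_ip."""
    net = ipaddress.ip_network(f"{client_ip}/{prefix_len}", strict=False)
    family = 1 if net.version == 4 else 2
    addr = net.network_address.packed[:(prefix_len + 7) // 8]   # host bits zeroed, then dropped
    body = struct.pack("!HBB", family, prefix_len, 0) + addr    # scope prefix is 0 in queries
    return struct.pack("!HH", ECS_CODE, len(body)) + body

def build_query(qname, client_subnet=None, txid=0x1234):
    """Build an A query with an OPT record; client_subnet is (ip, prefix_len) or None."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD set, ARCOUNT=1 (the OPT)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)      # QTYPE=A, QCLASS=IN
    rdata = ecs_option(*client_subnet) if client_subnet else b""
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 1232, 0, len(rdata)) + rdata
    return header + question + opt

def client_subnet_seen(query):
    """Return the client subnet an authoritative server would read from query, or None."""
    pos = 12
    while query[pos]:                       # skip QNAME labels (no compression in a question)
        pos += 1 + query[pos]
    pos += 5                                # root label + QTYPE + QCLASS
    for _ in range(struct.unpack_from("!H", query, 10)[0]):     # ARCOUNT
        # Simplification: additional records are assumed root-named, as OPT always is.
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", query, pos + 1)
        opts, pos = pos + 11, pos + 11 + rdlen
        while rtype == OPT_TYPE and opts < pos:
            code, olen = struct.unpack_from("!HH", query, opts)
            if code == ECS_CODE:
                family, src_len, _scope = struct.unpack_from("!HBB", query, opts + 4)
                raw = query[opts + 8:opts + 4 + olen]
                ip = ipaddress.ip_address(raw.ljust(4 if family == 1 else 16, b"\x00"))
                return f"{ip}/{src_len}"
            opts += 4 + olen
    return None

# Constructed sample: documentation addresses and a made-up hostname.
if __name__ == "__main__":
    print(client_subnet_seen(build_query("cdn.example.com")))                        # no ECS
    print(client_subnet_seen(build_query("cdn.example.com", ("203.0.113.57", 24))))  # with ECS
```

Without the option, the only location signal left to a DNS-based CDN is the resolver's own source address, which is the situation described above.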


Kiwifruta
#2453511 3-Apr-2020 08:59

I’ve used OpenDNS Family Shield, now Cisco Umbrella, for years. Had no problems with streaming.

freitasm
#2453518 3-Apr-2020 09:12

OpenDNS is a good service and it is easily configurable - more so than 1.1.1.1 for Families and Cloudflare Gateway. It allows you to turn on/off different categories.






 


Aaroona
#2456702 7-Apr-2020 19:53

Is there really much of a reason to use an alternative DNS service these days, aside from some home-filtering?

I'm trying to understand if there is really a net positive to using Google, Cloudflare or any other DNS service. It seems to me it was marketed as a more "reliable" DNS service. In the US I could see this being true, because generally speaking, their ISPs over there suck from what I hear.

The only other benefit I could potentially see, which may be offset by not being able to use cache content for some requests, is the ability to get around some geo-blocking rules.


tanivula
#2456753 7-Apr-2020 22:54

@timmmay - did I read on another thread you're running a piHole? In which case you can use that to filter malware/adult stuff and still reap the benefits of ISP DNS?


 
 
 
 

timmmay

#2456774 8-Apr-2020 06:48

Yes I'm running PiHole. If you can find a list, Pi Hole can block based on it. I just use the default lists, the key thing I'm trying to achieve with Pi Hole is blocking advertising. If there was an easy way to block malware and adult sites I'd do that, but it's not a problem for me so no need right now. I'll need parental control software eventually though.


hio77
#2456894 8-Apr-2020 09:09

tanivula:

 

@timmmay - did I read on another thread you're running a piHole? In which case you can use that to filter malware/adult stuff and still reap the benefits of ISP DNS?

 

 

Quite a few providers actually silently filter the worst of the malware traffic, possibly not every little gem of it like you get via pihole though.







freitasm
#2456895 8-Apr-2020 09:14

I am using OpenDNS as it offers a more granular selection of categories to block.






 


mdf

#2457001 8-Apr-2020 12:04

timmmay:

 

Yes I'm running PiHole. If you can find a list, Pi Hole can block based on it. I just use the default lists, the key thing I'm trying to achieve with Pi Hole is blocking advertising. If there was an easy way to block malware and adult sites I'd do that, but it's not a problem for me so no need right now. I'll need parental control software eventually though.

 

 

We use PiHole for the kids. Easiest way is to add the appropriate DNS servers to the upstream DNS servers (we use cleanbrowsing.org, but no reason why Cloudflare wouldn't work as well). I had one issue with block lists where www.p***hub.com was filtered but p***hub.com was not (or vice versa?) and it took longer than two minutes to resolve so I didn't bother. Cleanbrowsing also has the option of forcing safe search on Google + YouTube.

We've got the home network segmented into VLANs. The kids' VLAN goes via the PiHole + Cleanbrowsing, but other devices can go to ISP DNS servers, Cloudflare, Quad9, Google etc. as appropriate. Depending on your router/WAP, some offer assigning DNS servers on the basis of WLAN SSID without needing VLANs.
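The www-versus-apex gap mentioned in this post is what an exact-match, hosts-format block list produces when it carries only one of the two names. The following is an added example, not from the thread and not Pi-hole's code, that contrasts exact matching with label-boundary suffix matching and lists the sibling names a list leaves uncovered; the list contents and domains are constructed.

```python
# Constructed sample list in hosts format; not a real block list.
SAMPLE_LIST = """
# constructed sample
0.0.0.0 www.adult.example
0.0.0.0 malware.example   # apex only
"""

def normalise(name):
    """Lower-case and drop the trailing root dot so list and query forms compare equal."""
    return name.strip().rstrip(".").lower()

def load_hosts_list(text):
    """Parse hosts-format lines ('0.0.0.0 domain' or a bare domain) into a set of names."""
    domains = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()      # strip comments, split on whitespace
        if fields:
            domains.add(normalise(fields[-1]))
    return domains

def blocked_exact(name, blocklist):
    """Exact matching: only the literal name on the list is blocked."""
    return normalise(name) in blocklist

def blocked_suffix(name, blocklist):
    """Block name if it or any parent domain is listed; return the matching entry or None."""
    labels = normalise(name).split(".")
    for i in range(len(labels) - 1):                # whole labels only; never the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None

def coverage_gaps(blocklist):
    """Return (listed, unlisted sibling) pairs that slip through under exact matching."""
    gaps = []
    for domain in sorted(blocklist):
        sibling = domain[4:] if domain.startswith("www.") else "www." + domain
        if sibling not in blocklist:
            gaps.append((domain, sibling))
    return gaps

if __name__ == "__main__":
    entries = load_hosts_list(SAMPLE_LIST)
    for listed, missing in coverage_gaps(entries):
        print(f"{listed} is listed but {missing} is not")
```

Suffix matching closes the apex-listed case but not the reverse: when only the www name is listed, the apex still resolves until it is added as its own entry.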

