So what to think about CloudFlare DNS?

Cozmo

Active member
Oct 8, 2020
Montreal, Canada
Hey guys. Help me out here...

Every once in a while a subject comes up on the SecurityNow Podcast where the name of CloudFlare comes up. Trying to figure out my own opinion on this, I ended up on cloudflare.com and their (own) page says "Unlike most DNS resolvers, 1.1.1.1 does not sell user data to advertisers"

I am getting older (and definitely more cynical), but Tech Giants coming out with these grand statements don't help me trust them. There's a little voice inside my head just adding "yet" at the end of the above statement -> "Unlike most DNS resolvers, 1.1.1.1 does not sell user data to advertisers YET". And then "not selling" doesn't mean "not gathering, potentially for selling later".

My questions, to you educated folk around here:
How do you prove NOT doing something (not selling data)?
Have these guys been audited and has that statement been confirmed?
Am I the only one with trust issues?

Thanks everyone.
 
They have been audited by KPMG: https://www.cloudflare.com/resource...1.1_Public_Resolver_Report_-_03302020__2_.pdf

Personally I would suggest that you use at least 2 different DNS resolver providers simultaneously (e.g.: Cloudflare, CIRA Canadian Shield and Quad9).

When properly configured, the traffic would be split between them :)
Aaaaaaaaaaaaaaaaand how did I NOT know about Quad9? That's rhetorical btw :cool:. Don't answer that...

But most of the same questions and comments apply to Quad9 as well. Although, having IBM as one of the founders isn't bad...
 
You can't prove a negative. On the other hand, what makes you so exciting in your web browsing that you'd be a good target to monetize? I think at some point you have to save your "the sky is falling" energy for battles that really make a difference, and I don't think DNS providers are your biggest risk to your privacy. How do you know you can trust your OS provider or your ISP/VPN?? They're the ones doing the DNS lookups for you after all. Maybe if you pay for DNS service you'll feel better? If that's the case, what about NextDNS?
 
It is a good question but more worth asking about a company with no other obvious source of income.
Cloudflare and Quad9 for example are both backed by companies with healthy income so aren't as bothered selling scraped data.

I also use the same pairing for basic DNS setup, but using DNSCrypt you can have authenticated and non-spoofable DNS from a large list of resolvers including Cloudflare and Quad9.
 
You should then be happy with ODoH as mentioned by @Steve recently. I am of the opinion that an ODoH provider should front your request and forward it to random yet fast DoH providers so your DNS queries are spread around. This would also avoid aggregation of queries, to avoid the chance of the big data of queries somehow being analysed to still give clues about your habits.....
 
You can't prove a negative. On the other hand, what makes you so exciting in your web browsing that you'd be a good target to monetize? I think at some point you have to save your "the sky is falling" energy for battles that really make a difference, and I don't think DNS providers are your biggest risk to your privacy. How do you know you can trust your OS provider or your ISP/VPN?? They're the ones doing the DNS lookups for you after all. Maybe if you pay for DNS service you'll feel better? If that's the case, what about NextDNS?
I'm sorry you feel that way when I'm only trying to entice discussion here.

a) I never said this was about "my own browsing", nor did I say it was "exciting"
b) Since you seem to know so much about my situation, would you mind enlightening me about what might be "the biggest risk to my privacy"

But thanks
 
It is a good question but more worth asking about a company with no other obvious source of income.
Cloudflare and Quad9 for example are both backed by companies with healthy income so aren't as bothered selling scraped data.

I also use the same pairing for basic DNS setup, but using DNSCrypt you can have authenticated and non-spoofable DNS from a large list of resolvers including Cloudflare and Quad9.

Thanks for that - DNSCrypt does seem to have some points of interest, I will dig in!
 
the biggest risk to my privacy

Having trust issues (which is what you claimed) is a form of paranoia, and with your chosen avatar, I presumed you were being paranoid. (Presumably paranoid about your DNS being monitored and monetized.) I said web browsing because it's hard to imagine what else you might be doing that would be generating any significant DNS queries. Under normal circumstances the only people that would normally see your DNS traffic are your ISP and/or your DNS provider. Given that, it's hard to imagine why one cares much about their DNS privacy unless they're subject to government scrutiny or worried about being monetized. There is little point blaming me for pondering the worth of questioning the integrity of seemingly reputable DNS providers when only you can tell us what you're doing that has got you so worried about this topic...

Things that are bigger risks to your privacy are using/posting on Facebook, or really posting online at all. Shopping online is also a risk. Using a credit card or bank card (or really anything but cash) to make purchases (online or offline) is a risk. If you ever go off the beaten path on the Internet that is probably a bigger risk (of getting mal-ads or worse.) Using Netflix or any other streaming platform with an account in your name is a risk. Probably being a Security Now listener is enough to get you on some NSA list because they tend to view people who care about security and privacy with more suspicion than the average and clueless user.

In the end, only you can decide how paranoid you need to be (or are willing to be) and how much of your life you're willing to trade away for that paranoia. For me, worrying about the world's largest CDN (who sees probably 40% of ALL web traffic in some way) somehow having nefarious plans for just my DNS is just not worth it.
 
You should then be happy with ODoH as mentioned by @Steve recently. I am of the opinion that an ODoH provider should front your request and forward it to random yet fast DoH providers so your DNS queries are spread around. This would also avoid aggregation of queries, to avoid the chance of the big data of queries somehow being analysed to still give clues about your habits.....

DNSCrypt uses a similar multi-resolver approach. I am currently using 71 from a possible 166 resolvers (238 if you include IPv6).
It tries to use whichever responds the fastest, so tends to hop around a bit, spreading my requests.
 
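As an added example for this thread (it is not code from the forum, from dnscrypt-proxy, or from any resolver operator), here is the "use several providers and let the fastest win" approach from the replies above in Python, with the transport and clock injected so it runs offline. It encodes a real DNS wire-format query, keeps a per-resolver latency average, picks at random among the two currently fastest resolvers so no single provider sees every lookup, and checks the transaction ID on the reply. The resolver names, latencies and the 203.0.113.10 answer are constructed for the demo; the selection rule is only loosely modelled on dnscrypt-proxy's behaviour, not copied from it.

```python
# Added example for this thread, not code from dnscrypt-proxy or any resolver
# operator. Resolver names, latencies and the answer address are made up.
import random
import struct
import time

def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Encode a standard DNS query (RFC 1035 wire format), RD set, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def _skip_name(buf: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        ln = buf[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:          # compression pointer ends the name
            return off + 2
        off += 1 + ln

def parse_answer(resp: bytes, expected_txid: int) -> list:
    """Return A-record addresses. The ID check only defeats blind spoofing;
    it is not the cryptographic authentication DNSCrypt/DoH provide."""
    txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch: reply may be spoofed")
    off = 12
    for _ in range(qd):                 # skip the echoed question(s)
        off = _skip_name(resp, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in resp[off:off + 4]))
        off += rdlen
    return addrs

class ResolverPool:
    """Per query, choose at random among the `fastest_k` lowest-latency resolvers.
    Latency is an exponential moving average, so a slowed provider drops out of
    the candidate set and a recovered one comes back. transport/clock are injected."""
    def __init__(self, resolvers, transport, fastest_k=2, alpha=0.3,
                 rng=None, clock=time.perf_counter):
        self.resolvers, self.transport, self.k = list(resolvers), transport, fastest_k
        self.alpha, self.rng, self.clock = alpha, rng or random.Random(), clock
        self.latency = {r: None for r in self.resolvers}   # None = not yet probed
        self.counts = {r: 0 for r in self.resolvers}

    def _pick(self) -> str:
        # Unprobed resolvers rank first so each one gets measured at least once.
        ranked = sorted(self.resolvers,
                        key=lambda r: -1.0 if self.latency[r] is None else self.latency[r])
        return self.rng.choice(ranked[:self.k])

    def resolve(self, name: str):
        resolver = self._pick()
        txid = self.rng.randrange(0, 0x10000)       # random ID, never a counter
        query = build_query(name, txid=txid)
        t0 = self.clock()
        resp = self.transport(resolver, query)      # transport(resolver, bytes) -> bytes
        dt = self.clock() - t0
        old = self.latency[resolver]
        self.latency[resolver] = dt if old is None else (1 - self.alpha) * old + self.alpha * dt
        self.counts[resolver] += 1
        return resolver, parse_answer(resp, txid)

def fake_response(query: bytes, ip: str) -> bytes:
    """Constructed reply for offline use: echo the question, add one A record."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
    answer = (b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4)
              + bytes(int(o) for o in ip.split(".")))
    return header + query[12:] + answer

class FakeNetwork:
    """Stand-in for real resolvers: fixed per-resolver latency on a fake clock."""
    def __init__(self, latencies: dict, ip: str = "203.0.113.10"):
        self.latencies, self.ip, self.now = latencies, ip, 0.0

    def clock(self) -> float:
        return self.now

    def transport(self, resolver: str, query: bytes) -> bytes:
        self.now += self.latencies[resolver]     # simulate the round trip
        return fake_response(query, self.ip)

def demo(n_queries: int = 300, seed: int = 7) -> dict:
    """Run queries against three simulated providers; return per-resolver counts."""
    net = FakeNetwork({"cloudflare": 0.010, "quad9": 0.012, "cira": 0.050})
    pool = ResolverPool(net.latencies, net.transport, fastest_k=2,
                        rng=random.Random(seed), clock=net.clock)
    for i in range(n_queries):
        pool.resolve(f"host{i}.example.com")
    return pool.counts
```

Running `demo()` shows the effect described above: the slow third provider is probed once and then only the two fast ones share the load, roughly half each. To use it for real, replace `FakeNetwork.transport` with a UDP send/receive of the same bytes (or a DoH POST with content type application/dns-message). Two caveats a practitioner should keep in mind: the transaction-ID check stops blind spoofing but is not the signed authentication DNSCrypt gives, and spreading queries distributes the trust question the original post raised across several companies rather than removing it.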