Cloudflare has expanded the range of secure DNS services available. As well as Cisco’s OpenDNS, Google’s DNS service, Oracle’s Dyn, and the recent Quad9 service, Cloudflare now adds 1.1.1.1 to the mix.
According to their blog yesterday (Announcing 1.1.1.1: the fastest, privacy-first consumer DNS service), this is not an April Fool’s joke, but a way of making the Internet faster for all. Cloudflare also released a technical blog entry (Introducing DNS Resolver, 1.1.1.1 (not a joke)) explaining their DNS resolver architecture. The blog covers the use of the Knot resolver, which is a fast, scalable and secure base supporting the latest DNS security standards. DNSPerf is reporting that 1.1.1.1 is currently the fastest DNS resolver, with a response time of ~13ms.
But every generous gesture typically has a benefit for the other side too. So Cloudflare have worked with APNIC Labs to provide details of the traffic hitting their 1.1.1.1 and 1.0.0.1 IP addresses. (In turn, APNIC has granted the address space for these hosts to Cloudflare.) APNIC Labs blogged (APNIC Labs enters into a Research Agreement with Cloudflare) about the nature of the research they will undertake.
So why are APNIC Labs interested in traffic to 1.1.1.1 and 1.0.0.1? These addresses have commonly been used as placeholders in test systems until the correct corporate IP addresses can be applied. Such systems may retain this configuration even after being readdressed and connected to the Internet, and they then spew that traffic out onto the Internet once connected.
Correctly configured corporate firewalls should only allow outbound traffic from the organisation’s registered IP addresses. If you have a home or SMB grade device, it may let traffic out from any source address into the Internet alongside all the other legitimate traffic. So these addresses can reveal a lot about systems inside the network. But APNIC seems only to be interested in the DNS data. They want to use the captured information to determine whether DNS could be structured or architected in a more secure, less chatty way. Specifically, one of the tasks they are looking at is the value of DNS caching.
So now that these IP addresses are being routed, check the firewalling at your bastion hosts as a minimum, and avoid using 1.1.1.1 and 1.0.0.1 for test systems in future (in fact, the entire 1.1.1.0/24 and 1.0.0.0/24 subnets, according to APNIC’s blog).
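One way to perform the check just described is to audit egress flow logs for two things: sources outside your registered prefixes (which a correctly configured firewall should drop) and sources still carrying a 1.1.1.0/24 or 1.0.0.0/24 test address. The script below is an added example, not code from the original post; the flow records and the registered prefix 203.0.113.0/24 are constructed sample values.

```python
import ipaddress

# Constructed sample egress flow records (assumed format, not from the post):
# timestamp src_ip dst_ip proto dst_port action
SAMPLE_FLOWS = """\
2018-04-02T09:00:01Z 203.0.113.10 1.1.1.1 udp 53 allow
2018-04-02T09:00:02Z 10.0.5.7 1.1.1.1 udp 53 allow
2018-04-02T09:00:03Z 1.1.1.1 192.0.2.50 tcp 22 allow
2018-04-02T09:00:04Z 203.0.113.11 1.0.0.1 tcp 443 allow
2018-04-02T09:00:05Z 1.0.0.9 198.51.100.9 tcp 443 allow
"""

# The organisation's registered public prefixes (assumed example, TEST-NET-3).
REGISTERED = [ipaddress.ip_network("203.0.113.0/24")]

# The subnets APNIC has granted to Cloudflare for the resolver (from the post).
RESOLVER_NETS = [ipaddress.ip_network("1.1.1.0/24"),
                 ipaddress.ip_network("1.0.0.0/24")]


def parse_flow(line):
    """Split one space-separated flow record into typed fields."""
    ts, src, dst, proto, port, action = line.split()
    return {"ts": ts, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "proto": proto,
            "port": int(port), "action": action}


def in_any(addr, nets):
    return any(addr in net for net in nets)


def audit_egress(text, registered=REGISTERED):
    """Return (timestamp, source, reason) for every outbound flow that should
    not have left the network: a leftover 1.1.1.x/1.0.0.x test address, or any
    other source (private, spoofed, un-NATed) outside the registered prefixes."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if in_any(flow["src"], RESOLVER_NETS):
            findings.append((flow["ts"], str(flow["src"]), "stale-test-address"))
        elif not in_any(flow["src"], registered):
            findings.append((flow["ts"], str(flow["src"]), "unregistered-source"))
    return findings


if __name__ == "__main__":
    for finding in audit_egress(SAMPLE_FLOWS):
        print(*finding)
```

Traffic to 1.1.1.1 on port 53 from a registered address is legitimate resolver use and is not flagged; only the source side is audited here.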
Lastly, the date of the launch was chosen to reflect the IP address 1.1.1.1, where the DNS resolvers are available (four 1’s, or April 1st in American date notation).