Cloudflare adds Secure DNS service on 1.1.1.1

Cloudflare has expanded the range of secure DNS services available. As well as Cisco’s OpenDNS, Google’s DNS service, Oracle’s Dyn, and the recent Quad 9 service, Cloudflare now adds 1.1.1.1 to the mix.

According to their blog post yesterday, Announcing 1.1.1.1: the fastest, privacy-first consumer DNS service, this is not an April Fool’s joke but a way of making the Internet faster for everyone. Cloudflare also released a technical blog entry, Introducing DNS Resolver, 1.1.1.1 (not a joke), explaining their DNS resolver architecture. It covers the use of the Knot resolver, a fast, scalable and secure base supporting the latest DNS security standards. DNSPerf reports that 1.1.1.1 is currently the fastest DNS resolver, with a response time of ~13ms.

It also supports IPv6 on both 2606:4700:4700::1111 and 2606:4700:4700::1001, which at least echoes elements of the IPv4 addresses in the IPv6 space, unlike the Quad 9 service launched last November.

But every generous gesture typically has a benefit for the other side too. Cloudflare has worked with APNIC Labs to provide details of the traffic hitting the 1.1.1.1 and 1.0.0.1 addresses (in turn, APNIC has granted the address space for these hosts to Cloudflare). APNIC Labs blogged about the nature of the research they will undertake in APNIC Labs enters into a Research Agreement with Cloudflare.

So why are APNIC Labs interested in traffic to 1.1.1.1 and 1.0.0.1? These addresses are often used as placeholders in test systems until the correct corporate IP addresses can be applied. Such systems may retain that configuration even after being readdressed and connected to the Internet, and they then spew this traffic out onto the Internet once connected.

Correctly configured corporate firewalls should only allow traffic out from their registered IP addresses. A home or SMB grade device, however, may let traffic from any source address out to the Internet alongside all the other legitimate traffic, so these addresses can reveal a lot about systems inside the network. APNIC, though, seems only to be interested in the DNS data: they want to use the captured information to determine whether DNS could be structured or architected in a more secure, less chatty way. Specifically, one of the tasks they are looking at is the value of DNS caching.

So, now that these IP addresses are being routed, check your firewalling at your bastion hosts as a minimum, and avoid using 1.1.1.1 and 1.0.0.1 for test systems in future (in fact, the entire 1.1.0.0/24 and 1.0.0.0/24 subnets, according to APNIC’s blog).
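As an added illustration of the egress check recommended above (example code, not part of the original post), the script below audits constructed outbound flow records from a bastion firewall: any flow whose source is not one of the organisation's registered addresses is flagged, with the 1.1.1.1 and 1.0.0.1 placeholders called out separately. The registered range 203.0.113.0/24 and the log format are assumptions made for this example.

```python
# Egress source-address audit. Assumptions (not from the post): the corporate
# registered range is 203.0.113.0/24 (documentation space) and flow records
# are logged as "src dst proto dport".
import ipaddress

# Assumed registered (publicly routed) source ranges for this organisation.
REGISTERED_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]

# Addresses the post describes as commonly used placeholders in test systems.
TEST_PLACEHOLDERS = [ipaddress.ip_network("1.1.1.1/32"),
                     ipaddress.ip_network("1.0.0.1/32")]

# Constructed sample flow records, as a bastion host might log them.
SAMPLE_FLOWS = """\
203.0.113.10 8.8.8.8 udp 53
1.1.1.1 198.51.100.5 udp 53
203.0.113.22 93.184.216.34 tcp 443
1.0.0.1 198.51.100.5 udp 53
10.0.0.5 93.184.216.34 tcp 80
"""


def parse_flow(line):
    """Split one 'src dst proto dport' record into typed fields."""
    src, dst, proto, dport = line.split()
    return ipaddress.ip_address(src), ipaddress.ip_address(dst), proto, int(dport)


def is_registered(src):
    """True if the source address lies in a registered corporate range."""
    return any(ipaddress.ip_address(src) in net for net in REGISTERED_SOURCES)


def classify_source(src):
    """ALLOW registered sources; flag stale test placeholders; drop the rest."""
    addr = ipaddress.ip_address(src)
    if is_registered(addr):
        return "ALLOW"
    if any(addr in net for net in TEST_PLACEHOLDERS):
        return "DROP-placeholder"   # leftover lab config leaking to the Internet
    return "DROP"                   # unregistered source (private or spoofed)


def audit_egress(log_text):
    """Return (verdict, src, dst, proto, dport) for every flow record."""
    findings = []
    for line in log_text.splitlines():
        src, dst, proto, dport = parse_flow(line)
        findings.append((classify_source(src), str(src), str(dst), proto, dport))
    return findings
```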

Lastly, the launch date was chosen to reflect the IP address 1.1.1.1 on which the DNS resolvers are available (four 1’s, or April 1st in American date notation).

John Dixon

John Dixon is the Principal Consultant of thirteen-ten nanometre networks Ltd, based in Wiltshire, United Kingdom. He has a wide range of experience (including, but not limited to) operating, designing and optimizing systems and networks for customers from global to domestic in scale. He has worked with many international brands to implement both data centres and wide-area networks across a range of industries. He is currently supporting a major SD-WAN vendor on the implementation of an environment supporting a major global fast-food chain.
