Cloudflare Public DNS Service

The Domain Name System (DNS) is an integral part of today’s public Internet infrastructure. The purpose of DNS is to resolve names to IP addresses, and the technology itself was invented in 1983, when security was an afterthought. As a result, DNS has been subject to many attacks over the years, such as DNS spoofing and cache poisoning. These attacks typically involve sending forged DNS responses to clients so that the clients connect to attacker-controlled nodes on the Internet instead of the legitimate nodes they originally requested.

In response to the security shortcomings of DNS, additional protocols such as the Domain Name System Security Extensions (DNSSEC) have been created to mitigate these risks. DNSSEC essentially forms a signed chain of trust through the hierarchical infrastructure of DNS nodes, so that when a client queries a name there is verification that the resolved response is legitimate. Cloudflare, a cloud-based company known for its content delivery network, DDoS mitigation, and security services, has recently made mainstream news with its new public DNS service for consumers. What makes Cloudflare’s public DNS so attractive is that it competes with, if not surpasses, Google’s DNS services in both performance and security. In their recent blog post, published this past Sunday, they boast of their “fast and highly distributed network” and claim they are “the fastest authoritative DNS provider on the Internet with seven million Internet properties.” Additionally, the new public DNS service supports DNS over HTTPS (DoH) and DNS over TLS (DoT), which encrypt queries on the path between the client and the resolver.
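The following is an added example, not code from the Cloudflare post or from Cloudflare: it builds a DNS-over-HTTPS (RFC 8484) GET request that asks the resolver for DNSSEC-validated data (the EDNS0 DO bit) and then checks the AD (Authenticated Data) flag on a response header, which is how a client learns that the validating resolver verified the chain of trust. The resolver endpoint URL is an assumption, and the two response headers are constructed samples.

```python
import base64
import struct

# Assumed DoH endpoint for the 1.1.1.1 service (not taken from the post).
DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"


def encode_name(name: str) -> bytes:
    """Wire-format a domain name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("each label must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1) -> bytes:
    """DNS query: id 0 (RFC 8484 recommends it for HTTP caching), RD set,
    one question, and an OPT record with the DO bit so the resolver
    returns DNSSEC records and sets AD when validation succeeds."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, TYPE 41, UDP payload 4096, ext-rcode 0, EDNS
    # version 0, flags 0x8000 (DO bit), RDLENGTH 0.
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt


def doh_get_url(name: str) -> str:
    """GET form: base64url without '=' padding in the 'dns' parameter."""
    b64 = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode()
    return f"{DOH_ENDPOINT}?dns={b64}"


def parse_flags(response: bytes) -> dict:
    """Decode the header flag bits; AD=1 means the resolver validated
    the answer with DNSSEC, CD=1 means the client asked it not to."""
    _, flags = struct.unpack("!HH", response[:4])
    return {"qr": bool(flags & 0x8000), "rcode": flags & 0x000F,
            "ad": bool(flags & 0x0020), "cd": bool(flags & 0x0010)}


# Constructed sample headers: QR, RD, RA set, NOERROR; only AD differs.
SAMPLE_VALIDATED = struct.pack("!HHHHHH", 0, 0x81A0, 1, 1, 0, 1)
SAMPLE_UNVALIDATED = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 1)

if __name__ == "__main__":
    print(doh_get_url("example.com"))
    print(parse_flags(SAMPLE_VALIDATED), parse_flags(SAMPLE_UNVALIDATED))
```

An AD flag that is clear on a signed zone, or an AD flag set by a resolver reached over plain UDP, is exactly the case DoH/DoT address: without an encrypted, authenticated path to the resolver the flag itself could be forged in transit.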

What seems to make Cloudflare more attractive than Google is its emphasis on privacy and speed. Their goal, according to their blog, is to keep expanding their infrastructure until everyone is within 10 milliseconds of at least one of their DNS locations. Additionally, Cloudflare uses DNS Query Name Minimization, which sends each authoritative server only the part of the name it needs to answer, so that less of the full query is exposed as it crosses DNS nodes. Furthermore, Cloudflare states they will never store any information in their logs that identifies end users, and all logs collected by the public resolvers will be deleted within 24 hours. Their resolvers are built on the open source, modular Knot Resolver, which was released about two years ago and currently has a large and active user base.

To check whether your current resolver validates DNSSEC, you can visit http://www.dnssec-ornot.com/. To try out Cloudflare’s DNS service, visit https://1.1.1.1/.

Sources
https://blog.cloudflare.com/dns-resolver-1-1-11
https://github.com/hashcat/hashcat
https://threatpost.com/cloudflare-launches-publicly-dns-over-httpsservice/130900/