1.1.1.1 A New Privacy and Security Focused DNS Resolver

Another promising DNS resolver with a security and privacy focus is Cloudflare's new free offering, 1.1.1.1.

Olafur Gudmundsson, director of engineering at Cloudflare, said: “Our goals with the public resolver are simple: Cloudflare wants to operate the fastest public resolver on the planet while raising the standard of privacy protections for users.”

"We began talking with browser manufacturers about what they would want from a DNS resolver. One word kept coming up: privacy. Beyond just a commitment not to use browsing data to help target ads, they wanted to make sure we would wipe all transaction logs within a week. That was an easy request. In fact, we knew we could go much further. We committed to never writing the querying IP addresses to disk and [to] wiping all logs within 24 hours."

Features that interest me include:

  • Query Minimization (RFC 7816)
  • DNS-over-TLS (Transport Layer Security) (RFC 7858)
  • DNS-over-HTTPS protocol (DoH)
  • Aggressive negative answers (RFC 8198)

"While DNSSEC ensures integrity of data between a resolver and an authoritative server, it does not protect the privacy of the “last mile” towards you. DNS resolver, 1.1.1.1, supports both emerging DNS privacy standards - DNS-over-TLS, and DNS-over-HTTPS, which both provide last mile encryption to keep your DNS queries private and free from tampering."

"The DNS resolver, 1.1.1.1, is also supporting privacy-enabled TLS queries on port 853 (DNS over TLS), so we can keep queries hidden from snooping networks. Furthermore, by offering the experimental DoH (DNS over HTTPS) protocol, we improve both privacy and a number of future speedups for end users, as browsers and other applications can now mix DNS and HTTPS traffic into one single connection."
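To make the two transports in the quoted paragraph concrete, here is an added example (not Cloudflare's code and not from the original post) that builds a DNS query in RFC 1035 wire format, frames it the way DNS-over-TLS (RFC 7858) and DNS-over-HTTPS (RFC 8484) carry it, and parses the answer section of a response. The resolver address 1.1.1.1 and port 853 are the ones named in the post; the DoH URL https://1.1.1.1/dns-query is assumed from Cloudflare's documentation; the sample response is constructed with a TEST-NET address, not captured from a real lookup. The two live lookup functions need network access and are only called by hand.

```python
import base64
import secrets
import socket
import ssl
import struct
import urllib.request

RESOLVER_IP = "1.1.1.1"                 # primary resolver named in the post
DOT_PORT = 853                          # DNS-over-TLS port quoted in the post
DOH_URL = "https://1.1.1.1/dns-query"   # assumed from Cloudflare's docs, not stated in the post
QTYPE_A, CLASS_IN = 1, 1

def encode_name(name):
    """'www.example.com' -> b'\\x03www\\x07example\\x03com\\x00' (RFC 1035 labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, qtype=QTYPE_A, txid=None):
    """12-byte header (RD set, one question) followed by the question section."""
    if txid is None:
        txid = secrets.randbits(16)      # unpredictable ID, part of classic anti-spoofing
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)

def dot_frame(msg):
    """DoT reuses DNS-over-TCP framing: 2-byte big-endian length, then the message."""
    return struct.pack("!H", len(msg)) + msg

def doh_get_param(msg):
    """DoH GET form: ?dns=<base64url without padding>; POST sends the raw bytes instead."""
    return base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")

def _skip_name(msg, off):
    """Advance past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:        # compression pointer: two bytes, ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length

def parse_a_records(msg):
    """IPv4 addresses in the answer section of a wire-format response."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000 or flags & 0x000F:
        raise ValueError("not a successful response (flags=0x%04x)" % flags)
    off = 12
    for _ in range(qd):                  # skip the echoed question(s)
        off = _skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_A and rclass == CLASS_IN and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed early")
        buf += chunk
    return buf

def dot_lookup(name, server=RESOLVER_IP):
    """Live DNS-over-TLS: TLS to port 853 with certificate verification, then TCP framing."""
    ctx = ssl.create_default_context()
    with socket.create_connection((server, DOT_PORT), timeout=5) as raw, \
            ctx.wrap_socket(raw, server_hostname=server) as tls:
        tls.sendall(dot_frame(build_query(name)))
        (length,) = struct.unpack("!H", _recv_exact(tls, 2))
        return parse_a_records(_recv_exact(tls, length))

def doh_lookup(name, url=DOH_URL):
    """Live DNS-over-HTTPS: POST the wire-format query as application/dns-message."""
    headers = {"Content-Type": "application/dns-message", "Accept": "application/dns-message"}
    req = urllib.request.Request(url, data=build_query(name), method="POST", headers=headers)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_a_records(resp.read())

# Constructed response (TEST-NET-1 address, not a captured lookup): flags 0x8180 = QR|RD|RA,
# one question, one answer whose owner name is a pointer (0xC00C) back to the question name.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                   + encode_name("example.com") + struct.pack("!HH", QTYPE_A, CLASS_IN)
                   + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, CLASS_IN, 300, 4)
                   + socket.inet_aton("192.0.2.1"))

if __name__ == "__main__":
    q = build_query("example.com", txid=0x1234)
    print(len(q), dot_frame(q)[:2].hex(), doh_get_param(q), parse_a_records(SAMPLE_RESPONSE))
    # Live queries (network needed): dot_lookup("example.com"), doh_lookup("example.com")
```

The same 29-byte query travels either as a length-prefixed message inside a verified TLS session on port 853, or as the body (or base64url `dns=` parameter) of an HTTPS request, which is what lets a browser multiplex DNS with its other HTTPS traffic on one connection, as the quote describes. Note that `ssl.create_default_context()` verifies the resolver's certificate; a DoT client that skips that step gives up the tamper protection the post is about.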

Mozilla added the core functionality in Firefox 60 and plans to run a test in Firefox Nightly to find out how good of a solution the new technology is.

Firefox users who run Firefox Nightly may configure the browser to use DNS over HTTPS right now.

I recommend you use DNS Benchmark and test the speed of the primary (1.1.1.1) and secondary (1.0.0.1) resolver first to make sure they are fast for your location.

How to configure GRC's DNS Benchmark:
1. Launch the DNS Benchmark.
2. Click on the "Nameservers" tab and wait for the initialization to complete.
3. Click the Add/Remove button at the left below the tabs.
4. Enter "1.1.1.1" and click "Add".
5. Enter "1.0.0.1" and click "Add".
6. Click "Run Benchmark".
7. While it's running, stretch the window to the top and bottom of your screen.
8. When completed, left-click on the results and drag the mouse to show numerical timing.

Instructions on how to set your DNS are here: https://1.1.1.1/

UPDATE: There is now an iOS and Android app that will encrypt your DNS (not your traffic).

Further research
Introducing DNS Resolver, 1.1.1.1 (not a joke)
Announcing 1.1.1.1: the fastest, privacy-first consumer DNS service
DNSPerf

  • Nathan House

    Nathan House is the founder and CEO of StationX. He has over 25 years of experience in cyber security, where he has advised some of the largest companies in the world. Nathan is the author of the popular "The Complete Cyber Security Course", which has been taken by over half a million students in 195 countries. He is the winner of the AI "Cyber Security Educator of the Year 2020" award and finalist for Influencer of the year 2022.

  • TBingolon says:

    I’ve just tested the DNS benchmark and Google’s are still faster than the others (at least here in Latin America); however, it is good to know about this kind of information, thanks!

  • Mike says:

    So you think it’s pretty good?

    I switched one of my computers over to it yesterday and so far so good. Since you say it’s OK I think I’ll switch the rest.

    • Nathan House says:

      Make sure you test it. Quad9 has blacklisting, which this doesn’t, if you want that.

      • Darryl says:

        I was just about to mention that. I like 1.1.1.1 for speed and privacy.

        I like 9.9.9.9 for not serving known malware sites.

        I might use 1.1.1.1 on my personal machine, but for my users/domain I’ll go with 9.9.9.9.

        Thanks for the great info on your mailing lists….

  • Joe says:

    Great! Also if you want a tool to run natively on mac to check the resolver speeds, NameBench is an open source cross platform option: https://www.serverwatch.com/server-tutorials/two-tools-for-testing-dns-server-speeds.html

  • Peter says:

    I tried it!

  • Mohammed Almulla says:

    Is this about privacy? With this my ISP can still see the sites I am visiting, as I am going through their proxies. Am I right?

    • Nathan House says:

      It can make your DNS requests private and help prevent MiTM attacks where the attacker sends a bogus site back to you. The ISP will still be able to see where you go because your traffic goes through their network devices (routers, firewalls), not so much proxies. Even if traffic is sent over HTTPS, because of the SNI (https://en.wikipedia.org/wiki/Server_Name_Indication) they can still see where you might be going. For privacy you still want a VPN really. For anonymity you want Tor or JonDoNym.
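The SNI point in the reply above, as an added example (not the author's code and not from the original post): it builds a minimal TLS 1.2 ClientHello for a constructed hostname and reads the server name back out of the unencrypted handshake, which is the information an on-path network device (the ISP in the question, or equally a monitoring sensor on your own network) still sees once DNS itself is encrypted. The hostname and the single cipher suite are constructed sample values; the parser handles the no-SNI and malformed cases rather than assuming a well-formed record.

```python
import os
import struct

TLS_HANDSHAKE = 0x16      # record content type
CLIENT_HELLO = 0x01       # handshake message type
EXT_SERVER_NAME = 0x0000  # SNI extension type (RFC 6066)
HOST_NAME = 0             # the only defined name_type

def build_client_hello(hostname=None):
    """Constructed minimal TLS 1.2 ClientHello record: one cipher suite, optional SNI."""
    exts = b""
    if hostname is not None:
        host = hostname.encode("idna")
        entry = bytes([HOST_NAME]) + struct.pack("!H", len(host)) + host
        sni = struct.pack("!H", len(entry)) + entry          # server_name_list
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    body = (b"\x03\x03" + os.urandom(32)                    # client_version, random
            + b"\x00"                                        # empty session_id
            + struct.pack("!H", 2) + b"\xc0\x2f"             # one cipher suite (sample value)
            + b"\x01\x00"                                    # compression methods: null only
            + struct.pack("!H", len(exts)) + exts)
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # record-layer version 0x0301 is what real clients send for compatibility
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record):
    """host_name from the SNI extension of a ClientHello record, or None if absent/malformed."""
    try:
        if record[0] != TLS_HANDSHAKE:
            return None
        (rec_len,) = struct.unpack("!H", record[3:5])
        hs = record[5:5 + rec_len]
        if hs[0] != CLIENT_HELLO:
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) < hs_len:
            return None                      # truncated (ClientHello split over several records)
        off = 2 + 32                         # client_version + random
        off += 1 + body[off]                 # session_id
        (cs_len,) = struct.unpack("!H", body[off:off + 2]); off += 2 + cs_len
        off += 1 + body[off]                 # compression_methods
        if off + 2 > len(body):
            return None                      # no extensions block at all
        (ext_len,) = struct.unpack("!H", body[off:off + 2]); off += 2
        end = off + ext_len
        while off + 4 <= end:
            etype, elen = struct.unpack("!HH", body[off:off + 4]); off += 4
            data, off = body[off:off + elen], off + elen
            if etype != EXT_SERVER_NAME:
                continue
            (list_len,) = struct.unpack("!H", data[:2])
            pos = 2
            while pos + 3 <= 2 + list_len:
                ntype, (nlen,) = data[pos], struct.unpack("!H", data[pos + 1:pos + 3])
                pos += 3
                if ntype == HOST_NAME:
                    return data[pos:pos + nlen].decode("idna")
                pos += nlen
    except (IndexError, struct.error, UnicodeError):
        return None
    return None

def destinations_seen(records):
    """What a passive observer logs from a batch of first-flight records: SNI or '(no SNI)'."""
    return [extract_sni(r) or "(no SNI)" for r in records]

if __name__ == "__main__":
    hello = build_client_hello("www.example.com")     # constructed sample hostname
    print(extract_sni(hello))
    print(destinations_seen([hello, build_client_hello(None)]))
```

The server name sits in plaintext in the very first packet of the connection, so encrypting the DNS lookup that preceded it hides the query from the resolver path but not the destination from whoever carries the TLS traffic, which is why the reply points to a VPN for privacy rather than to DNS alone.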

  • Jader says:

    I’ve been using it since they launched, very fast indeed, at least here in Brazil it’s nice.

  • Alishia says:

    DNS resolver 1.1.1.1 is a fast and private way to browse the internet. It also has access to the addresses of 7M+ domain names on the same servers, so it’s the fastest resolver out there.
