I thought part of using cloudflare was that they didn't collect any data like Google did...guess I was wrong!!!
https://en.wiktionary.org/wiki/kiboze
Other things to do, yes, but Quad9 is a high priority for us, and heck, I'm just sitting around an airport lounge waiting for my next plane, so I might as well be useful, right?
Sure.
Relative to those two, the answer is the same: privacy and security.
A lot of people look at recursive DNS and think that performance is the thing that matters, because it's the thing that they can measure. Performance is easy to see, because anybody can run dnsperftest to see which gives the quickest average response time from their location. But of the four large ones (OpenDNS/Umbrella being the fourth) all are likely to give you very good performance if you're in North America or Western Europe. Because the other three are commercial, they focus their effort in the places where people have the most money to spend, so you're less likely to get good performance from them if you're in Africa or South America or the Caribbean or South Asia, for instance. But if you're in the US, or Canada, or France, or Germany, any of the four will give you perfectly sufficient performance, and no amount of tinkering or switching is likely to yield any user-noticeable improvement. But performance isn't the point. Google was already there when we set up Quad9, and we're not going to blow our donors' money solely to one-up somebody's commercial offering on the basis of performance.
The point was privacy and security.
Google and Cloudflare make their money by collecting and selling personal information. Whatever you may think about the morality of that, it's flat-out illegal in Europe, and Quad9 was started because European privacy regulators asked us (meaning PCH, in this case) to stand up a GDPR-compliant recursive resolver, as an existence-proof that it was possible to run this critical infrastructure without paying for it by stealing users' personal information and hawking it to data-brokers.
So, unlike the others, Quad9 does not collect personal information. Quad9 does not have a concept of a "user" to hang records off of, and does not collect any IP addresses. Quad9 is the only big anycast resolver that doesn't collect personal information, and it's the only free one that's GDPR-compliant. (Cisco's commercial Umbrella offering is GDPR-compliant and doesn't sell information.) There are people who say that it's okay to collect information if you don't do anything bad with it, but that's completely wrong, because breaches happen all the time. Any information you collect will eventually be stolen, and when it's stolen, it'll be sold. So, don't collect unnecessary information in the first place.
Relative to security, malware and phishing and so forth are a horrible problem, particularly with IoT junk. Botnets are getting very large, and the DDoS attacks they source are a vast problem. So using the recursive resolver to block contact between bot software and its C&C, as David did with OpenDNS, is an excellent way to protect users from malware, and to protect the Internet from infected devices. Whereas OpenDNS has Cisco as its sole source of "threat intelligence," Quad9, as a not-for-profit Internet industry project, has twenty, including Cisco and IBM and F-Secure and many others. So Quad9 offers malware blocking that uses the best information we can glean from all twenty threat intel providers, plus a whitelist of known-good major sites, to make sure that infected devices at your sites can't connect to C&C and start DDoSing people, and that credulous users won't be able to connect to phishing sites that will steal their information.
How we recommend you use Quad9 is to run a local caching resolver that performs QNAME minimization and DNS-over-TLS, provision it with plenty of cache, and only leak the minimum possible information out to us. Lots of folks use the combination of PiHole and Stubby for that purpose. One way you can tell whether people are monetizing your data is by seeing whether they recommend you connect your end-nodes directly to their service, or whether they recommend you put a caching resolver in front.
If you want to make this question more visible, you could post it to Quora, and I'll post the answer there as well.
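For the deployment described in the post above (a local caching resolver that validates locally and forwards only its cache misses to Quad9 over DNS-over-TLS), here is an added unbound.conf example. It is not from the post, from Quad9 or from the unbound project; it assumes a Debian-style CA bundle path, a root trust anchor at /var/lib/unbound/root.key (initialised with unbound-anchor), a LAN of 192.168.1.0/24, and that Pi-hole sits in front on port 53 (Pi-hole's documented upstream setting is 127.0.0.1#5335). The Quad9 addresses, port 853 and the TLS name dns.quad9.net are Quad9's published values.

```conf
server:
    # Listen on loopback only; LAN clients reach this via Pi-hole on port 53.
    # If this is the only resolver, use port 53 and add the LAN interface.
    interface: 127.0.0.1
    port: 5335
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow    # assumed LAN range, adjust

    # Caching: a large cache with prefetching means fewer cache misses,
    # and only cache misses are ever forwarded upstream.
    msg-cache-size: 64m
    rrset-cache-size: 128m
    prefetch: yes              # refresh popular records before they expire
    aggressive-nsec: yes       # answer NXDOMAIN from cached DNSSEC proofs

    # Privacy: minimise what leaves this host and what it reveals about itself.
    qname-minimisation: yes
    hide-identity: yes
    hide-version: yes

    # Validate DNSSEC locally rather than trusting the upstream's AD bit.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"   # assumed path

    # CA bundle used to authenticate the upstream's TLS certificate.
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt   # assumed Debian path

forward-zone:
    name: "."
    forward-tls-upstream: yes
    # address@port#auth-name: unbound checks the certificate against
    # dns.quad9.net, so a host impersonating 9.9.9.9 is rejected.
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
    # Drop the two IPv6 lines if this host has no IPv6 route.
    forward-addr: 2620:fe::fe@853#dns.quad9.net
    forward-addr: 2620:fe::9@853#dns.quad9.net
```

Run `unbound-checkconf` before restarting, then confirm with `dig @127.0.0.1 -p 5335 example.com` that answers come back with the AD flag set. One caveat: unbound applies qname-minimisation to the iterative queries it makes itself; with everything forwarded, the full name is sent (encrypted) to Quad9, and it is the cache that limits how many of those queries leave the LAN. A packet capture on the WAN side should show only TLS to the Quad9 addresses on port 853 and no plaintext port 53 traffic.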
From their site:
https://developers.cloudflare.com/1.1.1.1/commitment-to-privacy/
Privacy
Nearly everything on the Internet starts with a DNS request. DNS is the Internet’s directory. Click on a link, open an app, send an email and the first thing your phone or computer does is ask its directory: where can I find this?
Unfortunately, by default, DNS is usually slow and insecure. Your ISP, and anyone else listening in on the Internet, can see every site you visit and every app you use — even if their content is encrypted. Creepily, some DNS providers sell data about your Internet activity or use it to target you with ads. Cloudflare, in partnership with APNIC, runs 1.1.1.1, a recursive DNS service that values user privacy. Even though most Internet users have no insight into the Recursive DNS process or the entities involved in that work, there are legitimate concerns about how personal information collected through the Recursive DNS process is used or repurposed.
Cloudflare commits that 1.1.1.1 was designed for privacy first, and as a result:
Frankly, we don’t want to know what you do on the Internet — it’s none of our business — and we’ve taken the technical steps to ensure we can’t.
- Cloudflare will never sell your data or use it to target ads. Period.
- All debug logs, which we keep just long enough to ensure no one is using the service to cause harm, are purged within 24 hours.
- Cloudflare will not retain any personal data / personally identifiable information, including information about the client IP and client port.
- Cloudflare will retain only limited transaction data for legitimate operational and research purposes, but in no case will such transaction data be retained by Cloudflare for more than 24 hours.
- Cloudflare will only retain or use what is being asked, not who is asking it. Unless otherwise notified to users, that information may be used for the following limited purposes:
- Under the terms of a cooperative agreement, APNIC will have limited access to query the transaction data for the purpose of conducting research related to the operation of the DNS system.
CF's privacy wording is very carefully written to impart a sense of comfort until you read between the lines.
"Cloudflare will never sell your data or use it to target ads. Period." > OK, they won't sell it or use it to target ads at me, but you can sure as hell analyze the hell out of it in 24 hours.
"Cloudflare will only retain or use what is being asked, not who is asking it." > There's a gold mine in just that information.
I tend to avoid google as much as I can, I'm adding Cloudflare to that list. This is the 2nd great thing I learned today! YMMV...
He’ll probably say it isn’t true. The Quad9 guy wants you to use his service, so he’ll say Cloudflare collects information. That Cloudflare privacy policy, that @Kingp1n posted, is pretty straightforward. You either believe they are committed to it or not.
> Would be interesting to see Mr Woodcock’s take on this........
If I'm understanding you, "Woody.net" is what you're seeing for DNS server? If that's the case then that is Quad9. See the first couple of posts for the explanation.
Yeah, I wonder why he stated that when, to me, it states otherwise. Would be interesting to see Mr @Bill Woodcock's reply. I doubt anyone from Cloudflare would reply, but maybe it would help to get a little more of one side's story.
I'm using Cloudflare and Quad9 as well; Woody comes up on the test.
In settings, do I have to check "don't get DNS automatically" so that my ISP's DNS does not get used? Because that is the first IP that comes up on the test before I test for leaks. Sorry if this is not clear, some fog on the brain.
You should use Quad9 or Cloudflare but not both at the same time. You could get different replies from different resolvers. My recommendation is to use the resolver that works best for you and is closer. I use Cloudflare, as my ISP sends Quad9 requests across the country when I do DoT.
You have sold me, well done.
I appreciate that Mr. Woodcock replied here, and this is just my opinion—he should have posted about the benefits of Quad9 DNS. He didn’t need to suggest Cloudflare is doing something outside their privacy policy.
Mr Prince got an unexpected phone call from the US Department of Homeland Security asking him about the information he had gathered.
"They said 'do you have any idea how valuable the data you have is? Is there any way you would sell us that data?' I added up the cost of running it, multiplied it by ten, and said 'how about $20,000?' It felt like a lot of money. That cheque showed up so fast. I was telling the story to Michelle Zatlyn, one of my classmates, and she said, 'if they'll pay for it, other people will pay for it'."
And so the idea for Cloudflare was born, with Ms Zatlyn as its third co-founder.
(https://www.bbc.com/news/business-37348016)
Ironically for a project predicated on privacy, Cloudflare is sharing DNS query data with APNIC Labs, a part of Asian registry APNIC, in exchange for the use of its 1.1.1.1 network address.
(https://www.theregister.co.uk/2018/04/03/cloudflare_dns_privacy)
By putting Cloudflare's DNS on these research addresses, APNIC gets to see the noise as well as the DNS traffic -- or at least "a certain factored amount" of it -- for research purposes. Huston emphasised that APNIC intends to protect users' privacy. "DNS is remarkably informative about what users do, if you inspect it closely, and none of us are interested in doing that," he said.
(https://www.zdnet.com/article/1-1-1-1-cloudflares-new-dns-attracting-gigabits-per-second-of-rubbish)
Non-personally identifiable information is automatically recorded in our databases when you are measured by our systems. Your IP address, date, time, language, and technical data about your browser and operating system (via user-agent string) are considered non-personally identifiable information, and are logged by APNIC.
(https://labs.apnic.net/privacy.shtml)
It just seems to me he’s taking opportunities to sow doubts about the other DNS service. I’m sure Quad9 is great and if so, it should stand on its own merits.
You do, because you wouldn’t be suggesting that Cloudflare is operating outside of its posted privacy policy. Your own tweet, in 2018, called Cloudflare’s privacy policy “strong” and to me—the read between the lines argument of their privacy policy is used to sow doubts of their service. This rubs me the wrong way. Sorry—but that’s my opinion, as you have your opinion. We’ll have to disagree here.
> Also, I don't really care one way or other about Cloudflare as a service, what I care about is privacy practices.