
Cloud9 DNS

I just wish that where I live (South Australia), Quad9 was a tad closer/quicker. When I specify Quad9 as my chosen dns, I’m sure my resolution requests route via the dark side of the moon!

Can you post a traceroute, and say what origin AS you're in? Or send them to Quad9 support? It sounds like your ISP probably isn't peering with us in Melbourne.


There are seven Quad9 locations in Australia, albeit three of them are in and around Sydney.
 
Would be interesting to see Mr Woodcock's take on this...

I'd already cited and linked to that same page in my earlier reply. I think it's a detailed privacy policy, which provides good detail about what data they're collecting, but understandably skirts the issues of why the data is being collected and what APNIC does with it. Which is completely outside of Cloudflare's control. So they can't make or enforce policy around it while they have the 1.1.1.1 address. They could point out to Geoff that it's no longer reasonable, in this day and age, to collect personal information just because you might want to do something interesting with it in the future, and try to get him to relax the terms that require them to collect and provide it. That might be a reasonable path toward a better practice.

They also have the opportunity to craft a new and more privacy-protecting practice around the DoH service for Mozilla, since that won't be on 1.1.1.1.

Also, to be clear, the privacy policy on Quad9's web page is garbage, and doesn't reflect our actual practice, so that desperately needs to be cleaned up. It was written by a volunteer lawyer early on, and he tried to provide way more latitude than we actually needed or wanted, but deployment and support have been higher priorities than re-writing the policy document more tightly. I guess I could more usefully be doing that rather than answering questions online. :-)
 
He also said, in August 2018 via tweet, that Cloudflare has a strong privacy policy. So which Bill Woodcock should we believe? How do you go from saying that, to quoting material from 2016 and 2018 to make a point that Cloudflare isn’t adhering to their privacy policy? You either believe the Cloudflare privacy policy or you don’t.

Ok, so, to be clear, I'm super jet-lagged, and I don't claim to make a lot of sense or be entirely consistent over time.

That said, I think I'm trying to convey something more nuanced than you're reading.

I think you're trying to figure out whether I believe that Cloudflare is adhering to their stated privacy policy, or not adhering to their stated privacy policy.

What I'm saying is that I don't have any relevant knowledge that would allow me to make a determination on that, and that as someone without any special knowledge, it doesn't behoove me to have an opinion, because the opinion wouldn't be one of any particular value.

I do have a few strong opinions, that I'm willing to stand behind and operationalize:

First, that people are entitled to understand and control the use of their personal information. That's what the GDPR says, and if Europeans get that benefit enshrined in law, I think everyone else should get that benefit as well. Because it's the right thing to do.

Second, that collecting data because it's there and disk is cheap is a bad idea. Because eventually it will make its way into the hands of someone who will put it to uses you cannot anticipate, and some of those uses will be bad. I can enumerate dozens of ways that thoughtless data collection can become problematic, and each of you probably can as well, if you think about it. There's just no good reason to go down that path in the first place.

So, again, from my point of view this isn't about Cloudflare, that's just what you guys asked about. And Google, but Google is less interesting, because their situation is a lot less complex. From my point of view, the interesting thing here is how users can achieve the greatest degree of security and privacy. That's both an engineering puzzle and a policy one, and it's endlessly fascinating to me.

I think running one's own caching resolver is a necessary piece. I think QNAME minimization is a necessary piece. I think link encryption is a necessary piece. I wish we didn't have to take for granted that DNSSEC validation doesn't happen locally on the client, but for now, we pretty much do. Which is unfortunate. That puts DNSSEC validation out at the resolver. Cloudflare and Google have both now added DNSSEC validation, which is great. So now you need to make sure that you're actually talking to a validating resolver, which turns out to be more difficult than you might assume... DANE authentication of the resolver isn't quite there yet, which means you're dependent on a self-signed or a CA cert. Self-signed without DANE causes problems in the form of pesky interruptive questions for the user, which brings us down to a CA cert. Which we can't trust, because of "domain validation." So there's a serious unsolved problem. Also, we can't restrict what certs the client will accept, for most client OSes. And it turns out that we can't even restrict what DNS server the client will use, for the publicly-distributed versions of iOS and Android. iOS is a lot safer than Android, but it still doesn't compartmentalize DNS queries during captive portal traversal, which is a huge, huge security fail, which I've been bugging Apple product security about for eleven years, now. I'd hoped that MDM would let me lock down some of these things, but no, it turns out that it doesn't. Which brings us back to moving the DNSSEC validation back into the client. Anything else has way too many externalities.

So, lots of interesting problems to solve in there. That's a lot of what I spend my time on.
 
The Quad9 guy wants you to use his service.

No, actually, I want you to roll your own, because you can protect your privacy better that way, and that's the point. More users piling on to Quad9 doesn't help me in any way.

What we recommend you do is to run a local caching resolver that performs QNAME minimization and DNS-over-TLS, provision it with plenty of cache, and only leak the minimum possible information out to a recursive resolver, and make sure that you agree with the privacy policy of the recursive resolver. Lots of folks use the combination of PiHole and Stubby for that purpose.
 
My ISP sends Quad9 requests across the country when I do DoT.

If you can post a traceroute and your origin AS, or send them to support@quad9.net, we can try to get them to route to a nearer server. Likewise, if you want to use Google or Cloudflare or Umbrella, and you're not getting a path you like, that's the same information they'd need to get their peers to resolve the problem.
 
I simply have a different opinion here and disagree. I’m sure or at least hope Mr. Woodcock respects that.

Yep, no worries. I don't claim to be omniscient, or even consistent. I do try to find and stay on the right side of issues.

I'm also not trying to convince anyone to use, or not use, any particular recursive resolver. I am trying to convince people that if they care about their privacy, they should minimize the amount of data they leak to any resolver, and they should be aware of the policies and practices of anyone external who they have to trust. And outsourcing your DNSSEC validation is a big, big externality. That's a lot of trust to place in anyone. Minimize the amount you have to trust anyone else.
 
Months ago I installed Cloudflare's free iOS DNS app to get on the waiting list for the new free/paid VPN service. Now I am unsure if there is some kind of profile of me.

Well, from a marketing point of view, sure, if they're trying to sell a service, it stands to reason that their salespeople would be tracking leads. Of longer-term interest would be what excess data the app collects about you. And Cloudflare have an app, so you can sandbox it and see what it's doing.



Again, there's no need to be collecting data here. It's just become an unexamined default behavior for people who've grown up in the post 9/11 no-privacy Internet. So it sometimes takes explicit reminders to people that they can do better.
 
Thank you both Ryan (Cloudflare) and Bill (Quad9) for giving us all something to think about when it comes to our data. I as well as everyone else are glad y’all chose to discuss the differences and concerns you have regarding different DNS resolvers and the need for security as well as minimizing our data footprint.


 
Glad I was able to chime in. I completely understand the privacy concerns and being suspicious of the legalese. Hopefully most people can believe me when I say that we have no interest in selling data (anonymous or otherwise) for profiling or targeting purposes, and what data we do collect we want to purge as quickly as possible.
 

I do not have a problem at all believing what you state is something you truly believe yourself. The issues for me are the unknowns that may be defined as needed (in some future 'clarification' of the stated policies as they stand today).


Totally understand having suspicions. And I'm happy to try and help clarify. If I don't have all the info I can reach out to the Resolver team and see what else I can find out.

While the 1.1.1.1 app uses the VPN function on your phone, it is not a VPN (in the traditional sense). It secures and speeds up your DNS requests, but doesn't completely anonymize you on the web. Many network providers would like to sell your browsing habits for advertising purposes. Cloudflare doesn't do that and frankly doesn't want any part of that kind of activity.

I'm not sure I can speak to the nuts and bolts of the APNIC arrangement, but it's not about sharing any information that can be used to identify anyone. I think it's more for understanding the garbage traffic that gets directed at an IP address that people have historically used as a placeholder. I'm sure there are other aspects to evaluate, but none are about tracking activity back to a user.


I will be looking forward to any new information on the APNIC arrangement as I feel it directly impacts me and anyone else using Cloudflare.

This is the unknown. This is the third party. This is where it falls apart for me.

What is also most disconcerting is this quote from the Resolver Privacy FAQ.

Cloudflare will not retain or sell or transfer to any third party (except as described in the section below and as may be required by law).

Whose law? Local laws? External laws? Some future APNIC's newly written corporate policies?

I am not afraid of the law for myself, but I do support the GDPR and agree that the protection should be available to everyone, not just EU members.

Greatly appreciate the open discussion and I will be looking for your reply eagerly. Thank you.
 
@Bill Woodcock, @Ryan K (Cloudflare), @RMerlin, @john9527 (take care, only when you're able to reply, of course), @sfx2000, @ColinTaylor, @thelonelycoder, @Jack Yaz and all others who may be able to contribute, referring to post 64 above,

1) Is a caching resolver the same as the 'Wan: Use local caching DNS server as system resolver (default: No)' in the Tools/Other Settings page in the Advanced Tweaks and Hacks section of RMerlin powered routers?

2) What is QNAME minimization? How can this be implemented, if possible, on our routers today?

3) Link encryption. I think this is DoT? Am I close?

4) How important is it to 'compartmentalize DNS queries' and, do our routers do that for our devices now?

5) I think all of the above points to the goal of post 67 which states exactly as I hope I'm operating my network: "Minimize the amount you have to trust anyone else."


These may be basic steps and concepts to some here. But I want to start on the bottom and thoroughly understand each step I am taking forward towards real online security.
 
Dnsmasq is a local caching resolver, yes. So all your LAN clients will use it provided your LAN clients use the router as their DNS. However, it does not do RECURSIVE resolution, which is the more important point there if privacy is what you're after. What he was referring to was running a recursive resolver, where you directly contact all the authoritative servers at all levels (TLD, second level, third level, etc...) rather than just send the query at a defined server, and let it do the recursion for you.

Also, the setting you mentioned in my firmware doesn't have much to do with this, all it does is determine how the router itself will do its own resolutions: either through the local caching resolver, or directly with the WAN-defined servers.

This also applies to any other router that supports the use of the router's IP as DNS - it generally means the router is running dnsmasq.
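To make the two ideas from this thread concrete (what a recursive walk down the delegation chain looks like, and how much of the query QNAME minimisation hides from each authoritative server), here is a toy resolver added for this thread; it is not code from dnsmasq, unbound or any other project named here, and its zone data and addresses are constructed for illustration.

```python
"""Toy recursive resolution with and without QNAME minimisation (RFC 7816).

Added example for this thread, not code from dnsmasq, unbound or any other
project named here. The delegation tree is constructed for illustration and
the addresses are documentation addresses, not real hosts."""
from typing import Any, Dict, List, Optional, Tuple

# Each zone knows the child zones it delegates and the names it answers itself.
ZONES: Dict[str, Dict[str, Any]] = {
    ".":            {"delegates": {"com."}, "records": {}},
    "com.":         {"delegates": {"example.com."}, "records": {}},
    "example.com.": {"delegates": set(),
                     "records": {"www.example.com.": "192.0.2.10",
                                 "a.b.example.com.": "192.0.2.20"}},
}

def labels(name: str) -> List[str]:
    return [l for l in name.split(".") if l]

def suffix(name: str, n: int) -> str:
    """Last n labels of name as an FQDN ('.' when n == 0)."""
    ls = labels(name)
    return ".".join(ls[len(ls) - n:]) + "." if n else "."

def is_suffix(zone: str, name: str) -> bool:
    return name == zone or name.endswith("." + zone)

def resolve(qname: str, minimise: bool) -> Tuple[Optional[str], List[Tuple[str, str]]]:
    """Walk from the root down the delegation chain.

    Returns (answer, trail); trail lists (zone_asked, name_sent), i.e. exactly
    how much of the query each authoritative server got to see."""
    full = len(labels(qname))
    zone, trail = ".", []
    k = 1 if minimise else full           # labels revealed in the next query
    while True:
        z = ZONES[zone]
        sent = suffix(qname, k)
        trail.append((zone, sent))
        if sent in z["records"]:          # this zone answers the name itself
            return z["records"][sent], trail
        child = next((d for d in z["delegates"] if is_suffix(d, sent)), None)
        if child:                         # referral: step down one zone cut
            zone = child
            k = len(labels(child)) + 1 if minimise else full
        elif k < full:                    # no cut here: add a label, ask again
            k += 1
        else:
            return None, trail            # NXDOMAIN

if __name__ == "__main__":
    for minimise in (False, True):
        _, trail = resolve("a.b.example.com.", minimise)
        print("minimised" if minimise else "full name", [s for _, s in trail])
```

Without minimisation the root and .com servers both see the full name; with it they only see "com." and "example.com.", at the cost of one extra round trip when a zone hosts deeper names without a delegation.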
 

I've tried searching for the last few minutes, but I guess there is no way to make our routers do those recursive resolutions for us on an RMerlin powered Asus router?
 

I don't think there's really much more I can add. I'm not really qualified to get into a deep discussion over the specific wording that legal came up with. I would just encourage you to take Matthew's words to heart about what we, as a company, want to do. Which is that we don't think it's our place to be the content or behavior police. He's described it as creepy and invasive. We've also repeatedly stated publicly that we aren't in the business of selling customer data and will use external auditors to make sure that we are sticking to our promises of purging data in a timely manner.

I completely understand if that's not good enough for some people, and totally respect whatever choice you make. I'll also be taking the feedback back to the Resolver team and Legal so that they know that the wording has some folks uncomfortable.
 

Not with dnsmasq, it doesn't support recursive resolution. You'd have to set up a different server with bind or unbound, and point the router at that server.
 
Hello.

I started experimenting with some DNS providers after reading this post, input Norton DNS (199.85.126.10), and Quad9, did a few checks on www.dnsleaktest.com and both test results show the DNS is resolved by Level 3 Communications and NTT Singapore Pte (see attached).

I am lost, confused, beaten, etc. for a simple, plausible explanation for this anomaly, especially why Level3 has made its way into the equation. I'm located in Thailand, use an AC86U, and configured manual DNS.

Can anybody weigh in on this and what may account for this DNS behaviour?

Thanks in advance,
buk
 
Without seeing the router's settings, this is difficult. Why? Because there's interplay across 4-5 different setup pages and changes between 2 firmware versions of defaults. See this thread where we hashed this out earlier for what I think everyone agreed worked properly for most cases. Or maybe I do not understand your question.

https://www.snbforums.com/threads/dns-security.56784/page-2#post-494165

When I run DNSLeakTest using the above, I see exactly what I expect. However, the last recommendation I have is we should pick a single DNS provider and stick with that one so I'd removed all but QUAD9 earlier. I added the others back in to recreate this screen cap for you.

 