Cloudflare 1.1.1.1 for Families

dave14305 · Apr 1, 2020

https://blog.cloudflare.com/introducing-1-1-1-1-for-families/

A new filtered Cloudflare DNS service. Any OpenDNS users interested?

Setup guide: https://developers.cloudflare.com/1.1.1.1/1.1.1.1-for-families/setup-instructions/router/

Note: Does not yet support DoT, only normal port 53/udp and DoH at this time. (EDIT: I tested it with Stubby anyway and it works, but filtering doesn't seem to work)
https://community.cloudflare.com/t/community-tip-best-practices-for-1-1-1-1-for-families/160496

L&LD · Apr 1, 2020

Not unless we can use it with Unbound?

dave14305 · Apr 1, 2020

Interesting that it returns REFUSED instead of NXDOMAIN for blocked names.

RMerlin · Apr 1, 2020

dave14305 said:
Interesting that it returns REFUSED instead of NXDOMAIN for blocked names.

REFUSED is expected to be returned if a query is denied due to policy, for example. This is usually expected in cases where you are rejecting the client itself however, not the query. I fear that a REFUSED response might lead the resolver to try again with another nameserver, if that's truly what they did.

dave14305 · Apr 1, 2020

RMerlin said:
REFUSED is expected to be returned if a query is denied due to policy, for example. This is usually expected in cases where you are rejecting the client itself however, not the query. I fear that a REFUSED response might lead the resolver to try again with another nameserver, if that's truly what they did.

Maybe so. 2 queries for 54199.

Code:

Apr  1 15:52:17 dnsmasq[4375]: 486 192.168.1.245/54199 query[A] phishing.testcategory.com from 192.168.1.245
Apr  1 15:52:17 dnsmasq[4375]: 486 192.168.1.245/54199 forwarded phishing.testcategory.com to 1.1.1.2
Apr  1 15:52:17 dnsmasq[4375]: 486 192.168.1.245/54199 forwarded phishing.testcategory.com to 1.0.0.2
Apr  1 15:52:17 dnsmasq[4375]: 486 192.168.1.245/54199 validation result is INSECURE
Apr  1 15:52:17 dnsmasq[4375]: 486 192.168.1.245/54199 reply error is REFUSED
Apr  1 15:52:17 dnsmasq[4375]: 487 192.168.1.245/54199 query[A] phishing.testcategory.com from 192.168.1.245
Apr  1 15:52:17 dnsmasq[4375]: 487 192.168.1.245/54199 forwarded phishing.testcategory.com to 1.1.1.2
Apr  1 15:52:17 dnsmasq[4375]: 487 192.168.1.245/54199 forwarded phishing.testcategory.com to 1.0.0.2
Apr  1 15:52:17 dnsmasq[4375]: 487 192.168.1.245/54199 validation result is INSECURE
Apr  1 15:52:17 dnsmasq[4375]: 487 192.168.1.245/54199 reply error is REFUSED

RMerlin · Apr 1, 2020

dave14305 said:

Maybe so. 2 queries for 54199.

Code:

Apr  1 15:52:17 dnsmasq[4375]: 486 192.168.1.245/54199 query[A] phishing.testcategory.com from 192.168.1.245
Apr  1 15:52:17 dnsmasq[4375]: 486 192.168.1.245/54199 forwarded phishing.testcategory.com to 1.1.1.2
Apr  1 15:52:17 dnsmasq[4375]: 486 192.168.1.245/54199 forwarded phishing.testcategory.com to 1.0.0.2
Apr  1 15:52:17 dnsmasq[4375]: 486 192.168.1.245/54199 validation result is INSECURE
Apr  1 15:52:17 dnsmasq[4375]: 486 192.168.1.245/54199 reply error is REFUSED
Apr  1 15:52:17 dnsmasq[4375]: 487 192.168.1.245/54199 query[A] phishing.testcategory.com from 192.168.1.245
Apr  1 15:52:17 dnsmasq[4375]: 487 192.168.1.245/54199 forwarded phishing.testcategory.com to 1.1.1.2
Apr  1 15:52:17 dnsmasq[4375]: 487 192.168.1.245/54199 forwarded phishing.testcategory.com to 1.0.0.2
Apr  1 15:52:17 dnsmasq[4375]: 487 192.168.1.245/54199 validation result is INSECURE
Apr  1 15:52:17 dnsmasq[4375]: 487 192.168.1.245/54199 reply error is REFUSED

That might just indicate that the response wasn't cached (I don't think REFUSED gets cached, as opposed to a NXDOMAIN which is considered a valid response, and does get typically a 15 mins TTL).

heysoundude · Apr 1, 2020

Maybe an April Fool, maybe for realsies:
https://blog.cloudflare.com/introducing-1-1-1-1-for-families/

Sent from my iPhone using Tapatalk

Val D. · Apr 1, 2020

L&LD said:
Not unless we can use it with Unbound?

I don't understand this question. Unbound is a resolver.
In case it is used as forwarder, any external DNS resolver should work the way it works with any other forwarder.

roscoe211 · Apr 1, 2020

Cool. Thanks. I just switched over to 1.1.1.2 for my DoT server.

RMerlin · Apr 2, 2020

heysoundude said:
Maybe an April Fool, maybe for realsies:
https://blog.cloudflare.com/introducing-1-1-1-1-for-families/

Every year, Cloudflare got into the habit of announcing new, real services on April 1st.

And with the current world situation, any April 1st prank would be considered to be of poor taste.

heysoundude · Apr 2, 2020

I’m suspicious of pretty much EVERYTHING I read in the past decade or so, because of the internet.

Sent from my iPhone using Tapatalk

john9527 · Apr 2, 2020

roscoe211 said:
Cool. Thanks. I just switched over to 1.1.1.2 for my DoT server.

According to the Q's following the blog entry, DoT isn't ready yet.

Code:

Will you be providing DNS over TLS for these services like you do with 1.1.1.1 e.g. 1dot1dot1dot2.cloudflare-dn... and 1dot1dot1dot3.cloudflare-dn...
Reply
Mohd Irtefa  danhorst • 7 hours ago
Yes. Our team is working on it and we will share the update with our community when DoT for 1.1.1.2 and 1.1.1.3 are available.

bbunge · Apr 2, 2020

Well, DoT to 1.1.1.2, 1.0.0.2 works. Good switch after Quad9 crapped out overnight.

^Tripper^ · Apr 2, 2020

Glad to finally see this option with CF.

dave14305 · Apr 2, 2020

bbunge said:
Well, DoT to 1.1.1.2, 1.0.0.2 works. Good switch after Quad9 crapped out overnight.

I found yesterday that DoT worked, but the filtering wasn’t active (using their test phishing.testcategory.com wasn’t blocked).

thiggins · Apr 2, 2020

It's not an AF joke. Note the follow on posts in the CF blog.

bbunge · Apr 2, 2020

dave14305 said:
I found yesterday that DoT worked, but the filtering wasn’t active (using their test phishing.testcategory.com wasn’t blocked).

Yup, 1.1.1.2/1.0.0.2 does block the malware with DoT turned off. Will run without DoT for a while I guess.

Zastoff · Apr 2, 2020

Did a test with DoH (Skynet & Diversion disabled during test)
Apr 2 17:14:14 dnscrypt-proxy[25044]: [cloudflare-security] OK (DoH) - rtt: 14ms
Successfully blocks: http://phishing.testcategory.com/

RMerlin · Apr 2, 2020

With so many DNS-based blocking services now available, the question has to be asked:

how do they compare in terms of:

- Number of sites blocked
- How long it takes them to add more sites to their blocklists
- Accuracy of their blocklists

At some point, these services will need to be reviewed the same way antivirus products are being reviewed, by testing a bunch of zero-days malicious (or adult) sites, looking for false positives or missed cases.

Any quarantined security specialist want to get on it?

peepsnet · Apr 2, 2020

@RMerlin Can we get this added to the Code for the Dropdowns.

I took a look but I am not versed enough with the code to do a PR
I did a search for the code and found a few places but I am not sure of it
https://github.com/RMerl/asuswrt-me...Browsing+Adult&unscoped_q=CleanBrowsing+Adult

I think it is just
https://github.com/RMerl/asuswrt-me...e28eda004f8/release/src/router/rc/dnsfilter.c
and
https://github.com/RMerl/asuswrt-me...59f02498/release/src/router/www/DNSFilter.asp

but the other pages I am not sure of

Cloudflare 1.1.1.1 for Families

Part of the Furniture

Part of the Furniture

Part of the Furniture

Asuswrt-Merlin dev

Part of the Furniture

Asuswrt-Merlin dev

Part of the Furniture

Very Senior Member

Occasional Visitor

Asuswrt-Merlin dev

Part of the Furniture

Part of the Furniture

Part of the Furniture

Senior Member

Part of the Furniture

Mr. Easy

Part of the Furniture

Very Senior Member

Asuswrt-Merlin dev

Regular Contributor

Similar threads

Support SNBForums w/ Amazon

Sign Up For SNBForums Daily Digest