Standard User Kim27
(newbie) Sat 09-Mar-24 07:25:16

Is 1.1.1.1 service secure?

As announced here, is the 1.1.1.1 service secure or not? Is it really worth it?
Standard User nofappingway
(member) Mon 11-Mar-24 14:13:35

Re: Is 1.1.1.1 service secure?
[re: Kim27]

Announced? This is not a new service. It's been around for years.

When you say secure, what are you getting at here? Private? Name resolution by default is not encrypted. Your ISP probably offers their own DNS services to you. Your ISP can see all your name lookups which means they'll know what services you're connecting to.

1.1.1.1 offers that too but also offers an encrypted version, DNS over HTTPS and DNS over TLS. When using DoH or DoT, your ISP can't see your name lookup queries any more, but Cloudflare still can. Do you trust Cloudflare more than your ISP? That's a personal choice.

1.1.1.1 is probably faster than many other DNS services and they'll offer filtering to prevent access to undesirable Domains (Adult, Gambling, Malware etc) too.

Is it worth it? That's for you to decide. Nothing is truly private when talking about public Internet services. If you want your DNS to be more 'secure', I'd be looking at running a local DNS service in recursive mode like Unbound. It's not secure, but it's more secure.

Edited by nofappingway (Mon 11-Mar-24 14:15:38)

Standard User XGS_Is_On
(committed) Mon 11-Mar-24 15:34:29

Re: Is 1.1.1.1 service secure?
[re: Kim27]

I wouldn't pay too much attention to that article. Carry on doing what you're doing.

Standard User candlerb
(knowledge is power) Mon 11-Mar-24 16:22:59

Re: Is 1.1.1.1 service secure?
[re: nofappingway]

In reply to a post by nofappingway:
If you want your DNS to be more 'secure', I'd be looking at running a local DNS service in recursive mode like Unbound. It's not secure, but it's more secure.

Arguably no more secure, since all the queries from Unbound to the outside world are still in cleartext and could be sniffed by your ISP if they were so inclined.

You can either trust your ISP, or you can trust a third-party provider like Cloudflare, Google, Quad9 etc. (Quad9 is at least based in Switzerland and subject to Swiss privacy law)
Standard User nofappingway
(member) Mon 11-Mar-24 16:31:17

Re: Is 1.1.1.1 service secure?
[re: candlerb]

ISPs mining lookups on their own name servers is trivial. Easy to capture and resell that information.

Sniffing the network constantly for port 53 traffic is a far more considered affair and I would argue you'd have to be specifically targeted for that to happen.
Standard User PenguinJ
(newbie) Mon 11-Mar-24 16:42:58

Re: Is 1.1.1.1 service secure?
[re: Kim27]

I would enable encrypted DNS (DNS over HTTPS) to be secure; Cloudflare's 1.1.1.1 currently supports this.

Standard User Noolah
(newbie) Tue 12-Mar-24 09:49:37

Re: Is 1.1.1.1 service secure?
[re: Kim27]

Do you have a specific objective you're looking to achieve?

It depends on what you mean by secure and worth it. DNS isn't really a security service. But as others have mentioned, there are things you can do to make using DNS more secure. Those being DoH (DNS over HTTPS) or DoT (DNS over TLS) and DNSSEC (adds authentication to DNS queries). These cut down on the possibility of your DNS queries being intercepted and altered. I can understand why it's confusing as Cloudflare's marketing is a bit misleading, describing their service as safer. Yet out of the box their service does nothing to increase your safety. If you want that, by means of Malware blocking, then you need to use their 1.1.1.2 and 1.0.0.2 IPs. Which you have to go digging to find. You'd still need up-to-date anti-virus software as, with most things IT, a multi-layered approach is best.

If security and privacy are being conflated, then again as others have stated, it's rather trivial for your ISP to spy on your traffic to see what you're accessing. If privacy from your ISP is a concern, then you should be looking at a VPN service. I'd recommend something WireGuard based. But even then you're essentially just swapping one ISP for another.

Personally I use quad9.net's offering via DoT with DNSSEC for that extra peace of mind. It does Malware blocking as standard. Plus, even if it's slower to resolve than Cloudflare DNS, the 1, 2 or even a few hundredths of a second make no difference in real world applications.

Edited by Noolah (Tue 12-Mar-24 09:52:08)

Standard User bwoodcock
(newbie) Wed 13-Mar-24 12:44:00

Re: Is 1.1.1.1 service secure?
[re: candlerb]

...and because Quad9 is based in Switzerland, and subject to Swiss privacy law, anyone anywhere in the world who finds that we've violated our privacy policy (and Swiss law) can report it, and I go to jail. Which was why we chose Switzerland.

https://www.quad9.net/privacy/compliance-and-applica...

Also, if anyone has any questions about how Quad9 operates, I'm always happy to answer.

-Bill Woodcock
Chair of the Quad9 Foundation Council
Standard User nofappingway
(member) Wed 13-Mar-24 17:13:18

Re: Is 1.1.1.1 service secure?
[re: bwoodcock]

Are you audited by a suitable 3rd party to ensure your infrastructure configuration matches your published policies?