How Verizon and a BGP Optimizer Knocked Large Parts of the Internet Offline Today →

June 25, 2019 · 12:02

Tom Strickx on Cloudflare’s blog:

Today at 10:30 UTC, the Internet had a small heart attack. A small company in Northern Pennsylvania became a preferred path of many Internet routes through Verizon (AS701), a major Internet transit provider. This was the equivalent of Waze routing an entire freeway down a neighborhood street — resulting in many websites on Cloudflare, and many other providers, being unavailable from large parts of the Internet. This should never have happened because Verizon should never have forwarded those routes to the rest of the Internet. To understand why, read on.

There have been smaller and larger outages over the past few years, with AWS failures triggering the biggest problems for users. These lasted for mere hours at worst, and I’m sure darker scenarios are still to come. What will the fallout of a serious (week- or month-long) internet outage entail?


Cloudflare Introduces Warp — A VPN for Their 1.1.1.1 DNS Service →

April 3, 2019 · 14:33

Matthew Prince:

We built Warp because we’ve had those conversations with our loved ones too and they’ve not gone well. So we knew that we had to start with turning the weaknesses of other VPN solutions into strengths. Under the covers, Warp acts as a VPN. But now in the 1.1.1.1 App, if users decide to enable Warp, instead of just DNS queries being secured and optimized, all Internet traffic is secured and optimized. In other words, Warp is the VPN for people who don’t know what V.P.N. stands for.

There will be both a free tier and a paid subscription for Warp. I’m in the queue, waiting to get in, and really hoping Cloudflare lives up to their promises of privacy. I have been using their 1.1.1.1 DNS service for the past year; it’s been rock solid, and I haven’t read about any scandals on the subject, so I’m keeping my fingers crossed on this one.


1.1.1.1 — The Fastest, Privacy-First Consumer DNS Service →

April 2, 2018 · 11:44

Matthew Prince, writing on Cloudflare’s blog:

Cloudflare’s mission is to help build a better Internet. We’re excited today to take another step toward that mission with the launch of 1.1.1.1 — the Internet’s fastest, privacy-first consumer DNS service.

This is amazing news! An ISP’s DNS service allows them to collect a huge amount of data about your internet habits. This is where Cloudflare comes in: they don’t analyse user data, and they wipe logs after 24 hours — the logs are only kept for that long to prevent abuse and to debug any issues they might be having.

The problem is that these DNS services are often slow and not privacy respecting. What many Internet users don’t realize is that even if you’re visiting a website that is encrypted — has the little green lock in your browser — that doesn’t keep your DNS resolver from knowing the identity of all the sites you visit. That means, by default, your ISP, every wifi network you’ve connected to, and your mobile network provider have a list of every site you’ve visited while using them.

DNS can also be used as a censorship tool…

In March 2014, for instance, the government of Turkey blocked Twitter after recordings showing a government corruption scandal leaked online. The Internet was censored by the country’s ISP’s DNS resolvers blocking DNS requests for twitter.com. People literally spray painted 8.8.8.8, the IP of Google’s DNS resolver service, on walls to help fellow Turks get back online. Google’s DNS resolver is great, but diversity is good and we thought we could do even better.

When I first saw this on Twitter last night, I was certain it was an April Fool’s joke. No sane person would launch something like this on that day, right?

[…] This is the first consumer product Cloudflare has ever launched, so we wanted to reach a wider audience. At the same time, we’re geeks at heart. 1.1.1.1 has 4 1s. So it seemed clear that 4/1 (April 1st) was the date we needed to launch it.

Never mind that it was a Sunday. Never mind that it was on Easter and during Passover. Never mind that it was April Fools Day — a day where tech companies often trot out fictional services they think are cute while the media and the rest of the non-tech world collectively roll their eyes.

We justified it to ourselves that Gmail, another great, non-fictional consumer service, also launched on April 1, 2004. Of course, as Cloudflare’s PR team has repeatedly pointed out to me in the run up to launch, the Gmail launch day was a Thursday and not on Easter. In nearly every media briefing I did this week ahead of the launch, the reporter made me swear that this wasn’t a joke. And it’s not. I swear. And the best way to prove that is go to 1.1.1.1, follow the instructions to set it up, and see for yourself. It’s real. And it’s awesome.

In the meantime, since plain DNS isn’t encrypted and can still be monitored, Cloudflare has spoken with a few of the people behind the biggest browser and operating system manufacturers and asked their opinion on the matter.

What’s needed is a move to a new, modern protocol. There are a couple of different approaches. One is DNS-over-TLS. That takes the existing DNS protocol and adds transport layer encryption. Another is DNS-over-HTTPS. It includes security but also all the modern enhancements like supporting other transport layers (e.g., QUIC) and new technologies like HTTP/2 Server Push. Both DNS-over-TLS and DNS-over-HTTPS are open standards. And, at launch, we’ve ensured 1.1.1.1 supports both.

We think DNS-over-HTTPS is particularly promising — fast, easier to parse, and encrypted. To date, Google was the only scale provider supporting DNS-over-HTTPS. For obvious reasons, however, non-Chrome browsers and non-Android operating systems have been reluctant to build a service that sends data to a competitor. We’re hoping that with an independent DNS-over-HTTPS service now available, we’ll see more experiments from browsers, operating systems, routers, and apps to support the protocol.
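The two quoted points above fit together: a plaintext DNS query carries the hostname in the clear for any on-path observer, while DNS-over-HTTPS wraps the very same wire-format message inside an HTTPS request. The following Python is an added example, not code from Cloudflare’s post or the 1.1.1.1 service. It builds a standard DNS query, shows what a passive observer of plaintext DNS can read from it, encodes it in the RFC 8484 GET form (the `?dns=` base64url parameter), and parses a locally constructed response. The DoH endpoint URL is Cloudflare’s documented one but is not taken from the page; the response bytes and the 203.0.113.10 answer are constructed so the script runs offline.

```python
"""Added example: plaintext DNS visibility vs. DNS-over-HTTPS (RFC 8484) carriage.
Everything here is constructed locally; no network traffic is sent."""
import base64
import struct

QTYPE_A = 1
CLASS_IN = 1
# Cloudflare's documented DoH endpoint (assumption: not taken from the page).
DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"


def encode_name(name: str) -> bytes:
    """Encode 'www.example.com' as DNS labels: \\x03www\\x07example\\x03com\\x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: int = 0, qtype: int = QTYPE_A) -> bytes:
    """Wire-format DNS query: 12-byte header plus one question, RD bit set.
    txid 0 is what RFC 8484 recommends for GET so identical queries cache well."""
    flags = 0x0100  # standard query, recursion desired
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    return header + question


def decode_name(msg: bytes, offset: int) -> tuple:
    """Read a (possibly compression-pointer) name at offset; return (name, next_offset)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def question_name(msg: bytes) -> str:
    """What an on-path observer of plaintext UDP/TCP DNS learns: the queried hostname."""
    name, _ = decode_name(msg, 12)
    return name


def doh_get_url(query: bytes, endpoint: str = DOH_ENDPOINT) -> str:
    """RFC 8484 GET form: the raw query, base64url-encoded without '=' padding."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={encoded}"


def doh_query_from_url(url: str) -> bytes:
    """Server-side inverse: recover the wire-format query from the 'dns' parameter."""
    param = url.split("?dns=", 1)[1]
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def parse_a_answers(resp: bytes) -> list:
    """Extract IPv4 addresses from the answer section of a DNS response."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = decode_name(resp, offset)
        offset += 4
    addrs = []
    for _ in range(an):
        _, offset = decode_name(resp, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[offset:offset + 10])
        offset += 10
        rdata = resp[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


# Constructed response: flags 0x8180 (response, RD, RA), one question, one A record
# whose owner name is a compression pointer (0xC00C) back to the question name.
CONSTRUCTED_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + encode_name("www.example.com") + struct.pack("!HH", QTYPE_A, CLASS_IN)
    + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, CLASS_IN, 300, 4) + bytes([203, 0, 113, 10])
)

if __name__ == "__main__":
    q = build_query("www.example.com")
    print("plaintext DNS reveals:", question_name(q))
    print("same query over DoH  :", doh_get_url(q))
    print("constructed answer   :", parse_a_answers(CONSTRUCTED_RESPONSE))
```

The `question_name` call is the whole privacy argument in one line: the bytes of a classic UDP query hand the hostname to every resolver, Wi‑Fi network and ISP on the path, TLS on the website or not. The DoH URL carries exactly the same bytes, but inside an HTTPS request to the resolver, so the path only sees a connection to the DoH endpoint.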


If you want to start using 1.1.1.1 (and 1.0.0.1) as your main (and alternative) DNS, just open 1.1.1.1 in your browser and follow the instructions. You will also find more precise setup instructions, for Android, various gaming consoles, Linux, routers, Windows, Macs and iOS devices on their developer site.

Finally, these are the addresses you will need to use and/or remember (IPv4 and IPv6):

  • 1.1.1.1
  • 1.0.0.1
  • 2606:4700:4700::1111
  • 2606:4700:4700::1001

I just checked 1.1.1.1’s performance and it appears to be the fastest DNS out there, averaging 14.01 ms worldwide and 11.34 ms in Europe over the last 30 days. Google’s 8.8.8.8 and 8.8.4.4 are significantly slower, clocking in at 34.51 ms and 24.43 ms respectively.

I’m in.