Matthew Prince, writing on Cloudflare’s blog:
Cloudflare’s mission is to help build a better Internet. We’re excited today to take another step toward that mission with the launch of 1.1.1.1 — the Internet’s fastest, privacy-first consumer DNS service.
This is amazing news! An ISP’s DNS service lets it collect a huge amount of data about your internet habits. Cloudflare’s service differs: it does not analyse user data and wipes its logs after 24 hours; the logs are kept only that long to prevent abuse and to debug any issues they might be having.
The problem is that these DNS services are often slow and not privacy respecting. What many Internet users don’t realize is that even if you’re visiting a website that is encrypted — has the little green lock in your browser — that doesn’t keep your DNS resolver from knowing the identity of all the sites you visit. That means, by default, your ISP, every wifi network you’ve connected to, and your mobile network provider have a list of every site you’ve visited while using them.
DNS can also be used as a censorship tool…
In March 2014, for instance, the government of Turkey blocked Twitter after recordings showing a government corruption scandal leaked online. The Internet was censored by the country’s ISP’s DNS resolvers blocking DNS requests for twitter.com. People literally spray painted 8.8.8.8, the IP of Google’s DNS resolver service, on walls to help fellow Turks get back online. Google’s DNS resolver is great, but diversity is good and we thought we could do even better.
When I first saw this on Twitter last night, I was certain it was an April Fool’s joke. No sane person would launch something like this on that day, right?
[…] This is the first consumer product Cloudflare has ever launched, so we wanted to reach a wider audience. At the same time, we’re geeks at heart. 1.1.1.1 has 4 1s. So it seemed clear that 4/1 (April 1st) was the date we needed to launch it.
Never mind that it was a Sunday. Never mind that it was on Easter and during Passover. Never mind that it was April Fools Day — a day where tech companies often trot out fictional services they think are cute while the media and the rest of the non-tech world collectively roll their eyes.
We justified it to ourselves that Gmail, another great, non-fictional consumer service, also launched on April 1, 2004. Of course, as Cloudflare’s PR team has repeatedly pointed out to me in the run up to launch, the Gmail launch day was a Thursday and not on Easter. Nearly every media briefing I did this week ahead of the launch the reporter made me swear that this wasn’t a joke. And it’s not. I swear. And the best way to prove that is go to 1.1.1.1, follow the instructions to set it up, and see for yourself. It’s real. And it’s awesome.
In the meantime, since plain DNS isn’t encrypted and can still be monitored in transit, Cloudflare has spoken with a few of the people behind the biggest browser and operating system makers and asked their opinion on the matter.
What’s needed is a move to a new, modern protocol. There are a couple of different approaches. One is DNS-over-TLS. That takes the existing DNS protocol and adds transport layer encryption. Another is DNS-over-HTTPS. It includes security but also all the modern enhancements like supporting other transport layers (e.g., QUIC) and new technologies like server HTTP/2 Server Push. Both DNS-over-TLS and DNS-over-HTTPS are open standards. And, at launch, we’ve ensured 1.1.1.1 supports both.
We think DNS-over-HTTPS is particularly promising — fast, easier to parse, and encrypted. To date, Google was the only scale provider supporting DNS-over-HTTPS. For obvious reasons, however, non-Chrome browsers and non-Android operating systems have been reluctant to build a service that sends data to a competitor. We’re hoping that with an independent DNS-over-HTTPS service now available, we’ll see more experiments from browsers, operating systems, routers, and apps to support the protocol.
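To make the DNS-over-HTTPS description above concrete, here is an added example (not code from the original post or from Cloudflare) that builds a DNS query in wire format, wraps it the way RFC 8484 specifies (a POST with `application/dns-message`, or a GET with the query base64url-encoded in a `dns=` parameter), and parses the answer. The endpoint URL is an assumption for illustration; check Cloudflare’s developer documentation for the current one. The sample response is constructed inline so the parser can be exercised offline; the live lookup is optional.

```python
import base64
import ipaddress
import struct
import sys
import urllib.request

# Assumption: DoH endpoint used for illustration only; confirm against Cloudflare's docs.
DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"


def build_dns_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Build a minimal DNS query (RD=1). RFC 8484 recommends txid 0 over DoH so
    identical queries produce identical HTTP messages and cache well."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_url(name: str, endpoint: str = DOH_ENDPOINT) -> str:
    """GET form: base64url without padding, per RFC 8484 section 6."""
    encoded = base64.urlsafe_b64encode(build_dns_query(name)).rstrip(b"=")
    return f"{endpoint}?dns={encoded.decode('ascii')}"


def _read_name(data: bytes, offset: int):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_dns_response(data: bytes):
    """Return (rcode, [(name, ttl, address), ...]) for A and AAAA answers."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    rcode, offset, answers = flags & 0x000F, 12, []
    for _ in range(qdcount):
        _, offset = _read_name(data, offset)
        offset += 4  # QTYPE + QCLASS
    for _ in range(ancount):
        name, offset = _read_name(data, offset)
        rtype, _rclass, ttl, rdlength = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rdlength == 4:
            answers.append((name, ttl, str(ipaddress.IPv4Address(rdata))))
        elif rtype == 28 and rdlength == 16:
            answers.append((name, ttl, str(ipaddress.IPv6Address(rdata))))
    return rcode, answers


def build_sample_response(query: bytes) -> bytes:
    """Constructed test data: echo the question, set QR/RD/RA, and answer with
    one A record for 192.0.2.1 (TEST-NET-1, a documentation address)."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + query[12:] + answer


def doh_lookup(name: str, endpoint: str = DOH_ENDPOINT, timeout: float = 5.0):
    """Live lookup: POST the wire-format query over HTTPS (RFC 8484 section 4.1)."""
    req = urllib.request.Request(
        endpoint, data=build_dns_query(name), method="POST",
        headers={"Content-Type": "application/dns-message",
                 "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_dns_response(resp.read())


if __name__ == "__main__":
    q = build_dns_query("example.com")
    print("GET form:", doh_get_url("example.com"))
    print("offline parse:", parse_dns_response(build_sample_response(q)))
    if "--live" in sys.argv:
        print("live:", doh_lookup("example.com"))
```

Run it with no arguments for the offline demonstration; pass `--live` to send a real query to the assumed endpoint. The point worth noticing is that the bytes on the wire are ordinary DNS, so an existing resolver stack only has to swap the transport; the HTTPS layer is what keeps the queried hostnames from an on-path observer.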
If you want to start using 1.1.1.1 (and 1.0.0.1) as your main (and alternative) DNS, just open 1.1.1.1 in your browser and follow the instructions. You will also find more precise setup instructions, for Android, various gaming consoles, Linux, routers, Windows, Macs and iOS devices on their developer site.
Finally, these are addresses you will need to use and/or remember (IPv4 and IPv6):
1.1.1.1
1.0.0.1
2606:4700:4700::1111
2606:4700:4700::1001
I just checked 1.1.1.1’s performance and it appears to be the fastest DNS out there, averaging 14.01 ms worldwide and 11.34 ms in Europe over the last 30 days. Google’s 8.8.8.8 and 8.8.4.4 are significantly slower, clocking in at 34.51 ms and 24.43 ms respectively.
I’m in.