
1895 points _l4jh | 3 comments
antoncohen No.16728105
When I've seen DNS-over-HTTPS in the past I've always thought it odd that it's set up with a DNS name for the HTTPS address, requiring a plain DNS lookup before it starts using HTTPS. I assumed this was done because they didn't have a valid TLS cert for the IP address. But 1.1.1.1 actually has a valid TLS cert, yet their setup instructions say to use the DNS name cloudflare-dns.com instead of the IP.

https://developers.cloudflare.com/1.1.1.1/dns-over-https/

Is there a technical reason the DNS-over-HTTPS resolvers need their upstream resolvers to be looked up by name and not IP?

replies(1): >>16728241
1. Someone1234 No.16728241
I suppose I see your point, but since DNS-over-HTTPS only supports HTTPS (not HTTP) and therefore requires a valid certificate for the requested resolver, there's no risk of the protocol being downgraded to HTTP or easily spoofed.

So what do you see as the threat profile?

replies(1): >>16728340
2. antoncohen No.16728340
That is a good point, though I wasn't thinking about it from a security perspective. I was more imagining an ISP or nation that is trying to control content by blocking/faking DNS queries. They could block the first DNS query if DNS-over-HTTPS doesn't use an IP for the resolver.

Of course an ISP or nation could block/reroute the IP 1.1.1.1 too, so maybe it doesn't matter. Neither way would allow MITM; I was just thinking about ways oppressive ISPs/nations could stop DNS-over-HTTPS from working.

replies(1): >>16728525
3. zackbloom No.16728525
You can also query 1.1.1.1 using the DNS-over-HTTPS URL schema if you like; you don't have to use cloudflare-dns.com.