
1895 points _l4jh | 7 comments
1. jason_slack No.16730166
From someone who takes DNS for granted every day: can someone shed some light on why the current state of DNS has been called archaic and needs to be replaced with something better?
replies(2): >>16730197 >>16730206
2. patrickmcmanus No.16730197
One reason: https://www.ietf.org/proceedings/99/slides/slides-99-maprg-f...
3. jlgaddis No.16730206
It basically comes down to being insecure.

It's all plain-text over UDP. This is easily exploited for various purposes: spoofing (DDoS attacks), surveillance (such as by ISPs), hijacking/tampering, censorship, privacy concerns, and so on.

As everything else relies on DNS, the DNS must also be secure.

replies(1): >>16730272
4. jason_slack No.16730272
Are there replacement options being worked on? What about wrapping each request and unwrapping it on the other end, something like how Tor wraps requests in many layers?
replies(3): >>16730985 >>16731578 >>16732818
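To make "plain-text over UDP" concrete, here is an added example (not from any commenter in this thread): it builds a standard DNS query in RFC 1035 wire format, exactly as a stub resolver would send it in one UDP datagram, and then parses it back the way any passive on-path observer could, with no key required. The name www.example.com and the transaction ID are constructed sample values.

```python
import random
import struct

# Constructed sample: a type A query for www.example.com in RFC 1035 wire format.
# Nothing in the datagram is encrypted or authenticated, so every field below is
# readable (and forgeable) by anyone on the path between stub and resolver.

def build_query(name, qtype=1, txid=None):
    """Encode a standard query: 12-byte header + QNAME labels + QTYPE/QCLASS."""
    if txid is None:
        txid = random.getrandbits(16)  # the ID field is only 16 bits wide
    # flags 0x0100 = RD (recursion desired); one question, no answer/authority/additional
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def parse_query(datagram):
    """Recover what a passive observer sees: ID, flags, and the queried name/type."""
    txid, flags, qdcount = struct.unpack("!HHH", datagram[:6])
    pos, labels = 12, []
    while True:
        length = datagram[pos]
        pos += 1
        if length == 0:            # root label terminates the name
            break
        if length & 0xC0:          # compression pointer: never valid in a first QNAME
            raise ValueError("compression pointer in question name")
        labels.append(datagram[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", datagram[pos:pos + 4])
    return {"id": txid, "rd": bool(flags & 0x0100), "qdcount": qdcount,
            "name": ".".join(labels), "qtype": qtype, "qclass": qclass}


if __name__ == "__main__":
    wire = build_query("www.example.com")
    print(wire.hex())          # the raw bytes that cross the wire in the clear
    print(parse_query(wire))   # the name is right there for any observer
```

This is the same payload that DNS-over-TLS and DNS-over-HTTPS carry inside an encrypted channel; they change the transport, not the message format.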
5. written No.16730985
https://en.wikipedia.org/wiki/Domain_Name_System_Security_Ex...

+ DNS-over-TLS for privacy

6. jlgaddis No.16731578
Yes, several: DNS-over-TLS, DNS-over-HTTPS, DNSSEC, DNSCrypt, DNSCurve, and probably a few others I'm forgetting at the moment.
7. jedisct1 No.16732818
https://dnscrypt.info/faq/