The need for speed (and security): Cloudflare has developed a new DNS service for PCs and phones

Discussion in 'privacy technology' started by ronjor, Apr 1, 2018.

  1. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    It depends on what you care about more, privacy or speed :)
    Yes, that's a very thorough one. But https://grc.com/dns/ does an even better job of hammering all configured DNS servers.
     
  2. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,010
    Location:
    Member state of European Union
    But this can also be done at a lower level, e.g. at Internet exchange point routers. DNS is not the only mechanism for that.
     
  3. yeL

    yeL Registered Member

    Joined:
    Aug 10, 2015
    Posts:
    283
    I'm confused. In the https://grc.com/dns/ test there are 10 DNS servers, only the first one being the Cloudflare server. The rest are the same ones that are reported in the previous websites I've mentioned back in the topic.

    Anyone else get similar behavior?
     
  4. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    As long as you're not using DNS provided by your ISP, there's no true privacy to gain. It's an IP in a different location, isn't that the point of a VPN? :)

    I can't say, the fact that someone had a "0" response makes me doubt it, maybe I'm wrong.

    Cloudflare actually should return many servers. Are you sure they are not all cloudflare servers?
     
  5. yeL

    yeL Registered Member

    Joined:
    Aug 10, 2015
    Posts:
    283
    Yes, because in the server name I can see the resolvers being from my ISP.
     
  6. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Who "had a "0" response" with https://grc.com/dns o_O
     
  7. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Well, that's telling you that those DNS nameservers are configured somewhere for your machine.

    Which of them if any, do you also see using https://www.dnsleaktest.com/ o_O
     
  8. yeL

    yeL Registered Member

    Joined:
    Aug 10, 2015
    Posts:
    283
    In https://www.dnsleaktest.com/ there are only Cloudflare servers. In https://grc.com/dns/ I see both Cloudflare and my ISP.

    I can only think of my router, since it doesn't allow changing DNS on it. My PC has only Cloudflare DNS servers set up.
     
  9. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Yeah, it's probably the router. As I said, the GRC tool pushes very hard to find any DNS server that your machine could use.

    Have you set your LAN interface to static DNS servers? Or is it still accepting stuff from the router?
     
  10. yeL

    yeL Registered Member

    Joined:
    Aug 10, 2015
    Posts:
    283
    So I went to my Ethernet connection properties > Internet Protocol 4 (TCP/IPv4) > Properties > Advanced > DNS and removed the internal entry (IP of the router). Leaving it as this:

    [Attached image: Untitled.png]
    and now on https://grc.com/dns/ it only shows the IP from Cloudflare.
     
  11. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
  12. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Nice, the router wouldn't affect it at all unless you had configured the router as a DNS resolver (which you did).

    See #43
     
  13. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Huh? I have no clue. Maybe they had excluded 1.0.0.0/8 because it was used in some routers. And now they've fixed that, so they pick up Cloudflare DNS.

    Sorry I missed that until now :(
     
  14. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I haven't followed this thread as closely in recent weeks and I have very little experience when it comes to DNS leaks. However, I am curious to understand and learn more at all times. I tried the GRC DNS test again and it shows 0 "No nameservers were found". Also, when I try https://www.dnsleaktest.com/, whether Standard or Extended, it goes on for 10+ minutes on either test and I just give up after that amount of time.

    I don't use a VPN. The only thing potentially intercepting network activity is Adguard for Windows and therefore I have that disabled during testing. I've got Cloudflare DNS set up in my router. The router has got OpenWrt configured with a multi-instance dnsmasq setup which is essentially a different dnsmasq instance (with different DNS servers and settings) per wireless network for a total of 3 wireless networks. I am on the wireless network which has Cloudflare DNS set up, of course. The other networks serve different purposes.

    I'm not blocking JavaScript or anything like that either. So I am a little bit confused as to why these DNS leak test sites are not pinpointing Cloudflare DNS on my network. If someone can give me a bit more insight on this I would greatly appreciate it.
     
  15. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Maybe something about how dnsmasq works?

    What do you see about DNS in LAN adapter properties?

    For what it's worth, I just checked https://dnsleaktest.com/ and https://grc.com/dns/ in a Whonix instance. And got many DNS servers, which must be from the Tor exit, because the workstation VM has no non-Tor Internet connectivity.
     
  16. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,010
    Location:
    Member state of European Union
    Let's say somebody takes a laptop or smartphone to a shopping center and connects to an open Wifi network. I would not trust that network. I think these encrypted DNS services are good for that purpose, to secure at least at a basic level. I know the only truly good solution is a VPN, but not everybody has access to them.
     
  17. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    That literally has absolutely nothing to do with the point I was making, so I'm not sure why you quoted me, although your point remains relevant.
     
  18. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Unfortunately I do not know a whole lot about the specifics on how dnsmasq works. Is it possible that a firewall rule on the router could also be the cause?

    For the LAN properties I've kept things simple by having it obtain an IP address automatically and also obtain DNS server address automatically. So it would be the typical 192.168.1.1 pulling from the router and having the router deal with the DNS lookup. I will try setting the DNS manually on the client and see if the results are different.

    EDIT: I've got DNS set up manually instead of through the router now.

    Code:
    C:\Windows\system32>ipconfig /all
    
    Windows IP Configuration
    
       Host Name . . . . . . . . . . . . : WIN10-ULTRABOOK
       Primary Dns Suffix  . . . . . . . :
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : lan
    
    Ethernet adapter Ethernet:
    
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Intel(R) Ethernet Connection I218-LM
       Physical Address. . . . . . . . . : ****** (removed)
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
    
    Wireless LAN adapter Wi-Fi:
    
       Connection-specific DNS Suffix  . : lan
       Description . . . . . . . . . . . : Intel(R) Dual Band Wireless-AC 7260
       Physical Address. . . . . . . . . : ****** (removed)
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 192.168.1.248(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . : Sunday, May 6, 2018 7:57:44 AM
       Lease Expires . . . . . . . . . . : Sunday, May 6, 2018 8:37:31 PM
       Default Gateway . . . . . . . . . : 192.168.1.1
       DHCP Server . . . . . . . . . . . : 192.168.1.1
       DNS Servers . . . . . . . . . . . : 1.1.1.1
                                           1.0.0.1
       NetBIOS over Tcpip. . . . . . . . : Disabled
    
    Ethernet adapter vEthernet (Default Switch):
    
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Hyper-V Virtual Ethernet Adapter
       Physical Address. . . . . . . . . : ****** (removed)
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : ****** (removed)
       Subnet Mask . . . . . . . . . . . : 255.255.255.240
       Default Gateway . . . . . . . . . :
       NetBIOS over Tcpip. . . . . . . . : Disabled
    

    Unfortunately both DNS leak test sites still cannot determine any DNS servers on my setup. I will have to look into firewall settings next.
     
    Last edited: May 6, 2018
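
Added example, not part of any post in this thread: a small parser for the `ipconfig /all` layout pasted above that lists the DNS servers configured per adapter and flags any resolver outside the set you intend to use, which is the situation resolved earlier in the thread by removing the router's IP from the adapter's DNS list. The sample text, the `EXPECTED` set and the function names are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample in the `ipconfig /all` layout; values are illustrative.
SAMPLE = """\
Ethernet adapter Ethernet:

   IPv4 Address. . . . . . . . . . . : 192.168.1.50(Preferred)
   DNS Servers . . . . . . . . . . . : 1.1.1.1
                                       1.0.0.1
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wi-Fi:

   DNS Servers . . . . . . . . . . . : 1.1.1.1
                                       1.0.0.1
"""

EXPECTED = {"1.1.1.1", "1.0.0.1"}  # assumption: the resolvers you intend to use
FIELD = re.compile(r"^\s+(.*?)\s*(?:\. )+:\s*(.*)$")  # "Key . . . : value"

def parse_dns_servers(text):
    """Map each adapter section to the DNS servers listed under it."""
    adapters, current, in_dns = {}, None, False
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():  # an unindented line starts a new section
            current = line.rstrip(":") if line.endswith(":") else None
            in_dns = False
            if current:
                adapters[current] = []
            continue
        m = FIELD.match(line)
        in_dns = (m.group(1) == "DNS Servers") if m else in_dns
        value = m.group(2) if m else line.strip()  # no key: continuation line
        if in_dns and current:
            try:  # drop any IPv6 zone suffix, then validate as an address
                adapters[current].append(str(ipaddress.ip_address(value.split("%")[0])))
            except ValueError:
                pass  # not an address, ignore
    return adapters

def unexpected_resolvers(adapters, expected=EXPECTED):
    """Return only the adapters that list a resolver outside `expected`."""
    return {name: [s for s in servers if s not in expected]
            for name, servers in adapters.items()
            if any(s not in expected for s in servers)}
```

Feed it the text of a real `ipconfig /all` capture in place of `SAMPLE`; an empty result from `unexpected_resolvers` means every adapter lists only the expected resolvers.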
  19. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    @WildByDesign
    I tried dnsleaktest yesterday and got it running continuously without any results (for both standard and extended test). Today I tried it with the same network setup and it finished with no problems. Maybe it's not a problem only on your side.
     
  20. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Strange. If you consistently see nothing, it's probably something about your router setup.

    But as long as everything works, having no findable DNS servers is perhaps a good thing.

    So maybe we could all learn something here :)
     
  21. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I tried both tests with my kids' iPads on their own wireless network (same router) but with a different instance of dnsmasq using the family protection OpenDNS. In this case, both DNS leak test sites correctly showed the OpenDNS servers.

    So it seems to be just my main wireless network with Cloudflare which does not show on either site. Different subnet but same firewall rules.

    But yes, I suppose maybe this is a positive thing.

    EDIT: So I ended up trying with my main Ultrabook system connected to the kids' wireless network which uses the OpenDNS family shield servers. Those DNS leak test sites worked correctly with the iPads connected to that same wireless network but not with my Ultrabook.

    Therefore it has to be something specific with my Ultrabook system causing the DNS leak test sites to not work and show any servers. I will have to dig into this further but at least we can rule out the router now. Maybe this has something to do with Windows 10 1803 release. Not sure at the moment. But the only network related change on this freshly installed 1803 build is Adguard For Windows but that is disabled. I will try more testing later on.
     
    Last edited: May 7, 2018
  22. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Interesting. Could be something useful to know :)
     
  23. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Has anyone else been getting random NXDOMAIN results on some web sites? I've been seeing this more and more lately but seems quite random. I would then briefly switch over to OpenDNS and the sites would resolve right away.
     
  24. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,010
    Location:
    Member state of European Union
  25. guest

    guest Guest

    Cloudflare experiments with hidden Tor services
    Matt Prince sets a daemon to work with the onions
    June 6, 2018

    https://www.theregister.co.uk/2018/06/06/cloudflare_experiments_with_hidden_tor_services/
     