On 1.1.1.1 and Quad9

2018-04-02

EDIT: As of 2018-05-03, Unbound has fixed TLS authentication. You should upgrade Unbound before using DNS over TLS.

With yesterday’s announcement of Cloudflare’s 1.1.1.1 service, we have yet another alternative to Google’s 8.8.8.8 DNS service, alongside Quad9.

Connecting securely

Tradeoffs between these connection protocols are discussed in DNSCrypt’s FAQ.

DNS over TLS

Unlike 8.8.8.8, Cloudflare and Quad9 implement RFC 7858 (DNS over TLS), a proposed standard for encrypting DNS queries over TCP.

Unfortunately, widely used clients and resolvers do not fully implement this standard [1], and those that do are in alpha/beta status.

For Unbound, there is a three-year-old unresolved issue: any certificate presented by the server is accepted, and it is not authenticated against a trusted root [2].
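The difference between "encrypted" and "encrypted and authenticated" is visible in the forward-zone configuration. The fragment below is an added example, not configuration from the original post; it assumes an Unbound build that includes the TLS authentication fix (1.7.1 or later; older releases spell the option `forward-ssl-upstream` and have no way to pin a server name), and the CA bundle path is a Debian-style placeholder that differs per OS. The Cloudflare and Quad9 addresses and TLS names are the providers' published ones.

```conf
# Added example (not from the original post). Assumes Unbound 1.7.1+;
# the CA bundle path is a placeholder for your OS's trust store.

server:
    # Trust roots used to verify the certificate of upstream DoT servers.
    # Without a bundle Unbound has nothing to validate the chain against.
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

# WEAK: traffic is encrypted, but the upstream is NOT authenticated.
# No server name follows the address, so any certificate is accepted,
# which is exactly the behaviour the unresolved Unbound issue describes.
# Left commented out so it cannot be enabled by accident.
#
# forward-zone:
#     name: "."
#     forward-tls-upstream: yes
#     forward-addr: 1.1.1.1@853

# CORRECTED: the "#hostname" suffix names the identity the server's
# certificate must carry; together with tls-cert-bundle this gives an
# authenticated TLS session to port 853 rather than an anonymous one.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    # Cloudflare
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    # Quad9
    forward-addr: 9.9.9.9@853#dns.quad9.net
```

After editing, run `unbound-checkconf` to catch syntax errors (an unknown option name is the usual sign that the installed version predates the fix) and confirm with a packet capture that outbound resolver traffic is to port 853 only.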

DNS over HTTPS

Both 8.8.8.8 and Cloudflare’s DNS service provide this feature. Personally, I will probably be using this protocol to connect to Cloudflare.

DNSCrypt

I used dnscrypt-proxy when it was written in C. No major complaints, but it is now unmaintained; v2 supports DoH as well as DNSCrypt.

1. https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Implementation+Status

2. https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=658#c5