Does cloudflare have any plans for website filtering feature like openDNS has. Will be great to see that.
Though I’m not a Cloudflare employee, I personally doubt it. The point of this project is to be simple, private, and fast. Even more importantly, website filtering would involve the service looking at and blocking the domains you (and everyone else) look at, which is almost certainly not going to happen. As of the time of writing the following relevant phrases are on the site:
We will never log your IP address
Frankly, we don’t want to know what you do on the Internet—it’s none of our business—and we’ve taken the technical steps to ensure we can’t.
I know this was addressed upon launch, but I can’t find a reference to it. Their response was not strongly in favor of this feature. They would have to set up a separate resolver for this. It can’t/shouldn’t be done with 188.8.131.52 because it would require them knowing your preferences, which wouldn’t be very private.
They could also go the Quad9 route, offer both a filtered and unfiltered view. I love that Cloudflare made the first choice the raw, unfiltered view of the internet.
Quad9 annoys me that they only enforce DNSSEC if you also accept their filtered view of the internet, I would personally prefer the best of both worlds, DNS integrity and validation without arbitrary filtering.
Each to their own.
Why do you believe Quad9 doesn’t enforce DNSSEC? I thought they do, and dig @184.108.40.206 dnssec-failed.org returns SERVFAIL to me.
Well, correcting myself and @thedaveCA: Quad9’s 220.127.116.11 unfiltered DNS validates DNSSEC. To me it’s also local, much closer than 18.104.22.168! Will try benchmarking it…
```
$ dig @22.214.171.124 dnssec-failed.org

; <<>> DiG 9.10.6 <<>> @126.96.36.199 dnssec-failed.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 21451
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dnssec-failed.org.            IN      A

;; Query time: 3 msec
;; SERVER: 188.8.131.52#53(184.108.40.206)
;; WHEN: Tue Jun 12 14:13:54 CEST 2018
;; MSG SIZE  rcvd: 46
```
Right, my bad, but I was lucky. Their FAQ claims they do DNSSEC validation on both: https://quad9.net/faq/#Is_there_a_service_that_Quad9_offers_that_does_not_have_the_blocklist_or_other_security
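The check the posts above are doing by hand (a validating resolver answers SERVFAIL for the deliberately broken zone dnssec-failed.org) can be made a little more rigorous by pairing it with a second probe for a correctly signed name and reading the ad flag. The script below is an added example, not code from the thread or from Quad9/Cloudflare; it parses dig's text output and classifies the resolver. The dig outputs embedded in it are constructed samples in dig's print format, not real captures, and the 203.0.113.x addresses are documentation placeholders.

```python
"""Decide from dig output whether a resolver validates DNSSEC.

Added example. Two probes are combined:
  * a bogus name (dnssec-failed.org): a validating resolver returns SERVFAIL
  * a correctly signed name: a validating resolver sets the 'ad' flag
SERVFAIL on its own proves little (it can be any failure), so both are needed.
"""
import re
from dataclasses import dataclass

HEADER_RE = re.compile(r"->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)")
FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);.*ANSWER: (\d+)", re.MULTILINE)
SERVER_RE = re.compile(r"^;; SERVER: (\S+)", re.MULTILINE)


@dataclass(frozen=True)
class DigResult:
    status: str        # NOERROR, SERVFAIL, NXDOMAIN, ...
    flags: frozenset   # header flags exactly as dig prints them
    answers: int       # ANSWER count from the header line
    server: str        # resolver the answer came from

    @property
    def ad(self) -> bool:
        """True when the resolver asserted it validated the answer."""
        return "ad" in self.flags


def parse_dig(output: str) -> DigResult:
    """Extract status, flags, answer count and server from dig's text output."""
    header = HEADER_RE.search(output)
    if header is None:
        raise ValueError("no ;; ->>HEADER<<- line in dig output")
    flags_m = FLAGS_RE.search(output)
    flags = frozenset(flags_m.group(1).split()) if flags_m else frozenset()
    answers = int(flags_m.group(2)) if flags_m else 0
    server_m = SERVER_RE.search(output)
    server = server_m.group(1) if server_m else ""
    return DigResult(header.group(2), flags, answers, server)


def classify(bogus: DigResult, good: DigResult) -> str:
    """Classify a resolver from its answers for a bogus and a good signed name."""
    # Data returned for a name whose signature chain is broken: not validating.
    if bogus.status == "NOERROR" and bogus.answers > 0:
        return "not validating"
    # Refused the bogus name AND authenticated the good one: validating.
    if bogus.status == "SERVFAIL" and good.status == "NOERROR" and good.ad:
        return "validating"
    # SERVFAIL on both, or no 'ad' on the good name: cannot tell from this alone.
    return "inconclusive"


# Constructed sample (not a real capture): validating resolver, bogus name.
BOGUS_VALIDATING = """\
; <<>> DiG 9.10.6 <<>> @203.0.113.1 dnssec-failed.org
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 21451
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;dnssec-failed.org.            IN      A
;; SERVER: 203.0.113.1#53(203.0.113.1)
"""

# Constructed sample: validating resolver, correctly signed name, 'ad' set.
GOOD_VALIDATING = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
signed.example.             300     IN      A       203.0.113.10
;; SERVER: 203.0.113.1#53(203.0.113.1)
"""

# Constructed sample: non-validating resolver happily returns the bogus data.
BOGUS_FORWARDED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 777
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
dnssec-failed.org.          7200    IN      A       203.0.113.99
;; SERVER: 203.0.113.2#53(203.0.113.2)
"""

if __name__ == "__main__":
    print("resolver A:", classify(parse_dig(BOGUS_VALIDATING), parse_dig(GOOD_VALIDATING)))
    print("resolver B:", classify(parse_dig(BOGUS_FORWARDED), parse_dig(GOOD_VALIDATING)))
```

To run it against a real resolver, feed it the output of `dig @resolver dnssec-failed.org` and `dig @resolver <some-signed-name>`; adding `+cd` (checking disabled) to the first query makes a validating resolver hand back the bogus data, which is a useful way to confirm the SERVFAIL really came from validation. Note that the ad flag is only as trustworthy as the path to the resolver: over plain UDP on an untrusted network a response can be spoofed, so the flag means something when the resolver is local or reached over DoT/DoH.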
They must have changed it recently. Here’s the FAQ six months ago:
Secure IP: 220.127.116.11 Blocklist, DNSSEC, No EDNS Client-Subnet
Unsecure IP: 18.104.22.168 No blocklist, no DNSSEC, send EDNS Client-Subnet
Apparently they did… I tried, but they were slower than 22.214.171.124 despite being a couple of milliseconds closer (we are talking half the latency here). Still better than 126.96.36.199 though, a good third choice (after 188.8.131.52 and 184.108.40.206)?
Ah ha! Thanks for the find. Glad to know my memory hasn’t failed me completely.
Just to add my two cents to the filtering questions:
This can easily be achieved with a small setup using pi-hole. https://pi-hole.net/
Even though it was designed to be used on a Raspberry Pi, it’s easily installed on Debian or Ubuntu in your local network or on a server.
The intention was to block ads and trackers via publicly available blacklists. However, you can easily add more domains or block lists manually.
Host based or with a wildcard.
Even though it’s not as handy as OpenDNS, since they’ve got predefined categories (also based on user requests; openvpn.net is blocked for being a proxy service), it’s a nice alternative: self-hosted, using 220.127.116.11 as upstream.
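The post above mentions two ways to block a domain locally: host-based (an exact name, the format of the public hosts-file blacklists) and wildcard (a name plus all of its subdomains). The script below is an added illustration of those two matching modes, not Pi-hole’s own code, and the list contents in it are constructed. It uses a label walk for wildcards rather than a string suffix test, so that nottelemetry.example.org is not caught by a wildcard on telemetry.example.org.

```python
"""Domain blocklist with exact (hosts-file) and wildcard matching.

Added example, not Pi-hole's implementation. The lists are constructed.
"""
from typing import Iterable, Tuple

# Constructed hosts-file style list, the format most public ad/tracker lists use.
HOSTS_LIST = """\
# comment lines and blank lines are ignored
0.0.0.0 ads.example.com
0.0.0.0 tracker.example.net   # trailing comments too
127.0.0.1 pixel.example.net
127.0.0.1 localhost
"""

# Constructed wildcard entries: each blocks the name itself and every subdomain.
WILDCARD_LIST = ["telemetry.example.org", "metrics.example"]


def normalize(name: str) -> str:
    """Lower-case and drop the trailing dot so 'ADS.Example.COM.' still matches."""
    return name.strip().rstrip(".").lower()


def parse_hosts(text: str) -> set:
    """Collect the hostnames from a hosts-file style list, skipping localhost."""
    blocked = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        # First field is the sink address (0.0.0.0 / 127.0.0.1); the rest are names.
        for host in fields[1:]:
            if host != "localhost":
                blocked.add(normalize(host))
    return blocked


class Blocklist:
    def __init__(self, exact: Iterable[str], wildcards: Iterable[str]):
        self.exact = {normalize(d) for d in exact}
        self.wildcards = {normalize(d) for d in wildcards}

    def check(self, qname: str) -> Tuple[bool, str]:
        """Return (blocked, reason). Exact entries match only the exact name;
        wildcard entries match the name and any subdomain, on label boundaries."""
        name = normalize(qname)
        if name in self.exact:
            return True, "exact:" + name
        labels = name.split(".")
        # Walk from the full name up to the TLD: a.b.c -> a.b.c, b.c, c
        for i in range(len(labels)):
            suffix = ".".join(labels[i:])
            if suffix in self.wildcards:
                return True, "wildcard:" + suffix
        return False, ""


def build_default() -> Blocklist:
    return Blocklist(parse_hosts(HOSTS_LIST), WILDCARD_LIST)


if __name__ == "__main__":
    bl = build_default()
    for q in ["ads.example.com", "cdn.ads.example.com",
              "a.b.telemetry.example.org", "nottelemetry.example.org"]:
        print(q, bl.check(q))
```

The behaviour worth noticing is the asymmetry: a hosts-file entry for ads.example.com does nothing for cdn.ads.example.com (you need a wildcard for that), while a wildcard on telemetry.example.org is deliberately stopped at a label boundary so unrelated names that merely end in the same characters stay resolvable.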
That’s really cool! I have a Raspberry Pi somewhere, will try it someday!