Cloudflare to have website filtering like OpenDNS


#1

Does Cloudflare have any plans for a website filtering feature like OpenDNS has? It would be great to see that.


#2

Though I’m not a Cloudflare employee, I personally doubt it. The point of this project is to be simple, private, and fast. Even more importantly, website filtering would involve the service looking at and blocking the domains you (and everyone else) look at, which is almost certainly not going to happen. As of the time of writing the following relevant phrases are on the site:

We will never log your IP address

Frankly, we don’t want to know what you do on the Internet—it’s none of our business—and we’ve taken the technical steps to ensure we can’t.


#3

I know this was addressed upon launch, but I can’t find reference to it. Their response was not strongly in favor of this feature. They would have to set up a separate resolver for this. It can’t/shouldn’t be done with 1.1.1.1 because it would require them knowing your preferences, which wouldn’t be very private.


#4

They could also go the Quad9 route, offer both a filtered and unfiltered view. I love that Cloudflare made the first choice the raw, unfiltered view of the internet.

Quad9 annoys me in that they only enforce DNSSEC if you also accept their filtered view of the internet. I would personally prefer the best of both worlds: DNS integrity and validation without arbitrary filtering.

Each to their own.


#5

Why do you believe Quad9 doesn’t enforce DNSSEC? I thought they do, and dig @9.9.9.9 dnssec-failed.org returns SERVFAIL to me.


#6

Yeah, but that is the filtered IP, just like @thedaveCA said.


#7

Well, correcting myself and @thedaveCA: Quad9’s 9.9.9.10 unfiltered DNS validates DNSSEC.

To me it’s also local, much closer than 1.1.1.1! Will try benchmarking it…

$ dig @9.9.9.10 dnssec-failed.org

; <<>> DiG 9.10.6 <<>> @9.9.9.10 dnssec-failed.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 21451
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dnssec-failed.org.		IN	A

;; Query time: 3 msec
;; SERVER: 9.9.9.10#53(9.9.9.10)
;; WHEN: Tue Jun 12 14:13:54 CEST 2018
;; MSG SIZE  rcvd: 46
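The dig run above relies on two observable signals: a validating resolver answers SERVFAIL for the deliberately broken zone dnssec-failed.org, and it sets the AD (Authenticated Data) bit on answers for a correctly signed name. The following script, an added example that is not part of the thread and not Quad9's or Cloudflare's code, builds the same probe at the wire level (an A query with EDNS0 and the DO bit) and decodes the response header so the two signals can be combined into a verdict. The sample replies at the bottom are constructed by hand, not captured traffic, and 192.0.2.x are documentation addresses; only query_resolver() touches the network.

```python
"""Check whether a recursive resolver validates DNSSEC, at the DNS wire level.

Added example. A validating resolver returns SERVFAIL for a name in a
deliberately broken zone and sets AD on answers for a correctly signed name.
The query carries EDNS0 with DO=1 so the resolver treats us as DNSSEC-aware.
"""
import socket
import struct

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1


def encode_name(name):
    """Encode 'a.b.c' as DNS labels: \\x01a\\x01b\\x01c\\x00."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def opt_record(do_bit=True):
    """EDNS0 OPT pseudo-RR: root name, TYPE 41, 4096-byte UDP payload, DO flag."""
    flags = 0x8000 if do_bit else 0
    return b"\x00" + struct.pack(">HHBBHH", TYPE_OPT, 4096, 0, 0, flags, 0)


def build_query(name, txid=0x53CB, qtype=TYPE_A):
    """A-record query: RD set, one question, one additional record (the OPT)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    return header + encode_name(name) + struct.pack(">HH", qtype, CLASS_IN) + opt_record()


def parse_header(data):
    """Decode the 12-byte header into the flags a DNSSEC check cares about."""
    if len(data) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # this is a response
        "tc": bool(flags & 0x0200),   # truncated: retry over TCP before trusting it
        "ra": bool(flags & 0x0080),   # recursion available
        "ad": bool(flags & 0x0020),   # authenticated data, i.e. resolver validated it
        "rcode": RCODE_NAMES.get(flags & 0x000F, str(flags & 0x000F)),
        "answer_count": an,
    }


def classify_resolver(bogus_reply, signed_reply):
    """Verdict from two probes: a broken-zone name and a correctly signed name."""
    bogus, signed = parse_header(bogus_reply), parse_header(signed_reply)
    if bogus["tc"] or signed["tc"]:
        return "inconclusive"  # UDP answer truncated; nothing here can be trusted
    if bogus["rcode"] == "SERVFAIL" and signed["ad"]:
        return "validating"
    if bogus["rcode"] == "NOERROR" and bogus["answer_count"] > 0 and not signed["ad"]:
        return "not validating"
    return "inconclusive"  # e.g. SERVFAIL caused by an outage rather than validation


def query_resolver(server, name, timeout=3.0):
    """Live probe (needs network): send the query over UDP and return raw bytes."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    if parse_header(data)["id"] != ((q[0] << 8) | q[1]):
        raise ValueError("transaction id mismatch")
    return data


# --- constructed sample replies (hand-built, not captured traffic) -----------
def build_response(txid, flags, name, rdata=None):
    """Minimal response: header + echoed question (+ one A record when rdata given)."""
    an = 1 if rdata else 0
    msg = struct.pack(">HHHHHH", txid, flags, 1, an, 0, 1)
    msg += encode_name(name) + struct.pack(">HH", TYPE_A, CLASS_IN)
    if rdata:
        msg += b"\xc0\x0c" + struct.pack(">HHIH", TYPE_A, CLASS_IN, 300, 4) + rdata
    return msg + opt_record()


# QR|RD|RA with RCODE=2: the "status: SERVFAIL, flags: qr rd ra" shape dig printed above
SERVFAIL_REPLY = build_response(0x53CB, 0x8182, "dnssec-failed.org")
# QR|RD|RA|AD with NOERROR; 192.0.2.1 is a documentation address, not a real answer
VALIDATED_REPLY = build_response(0x53CB, 0x81A0, "example.com", bytes([192, 0, 2, 1]))
# a non-validating resolver hands back an address for the broken zone and never sets AD
UNVALIDATED_BOGUS_REPLY = build_response(0x53CB, 0x8180, "dnssec-failed.org", bytes([192, 0, 2, 2]))
UNVALIDATED_SIGNED_REPLY = build_response(0x53CB, 0x8180, "example.com", bytes([192, 0, 2, 1]))

if __name__ == "__main__":
    print(classify_resolver(SERVFAIL_REPLY, VALIDATED_REPLY))
    print(classify_resolver(UNVALIDATED_BOGUS_REPLY, UNVALIDATED_SIGNED_REPLY))
```

Checking both probes matters: a lone SERVFAIL for dnssec-failed.org could also be a resolver outage, and a lone AD bit tells you nothing about whether bogus data is rejected. The AD bit is only meaningful on the path between you and a resolver you trust (and ideally over an authenticated transport), since any on-path party can set it in a plain UDP reply.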

#8

Right, my bad, but I was lucky. Their FAQ claims they do DNSSEC validation on both: https://quad9.net/faq/#Is_there_a_service_that_Quad9_offers_that_does_not_have_the_blocklist_or_other_security


#9

They must have changed it recently. Here’s the FAQ six months ago:

https://web.archive.org/web/20180101195130/https://www.quad9.net/#/faq#is-there-a-service-that-quad9-offers-that-does-not-have-the-blocklist-or-other-security

Secure IP: 9.9.9.9 Blocklist, DNSSEC, No EDNS Client-Subnet

Unsecure IP: 9.9.9.10 No blocklist, no DNSSEC, send EDNS Client-Subnet


#10

Apparently they did… I tried, but they were slower than 1.1.1.1 despite being a couple of milliseconds closer (we are talking half the latency here). Still better than 8.8.8.8 though, a good third choice (after 1.1.1.1 and 1.0.0.1)?


#11

Ah ha! Thanks for the find. Glad to know my memory hasn’t failed me completely.


#12

Just to add my two cents to the filtering questions:

This can easily be achieved with a small setup using Pi-hole. https://pi-hole.net/

Even though it was designed to be used on a Raspberry Pi, it’s easily installed on Debian or Ubuntu in your local network or on a server.
The intention was to block ads and trackers via publicly available blacklists. However, you can easily add more domains or block lists manually.
Host based or with a wildcard.

Even though it’s not as handy as OpenDNS, since they’ve got predefined categories (also based on user requests; openvpn.net is blocked for being a proxy service :thinking:), it’s a nice alternative: self-hosted, using 1.1.1.1 as upstream.
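The decision a local filter like the one described above makes, exact host-file entries plus wildcard rules checked before anything is forwarded upstream, looks like the following. This is an added illustration, not Pi-hole's own code: the hosts-format blocklist text, the wildcard list and the stand-in upstream answers are constructed for the example, and 192.0.2.x are documentation addresses.

```python
"""Local DNS filtering in the Pi-hole style: exact hosts-file entries plus
wildcard (whole-domain) rules, checked before a query is forwarded upstream.

Added example, not Pi-hole's code. Blocklist text and upstream answers are
constructed; a real deployment loads published lists and forwards to 1.1.1.1.
"""
import re

# Constructed sample in hosts-file format, which is what most public ad/tracker lists use.
SAMPLE_HOSTS_BLOCKLIST = """\
# comment line
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org   # trailing comment
0.0.0.0 a.example.net b.example.net
127.0.0.1 localhost
"""

# Wildcard rules: block the domain itself and every name under it.
SAMPLE_WILDCARDS = ["example-tracking.com"]

SINKHOLE_IPS = {"0.0.0.0", "127.0.0.1", "::1", "::", "0"}
HOSTS_NOISE = {"localhost", "localhost.localdomain", "local", "broadcasthost"}
SINK_ANSWER = "0.0.0.0"


def normalize(name):
    """Case-fold and drop the trailing dot so lookups are canonical."""
    return name.strip().rstrip(".").lower()


def load_hosts_blocklist(text):
    """Parse hosts-style lines ('0.0.0.0 host [host...]') into a set of exact names."""
    blocked = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] not in SINKHOLE_IPS:
            continue  # a real mapping, not a sinkhole entry; ignore it
        for host in parts[1:]:
            host = normalize(host)
            if host not in HOSTS_NOISE:
                blocked.add(host)
    return blocked


def compile_wildcards(domains):
    """Anchor each wildcard at a label boundary, so a rule for 'example.com'
    does not also swallow 'notexample.com' (a plain endswith() test would)."""
    return [re.compile(r"(^|\.)" + re.escape(normalize(d)) + r"$") for d in domains]


def is_blocked(name, exact, wildcards):
    n = normalize(name)
    return n in exact or any(p.search(n) for p in wildcards)


def resolve(name, exact, wildcards, upstream):
    """Return (answer, decision). Blocked names never reach the upstream resolver,
    which is why the filtering preference stays on your own network."""
    if is_blocked(name, exact, wildcards):
        return SINK_ANSWER, "blocked"
    return upstream(normalize(name)), "forwarded"


def fake_upstream(name):
    """Constructed stand-in for forwarding to 1.1.1.1; a real one sends the query."""
    return {"example.com": "192.0.2.10"}.get(name, "NXDOMAIN")


if __name__ == "__main__":
    exact = load_hosts_blocklist(SAMPLE_HOSTS_BLOCKLIST)
    wild = compile_wildcards(SAMPLE_WILDCARDS)
    for q in ["ads.example.net", "cdn.example-tracking.com",
              "notexample-tracking.com", "example.com"]:
        print(q, resolve(q, exact, wild, fake_upstream))
```

The label-boundary anchoring is the part worth copying: a naive suffix match on a wildcard rule over-blocks unrelated domains that merely end in the same string, which is a common bug in home-grown filters.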


#13

That’s really cool! I have a Raspberry Pi somewhere; I will try it someday!