Does Cloudflare have any plans for a website filtering feature like OpenDNS has? It would be great to see that.
Though I’m not a Cloudflare employee, I personally doubt it. The point of this project is to be simple, private, and fast. Even more importantly, website filtering would involve the service looking at and blocking the domains you (and everyone else) look at, which is almost certainly not going to happen. As of the time of writing, the following relevant phrases are on the site:
We will never log your IP address
Frankly, we don’t want to know what you do on the Internet—it’s none of our business—and we’ve taken the technical steps to ensure we can’t.
I know this was addressed upon launch, but I can’t find reference to it. Their response was not strongly in favor of this feature. They would have to set up a separate resolver for this. It can’t/shouldn’t be done with 220.127.116.11 because it would require them knowing your preferences, which wouldn’t be very private.
They could also go the Quad9 route, offer both a filtered and unfiltered view. I love that Cloudflare made the first choice the raw, unfiltered view of the internet.
Quad9 annoys me in that they only enforce DNSSEC if you also accept their filtered view of the internet. I would personally prefer the best of both worlds: DNS integrity and validation without arbitrary filtering.
Each to their own.
Why do you believe Quad9 doesn’t enforce DNSSEC? I thought they do, and dig @18.104.22.168 dnssec-failed.org returns SERVFAIL to me.
Yeah, but that is the filtered IP, just like @thedaveCA said.
Well, correcting myself and @thedaveCA: Quad9’s 22.214.171.124 unfiltered DNS validates DNSSEC.
To me it’s also local, much closer than 126.96.36.199! Will try benchmarking it…
$ dig @188.8.131.52 dnssec-failed.org
; <<>> DiG 9.10.6 <<>> @184.108.40.206 dnssec-failed.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 21451
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dnssec-failed.org. IN A
;; Query time: 3 msec
;; SERVER: 220.127.116.11#53(18.104.22.168)
;; WHEN: Tue Jun 12 14:13:54 CEST 2018
;; MSG SIZE rcvd: 46
Right, my bad, but I was lucky. Their FAQ claims they do DNSSEC validation on both: https://quad9.net/faq/#Is_there_a_service_that_Quad9_offers_that_does_not_have_the_blocklist_or_other_security
They must have changed it recently. Here’s the FAQ six months ago:
Secure IP: 22.214.171.124 Blocklist, DNSSEC, No EDNS Client-Subnet
Unsecure IP: 126.96.36.199 No blocklist, no DNSSEC, send EDNS Client-Subnet
Apparently they did… I tried, but they were slower than 188.8.131.52 despite being a couple of milliseconds closer (we are talking half the latency here). Still better than 184.108.40.206 though, a good third choice (after 220.127.116.11 and 18.104.22.168)?
Ah ha! Thanks for the find. Glad to know my memory hasn’t failed me completely.
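The dig test against dnssec-failed.org used in this thread, as an added example that is not from any poster: a SERVFAIL for the deliberately broken domain only shows DNSSEC validation if the same resolver also answers NOERROR for a correctly signed control domain, so the check below reads both results. The dig outputs are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed dig header excerpts (not captured from a real resolver).
BROKEN_SERVFAIL = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 21451
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
BROKEN_NOERROR = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7310
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""
CONTROL_AD = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4012
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""
CONTROL_PLAIN = CONTROL_AD.replace(" ad;", ";")
CONTROL_SERVFAIL = BROKEN_SERVFAIL  # resolver failing for unrelated reasons


def parse_header(dig_output):
    """Return (status, set of header flags) from dig's text output."""
    status = re.search(r"status:\s*([A-Z]+)", dig_output)
    # ';; flags:' is the header line; the EDNS line has ', flags:;' instead.
    flags = re.search(r";; flags:([^;]*);", dig_output)
    if not status or not flags:
        raise ValueError("no dig header found")
    return status.group(1), set(flags.group(1).split())


def classify(broken_output, control_output):
    """Return (verdict, control_ad) for one resolver.

    broken_output:  dig output for a domain with broken DNSSEC
                    (dnssec-failed.org in the thread).
    control_output: dig output for a correctly signed domain (an assumption
                    of this example; the thread does not name one).
    """
    b_status, _ = parse_header(broken_output)
    c_status, c_flags = parse_header(control_output)
    control_ad = "ad" in c_flags  # AD bit: resolver says it validated the answer
    if c_status != "NOERROR":
        # Resolver cannot answer a healthy signed zone: SERVFAIL proves nothing.
        return "inconclusive", control_ad
    if b_status == "SERVFAIL":
        return "validating", control_ad
    if b_status == "NOERROR":
        return "not validating", control_ad
    return "inconclusive", control_ad
```
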
Just to add my two cents to the filtering questions:
This can easily be achieved with a small setup using pi-hole. https://pi-hole.net/
Even though it was designed to be used on a Raspberry Pi, it’s easily installed on Debian or Ubuntu in your local network or on a server.
The intention was to block ads and trackers via publicly available blacklists. However, you can easily add more domains or block lists manually.
Host based or with a wildcard.
It’s not as handy as OpenDNS, since they’ve predefined categories (also based on user requests, openvpn.net is blocked for being a proxy service), but it’s a nice alternative - self-hosted, using 22.214.171.124 as upstream.
That’s really cool! I have a Raspberry Pi somewhere, will try it someday!
Just to update this thread, there are a couple of options for this available now although I’m not sure if they are exactly what you were looking for:
Simple setup but less customisable (choose between blocking malware or blocking malware and adult content):
More complex to set up but configurable (can choose to block by category):