Doubts about 1.1.1.1

I second the myriad problems of Cloudflare.

I started very enthusiastically believing the hype: Cloudflare was the greatest thing since sliced bread.
I can’t count the endless hours and days I’ve spent troubleshooting the OS, the data provider, and each site in question because I’d actually forgotten I had switched to Cloudflare.

  1. It may very well be that many sites use insecure web practices; then again, absolutely nothing is bulletproof on the web, just as in real life. But what do we want, when our own government leaders handle classified info on unsecured phones and home computers? Everyone knows everything about everyone else while pretending they don’t, so as to not risk losing access.

  2. Far too many apps, even those specifically created for security, just don’t work on Cloudflare, to varying degrees from mild to complete. To name a few: Privacy.com, Stripe (and gosh, they supposedly securely validate & interface between banks, fintechs, and customers), some bank apps, some VPNs, food apps (some are the world’s largest to boot), survey apps, government sites like some of NYC’s, etc.
    It’s not confined to small or just emerging companies. Ditto for security texts and two factor authentication- TMobile, Microsoft…Google was a past example but looks like they found a workaround.
    Signing up for various forums is not possible either.

  3. All these problems immediately go away by disabling Cloudflare back to the default. Nor do they occur when using Google DNS.

  4. Everybody has to eat, but the individual customer paid subscription model and the individual business paid prioritization model trigger the suspicious and conspiracy theorists.
    Just the fact that you have MVP’s, that you felt this need, is telling and a self-admissive… Just like at Microsoft, which I happen to belong to.
    And btw, NONE of the MSMVP’s ever are rude, sarcastic or condescending.

  5. I just spent a half hour on another of your roadblocks just by trying to sign up to post this. It seems you don’t like when we stumble onto your site / an interesting thread, sign up, but validate on another peripheral so as not to lose the exact place mark.
    And can you please add the feature of returning to original placeholder upon verification and signup? That feature has only existed for two decades.
    The validation link immediately throws a “link expired” message with a prompt to resend another one. How about a more truthful prompt, like “not allowed to validate on different hardware”? That would avoid an endless validation loop, because most of those messages end up in Spam.
    AND because the site keeps one logged in and allows accessing Dashboard, this leads one to believe validation worked, delays finishing the validation. BTW There is one popup that disappears almost instantaneously- who knows what that message says.
    Can you make trusted agreements with the big email providers so as not to wind up in Spam?
    And why validate and sign up only thru email instead of using the large social portals? That is so 1989, today’s web surfer will not have the patience, will just not post.
    If you wish to validate, secure code to phone is much easier on people- ahh, but that may never arrive for many… Back to the drawing board.

One more I forgot:
6. Cloudflare on Android doesn’t persist thru phone restart. Even worse, it restarts quite a bit later- evades monitoring the restart.

This definitely isn’t a 1.1.1.1 issue. I use a large number of the sites and services you’ve mentioned and have never encountered any issues with 1.1.1.1 for those. I have encountered an issue with archive.is, but that has been established to be deliberate on archive.is’ part; they block 1.1.1.1.

Edit: Actually, are you using Warp? Try disabling Warp and just leaving DNS only enabled. Even with Warp, though, many of the services you’ve mentioned work for me, but I’d expect others not to work—never access a bank from a VPN; they freak out.


It’s gonna be a yeoman’s work getting all other sites to adopt best practices. Being right while the mob is wrong equals being wrong while the mob is right.

Best practices aren’t needed for compatibility with 1.1.1.1. Warp is a little different—some companies block all VPNs. You don’t need to use Warp to use 1.1.1.1, though.

1.1.1.1’s main perk—talking about DNS only here—is that it’s fast. It also lets you use stuff like DoH if you do choose. Other than that, it’s the same as any other resolver, and most sites can’t even tell you’re using it.

Thanks for your reply. I don’t use VPN on phone. I don’t use Warp.
I haven’t had a single issue that didn’t go away immediately upon disabling CF. None, zip.
It could be CF use while on METROPCS… Even the phone being unupdated over a year now. Because the same occurs on Windows tablet hotspotted from the phone. I haven’t experimented on the other lines and carriers in order to not introduce logging in from a different phone / provider as a possible cause.
I’m switching my main line to Visible (Verizon) and a new phone without tweaking or rooting it, to see if all this replicates.

Zenexer, it looks like many companies are not utilizing correct / best / latest / secure practices, thus leading to issues on CF?
Which is trying to stay on the straight and narrow?

From a technical standpoint, that doesn’t make any sense. 1.1.1.1 isn’t dependent on websites following best practices–it works regardless. If you’re using DNS exclusively, rather than DNS + Warp, pretty much every website has absolutely no way of even knowing that you’re using 1.1.1.1 for DNS–to them, everything looks identical.

The widespread issues you’re experiencing can’t be a result of 1.1.1.1 itself. One possibility is that you’re using 1.1.1.1 on a network that blocks it for censorship or security reasons. Some ISPs and corporate networks do that. For example, if I try to use 1.1.1.1 via https://cloudflare-dns.com/ on an Amazon retail store Wi-Fi network, it’s blocked by Cisco Umbrella. If that’s my only DNS server, I won’t be able to access anything while on that Wi-Fi network.


Here’s another one. Google Maps latest version everything works except the actual map screen. Even walking directions work, except the line is on a blank screen.
Disable CF and the map clearly appears.

  1. Are you attempting this on a phone?
  2. If it’s a phone, is it iOS or Android?
  3. If it’s a phone, are you using the 1.1.1.1 app, or have you manually configured 1.1.1.1 as your DNS server?
  4. If you’re using the app, is Warp enabled, or do you have it set to DNS-only?
  5. Who is your carrier/ISP?
  6. Do these problems occur when you’re connected to Wi-Fi, 4G, or both?
  7. In which country is this occurring?
  8. With 1.1.1.1 enabled, go to https://1.1.1.1/help, copy the URL it gives you in the box, and paste it here.
  9. With 1.1.1.1 disabled, repeat the process in step 8. You should now have two links.

I’m unable to reproduce the Google Maps issue you described on both iOS and Android, regardless of how I’m using 1.1.1.1 and whether Warp is enabled. There is a strong chance this is an issue with your phone, ISP, or network.


A quick Google search didn’t lead to any issues I could find with 1.1.1.1 and privacy.com, but I’m sure it’s possible. privacy.com appears to not use DNSSEC, so I’m not sure what issues would occur when using 1.1.1.1, but if you have a reproducible issue you can post details and I’ll happily pass it along to the resolver team.

Yep… some banks have horribly configured DNSSEC that a validating resolver won’t resolve unless an exception is put in place to allow/ignore the problem. One can argue that to make things easier on an end user, 1.1.1.1 should add those exceptions (and in some cases we do), but one can also argue that a user who has opted to use 1.1.1.1 wants DNSSEC validation to actually validate. Fortunately there’s lots of choice for resolvers out there, and 1.1.1.1 may not be the right choice for everyone.

1.1.1.1 is free for everyone. Outside of certain enterprise agreements where larger organizations want to use 1.1.1.1 as their resolver there is no option for paid support for the service.

Microsoft’s MVP program provides recognition for individuals who contribute to the broader community with their time and expertise. The MVPs provide a huge service to the community and through their expertise improve the adoption of products by the broader community and provide valuable feedback to the product teams on ways to make their product better. I appreciate the comparison and think Cloudflare’s MVPs provide a similar value to our customers and product teams. I sincerely believe the broader ecosystem is greatly enhanced by their insights and efforts. The level of experience that folks utilizing Cloudflare have varies widely and the tutorials, troubleshooting and opinions the Cloudflare MVPs offer blows me away on a daily basis.

As a former Microsoft Exchange MVP (10+ years) I will have to respectfully disagree.

We’ll also have to respectfully disagree on this point as well.

To be fair, we’ve certainly found a number of really broken DNS providers since we launched the service. Some can’t handle things like query minimization or other privacy-related features of our resolver. We’ve made a number of improvements to the software to detect/deal with some of those issues, but the internet is a big place, and the number of new and exciting ways that %software provider X% can find to not be RFC compliant or just plain broken is pretty large. And some… like Cisco having decided to use 1.1.1.1 in their own app/portal/hardware, are pretty much out of our control. Others… like the decision of a certain archive site to return intentionally poisoned results to our resolver when users query for their DNS, are similarly out of our control.

We’re continually improving the service (and recently launched a test set of IPs for tech savvy users who are open to potential instability in order to beta test new code). We hope that over time the service will become even better for our customers… and in some cases we can be a forcing function for insecure/broken resolvers to actually fix their issues rather than compromising the security of the consumers of their service.

Appreciate the feedback, and thanks to @Zenexer for the great troubleshooting questions. :)

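Two failure modes come up in this thread: a network that silently blocks or filters 1.1.1.1 (the Cisco Umbrella case above), and a domain whose DNSSEC is broken so that a validating resolver returns SERVFAIL while non-validating resolvers answer. They can be told apart by sending the same query twice to the resolver, once normally and once with the CD (checking disabled) bit set: a DNSSEC-bogus zone fails the first and succeeds the second, whereas a blocked resolver answers neither. The following is an added example written for this page, not code from the thread or from Cloudflare. It builds DNS queries by hand with the standard library (EDNS0 with the DO bit, so the resolver reports validation status via the AD bit), parses the response header, and classifies the outcome. The sample responses used by `sample_response` are constructed for offline demonstration, not captured traffic; `diagnose_resolver` and the names in `main` are this example's own.

```python
"""Distinguish 'resolver blocked' from 'DNSSEC bogus' using raw DNS queries."""
import socket
import struct

# DNS header flag bits (RFC 1035 / RFC 4035) and the DO bit in the EDNS0 OPT TTL field
QR, RD, RA, AD, CD = 1 << 15, 1 << 8, 1 << 7, 1 << 5, 1 << 4
DO = 1 << 15
RCODE_NAMES = {0: "noerror", 2: "servfail", 3: "nxdomain", 5: "refused"}


def build_query(name, qtype=1, check_disabled=False, txid=0x1234):
    """Return a wire-format query (RD set, EDNS0 with DO set, optional CD bit)."""
    flags = RD | (CD if check_disabled else 0)
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 1)  # one question, one OPT RR
    labels = name.rstrip(".").split(".")
    qname = b"".join(struct.pack("B", len(l)) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack(">HH", qtype, 1)  # qtype, class IN
    # OPT RR: root name, type 41, class = UDP payload size, TTL = ext-rcode/version/flags, rdlen 0
    opt = b"\x00" + struct.pack(">HHIH", 41, 1232, DO, 0)
    return header + question + opt


def parse_header(msg):
    """Decode the 12-byte DNS header into the fields the diagnosis needs."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & QR), "ad": bool(flags & AD),
            "cd": bool(flags & CD), "rcode": flags & 0xF, "ancount": an}


def send_query(server, query, timeout=3.0):
    """UDP round trip to port 53; the socket family follows the server address
    (an IPv6 literal such as 2606:4700:4700::1111 exercises the v6 path). None on timeout."""
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return data


def diagnose(normal, cd_resp):
    """Classify from a validating answer and a CD=1 answer to the same question."""
    if normal is None:
        return "unreachable"          # filtered path, blocked resolver, or resolver down
    n = parse_header(normal)
    if n["rcode"] == 2:
        if cd_resp is not None and parse_header(cd_resp)["rcode"] == 0:
            return "dnssec-bogus"     # answers only when told not to validate
        return "servfail"             # genuinely broken upstream, not a DNSSEC issue
    if n["rcode"] == 0:
        return "secure" if n["ad"] else "insecure"   # AD = validated chain of trust
    return RCODE_NAMES.get(n["rcode"], "rcode-%d" % n["rcode"])


def diagnose_resolver(server, name):
    """Run the two-query probe against a live resolver."""
    normal = send_query(server, build_query(name))
    cd_resp = send_query(server, build_query(name, check_disabled=True))
    return diagnose(normal, cd_resp)


def sample_response(rcode, ad=False, cd=False, txid=0x1234):
    """Constructed response header for offline demonstration (not a real capture)."""
    flags = QR | RD | RA | (rcode & 0xF) | (AD if ad else 0) | (CD if cd else 0)
    return struct.pack(">HHHHHH", txid, flags, 1, 1 if rcode == 0 else 0, 0, 0)


if __name__ == "__main__":
    # Live use: compare 1.1.1.1 over IPv4 and IPv6 against another public resolver.
    for server in ("1.1.1.1", "2606:4700:4700::1111", "8.8.8.8"):
        print(server, diagnose_resolver(server, "example.com"))
```

Running the script on the network in question gives one word per resolver: `unreachable` on every 1.1.1.1 address but not on other resolvers points at the network blocking 1.1.1.1; `dnssec-bogus` for a bank's hostname points at that bank's zone rather than the resolver. Because `send_query` chooses the socket family from the server address, probing both 1.1.1.1 and 2606:4700:4700::1111 also shows whether the IPv6 path behaves differently from the IPv4 one.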

In this particular case, however, I use most of the providers in question on 1.1.1.1 without issue. While it’s reasonable to expect that there might be some variations between regions, such widespread problems with common services don’t really make sense to blame on 1.1.1.1–there’s almost certainly another factor at play here.

  1. Are you attempting this on a phone?
  2. If it’s a phone, is it iOS or Android?
  3. If it’s a phone, are you using the 1.1.1.1 app, or have you manually configured 1.1.1.1 as your DNS server?
  4. If you’re using the app, is Warp enabled, or do you have it set to DNS-only?
  5. Who is your carrier/ISP?
  6. Do these problems occur when you’re connected to Wi-Fi, 4G, or both?
  7. In which country is this occurring?
  8. With 1.1.1.1 enabled, go to https://1.1.1.1/help , copy the URL it gives you in the box, and paste it here.
  9. With 1.1.1.1 disabled, repeat the process in step 8. You should now have two links.

I’m unable to reproduce the Google Maps issue you described on both iOS and Android, regardless of how I’m using 1.1.1.1 and whether Warp is enabled. There is a strong chance this is an issue with your phone, ISP, or network.
1. LG phone
2. Android 7
3. 1.1.1.1 app only
4. Never Warp
5. Metro by T-Mobile
6. Only 4G
7. USA
8, 9. Later… no cell service in here, replying from a business desktop

Yeah, maybe phone or carrier. A while ago another line’s TMO phone on T-Mobile itself, with no Cloudflare on it, would not receive TMo’s own security codes. Level 3 CS troubleshot and fixed it, extending a free month’s credit for the trouble.

To be clear, my initial post was split off from a thread where the poster could not access two Banks, but could with different DNS provider, and things got a bit chippy.

To be fair, I agree with cscharff though.

Although, Privacy.com issue, like others’, is not of simple initial access, it’s rather when other sites / modules interface. So Privacy calls on Stripe who calls on Cap1 for example, and the process just hangs forever until finally failing.

McDonalds app glitch, to cite other examples: you place mobile order for pickup, payment goes through, but then their system does not see you arriving and store does not receive order.
CVS app works except when accessing pharmacy section for rx pickup: makes you relogin and then says your credentials are erroneous. (That was a mess of resetting pw thru email, new PW not accepted, getting locked out for too many tries, calling CS, them troubleshooting, then escalating higher… to no avail)

Every single issue frequently reoccurs when phone has restarted and I’ve missed reclosing CF app.
And yes, a simple shutdown of it fixes everything I’ve mentioned every time.
Default carrier dns, OpenDNS, Google DNS don’t replicate these issues.

I endured this over a year, blaming the individual sites. One day I wanted to compare speedtest results with CF off, and on a whim thought to check if stupids Stripe / Privacy.com / Cap1 had fixed their issues. And that lit a light bulb. And all other sites now worked.
Then after a phone restart none would work. And that took a while to refigure out because I had clicked the don’t restart CF until I restart it.
And this replayed because I watched the next reboot notification screen and CF icon didn’t appear- it does quite a bit later.

Next month I’ll have this particular line on a different brand phone and different Network(Verizon instead of TMobile) and check out of curiosity.

Can you try manually setting your Android DNS server to 1.1.1.1 instead of using the app? That works a little differently from using the app. There’s not too much point to using the app on Android if you’re not also using Warp.

If that fixes it, do you have a stock ROM, or something custom?

I’ve been using 1.1.1.1 with T-Mobile and wired internet for a long time now, but I haven’t experienced anything like what you described. The company for which I work has been using 1.1.1.1 for the office’s DNS since around the time it came out; we haven’t had any issues reported accessing banks, Stripe, Privacy.com, etc. We accept payments through Stripe, so that’s definitely something that would’ve been noticed. We did at one point have a very small list of hostnames that we’d pass to 8.8.8.8 instead of 1.1.1.1, but the only major one on the list was archive.is.


Hi Z.
LG phone, Android 7 w/ security updates provided until this past February, stock-except for unlocked bootloader in Dev. Options.

BTW in Android apps settings for CF, I’ve just enabled location and storage Permissions, nothing else listed there, and app not listed in Special Permissions area. Just in case.

Aaannndddd… Bingo!!! Great idea on your part!

First I enabled CF and fired up a survey app that usually fails (it interacts with third party surveys and PayPal), which failed as usual. Disabled CF and it immediately worked.
Then I manually changed the IPv4 & IPv6 DNS to CF and the app still worked fine.

This intrigued me to check at whatsmydnsserver:

When CF is enabled website shows CF then TMobile, when I disable CF it lists TMobile twice, when I manually change it lists CF twice.

So I assume CF app only changes ipv4?

FWIW my apn settings have always been ipv4 and ipv6(I originally changed this from default ipv6 at purchase time), roaming ipv4(never changed this default).

Just to reiterate that the previous issues were on the apps, fintech and or geared for phone over computer- most functions available on the app only. After logging in nothing else worked. Surfing to website would not help testing or even verifying anything was wrong.