Using DNS over HTTPS without a regular DNS query for cloudflare-dns.com

Hi,

I am developing devices that call home. Instead of having our server DNS hardcoded, I want to use a DNS server. I want the device to rely as little as possible on the network infrastructure, so I would like to have only https requests, without any DNS requests. The documentation suggests using:

curl 'https://Cloudflare-dns.com/dns-query?ct=application/dns-json&name=example.com&type=AAAA'

However, for this query to work there must be a successful regular DNS query to find the IP of Cloudflare-dns.com.

I found out that this query works, which doesn’t require the additional regular DNS query:

curl --resolve Cloudflare-dns.com:443:1.1.1.1 'https://Cloudflare-dns.com/dns-query?ct=application/dns-json&name=example.com&type=AAAA'

My questions are:

  1. Is this guaranteed to work, so I can rely on this working for my devices to call home?
  2. If it is guaranteed to work, I think it’s a good idea to add this to the documentation.

Thank you very much,
Noam

Why not just curl to https://1.1.1.1? I just tried it and got the same response as curl to the FQDN.

As for the guarantee, it’s as guaranteed as anything else around here. But reliability has been stellar:

Now…as you watch the message boards, you’ll see several locations where 1.1.1.1 doesn’t work, for various reasons beyond Cloudflare’s control. That’s going to be the biggest failure point in this process.

Thanks! I think that using curl https://1.1.1.1 is less secure, since I don’t see how it can verify that the certificate matches - the certificate is for Cloudflare-dns.com.

Regarding guarantee, perhaps I should use a better term. I understand that there is no contractual obligation. My question is whether it’s a part of the public API so Cloudflare wouldn’t change it without a good reason, or whether it’s a hack that works now but may not work tomorrow.

Regarding availability, thanks for letting me know! I think that I’ll use 1.0.0.1 instead, as is suggested here.

Check the certificate’s full list of SANs. The certificate is for:

  • *.Cloudflare-dns.com
  • 1.1.1.1
  • 1.0.0.1
  • Cloudflare-dns.com
  • 2606:4700:4700::1111
  • 2606:4700:4700::1001

(Certificates for IP addresses are uncommon, and occasionally not supported by software, but valid.)
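
An added example, not from this thread or from Cloudflare, that shows how the SAN check described above decides whether the resolver certificate covers the host part of a DoH URL. The SAN list is a constructed sample copied from the reply, and hypothetical helper names are used; a real TLS client does this check for you, but seeing it spelled out makes clear why `https://1.1.1.1/dns-query` verifies without a prior DNS lookup.

```python
import ipaddress
from urllib.parse import urlsplit

# SAN list as quoted in the thread (constructed sample, not read from a live certificate).
CLOUDFLARE_DNS_SANS = [
    ("DNS", "*.cloudflare-dns.com"),
    ("IP Address", "1.1.1.1"),
    ("IP Address", "1.0.0.1"),
    ("DNS", "cloudflare-dns.com"),
    ("IP Address", "2606:4700:4700::1111"),
    ("IP Address", "2606:4700:4700::1001"),
]


def _dns_name_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style match: case-insensitive; a wildcard covers exactly one leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                      # "*.cloudflare-dns.com" -> ".cloudflare-dns.com"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost   # one label only, so a.b.example fails


def cert_valid_for_host(host: str, sans) -> bool:
    """True if any SAN covers `host`, which may be a DNS name or a literal IPv4/IPv6 address."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        ip = None                             # not an IP literal, so compare against DNS SANs
    for kind, value in sans:
        if ip is not None and kind == "IP Address" and ipaddress.ip_address(value) == ip:
            return True
        if ip is None and kind == "DNS" and _dns_name_matches(value, host):
            return True
    return False


def doh_url_is_verifiable(url: str, sans=CLOUDFLARE_DNS_SANS) -> bool:
    """Does the host of a DoH URL (e.g. https://1.0.0.1/dns-query?...) match the certificate?"""
    hostname = urlsplit(url).hostname         # lowercases, drops the port and IPv6 brackets
    return hostname is not None and cert_valid_for_host(hostname, sans)
```

With this certificate, `https://1.1.1.1/...`, `https://1.0.0.1/...` and `https://[2606:4700:4700::1111]/...` all verify, so no system DNS lookup is needed to reach the resolver.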

Cool! Thanks!

So now the only thing that bothers me, because of stability concerns, is why doesn’t the documentation mention using curl https://1.1.1.1. Why rely on the system’s DNS lookup when you don’t have to?

Yes, it works.

And this is exactly what dnscrypt-proxy does when using Cloudflare as a resolver.

As long as the certificate for one of the SANs can be verified, this is fine.

Good question. Maybe @cs-cf has an answer. I can only imagine that people freak out when they see an IP address in a URL.

This is just an example. The shortest curl example to demonstrate what a query looks like.

Applications actually spawning the curl command to perform DNS resolution are not expected to be very common.

Two reasons I can think of.

  1. Cloudflare-dns.com uses an IP address which is more universally available than 1.1.1.1
  2. The example was meant to be illustrative, not exhaustive.