Using DNS over HTTPS without a regular DNS query for cloudflare-dns.com


#1

Hi,

I am developing devices that call home. Instead of having our server DNS hardcoded, I want to use a DNS server. I want the device to rely as little as possible on the network infrastructure, so I would like to have only HTTPS requests, without any DNS requests. The documentation suggests using:

curl 'https://cloudflare-dns.com/dns-query?ct=application/dns-json&name=example.com&type=AAAA'

However, for this query to work there must be a successful regular DNS query to find the IP of cloudflare-dns.com.

I found out that this query works, which doesn’t require the additional regular DNS query:

curl --resolve cloudflare-dns.com:443:1.1.1.1 'https://cloudflare-dns.com/dns-query?ct=application/dns-json&name=example.com&type=AAAA'

My questions are:

  1. Is this guaranteed to work, so I can rely on this working for my devices to call home?
  2. If it is guaranteed to work, I think it’s a good idea to add this to the documentation.

Thank you very much,
Noam


#2

Why not just curl to https://1.1.1.1? I just tried it and got the same response as curl to the FQDN.

As for the guarantee, it’s as guaranteed as anything else around here. But reliability has been stellar.

Now…as you watch the message boards, you’ll see several locations where 1.1.1.1 doesn’t work, for various reasons beyond Cloudflare’s control. That’s going to be the biggest failure point in this process.


#3

Thanks! I think that using curl https://1.1.1.1 is less secure, since I don’t see how it can verify that the certificate matches - the certificate is for cloudflare-dns.com.

Regarding guarantee, perhaps I should use a better term. I understand that there is no contractual obligation. My question is whether it’s a part of the public API so Cloudflare wouldn’t change it without a good reason, or whether it’s a hack that works now but may not work tomorrow.

Regarding availability, thanks for letting me know! I think that I’ll use 1.0.0.1 instead, as is suggested here.


#4

Check the certificate’s full list of SANs. The certificate is for:

  • *.cloudflare-dns.com
  • 1.1.1.1
  • 1.0.0.1
  • cloudflare-dns.com
  • 2606:4700:4700::1111
  • 2606:4700:4700::1001

https://crt.sh/?q=1.1.1.1

(Certificates for IP addresses are uncommon, and occasionally not supported by software, but valid.)


#5

Cool! Thanks!

So now the only thing that bothers me, because of stability concerns, is why doesn’t the documentation mention using curl https://1.1.1.1. Why rely on the system’s DNS lookup when you don’t have to?


#6

Yes, it works.

And this is exactly what dnscrypt-proxy does when using Cloudflare as a resolver.

As long as the certificate for one of the SANs can be verified, this is fine.
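An added example, not Cloudflare's code nor anything from the documentation, that ties together the pinned-IP query from #1 and the SAN discussion in #4 and #6. It does in Python what `curl --resolve cloudflare-dns.com:443:1.1.1.1 ...` does: TCP to the pinned address, TLS with SNI and certificate verification against the hostname, so no system DNS lookup ever happens. Passing `host="1.1.1.1"` reproduces the bare `curl https://1.1.1.1` form, which only verifies because the certificate carries the IP as a SAN. The `san_matches` helper spells out that matching rule (case-insensitive names, single-label wildcards, IP literals compared as parsed addresses) so it can be checked offline. Assumptions: the hostname, resolver IPs and SAN list quoted in this thread; Python 3.7+ whose `ssl` module verifies IP-address SANs; and a constructed `dns-json` reply using a documentation-prefix address.

```python
"""Pinned-IP DNS-over-HTTPS (JSON) lookup, the equivalent of
curl --resolve cloudflare-dns.com:443:1.1.1.1 'https://cloudflare-dns.com/dns-query?...'
Added example, not Cloudflare's code. Hostname, IPs and SANs are taken from the
thread; SAMPLE_RESPONSE is constructed."""
import http.client
import ipaddress
import json
import socket
import ssl
from urllib.parse import urlencode

DOH_HOST = "cloudflare-dns.com"
DOH_PIN_IPS = ("1.1.1.1", "1.0.0.1")            # assumed from the thread
CLOUDFLARE_DOH_SANS = [                          # as listed in post #4
    "*.cloudflare-dns.com", "1.1.1.1", "1.0.0.1", "cloudflare-dns.com",
    "2606:4700:4700::1111", "2606:4700:4700::1001",
]
SAMPLE_RESPONSE = json.dumps({                   # constructed dns-json body
    "Status": 0, "TC": False, "RD": True, "RA": True, "AD": True, "CD": False,
    "Question": [{"name": "example.com", "type": 28}],
    "Answer": [{"name": "example.com", "type": 28, "TTL": 300, "data": "2001:db8::1"}],
}).encode()


def doh_json_url(name, rtype="AAAA", host=DOH_HOST):
    """Build the JSON endpoint URL exactly as the documented curl example does."""
    query = urlencode({"ct": "application/dns-json", "name": name, "type": rtype}, safe="/")
    return f"https://{host}/dns-query?{query}"


def san_matches(target, sans):
    """Does `target` (DNS name or IP literal) match one of the certificate's SANs?
    DNS names compare case-insensitively; a wildcard must be the whole leftmost
    label and matches exactly one label (RFC 6125). IP literals are compared as
    parsed addresses, so 2606:4700:4700:0:0:0:0:1111 matches the compressed form
    in the cert, and an IP never matches a DNS wildcard."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        for san in sans:
            try:
                if ipaddress.ip_address(san) == ip:
                    return True
            except ValueError:          # a DNS-name SAN, not an IP
                continue
        return False
    labels = target.lower().rstrip(".").split(".")
    for san in sans:
        san_labels = san.lower().rstrip(".").split(".")
        if len(san_labels) != len(labels) or len(labels) < 2:
            continue
        if san_labels == labels:
            return True
        if san_labels[0] == "*" and san_labels[1:] == labels[1:]:
            return True
    return False


def parse_doh_json(body):
    """Return the answer rdata from a dns-json body; raise on a non-zero RCODE
    so NXDOMAIN is never mistaken for an empty answer."""
    doc = json.loads(body)
    if doc.get("Status", 0) != 0:
        raise RuntimeError(f"DNS RCODE {doc['Status']}")
    return [rr["data"] for rr in doc.get("Answer", [])]


def doh_query(name, rtype="AAAA", pin_ip=DOH_PIN_IPS[0], host=DOH_HOST, timeout=5):
    """Connect to pin_ip but present SNI and verify the certificate for `host`
    (the --resolve behaviour). With host=pin_ip this becomes `curl https://1.1.1.1`,
    which verifies only because the IP appears as a SAN."""
    ctx = ssl.create_default_context()  # system CA bundle, hostname check on
    path = doh_json_url(name, rtype, host).split(host, 1)[1]
    with socket.create_connection((pin_ip, 443), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            req = (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
                   f"Accept: application/dns-json\r\nConnection: close\r\n\r\n")
            tls.sendall(req.encode("ascii"))
            resp = http.client.HTTPResponse(tls, method="GET")
            resp.begin()
            if resp.status != 200:
                raise RuntimeError(f"DoH returned HTTP {resp.status}")
            return parse_doh_json(resp.read())


if __name__ == "__main__":
    for t in ("cloudflare-dns.com", "1.1.1.1", "2606:4700:4700:0:0:0:0:1111", "example.com"):
        print(f"{t:32} SAN match: {san_matches(t, CLOUDFLARE_DOH_SANS)}")
    print(doh_query("example.com", "AAAA"))          # needs network access
```

The client-side check that matters is `ctx.wrap_socket(..., server_hostname=host)`: the certificate is validated against whatever you pass there, independent of the IP you dialled, so pinning the address does not weaken verification. If a device's TLS stack cannot match IP-address SANs (post #4's caveat), keep `host` as the DNS name and only pin the IP, which is exactly what `--resolve` does.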


#7

Good question. Maybe @cscharff has an answer. I can only imagine that people freak out when they see an IP address in a URL.


#8

This is just an example. The shortest curl example to demonstrate what a query looks like.

Applications actually spawning the curl command to perform DNS resolution are not expected to be very common.


#9

Two reasons I can think of.

  1. cloudflare-dns.com uses an IP address which is more universally available than 1.1.1.1
  2. The example was meant to be illustrative, not exhaustive.