1.1.1.1: Faster & Safer Internet

  • Thread starter: Sushubh
  • Replies: 25
  • Views: 4,848
How many of you have switched your DNS servers to 1.1.1.1 from 8.8.8.8? Pings for me have always been faster on 8.8.8.8.
 
I switched to 1.0.0.1 and 1.1.1.1 because it offers DNS encryption.

But I hardly used 8.8.8.8 earlier. I was using OpenDNS (which doesn't offer DNS encryption).

I used 8.8.8.8 / 8.8.4.4 only when OpenDNS had any issue.
 
There is no such thing as internal support in Linux because Linux is a group of packages.

If a package is part of the base group then you may call it internal.

In Linux, the BIND name server supports DNSSEC, but not DoT or DoH.

Firefox users can use DoH but it won't be system level.

However, there are packages which can act as a DoT or DoH proxy.
 
Was wondering if popular distros include support out of the box, especially in the GUI. Like Ubuntu or Mint.
 


8.8.8.8 had no issues for me but OpenDNS was having lots of trouble.... So shifted back to Google.
But even SafeDNS is good.
 
Was wondering if popular distros include support out of the box, especially in the GUI. Like Ubuntu or Mint.

Most distros have a GUI to change the nameserver, so you can install an appropriate DNS resolver and change the nameserver to 127.0.0.1.

The problem is that not all resolvers support all methods. One supports DNSSEC but not DoT/DoH, another supports DoT/DoH but not DNSSEC.

Domain name resolution - ArchWiki

Once there is a proper standard for DNS encryption, I believe most software will have out-of-the-box support.
 
BIND ... which uses Cloudflare and also uses local caching. Encryption is using DNSSEC and not DoT or DoH
 
Ah right. I have BIND installed on the Pi. Used it for a while but dropped it later on. DoT and DoH are both encryption as well, right? Or are they just considered secure lol?
 
DoT and DoH are secure but not yet popular. For system-level DoH you must have a DNS proxy (be it Windows or Linux).

They are still an upcoming standard and, except for a few top DNS providers, most of the ISPs don't support them yet.
 
Currently you cannot bypass the ISP even with DoT or DoH.

Because they don't trace DNS queries but the HTTP or certificate domain for HTTPS.

You need to wait for TLS 1.3 along with ESNI support - that's when ISPs won't be able to track you (except knowing the IP / port you connected to).

TLS 1.3 supports encrypted certificates and Encrypted SNI. Its extension is under testing by Cloudflare. This will completely hide the domain you are connecting to.
 
