Coffee Space


Bye Cloudflare DNS

Due to my crappy and broken Ubuntu install on my main machine, I am forced to always set my /etc/resolv.conf on boot 1. I remember 8.8.8.8 off the top of my head, but I don’t like the idea of giving Google even more of my data. The other one I can remember is 1.1.1.1, which is the Cloudflare DNS server.

It has been mostly fine, but I have noticed a few issues with it:

  1. Throttling - They appear to be throttling my DNS requests. The default behaviour of my applications, on detecting a DNS failure, is to make another DNS request. This creates infinite request loops that just grind the entire process down to a halt. Ideally I would be caching these DNS requests locally, but given how broken this system is, I don’t dare prod it any more than I have to.
  2. Random censorship - Occasionally I like to browse websites like Bloomberg, but these are pay-walled. I therefore use a workaround such as archive.today, but Cloudflare blocks this by default. It turns out that the website owner and Cloudflare had a disagreement, and Archive.today poisons their DNS results. This is a well documented issue. Technically Cloudflare could just query a fellow DNS server, but they too have taken a stance on the issue.
  3. Privacy - Cloudflare claim to be for privacy, yet they collect a lot of data about your internet usage. On top of this, they essentially run the entire web and ‘protect’ everybody against DDoS attacks. I believe it to be no exaggeration when I suggest they are quickly becoming a single point of failure.
  4. Access - Despite using a Cloudflare DNS server, I still get hit by their “checking” a lot. I really don’t want to feed into this bad practice any more than I have to.

Workaround

After a quick stop at alternativeto.net to jog my memory on what options exist, I found Quad9, which I quite like. I went with the “least secure” configuration; I’ll take my chances on the gunslinging crazy web like the cowboy I am.

I was finally motivated enough to fix this with a quick hack:

#!/bin/bash
# Overwrites /etc/resolv.conf with Quad9's unsecured (no blocklist) resolvers.
# Needs root, e.g. sudo bash setup-dns.sh
echo "Copying over DNS configuration"
echo "# Configuration from ~/setup-dns.sh" > /etc/resolv.conf
echo "nameserver 9.9.9.10"       >> /etc/resolv.conf
echo "nameserver 149.112.112.10" >> /etc/resolv.conf
echo "nameserver 2620:fe::10"    >> /etc/resolv.conf
# note: glibc's stub resolver only consults the first three nameserver lines
echo "nameserver 2620:fe::fe:10" >> /etc/resolv.conf
echo "Replaced DNS configuration"
exit

This is in the script setup-dns.sh, and you need sudo (or root) to run it. Every time I boot, I will likely do something like:

$ ping 8.8.8.8
# Some message about failure to ping
$ sudo bash setup-dns.sh
Copying over DNS configuration
Replaced DNS configuration
$ ping 8.8.8.8
# Some message back from Google DNS servers

Why ping Google DNS? They are exceptionally strong servers I would expect to always be up. I don’t much admire their privacy, but I cannot fault their reliability 2.
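The script above writes the file in place with a chain of echo redirects, and the ping of 8.8.8.8 afterwards confirms that IP connectivity is back, not that the new resolvers actually answer queries. The following is an added example, not the post's own setup-dns.sh: it writes the same four Quad9 unsecured addresses, but through a temp file and an atomic rename, keeps a .bak copy of the previous file, and verifies the result with a fixed-string check. The filename setup-dns-atomic.sh and the optional target-path argument (which lets it be dry-run without root) are assumptions for this example.

```shell
#!/bin/bash
# Added example (not the post's setup-dns.sh): write the same Quad9 unsecured
# resolver set, but to a path given as an argument, via a temp file and an
# atomic rename, keeping a .bak copy of whatever was there. Run with
#   sudo bash setup-dns-atomic.sh apply                 # real /etc/resolv.conf
#   bash setup-dns-atomic.sh apply /tmp/resolv.conf     # dry run, no root needed
set -eu

# Quad9 "unsecured" addresses (no malware blocklist, no DNSSEC validation),
# the same four the post uses. glibc's stub resolver only consults the first
# three nameserver lines (MAXNS), so the fourth is a spare glibc ignores.
QUAD9_UNSECURED="9.9.9.10 149.112.112.10 2620:fe::10 2620:fe::fe:10"

# write_resolv_conf TARGET: build the file next to TARGET, then rename it into
# place so a reader never sees a half-written resolv.conf.
write_resolv_conf() {
    local target="$1" tmp ns
    if [ -L "$target" ]; then
        # e.g. systemd-resolved keeps /etc/resolv.conf as a symlink into /run;
        # mv below replaces the link itself, '>' would have written through it.
        echo "note: $target is a symlink, replacing it with a regular file" >&2
    fi
    tmp="$(mktemp "${target}.XXXXXX")"
    {
        echo "# Configuration from setup-dns-atomic.sh (Quad9 unsecured)"
        for ns in $QUAD9_UNSECURED; do
            echo "nameserver $ns"
        done
    } > "$tmp"
    if [ -e "$target" ]; then
        cp -p "$target" "${target}.bak"   # keep the previous config to revert to
    fi
    chmod 0644 "$tmp"    # mktemp creates 0600; resolv.conf must be world-readable
    mv -f "$tmp" "$target"
}

# check_resolv_conf TARGET: returns 0 only if every expected nameserver line is
# present (fixed-string, whole-line match, so "9.9.9.10" cannot match "9x9x9x10").
check_resolv_conf() {
    local target="$1" ns
    for ns in $QUAD9_UNSECURED; do
        grep -qxF "nameserver $ns" "$target" || return 1
    done
    return 0
}

if [ "${1:-}" = "apply" ]; then
    target="${2:-/etc/resolv.conf}"
    write_resolv_conf "$target"
    check_resolv_conf "$target"
    echo "Replaced DNS configuration in $target"
fi
```

After applying it for real, a query that goes through the resolver is the check that matters: `dig @9.9.9.10 example.com` confirms the Quad9 server answers, and `getent hosts example.com` confirms the local stub resolver is using the new file. Whether the file survives a reboot depends on what manages it; on hosts running systemd-resolved, /etc/resolv.conf is normally a symlink into /run/systemd/resolve/ and is regenerated, which is why the script notes when it replaces a symlink.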


  1. I would have reinstalled by now, but at the end of my PhD seems like awful timing. I also need a new laptop anyway, so will do both at the same time.

  2. Until Google randomly one day decide they will kill the product with little to no warning at all.