this post was submitted on 29 Mar 2022
Stay away from Cloudflare (www.unixsheikh.com)
submitted 2 years ago* (last edited 2 years ago) by Amicchan@lemmy.ml to c/technology@lemmy.ml

What DNS provider do I use now?

top 29 comments
[–] cypherpunks@lemmy.ml 11 points 2 years ago
[–] jokeyrhyme@lemmy.ml 9 points 2 years ago (2 children)

I think this rant greatly exaggerates the alleged "risk" that CloudFlare poses, and also makes unsubstantiated claims about the inadequate protection provided by CloudFlare

I do think it's a good thing for more people to consider self-hosted options, but we should do this on the merits and not in an artificial climate of fear

[–] blank_sl8@lemmy.ml 9 points 2 years ago (1 children)

There's no way to know what Cloudflare is doing with your data. It is therefore a true risk. We have the technology (end-to-end HTTPS) to allow DDoS protection without allowing a man in the middle. If Cloudflare is doing something else, we have full reason to be skeptical.

[–] jokeyrhyme@lemmy.ml 2 points 2 years ago (2 children)

Sure, and it'd be nice for CloudFlare to offer a service that was compatible with end-to-end HTTPS

But this would be incompatible with the CAPTCHA insertion, right?

And instead of being able to use signal from the content of requests to identify an attack, they'd only be able to use the signal from the unencrypted part of the TCP exchange

This seems like inferior protection to me, but for some this might be the better compromise, and we have every right to seek such a compromise

[–] nutomic@lemmy.ml 6 points 2 years ago (1 children)

Using captchas is another problem with cloudflare, no other hoster/provider needs that. So for users there are just downsides with cloudflare. Unfortunately a lot of websites decide to use it, and there is nothing we can do.

[–] blank_sl8@lemmy.ml 3 points 2 years ago (1 children)

True, there are some attacks that cloudflare may be better positioned to mitigate...but a well-designed application won't be susceptible to attacks unless they involve a huge amount of traffic, and in those cases the amount of traffic is so huge that it can be detected easily without needing to see the http content.

[–] jokeyrhyme@lemmy.ml 1 points 2 years ago

For some sites, both the content publisher and the consumer may prioritise availability over perfect secrecy (e.g. distributing life-saving information in a natural disaster or war)

There might not be a single product on the planet that is more suitable for this use case than Cloudflare

Many sites and many consumers will not share this priority of values, however, so I agree that Cloudflare is inappropriate for these cases

[–] isleofmist@lemmy.ml 6 points 2 years ago* (last edited 2 years ago) (1 children)

The biggest point against cloudflare is that it is a US-based company and is vulnerable to US government spying.

[–] jokeyrhyme@lemmy.ml 3 points 2 years ago (1 children)

I'm sure for many people it is true that the USA government is a major threat, but neither "USA" nor "government" appear in the article/rant, and ideally an article written for these people wouldn't single CloudFlare out, but would list major companies that this applies to equally

I'd even take this further and say that we shouldn't trust software (or hardware) vendors that are beholden to laws in any of the Five Eyes countries ( https://en.wikipedia.org/wiki/Five_Eyes )

Australia's Assistance and Access Bill 2018 surely damages the credibility of Australian vendors, possibly even more than USA vendors: https://www.techtarget.com/searchsecurity/definition/Australian-Assistance-and-Access-Bill

[–] tardigrada@lemmy.ml 1 points 2 years ago

Just read the BBC article, see the link I posted above. The US government was directly involved when they started Cloudflare. Cloudflare's CEO leaves no doubt about that.

[–] nachtigall@feddit.de 8 points 2 years ago

What DNS provider do I use now?

Kuketz Blog has compiled a nice list of uncensored, non-logging DNS providers (see spoiler below). If you live in Europe those should be sufficiently fast.

::: spoiler Alternative DNS providers
Digitalcourage | Server location: Germany

[1] dns3.digitalcourage.de (supports DNSSEC)
DNS over TLS:
   Host: dns3.digitalcourage.de
   Port: 853
   IPv4: 5.9.164.112
   IPv6: 2a01:4f8:251:554::2
Special feature: supports only DNS over TLS (DoT)

dismail.de | Server location: Germany

[1] fdns1.dismail.de (supports DNSSEC)
Unencrypted (port 53)
   IPv4: 80.241.218.68
   IPv6: 2a02:c205:3001:4558::1
DNS over TLS:
   Host: fdns1.dismail.de
   Port: 853
Special feature: ad and tracking filter list

[2] fdns2.dismail.de (supports DNSSEC)
Unencrypted (port 53)
   IPv4: 159.69.114.157
   IPv6: 2a01:4f8:c17:739a::2
DNS over TLS:
   Host: fdns2.dismail.de
   Port: 853
Special feature: ad and tracking filter list

dnsforge.de | Server location: Germany

[1] dnsforge.de (supports DNSSEC)
Unencrypted (port 53)
   IPv4: 176.9.93.198
   IPv6: 2a01:4f8:151:34aa::198
   IPv4: 176.9.1.117
   IPv6: 2a01:4f8:141:316d::117
DNS over TLS:
   Host: dnsforge.de
   Port: 853
Special feature: ad and tracking filter list

Mullvad | Server location: Germany, Australia, Switzerland and other countries

[1] adblock.doh.mullvad.net (supports DNSSEC)
DNS over TLS:
   Host: adblock.doh.mullvad.net
   Port: 853
   IPv4: 194.242.2.3
   IPv4: 193.19.108.3
   IPv6: 2a07:e340::3
DNS over HTTPS:
   Host: https://adblock.doh.mullvad.net/dns-query
   Port: 443
Special feature: ad and tracking filter list | supports only DNS over TLS (DoT) and DNS over HTTPS (DoH)

ffmuc.net | Server location: Germany

[1] dot.ffmuc.net (supports DNSSEC)
Unencrypted (port 53)
   IPv4: 5.1.66.255
   IPv6: 2001:678:e68:f000::
   IPv4: 185.150.99.255
   IPv6: 2001:678:ed0:f000::
DNS over TLS:
   Host: dot.ffmuc.net
   Port: 853

Digitale Gesellschaft | Server location: Switzerland

[1] dns.digitale-gesellschaft.ch (supports DNSSEC)
DNS over TLS:
   Host: dns.digitale-gesellschaft.ch
   Port: 853
DNS over HTTPS:
   Host: https://dns.digitale-gesellschaft.ch/dns-query
   Port: 443

UncensoredDNS | Server location: Denmark

[1] anycast.censurfridns.dk (supports DNSSEC)
Unencrypted (port 53)
   IPv4: 91.239.100.100
   IPv6: 2001:67c:28a4::

[2] unicast.censurfridns.dk (supports DNSSEC)
Unencrypted (port 53)
   IPv4: 89.233.43.71
   IPv6: 2a01:3a0:53:53::
DNS over TLS:
   Host: unicast.uncensoreddns.org
   Port: 853
:::
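Added example (not part of this comment or of the Kuketz list): what a stub resolver actually does when it talks to one of the DNS-over-TLS servers listed above. It builds the query in RFC 1035 wire format, wraps it in the two-byte length prefix RFC 7858 requires on a TLS stream, opens the TLS session with certificate and hostname verification against the listed `Host` value, and on the way back checks the transaction id before trusting the answer. Everything uses the Python standard library; the `SAMPLE_RESPONSE` bytes are constructed here so the parsing path can be exercised offline, and the resolver host/IP passed to `resolve_over_tls` is taken from the list (dns3.digitalcourage.de at 5.9.164.112 in the usage comment) purely as a parameter.

```python
"""Minimal DNS-over-TLS (DoT) stub resolver using only the standard library.

Added example, not from the thread. Wire format per RFC 1035, DoT framing
per RFC 7858. SAMPLE_RESPONSE below is a constructed packet for offline use.
"""
import socket
import ssl
import struct

DOT_PORT = 853          # RFC 7858: DNS over TLS
QTYPE_A, QTYPE_AAAA = 1, 28
QUERY_TXID = 0x1234     # fixed id so the sample response can match it


def build_query(name: str, qtype: int = QTYPE_A, txid: int = QUERY_TXID) -> bytes:
    """Return a DNS query for `name` with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # qdcount=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def _read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end


def parse_answers(msg: bytes, expected_txid: int):
    """Return (rcode, [(name, type, ttl, rdata), ...]) from a DNS response.

    Rejects a reply whose transaction id does not match the query; that is
    the basic check a stub resolver must do before using an answer.
    """
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    off = 12
    for _ in range(qd):                                  # skip question section
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            rdata = socket.inet_ntop(socket.AF_INET, rdata)
        elif rtype == QTYPE_AAAA and rdlen == 16:
            rdata = socket.inet_ntop(socket.AF_INET6, rdata)
        answers.append((name, rtype, ttl, rdata))
    return flags & 0x000F, answers


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed early")
        buf += chunk
    return buf


def resolve_over_tls(name: str, host: str, ip: str, qtype: int = QTYPE_A, timeout: float = 5.0):
    """Query `name` at ip:853 over TLS, verifying the certificate against `host`."""
    ctx = ssl.create_default_context()                  # chain + hostname verification
    query = build_query(name, qtype)
    with socket.create_connection((ip, DOT_PORT), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)   # RFC 7858 length prefix
            length = struct.unpack("!H", _recv_exact(tls, 2))[0]
            return parse_answers(_recv_exact(tls, length), QUERY_TXID)


# Constructed response: answer for example.org, A 192.0.2.1, TTL 300,
# with the owner name as a compression pointer (0xC00C) to the question.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", QUERY_TXID, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03org\x00" + struct.pack("!HH", QTYPE_A, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    print(parse_answers(SAMPLE_RESPONSE, QUERY_TXID))
    # Live query against a server from the list (needs network):
    # print(resolve_over_tls("example.org", "dns3.digitalcourage.de", "5.9.164.112"))
```

The point of `server_hostname=host` is that the listed `Host` value, not the IP, is what the certificate is checked against; without it the TLS session would still be encrypted but could be terminated by anyone on the path, which is the same man-in-the-middle concern the thread raises about CDN-terminated HTTPS.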
[–] hanabatake@lemmy.ml 6 points 2 years ago (1 children)
[–] cypherpunks@lemmy.ml 5 points 2 years ago (2 children)

What's the business model of operating this large expensive service for free? (If you read their website, you'll find the answer is that they do it for the data. Shocking, right?)

[–] hanabatake@lemmy.ml 4 points 2 years ago

They detail their business model in this blog post: https://quad9.net/news/blog/quad9-and-your-data

It seemed honest to me. Furthermore, it is a non-profit organisation. Am I wrong to trust them?

[–] isleofmist@lemmy.ml 2 points 2 years ago

Best thing about Quad9 is that they are based outside of the US in Switzerland. Swiss privacy laws are much better than US ones.

[–] Decentralizer@lemmy.ml 4 points 2 years ago

Nextdns is great, but yes, 9.9.9.9 or mullvad would also be a great option. More advanced are nextdns, decloudus and controld.

[–] hellojack@lemmy.ml 3 points 2 years ago

Desec.io, it also offers a nameserver.

[–] isleofmist@lemmy.ml 3 points 2 years ago* (last edited 2 years ago)

dns.watch is pretty good

[–] tardigrada@lemmy.ml 3 points 2 years ago (1 children)

There is a BBC article on Cloudflare's beginnings, saying: "...when he (Cloudflare's CEO Matthew Prince, ed.) got an unexpected phone call from the US Department of Homeland Security asking him about the information he had gathered on attacks.

Mr Prince recalls: 'They said, "Do you have any idea how valuable the data you have is? Is there any way you would sell us that data?"'"

(see https://47a824e91bd781c66916f216129b096363daefb2-m.eu-proxy.startpage.com/npd/dcc/xxx/ST/m54xdoDgc5nRTxiNsIgZF4aWuw//////////news/business-37348016)

Cloudflare blocks Tor by default. Technically it is a man in the middle (which is VERY unfriendly to say the least). It decrypts your data. It is a big step towards the centralization of the web.

https://news.ycombinator.com/item?id=28854425

[–] danie10@lemmy.ml 3 points 2 years ago (1 children)

What interests me is that there is too much speculation without actual facts. We can suspect anything of anyone (including Lemmy, Facebook, etc). We've seen the numerous factual revelations about Facebook and a few others, but then there is something that proves they are being unethical. I'd be interested to see such facts though about CloudFlare, not what they can potentially do.

Cloudflare also means a lot to small websites that want to obscure their hosting IP address, and who want to make use of a global CDN to speed up the response on their self-hosted sites. So yes, they do also provide a positive service in that regard. They are not a free service, as many, including big corporates, pay CloudFlare; that payment is not to get our data or push adverts into our websites, but to use the actual service. So that is what I see as their business model.

Yes they break the end-to-end SSL, but for plain public websites that is not a major concern. I gather the paying service is where corporates go for security which allows pass-through of SSL to the hosting site.

For smaller guys, CloudFlare can provide a valuable service if the data being hosted is not super sensitive. Yes it is US based, but so are many IT services, and again that needs to be considered in terms of what you are hosting. I recently went to look for alternatives that would be free for global CDN, obscuring IP, proxy, malicious traffic protection, etc and really could not find anything. Only basic DNS services.

[–] Decentralizer@lemmy.ml 3 points 2 years ago (1 children)
[–] danie10@lemmy.ml 3 points 2 years ago

Yes, it draws from what is published on their own website at https://www.cloudflare.com/our-story/. It is still speculation though as to what is happening. They claim their motivation was to identify and prevent spammers and other malicious actors taking websites, by crowdsourcing and blacklisting bad actors. From that perspective, users will see numerous addresses blocked that are supposedly part of those identified.

So yes, one could say, is that real? Well that's the point, we don't really know either way, and as far as I'm aware there have been no court cases yet against CloudFlare ie. evidence brought forward justifying criminal actions.

Certainly my own website was being hammered every day, as I can see from the WP WordFence security plugin. WordFence also blocks masses of IP addresses based on attempted logins as well as crowdsourced data from similar actions elsewhere that they have detected. I can see people, after being blocked, running up their IP address range attempting to get around the block. So there are genuinely bad actors out there running automated tools to do this. That does not make WordFence now a bad thing. So websites are looking at many ways to try to protect themselves from this constant bombardment, which also uses up the hosting network traffic.

I'm not saying either that Cloudflare does not have the potential to do bad. We can see how they work technically. But have they actually sold users' data, have they exploited the man-in-the-middle or given others access to it? That I've seen no evidence of yet. I just dislike ungrounded speculation, as that leads to conspiracy theories that may be unfounded.

[–] Zerush@lemmy.ml 1 points 2 years ago* (last edited 2 years ago)

9.9.9.9, fast and without problems for years.

[–] Mylemmy@lemmy.ml 1 points 2 years ago

the article is mostly "The process is extremely annoying"