From the #AllesIstKaput department: DNS 1.1.1.1 is unusable for many; 9.9.9.9 has government affiliation
Posted by jpluimers on 2018/04/04
Abstract from this morning’s Twitter feed:
- 1.1.1.1 [Wayback] DNS is broken in many areas (because of for instance AT&T, Vodafone, Cisco screwing up and 1.1.1.1 historically being marked for research purposes)
- 9.9.9.9 [Wayback] DNS has government affiliation (owned by Quad9, but the partner list below does not look nice)
So what’s left?
- Cloudflare: 1.0.0.1 alternative to 1.1.1.1
- Google: 8.8.8.8 with secondary at 8.8.4.4
There are more interesting IPv4 addresses untaken for DNS, but I’m not sure they are likable enough:
- 2.2.2.2 [Wayback] owned by Orange which is owned by France Telekom
- 3.3.3.3 [Wayback] owned by Amazon
- 4.4.4.4 [Wayback] owned by Level 3
- 5.5.5.5 [Wayback] owned by E-Plus, now owned by Telefónica Germany
- 6.6.6.6 [Wayback] owned by United States Army Intelligence and Security Command
- 7.7.7.7 [Wayback] owned by USA DoD Network Information Center
- 69.69.69.69 [Wayback] owned by Centurylink
And of course there is the reserved [Wayback] 0.0.0.0 (;
Or you could go the 10.10.10.10 way with DNSSEC (and some public ones mentioned in [WayBack] DNS Server mit Persönlichkeitschutz / Blog / Privat – Lutz Donnerhacke):
First of all, there is a massive limitation on easily memorable IP addresses. The IPv4 address space allows only 220 addresses of the form x.x.x.x.
Via:
- [WayBack] #Cloudflare launches 1.1.1.1 #DNS service with #privacy, #TLS and more https://www.internetsociety.org/blog/2018/04/cloudflare-launches-enhanced-dns-ser… – Internet Society – Google+
- [WayBack] A new, truly privacy aware resolver, and it could be yours! Check out 10.10.10.10, and if you do not like the config, you could even fix it yourself. Th… – Kristian Köhntopp – Google+
So maybe CloudFlare was an April 1st joke after all: [WayBack] Announcing 1.1.1.1: the fastest, privacy-first consumer DNS service / [WayBack] 1.1.1.1 — the Internet’s Fastest, Privacy-First DNS Resolver
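A quick way to see whether 1.1.1.1 is affected on a given network, as an added example that is not part of the original post: it sends one hand-built DNS query over UDP to each resolver named above and classifies what comes back. The probe name example.com, the transaction ID and the result labels are assumptions chosen for illustration; a reply that parses as DNS only shows that something resolver-like answered, not who operates it.

```python
import socket
import struct

# Resolver addresses taken from the post; everything else here is illustrative.
RESOLVERS = ["1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"]

def build_query(name, txid):
    """Encode a minimal DNS query for an A record with the RD bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify(reply, txid):
    """Decide whether bytes received from port 53 look like a resolver's answer."""
    if reply is None:
        return "no-reply"          # filtered, blackholed, or address used locally
    if len(reply) < 12:
        return "not-dns"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    if rid != txid or not flags & 0x8000:   # wrong ID, or QR bit clear
        return "not-dns"
    if not flags & 0x0080:                  # RA clear: not a recursive resolver
        return "no-recursion"
    rcode = flags & 0x000F
    if rcode != 0:
        return "rcode-%d" % rcode
    return "answer" if ancount else "empty"

def probe(resolver, name="example.com", txid=0x1D1D, timeout=2.0):
    """Send one UDP query to resolver:53 and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((resolver, 53))   # connected UDP: only this peer's replies
            s.send(build_query(name, txid))
            reply = s.recv(4096)
        except OSError:                 # timeout, ICMP unreachable, no route
            reply = None
    return classify(reply, txid)

if __name__ == "__main__":
    for ip in RESOLVERS:
        print(ip, probe(ip))
```

A "no-reply" or "not-dns" result for 1.1.1.1 alongside "answer" for 1.0.0.1 on the same network points at local or upstream equipment claiming the address.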
References:
- 2018:
- [WayBack] APNIC – Query the APNIC Whois Database
    inetnum: 1.1.1.0 - 1.1.1.255
    netname: APNIC-LABS
    descr: APNIC and Cloudflare DNS Resolver project
    descr: Routed globally by AS13335/Cloudflare
    descr: Research prefix for APNIC Labs
- [WayBack] Mehmet on Twitter: “Not sure what is going on with 1.1.1.1 and @Cloudflare – This IP address was allocated for test purposes by @apnic rumor is there will be a public resolver behind this ip. I wonder what the truth is.”
- [WayBack] Thread by @SwiftOnSecurity: “Badly-configured ISP equipment blocking access to 1.1.1.1 for some unfortunate users hostage to upstream network engineers. Screenshots of v […]”
- [WayBack] Cloudflare touts privacy-friendly 1.1.1.1 public DNS service. Hmm, let’s take a closer look at that • The Register: We’ll share query data, but only with these really trustworthy researchers
- via [WayBack] Dru Dude on Twitter: “What do you guys think of this? “Ironically for a project predicated on privacy, Cloudflare is sharing DNS query data with APNIC Labs, a part of Asian registry APNIC, in exchange for the use of its 1.1.1.1 network address.” https://t.co/JKqbnQAemJ… https://t.co/C3NDWY1N3K”
- [WayBack] Paul Hinze on Twitter: “See I TOLD you 69.69.69.69 was a better choice!” — presumably at least one person at Cloudflare… “
- [WayBack] ⒭⒴⒜⒩💫 on Twitter: “Have you looked at the partner list for the Global Cyber Alliance? It’s hard to look at that list and come away thinking “I trust 9.9.9.9”. There are too many parties involved. The government involvement doesn’t help. It seems safer to send DNS elsewhere. “
- [WayBack] Our Community Involvement – Global Cyber Alliance
- City of London Police
- France Ministry of Justice: Division of Criminal Affairs & Pardon
- France National Police
- Manhattan District Attorney’s Office
- Multi-State Information Sharing and Analysis Center
- National Information Technology Authority – Uganda
- New York City Department of Information Technology and Telecommunications (NYC DOITT)
- Procureur de la Republique Paris
- Sioux County, Iowa
- United States Secret Service
- [WayBack] Pete Verdon on Twitter: “IBM’s like that. They own 9. That is, 9.everything, a 256th of the (IPv4) Internet. Plug in a Raspberry Pi at your desk and it gets a (firewalled, obviously) unique publicly routable IP. Kind of cool, in a way…”
- [WayBack] Joel on Twitter: “1.1.1.1 is the default logout for Nomadix controllers, which are primarily used in Hospitality environs. Tested at my company on Monday. Waiting for the calls from guests when they have an issue because their techie child setup DNS for them & don’t get why it doesn’t work now.… “
- [WayBack] Ian Yates on Twitter: “Also wondering how long @TeamViewer can get away with 7.x.y.z and @LogMeInHamachi for 5.x.y.z as private adhoc VPN Address spaces.… “
- 2010:
- [WayBack] bmi-Links verseuchen das Internet – Forum: Computer & Spiele for years screwing internet access for customers of AT&T, China Mobile, China Telecom, KDDI, KPN, Orange, Orascom, Sprint Nextel, T-Mobile, Telefónica, TeliaSonera, and Vodafone by abusing at least 1.1.1.1, 1.1.1.2, 1.1.1.3, 1.1.1.4, 1.1.1.5, 1.2.3.4, 1.2.3.9, 1.2.3.10, 1.2.3.11
- [WayBack] RIPE plays with 1.1.1.1 and 1.2.3.4 following APNIC allocation – PacketLife.net
--jeroen
Via: [WayBack] From the #AllesIstKaput department: 1.1.1. trouble . – Jeroen Wiert Pluimers – Google+
Not sure what is going on with 1.1.1.1 and @Cloudflare – This IP address was allocated for test purposes by @apnic rumor is there will be a public resolver behind this ip. I wonder what the truth is.
https://twitter.com/mhmtkcn/status/980190179578146817
Ok not april fools day announcement @Cloudflare is running a public dns server on 1.1.1.1 – no announcement from @apnic – i am curious how this allocation decision was made. I would guess public consultation might be required. (I might be wrong)
http://web.archive.org/web/20200805191544/https://twitter.com/mhmtkcn/status/980459400811827200
https://twitter.com/mhmtkcn/status/980459400811827200
Have you looked at the partner list for the Global Cyber Alliance? It’s hard to look at that list and come away thinking “I trust 9.9.9.9”. There are too many parties involved. The government involvement doesn’t help. It seems safer to send DNS elsewhere.
https://twitter.com/33b5e5/status/981366340861612032
“See I TOLD you 69.69.69.69 was a better choice!”
— presumably at least one person at Cloudflare
https://twitter.com/phinze/status/981308398070312962
I know of a City whose entire corporate IT infrastructure sits on public address space; Servers, Desktops, even the WiFi. They’d been assigned a Class B and never saw the benefit to NAT.
1.1.1.1 is the default logout for Nomadix controllers, which are primarily used in Hospitality environs. Tested at my company on Monday. Waiting for the calls from guests when they have an issue because their techie child setup DNS for them & don’t get why it doesn’t work now.
https://twitter.com/leojloke/status/981323146446942208