X
Tech

1.1.1.1: Cloudflare's new DNS attracting 'gigabits per second' of rubbish

Cloudflare is conducting an experiment with APNIC, and it's revealing plenty of dirty hacks.
Written by Stilgherrian , Contributor
c-3-cloudflare.jpg

Cloudflare's new speed and privacy enhancing domain name system (DNS) servers, launched on Sunday, are also part of an experiment being conducted in partnership with the Asia Pacific Network Information Centre (APNIC).

The experiment aims to understand how DNS can be improved in terms of performance, security, and privacy.

"We are now critically reliant on the integrity of the DNS, yet the details of the way it operates still remains largely opaque," wrote APNIC's chief scientist Geoff Huston in a blog post.

"We are aware that the DNS has been used to generate malicious denial of service attacks, and we are keen to understand if there are simple and widely deployable measures that can be taken to mitigate such attacks. The DNS relies on caching to operate efficiently and quickly, but we are still unsure as to how well caching actually performs. We are also unclear how much of the DNS is related to end user or application requirements for name resolution, and how much is related to the DNS chattering to itself."

Also read: Failing to secure DNS is 'savage ignorance'

Huston, an Internet Hall of Fame inductee, has a long-standing interest in DNS, and is a strong supporter of a proposal that promises to improve DNS resilience against DDoS (distributed denial of service) attacks. He's previously said that failing to secure DNS is savage ignorance.

The Cloudflare-APNIC experiment uses two IPv4 address ranges, 1.1.1/24 and 1.0.0/24, which have been reserved for research use. Cloudflare's new DNS uses two addresses within those ranges, 1.1.1.1 and 1.0.0.1.

These address ranges were originally configured as "dark traffic addresses", and some years ago APNIC partnered with Google to analyse the unsolicited traffic directed at them. There was a lot of it.

"Our initial work with it certainly showed it to be an unusually strong attractor for bad traffic. At the time we stopped doing it with Google, it was over 50 gigabits per second. Quite frankly, few folk can handle that much noise," Huston told ZDNet on Wednesday.

By putting Cloudflare's DNS on these research addresses, APNIC gets to see the noise as well as the DNS traffic -- or at least "a certain factored amount" of it -- for research purposes.

Huston emphasised that APNIC intends to protect users' privacy. "DNS is remarkably informative about what users do, if you inspect it closely, and none of us are interested in doing that," he said.

Indeed, Cloudflare's aim is to create, as the company's chief executive officer Matthew Prince put it, "the internet's fastest, privacy-first consumer DNS service".

While 1.1.1.1 is meant to have been used only for research, the Cloudflare-APNIC experiment has revealed that many operational systems have been using it in a variety of dirty hacks that breach internet routing standards.

Twitter cybersecurity celebrity @SwiftOnSecurity has been retweeting some of the more egregious allegations, such as 1.1.1.1 being used by Fortinet VPN as the virtual endpoint; 1.1.1.1 being used as the default logout for Nomadix controllers, which are primarily used in hospitality industry environments; AT&T Gigapower using 1.1.1.1 on an internal interface on at least one model of router-gateway, the Pace 5268AC, which effectively blocks this address; and even Vodafone Germany using it as an image caching server on their mobile network.

Huston is familiar with usages like this, and has also seen Wi-Fi hotspots using 1.1.1.1 as their router address. He's not impressed.

"Some folk, without any material to justify it, started configuring 1.1.1.1. Now, I can start using your IP address, I suppose, but we're both going to have a problem," Huston told ZDNet, laughing.

Also: What are the fastest DNS providers?

"You should never have done it in the first place. You're squatting on somebody else's address. That's a bad thing," he said.

"In this case, I'm not sure that it really impacts upon the folk who are advertising the address, and to some extent because I am looking at the junk traffic that hits that address, it all adds to the interesting junk. But you shouldn't be doing it."

While Huston has yet to analyse any of the junk traffic in this new experiment, he said that it can still be measured in multiple gigabits per second.

"There's a lot of rubbish out there," he said.

Related Coverage

1.1.1.1: How to use Cloudflare's DNS service to speed up and secure your internet

Cloudflare's new Domain Name System promises to both speed up your internet access and protect your privacy.

Free APNIC, CloudFlare tool prevents ISPs from selling your internet history (TechRepublic)

APNIC and CloudFlare announced the free 1.1.1.1 DNS resolver service, which is intended as a drop-in replacement to protect your privacy from providers.

How Cloudflare uses lava lamps to encrypt the Internet

Cloudflare's encryption secret? Gelatinous floating blobs.

Cisco critical flaw: At least 8.5 million switches open to attack, so patch now

Cisco patches a severe flaw in switch deployment software that can be attacked with crafted messages sent to a port that's open by default.

Google shutting down goo.gl shortlink service: Here are the alternatives (TechRepublic)

The service is being sunsetted in favor of FireBase Dynamic Links for developers, while regular users are advised to use competing services.

Editorial standards