Cloudflare's 1.1.1.1 DNS service and the effect on broadband gateways

In the world of the Internet, it’s vitally important that technologies keep evolving. Change is a rule of all technology, even if it comes slowly to fundamental systems like DNS (Domain Name Service).

The company Cloudflare is an infrastructure provider for web applications and networks that has solutions for performance, security, and reliability - including DNS. In April of 2018, Cloudflare launched a new publicly facing DNS resolver at 1.1.1.1, and 1.0.0.1.

 

https://twitter.com/Cloudflare?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E980430875258212352%7Ctwgr%5E%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Fwww.qacafe.com%2Farticles%2Fhow-cloudfare-dns-service-affects-home-gateways%2F

You can read about their motivations for doing so here.

Effects on your network and CPE

Cloudflare is advertising 1.1.1.1 as a go-to DNS server for the public to use, specifically targeting end-users. This means that personal computers, gaming and video consoles, and other end devices could be set to use it as the default DNS server (in addition to gateways themselves). This has implications for gateways that provide routing and/or DNS proxy functionality, in part because these IP addresses were assumed to never be used, even if they are valid public IPv4 addresses.

1.1.1.1 and 1.0.0.1 were previously owned by APNIC and not used externally. Use of both the 1.0.0.0/24 and 1.1.1.0/24 networks has uncovered issues with network devices and services where vendors may have wrongly assumed these networks would never be used globally. For example:

1. A device may use the 1.1.1.0/24 network for “internal” addresses, causing routing issues.
2. A device may filter out 1.0.0.0/24 traffic by default.
3. If a client is making use of DNS over HTTPS or DNS over TLS, the device may treat that traffic differently than it would “normal” DNS traffic.

How can I test that my CPE handles these new services?

If you are a CDRouter customer, you already have the tests available to make sure your devices support the use of the 1.0.0.0/24 and 1.1.1.0/24 networks. CDRouter’s closed loop test model allows the end user to create a network topology that matches any production network. To verify there are no likely issues with Cloudflare’s new DNS service, CDRouter can be configured to use 1.1.1.1 and 1.0.0.1 as its DNS services. This allows you to test DNS functionality across various WAN modes to make sure all your target CPE configurations will support Cloudflare.

• You can verify that LAN clients can send and receive DNS messages to 1.0.0.0/8 using test cases cdrouter_app_21 and cdrouter_app_22 from the apps.tcl test module. These test cases send DNS queries directly to the primary and back DNS servers.
• You can also verify the DNS proxy behavior of your CPE devices by running tests from the dns.tcl and dns-tcp.tcl modules. These module offer a comprehensive set of tests to verify DNS proxy behavior of a home or business CPE for both UDP and TCP.

Example configuration

You can create a CDRouter configuration to match Cloudflare’s DNS network by setting the WAN side DNS entries to 1.1.1.1 and 1.0.0.1 respectively. This is done by editing new or existing CDRouter configuration files and setting the DNS services under the WAN interface configuration section:

testvar wanDnsServer                     1.1.1.1
testvar wanBackupDnsServer               1.0.0.1

All of these new ways of doing things will have implications for your network and for the devices you build or deploy. CDRouter will continue to explore them for future test cases.