Setting Up 1.1.1.1 for Families on a Pi-Hole(uglyduck.ca)
uglyduck.ca
Setting Up 1.1.1.1 for Families on a Pi-Hole
https://uglyduck.ca/pihole-cloudflare/
81 comments
That particular domain is sluggish from the UK, but other domains, but my route53 hosted domains - including ones never before used (wildcard subdomain) - are all fine - around 5ms.
When I tried, Quad9 (9.9.9.9) resolved enigma.rs in 5.2 s.
I'm happy with Cloudflare, even if it's slightly slower.
I'm happy with Cloudflare, even if it's slightly slower.
Interesting, but what are long tail domain?
I think the idea is that you take a list of all domains and then count the number of DNS lookups that are done for each over the course of some time period (e.g. 1 year). Then sort them from high to low number of lookups. At the start of the list you'll probably find only a few domains with many billions of lookups. As you go down the list you'll find many domains with very few lookups, the "long tail".
It's a bit confusing because normally "long tail" refers to a histogram or probability distribution where a large portion of the population is far from the central part. I don't think that works in this case, unless I'm confused about what to put on the x-axis. (Because if the x-axis is lookup frequency, the domains being referred to here would be in a peak close to 0, not in the tail.)
edit: maybe the x-axis of a histogram could be "mean time between lookups" instead of frequency? That would put the popular domains in the peak near 0, and the unpopular ones farther out in the "tail".
It's a bit confusing because normally "long tail" refers to a histogram or probability distribution where a large portion of the population is far from the central part. I don't think that works in this case, unless I'm confused about what to put on the x-axis. (Because if the x-axis is lookup frequency, the domains being referred to here would be in a peak close to 0, not in the tail.)
edit: maybe the x-axis of a histogram could be "mean time between lookups" instead of frequency? That would put the popular domains in the peak near 0, and the unpopular ones farther out in the "tail".
> what to put on the x-axis
Perhaps 1/frequency.
Perhaps 1/frequency.
Domains that have less frequent lookups so the chance of getting a cached response is lower.
Why aren't they just called infrequently used domains then?
>Why aren't they just called infrequently used domains then?
You could call them "infrequent" but "long-tail" is also a common description to convey a Power Law distribution: https://en.wikipedia.org/wiki/Long_tail
I think in this case about DNS caching, "long tail" is better than "infrequent". In the wikipedia graph, some of the domain lookups in yellow may be "frequent" (absolute sense) but simultaneously but much less popular (long tail) such that they don't stay in DNS lookup caches.
You could call them "infrequent" but "long-tail" is also a common description to convey a Power Law distribution: https://en.wikipedia.org/wiki/Long_tail
I think in this case about DNS caching, "long tail" is better than "infrequent". In the wikipedia graph, some of the domain lookups in yellow may be "frequent" (absolute sense) but simultaneously but much less popular (long tail) such that they don't stay in DNS lookup caches.
DNS is essentially a cache. I've never once in my life heard of infrequently accessed cache items as "long-tail". This is definitely a dumb phrase that should be avoided.
I've never heard them referred to as anything else, so YMMV
>I've never once in my life heard of infrequently accessed cache items as "long-tail".
The parent poster wrote "long tail _domains_" and not cache items: https://news.ycombinator.com/item?id=29036188
You also used the word "domains" when you asked about "infrequently used domains" and that's the context I was responding to. I didn't say that cache items are labeled "long tail".
The parent poster wrote "long tail _domains_" and not cache items: https://news.ycombinator.com/item?id=29036188
You also used the word "domains" when you asked about "infrequently used domains" and that's the context I was responding to. I didn't say that cache items are labeled "long tail".
I’d urge everyone to run a dns bench tool at home. Cloudflare isn’t always the right choice and for some ISPs with routing issues it can sometimes be a bad choice.
I found https://github.com/cleanbrowsing/dnsperftest/
to be really user friendy and easy to customize.
Here are results for my custom edited list of domains (first three are popular domains, rest are "long-tail" domains):
to be really user friendy and easy to customize.
Here are results for my custom edited list of domains (first three are popular domains, rest are "long-tail" domains):
test1 test2 test3 test4 test5 test6 test7 test8 test9 Average
2001:558:feed::1 18 ms 18 ms 16 ms 30 ms 202 ms 377 ms 90 ms 87 ms 485 ms 147.00
2001:558:feed::2 47 ms 31 ms 32 ms 154 ms 436 ms 343 ms 102 ms 76 ms 254 ms 163.88
75.75.75.75 20 ms 16 ms 17 ms 78 ms 191 ms 293 ms 68 ms 75 ms 203 ms 106.77
75.75.76.76 35 ms 33 ms 34 ms 149 ms 437 ms 283 ms 123 ms 102 ms 464 ms 184.44
cloudflare 17 ms 19 ms 19 ms 103 ms 1135 ms 427 ms 69 ms 293 ms 191 ms 252.55
level3 18 ms 17 ms 17 ms 45 ms 209 ms 231 ms 73 ms 49 ms 358 ms 113.00
google 21 ms 17 ms 16 ms 37 ms 381 ms 124 ms 79 ms 28 ms 183 ms 98.44
quad9 18 ms 19 ms 17 ms 42 ms 211 ms 127 ms 71 ms 73 ms 181 ms 84.33
freenom 36 ms 49 ms 59 ms 88 ms 534 ms 342 ms 219 ms 82 ms 204 ms 179.22
opendns 16 ms 19 ms 27 ms 23 ms 1514 ms 325 ms 85 ms 69 ms 488 ms 285.11
norton 25 ms 27 ms 26 ms 134 ms 389 ms 243 ms 277 ms 273 ms 354 ms 194.22
cleanbrowsing 22 ms 24 ms 27 ms 105 ms 533 ms 142 ms 70 ms 289 ms 199 ms 156.77
yandex 192 ms 197 ms 191 ms 293 ms 378 ms 803 ms 287 ms 603 ms 232 ms 352.88
adguard 84 ms 75 ms 74 ms 144 ms 240 ms 257 ms 72 ms 292 ms 170 ms 156.44
neustar 18 ms 21 ms 16 ms 29 ms 389 ms 222 ms 276 ms 285 ms 315 ms 174.55
comodo 65 ms 65 ms 82 ms 119 ms 458 ms 417 ms 236 ms 267 ms 290 ms 222.11
This was my setup for reference: DOMAINS2TEST="www.google.com amazon.com facebook.com mateja.prelovac.com enigma.rs hmdt.jp podravka.hr argentia.com.ar bildung.sachsen.de"I'd like use self-hosted dnscrypt-proxy, point pi-hole's upstream to it.
Then dnscrypt-proxy will choose the servers that has lowest RTT and meet your requirement ( if DNSSEC, no log, family filter available) for you.
Then dnscrypt-proxy will choose the servers that has lowest RTT and meet your requirement ( if DNSSEC, no log, family filter available) for you.
I even use it with blocklist and allowlist. No need for Pi-Hole, if you don't mind editing the lists directly.
Does it have regex support? That is the Pi-hole killer feature for me.
Also note that DNS queries might be overridden by your ISP. I've seen a few ISPs override DNS queries to 8.8.8.8 and respond with their own stuff. It might not be the case for 1.1.1.1 since it's not that popular.
Is there an easy way to tell if this is happening?
What is that? ping 1.1.1.1?
I recently switched to AdGuard (hosted in Home Assistant), and I like it a bit better than PiHole. It seems more configurable.
Yes, send more data to big companies like cloud front and google. They need it.
This has nothing to do with either of them?
Ah yes, it's cloudflare of course. On of the other contesters.
The one thing Cloudflare DNS is missing is providing something like NextDNS.
Choose your own filter lists (that are constantly updated), create multiple profiles to use according to the target device/location and enjoy as blocking at the DNS level. It’s not a complete match for something like uBlock Origin, but a lot of stuff still gets blocked with DNS filters.
Choose your own filter lists (that are constantly updated), create multiple profiles to use according to the target device/location and enjoy as blocking at the DNS level. It’s not a complete match for something like uBlock Origin, but a lot of stuff still gets blocked with DNS filters.
Have you checked out Cloudflare Gateway? We used that to do DNS filtering on some iPads we deployed
Thanks for pointing that out. I hadn't known about Cloudflare Gateway and am exploring at now. Preliminary thoughts: it seems a lot more complex than configuring and setting up NextDNS. Had a look at setting up policies, and it doesn't seem to support adding ad-blocking lists (like the ones used in uBlock Origin) easily. In NextDNS these are just checkboxes for each filter list.
Congratulations, you've just sent all of your legitimate DNS traffic to a tracker (the thing pi-hole is usually deployed to avoid).
Remember that when a service is free, you are usually paying with your data.
Remember that when a service is free, you are usually paying with your data.
Depends on whether you trust your ISP's DNS more than Cloudflare's. According to https://www.cloudflare.com/en-gb/learning/dns/what-is-1.1.1....:
> Unlike most DNS resolvers, 1.1.1.1 does not sell user data to advertisers.
Putting aside the question of whether they actually honour that commitment, has your ISP even published a similar statement to put their reputation on the line?
I think Cloudflare's commitment is plausible. They have a financial incentive to maintain their free DNS resolver's reputation and popularity, because they are selling points for their commercial authoritative DNS service; https://www.cloudflare.com/en-gb/dns/. Does your ISP have a similar financial incentive to behave?
"If it's free, you are the product" is not always true. Sometimes, if it's free, you are the marketing funnel.
> Unlike most DNS resolvers, 1.1.1.1 does not sell user data to advertisers.
Putting aside the question of whether they actually honour that commitment, has your ISP even published a similar statement to put their reputation on the line?
I think Cloudflare's commitment is plausible. They have a financial incentive to maintain their free DNS resolver's reputation and popularity, because they are selling points for their commercial authoritative DNS service; https://www.cloudflare.com/en-gb/dns/. Does your ISP have a similar financial incentive to behave?
"If it's free, you are the product" is not always true. Sometimes, if it's free, you are the marketing funnel.
Anybody know from where does CF get the domains to block on 1.1.1.2 (malware) and 1.1.1.3 (porn)?
why? arent we already using pi-hole for blocking all the stuff?
that said, i have a query about a simple way to force all dns in a local network to pass through pi-hole. i only have access to the iSP router and pi-hole and cannot use third party router
that said, i have a query about a simple way to force all dns in a local network to pass through pi-hole. i only have access to the iSP router and pi-hole and cannot use third party router
Pihole comes with a list of ads and trackers by default, but not with a maintained list of porn domains. There are more people working on getting trackers blacklisted than there are people scouring the web for new porn sites for free.
Pointing pihole at a porn blocker seems like a good combination of the best of both worlds to me.
Pointing pihole at a porn blocker seems like a good combination of the best of both worlds to me.
Your router must support outbound NAT in order to force all connections on a specified port to a specified host.
If your router doesn't have that feature, there's no way to do it.
If your router doesn't have that feature, there's no way to do it.
You could double-NAT with a second router (apparently causes problems with some things like consoles, although I’ve never had a problem).
Double NATting is underrated. I have zero problems with it and I like the buffer zone (subnet) between the ISP's Gateway/Router and my home network. Should the ISP's device have a known Zero Day exploit then it won't affect my home's subnet. Then there's all the additional stuff that can be done on your own router and also use DoH to ensure that a compromised ISP-router can't rewrite your DNS queries. Plus your ISP's router won't be able to gather statistics about the devices in your home, in case it would do that. I don't trust ISP-provided devices at all.
can the pi zero as pi hole for example itself be the second router and pi hole at the same time?
What would that feature be listed as on the back of the box/spec sheet?
It's extremely unlikely that any consumer router would support it.
If you really want to force clients on your LAN to always use a specified DNS server you're looking at a more enterprise-y router solution, probably something running pfSense or OPNsense.
If you really want to force clients on your LAN to always use a specified DNS server you're looking at a more enterprise-y router solution, probably something running pfSense or OPNsense.
[deleted]
MITM port 53 traffic
I wonder how much ICMP is going to those IPs. I ping 1.0.0.1 ("ping 1.1") as a quick check to ensure my internet is working a lot, far quicker and less stretching than typing ping 8.8.8.8. When I'm tracing a fault I'll ping 1.1.1.x as I can then tcpdump on a spanport against that IP and be fairly confident any traffic is from my test point and not from another device.
I'm sure I'm not the only one.
I'm sure I'm not the only one.
funny that you mention it but most technically minded Germans I know (maybe outside of people spending their days with datacenter stuff) habitually use `ping heise.de` (of c't and ix print magazine fame), which seems to have been a thing since the 90s. It's usually fast, you can really count on it being up and still around.
I even remember them once writing about having such an unusually high volume of ICMP traffic that they had to divert that traffic to a dedicated box at some point.
I even remember them once writing about having such an unusually high volume of ICMP traffic that they had to divert that traffic to a dedicated box at some point.
I'd suspect a huge amount of IoT devices continually test their network connection by pinging these well known IPs.
1.1.1.3 for blocking also adult content, could be even faster than commonly used 1.1.1.1
I use Adguard DNS.
https://adguard.com/en/adguard-dns/overview.html
DNS Servers:
94.140.14.15 94.140.15.16
Also, for android phones (via private DNS):
dns-family.adguard.com
https://adguard.com/en/adguard-dns/overview.html
DNS Servers:
94.140.14.15 94.140.15.16
Also, for android phones (via private DNS):
dns-family.adguard.com
[deleted]
I still think this is a business that Cloudflare shouldn't be involved in. There are very legitimate reasons for parents to filter Internet content. But Cloudflare is in a unique position here, they have a brand as a company that cares about free speech, and specifically because of who they are, they really shouldn't be making determinations about what is and isn't inappropriate content for kids.
When 1.1.1.1 for Families launched, it blocked access to GLADD's site because Cloudflare didn't do a good enough job testing any of this stuff and they just pulled in filters from other parental companies, some of which turned out to be anti-gay. Cloudflare apologized, pushed a couple of fixes, but never actually took a step back and asked how this happened. In the meantime, 1.1.1.1 for Families launched without blocking access to sites like Stormfront. Cloudlfare didn't think it was appropriate for them to make a determination over whether that site was safe for kids.
I think that our society is just generally a lot less thoughtful about filtering adult content than it is about filtering other forms of content like political speech, and we don't think about adult content filters as having a downside, or being real censorship. So when 1.1.1.1 for Families was released, I came up with a challenge: https://danshumway.com/blog/sex-censorship-is-censorship/
I do think there are scenarios where it's completely appropriate to block content for children, and I do think families should always able to make these kinds of determinations. People and communities have a fundamental Right to Filter (https://anewdigitalmanifesto.com/#right-to-filter). However, adult content isn't the only content that falls into the category of being harmful to children. It is utter hypocrisy for Cloudflare to launch a service that blocks adult content but not hate speech; both forms of content are legitimate for parents to want off of their networks.
My challenge is, if Cloudflare is frightened of the implications of being the company that decides what is and isn't hate speech, then why isn't it also frightened of being the company that decides what is and isn't adult material? Why do we view accidental censorship of LGBTQ+ informational materials as less of an existential free speech risk than accidental censorship of political ideas or extremist groups? Cloudflare still, over a year later, doesn't really have clear documentation I can find anywhere about what specific criteria they use to make filtering decisions on 1.1.1.3 beyond that they "aim to imitate" Google Safe Search. Would people tolerate that kind of fuzziness if they were filtering hate speech or political extremism?
There is a reasonable debate people can have about whether or not it's appropriate for Cloudflare to be the company that carves out sections of the Internet that are inappropriate, even as an opt-in filter. I think both sides of that debate can make some good points, and reasonable people could go in either direction. But for me, the biggest question isn't really whether Cloudflare is the right company to build and maintain Internet filters. For me, the biggest question is about which subjects Cloudflare views as OK to moderate, and which communities Cloudflare is OK offloading the externalities of their moderation onto.
Because frankly, in free speech communities we do have a lot of hypocrisy about this. There's no argument to be made that extremist hate sites aren't just as dangerous to kids as pornography is. We should try to have more consistency about stuff like this. Are we OK with content moderation or not?
When 1.1.1.1 for Families launched, it blocked access to GLADD's site because Cloudflare didn't do a good enough job testing any of this stuff and they just pulled in filters from other parental companies, some of which turned out to be anti-gay. Cloudflare apologized, pushed a couple of fixes, but never actually took a step back and asked how this happened. In the meantime, 1.1.1.1 for Families launched without blocking access to sites like Stormfront. Cloudlfare didn't think it was appropriate for them to make a determination over whether that site was safe for kids.
I think that our society is just generally a lot less thoughtful about filtering adult content than it is about filtering other forms of content like political speech, and we don't think about adult content filters as having a downside, or being real censorship. So when 1.1.1.1 for Families was released, I came up with a challenge: https://danshumway.com/blog/sex-censorship-is-censorship/
I do think there are scenarios where it's completely appropriate to block content for children, and I do think families should always able to make these kinds of determinations. People and communities have a fundamental Right to Filter (https://anewdigitalmanifesto.com/#right-to-filter). However, adult content isn't the only content that falls into the category of being harmful to children. It is utter hypocrisy for Cloudflare to launch a service that blocks adult content but not hate speech; both forms of content are legitimate for parents to want off of their networks.
My challenge is, if Cloudflare is frightened of the implications of being the company that decides what is and isn't hate speech, then why isn't it also frightened of being the company that decides what is and isn't adult material? Why do we view accidental censorship of LGBTQ+ informational materials as less of an existential free speech risk than accidental censorship of political ideas or extremist groups? Cloudflare still, over a year later, doesn't really have clear documentation I can find anywhere about what specific criteria they use to make filtering decisions on 1.1.1.3 beyond that they "aim to imitate" Google Safe Search. Would people tolerate that kind of fuzziness if they were filtering hate speech or political extremism?
There is a reasonable debate people can have about whether or not it's appropriate for Cloudflare to be the company that carves out sections of the Internet that are inappropriate, even as an opt-in filter. I think both sides of that debate can make some good points, and reasonable people could go in either direction. But for me, the biggest question isn't really whether Cloudflare is the right company to build and maintain Internet filters. For me, the biggest question is about which subjects Cloudflare views as OK to moderate, and which communities Cloudflare is OK offloading the externalities of their moderation onto.
Because frankly, in free speech communities we do have a lot of hypocrisy about this. There's no argument to be made that extremist hate sites aren't just as dangerous to kids as pornography is. We should try to have more consistency about stuff like this. Are we OK with content moderation or not?
I think it’s up to the network owner to decide what should be blocked or allowed in their network.
1.1.1.3 (or 2) is a tool in the tool chest. Some people may find it too aggressive and don’t need to implement it, some may find it too conservative and implement more. No tool will be perfect for everyone, and if you don’t find it hits the right balance you don’t have to use it. No one has to use it, and cloudflare can literally release any free block list they want and call it parental blocking. It’s free, it’s a best effort product that doesn’t drive revenue, and it is up to each network owner to determine which blocks they want.
It would be a totally different story if the company was determining blocking for the US or people were forced to use it. But they aren’t.
1.1.1.3 (or 2) is a tool in the tool chest. Some people may find it too aggressive and don’t need to implement it, some may find it too conservative and implement more. No tool will be perfect for everyone, and if you don’t find it hits the right balance you don’t have to use it. No one has to use it, and cloudflare can literally release any free block list they want and call it parental blocking. It’s free, it’s a best effort product that doesn’t drive revenue, and it is up to each network owner to determine which blocks they want.
It would be a totally different story if the company was determining blocking for the US or people were forced to use it. But they aren’t.
I agree that for an optional tool, Cloudflare can make any blocklist they like. People have a fundamental Right to Filter. I personally don't think it's consistent with Cloudflare's brand or stated purpose to go down this route, but that's just my opinion, people can have other opinions.
I do want to kind of question how egalitarian we are inside free speech communities about this stuff though in reality. I am fairly confident that if Cloudflare added hate speech to 1.1.1.3 or started adding misinformation to their filtering list, that is something that would show up on HN and see debate. I think a lot of people on this site wouldn't see that as a neutral act, I think a lot of people would be on here arguing that it was a dangerous value judgment, or at the very least a dangerous behavior for Cloudflare to normalize.
We all have the right to filter content, and we all have the right to choose which filter lists we'll use. But is that actually our philosophy? Would we collectively as a community be applying those same standards if Cloudflare started blocking Covid misinformation or conversion-therapy sites from 1.1.1.3? The way society debates filter lists can sometimes betray our collective ideas about what kinds of information needs more or less protection.
> or people were forced to use it
There's a separate conversation to be had here about the fact that children are forced to use filter lists. This is exactly why Cloudflare reacted so quickly to stop blocking sites like GLADD and why if it ever does offer the ability to choose custom categories, it's probably never going to offer an "LGBTQ+ information" category to block.
Cloudflare (to its credit) does at least recognize that child filters are often only semi-consensual and can be (and regularly are) abused at the network level.
That doesn't change the overall debate, it doesn't mean that making a filter list is always evil, communities still have a Right to Filter. But it is important to bring up, kids at schools don't get to choose whether or not the filters on those networks are too conservative or too liberal with what they block.
Kids (necessarily by virtue of being kids) do not have agency to decide what networks they're a part of. There are good reasons for that, but it still puts kids into a somewhat more vulnerable position, and it means there are more dangerous implications for network-wide filters than there are for user-controlled filters. This is also something that kind of gets glossed over in these debates sometimes.
I do want to kind of question how egalitarian we are inside free speech communities about this stuff though in reality. I am fairly confident that if Cloudflare added hate speech to 1.1.1.3 or started adding misinformation to their filtering list, that is something that would show up on HN and see debate. I think a lot of people on this site wouldn't see that as a neutral act, I think a lot of people would be on here arguing that it was a dangerous value judgment, or at the very least a dangerous behavior for Cloudflare to normalize.
We all have the right to filter content, and we all have the right to choose which filter lists we'll use. But is that actually our philosophy? Would we collectively as a community be applying those same standards if Cloudflare started blocking Covid misinformation or conversion-therapy sites from 1.1.1.3? The way society debates filter lists can sometimes betray our collective ideas about what kinds of information needs more or less protection.
> or people were forced to use it
There's a separate conversation to be had here about the fact that children are forced to use filter lists. This is exactly why Cloudflare reacted so quickly to stop blocking sites like GLADD and why if it ever does offer the ability to choose custom categories, it's probably never going to offer an "LGBTQ+ information" category to block.
Cloudflare (to its credit) does at least recognize that child filters are often only semi-consensual and can be (and regularly are) abused at the network level.
That doesn't change the overall debate, it doesn't mean that making a filter list is always evil, communities still have a Right to Filter. But it is important to bring up, kids at schools don't get to choose whether or not the filters on those networks are too conservative or too liberal with what they block.
Kids (necessarily by virtue of being kids) do not have agency to decide what networks they're a part of. There are good reasons for that, but it still puts kids into a somewhat more vulnerable position, and it means there are more dangerous implications for network-wide filters than there are for user-controlled filters. This is also something that kind of gets glossed over in these debates sometimes.
This is correct.
1.1.1.1 for Families is an awful, dangerous, harmful product. You should not use it.
1.1.1.1 for Families is an awful, dangerous, harmful product. You should not use it.
Unbound and root.hints
any ideas why 1.1.1.2 doesn't support tls?
It does. If you’re having issues, submit a support ticket.
It's not supported.
https://community.cloudflare.com/t/community-tip-best-practi...
> Does 1.1.1.1 for Families support DNS over TLS?
No. But our team is working on it.
https://community.cloudflare.com/t/community-tip-best-practi...
> Does 1.1.1.1 for Families support DNS over TLS?
No. But our team is working on it.
For those playing at home you can specify tls://security.cloudflare-dns.com instead
[deleted]
hn_throwaway_69(10)
I bascially ran a 'dig' with multiple DNS providers and CloudFlare was slowest among the bunch for long-tail domains.
Here are the details: https://twitter.com/vladquant/status/1428761979808669704
CloudFlare never responded to this tweet.