
DNS over HTTPS in Firefox

Posted Jun 1, 2018 16:36 UTC (Fri) by fest3er (guest, #60379)
Parent article: DNS over HTTPS in Firefox

That might explain the disconcerting ARP traffic (who-has w.x.y.z, tell 1dot1dot1dot1.cloudflare-dns.com) that now appears on my LAN.

I suspect that 1.1.1.1--and probably all of 1.1.1/24 and 1.0.0/24--should now be included in the list of 'never route' addresses, because what's on my private LAN is no one else's business.


DNS over HTTPS in Firefox

Posted Jun 1, 2018 16:50 UTC (Fri) by Sesse (subscriber, #53779)

1.1.1.1 is not private address space, so if you're using it on your LAN, you're doing it wrong.

DNS over HTTPS in Firefox

Posted Jun 1, 2018 18:35 UTC (Fri) by flussence (guest, #85566) (6 responses)

"1dot1dot1dot1.cloudflare-dns.com" isn't Cloudflare ARP scanning your LAN remotely — which is in fact impossible unless you're sitting in their datacentre and connected to their server with a crossover cable — that's just what the official owner of 1.1.1.1 has set its reverse DNS to.

It sounds like someone else on your LAN already decided to hijack 1.1.1.1 for use in a non-routable (and standards-breaking) way. You can null route it, but you may find yourself locked out from trashy Cisco hardware and the like.

DNS over HTTPS in Firefox

Posted Jun 1, 2018 22:03 UTC (Fri) by ajs124 (guest, #110052) (2 responses)

Vodafone (Germany) does that. Their router (EasyBOX 804, in my case) firmware was evidently written by someone that has never even taken a look at any DNS or other Internet related RFC.

First it MITMs your DNS, but only on UDP, apparently TCP was too much effort. Then it breaks DNSSEC.

And if there's no connection to the outside world, it just starts to return 1.1.1.1, because that's totally not a private IP space anyone is ever going to use. Oh wait.

They also don't deploy IPv6, because when is that ever going to catch on?

DNS over HTTPS in Firefox

Posted Jun 5, 2018 13:42 UTC (Tue) by darwish (guest, #102479)

> Vodafone (Germany) ... don't deploy IPv6, because when is that ever going to catch on?

I have a "Vodafone Kabel Deutschland" Internet connection at home, and there is IPv6, completely out of the box, _and enabled by default_.

Opening Google and asking "what is my IP" always shows my IPv6 address.

DNS over HTTPS in Firefox

Posted Jun 17, 2018 16:52 UTC (Sun) by nilsmeyer (guest, #122604)

I remember when it still was Kabel Deutschland they were hijacking NXDOMAIN, instead displaying a search engine with lots of advertising.

DNS over HTTPS in Firefox

Posted Jun 4, 2018 16:28 UTC (Mon) by jmanig (guest, #120108) (2 responses)

> that's just what the official owner of 1.1.1.1 has set its reverse DNS to.

Actually, 1.1.1.1 seems to be Cloudflare's new DNS over HTTPS server, or at least if the https://1.1.1.1 website is to be believed. I'll admit I just looked quickly and did not dig into whether this is legit or not.

DNS over HTTPS in Firefox

Posted Jun 4, 2018 17:40 UTC (Mon) by tialaramex (subscriber, #21167) (1 response)

Yes, but the point is that when you use software to examine ARP packets on your local network, that software isn't magically divining the true identity of the sender of those packets; if the packets have IP address 1.1.1.1, the software just does rDNS and says 1dot1dot1dot1.cloudflare-dns.com because that's what the entry for 1.1.1.1 in the reverse DNS says.

Now, is it technically possible that a Cloudflare DNS server is on your LAN? Sure (maybe "your LAN" is in a datacentre or you work for Cloudflare). Is it likely? Nope, lots of idiots hijack 1.1.1.1 because they figure they'll pick a real value later, or they assume it's unused because it wasn't used back when they wrote their software, or just because they're very lazy and unimaginative.

And yes, it's legitimate. The 1.1.1.0/24 network (and several others in that neighbourhood) are so poisoned as to be useless for most purposes because of the hijacking I mentioned. However, this particular address is memorable and thus valuable to Cloudflare. They struck a deal with, IIRC, APNIC (the RIR for the Asia Pacific region), who were unable to issue this address to an LIR because it's poisoned: Cloudflare's DoS-resistant network resources would be used to monitor the subnet for APNIC, and in exchange APNIC would let them advertise anycast routing into this /24 (effectively just for 1.1.1.1 itself) to run DNS services around the world.

DNS over HTTPS in Firefox

Posted Jun 4, 2018 19:37 UTC (Mon) by jmanig (guest, #120108)

OK, I understand your comment a little better now. Thank you for the clarification.

DNS over HTTPS in Firefox

Posted Jun 6, 2018 15:00 UTC (Wed) by buchanmilne (guest, #42315)

> That might explain the disconcerting ARP traffic (who-has w.x.y.z, tell 1dot1dot1dot1.cloudflare-dns.com) that now appears on my LAN.

Use tcpdump -nn to avoid being fooled by the change in reverse DNS for 1.1.1.1.

Or, set your DNS servers up to claim authority for 1.1.1.in-addr.arpa if you are going to steal someone else's public address space on your private LAN ...

> I suspect that 1.1.1.1--and probably all of 1.1.1/24 and 1.0.0/24--should now be included in the list of 'never route' addresses, because what's on my private LAN is no one else's business.

Your private LAN has no business being on 1.1.1/24, or any subnet of 1/8.
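A defender-side check for the situation the thread describes, added here as an example that is not from any of the commenters: it parses numeric (tcpdump -nn) ARP output, so the cloudflare-dns.com reverse name cannot mislead, and flags any LAN node that asks or answers from 1.1.1.0/24, 1.0.0.0/24 or any other public address. The tcpdump line format is as tcpdump prints ARP requests and replies, and the sample capture is constructed, not a real trace.

```python
import ipaddress
import re

# Constructed sample of `tcpdump -nn -i eth0 arp` output (not a real capture);
# -nn keeps addresses numeric so reverse DNS never enters the picture.
SAMPLE_CAPTURE = """\
16:36:01.101 ARP, Request who-has 192.168.1.20 tell 192.168.1.1, length 46
16:36:01.205 ARP, Reply 192.168.1.20 is-at aa:bb:cc:dd:ee:01, length 28
16:36:02.310 ARP, Request who-has 192.168.1.20 tell 1.1.1.1, length 46
16:36:02.402 ARP, Reply 1.1.1.1 is-at aa:bb:cc:dd:ee:ff, length 28
16:36:03.417 ARP, Request who-has 192.168.1.30 tell 1.0.0.1, length 46
16:36:04.522 ARP, Request who-has 10.0.0.5 tell 0.0.0.0, length 46
"""

ARP_REQUEST = re.compile(r"ARP, Request who-has (\S+) tell (\S+),")
ARP_REPLY = re.compile(r"ARP, Reply (\S+) is-at (\S+),")

# Ranges the thread describes as squatted by router firmware; because they now
# carry public anycast DNS, a LAN node speaking from them is misconfigured at
# best and impersonating the resolver at worst.
POISONED_PREFIXES = [ipaddress.ip_network("1.1.1.0/24"),
                     ipaddress.ip_network("1.0.0.0/24")]


def classify(ip: str) -> str:
    """Return "ok" for an address that legitimately belongs on a private LAN."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in POISONED_PREFIXES):
        return "hijacked-public-dns-range"
    # is_private covers RFC 1918, link-local and 0.0.0.0 (ARP probes / DHCP).
    if addr.is_private:
        return "ok"
    return "public-address-on-lan"


def audit_arp(capture: str) -> list:
    """Return (ip, evidence, verdict) for every LAN node using a non-LAN address."""
    findings = []
    for line in capture.splitlines():
        if m := ARP_REQUEST.search(line):
            target, ip = m.groups()
            evidence = "asked for " + target
        elif m := ARP_REPLY.search(line):
            ip, mac = m.groups()
            evidence = "claimed by " + mac        # the MAC to go hunting for
        else:
            continue
        verdict = classify(ip)
        if verdict != "ok":
            findings.append((ip, evidence, verdict))
    return findings
```

Feed it the output of `tcpdump -nn -i <iface> arp` to get the MAC of whatever on the LAN is answering for 1.1.1.1.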


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds