April Fools day is normally filled with internet pranks, creative advertising and implausible stories. And so, when we saw that CloudFlare and APNIC had put together some marketing on a new DNS service, we thought it must be just another April Fools prank. It’s anything but.
What is DNS?
DNS is the way the internet finds things using “domain names”. It translates human readable addresses (like rwts.com.au) into “IP Addresses” in either IPv4 or IPv6 format. Every time you visit a website, or send an email, your computer asks a DNS server for the address of the website you are visiting, so that it can work out how to get there. DNS addresses have a mechanism to “expire” the address, so a computer can cache the answer for a period of time.
We, like every other ISP, host our own DNS servers for our customers. Our DNS servers handle a large volume of queries, and handle the important job of working out who to ask for the correct DNS address for a website. There are a number of public DNS servers, such as Google’s Anycast 22.214.171.124 DNS servers and OpenDNS.
In the days of streaming content, rich media applications, and SSL everywhere DNS is becoming more and more important, and increasingly a bottleneck to website performance.
Why does DNS make things slow?
So what is 126.96.36.199?
CloudFlare, in partnership with APNIC, have launched a new Public DNS service that is much faster than many other DNS systems. It also claims a strong privacy position, not storing any details or data about DNS queries. In our tests, it seems around 2x faster than our own DNS systems and up to 50x faster than Google’s 188.8.131.52.
We’ve tested a number of common websites that are behind CDNs (such as facebook.com, apple.com, smh.com.au) and have observed that the addresses being resolved closely match the ones our internal servers use — which means that you should still continue to receive the best content choices if you switch your browser to use these sites instead of our local resolvers.
Should I swap to using this instead of Real World or Oxygen’s resolvers?
This is a great question. We certainly don’t see any down sides at the moment, and we are certainly very happy with performance in our tests.
One of the more interesting things about this announcement is that APNIC has initially provided the address space to CloudFlare for a 5 year period, and at the end of 5 years will consider an application from CloudFlare to allow them to continue to run the program.
So, as long as CloudFlare keeps providing this service you’ll have at least 5 years to use it.
So how do I use it?
You can use the new DNS resolvers by changing your computer or router’s DNS settings to use 184.108.40.206 and 220.127.116.11 for IPv4 queries and 2606:4700:4700::1111 and 2606:4700:4007::1001 for IPv6 queries. For more details on how to do this, you can visit https://18.104.22.168/.
If you are in a business network, it’s important you do not change your computer DNS resolver details without first checking with your network administrator, as doing so will likely break your access to network shares, corporate websites and result in your computer being unable to log in.
Is it secure?
CloudFlare claims it is so. They are using this project to help combat internet censorship, and claim that they will never sell user data to a third party.
How fast is it?
We did a sample of 10 websites and compared Real World’s Recursive DNS servers, CloudFlare’s 22.214.171.124 and Google’s 126.96.36.199 on a Real World NBN connection. The websites we tested were pool.ntp.org, smh.com.au, apple.com, facebook.com, twitter.com, reddit.com, microsoft.com, google.com, and telstra.com.
Real World’s 188.8.131.52 scored an average of 45ms across the 9 tests. Cloudflare scored an average of 21ms across the 9 tests. Google scored an average of 126ms. Perhaps more telling is the standard deviation, which is 70ms for Real World, 126ms for Google and only 4ms for CloudFlare!
What do we take from this? Well, CloudFlare’s DNS servers are fast. Really fast.
I can’t access 184.108.40.206 — what’s going on?
We know that there are definitely going to be instances of people not being able to use this service. Some popular captive portal software and internet gateways use the address 220.127.116.11 for internal addresses. This has been against internet best practice for at least 10 years, but still persists in some hardware and network setups. Your Network Manager, infrastructure provider or hardware vendor may be able to adjust settings or help you define a technology pathway to upgrade to resolve this for you.