Cloudflare dns server 1.1.1.1

 

Cloudflare has launched new free public DNS resolvers 1.1.1.1 and 1.0.0.1 on April Fools day 2018 (This is not a joke, its a real service). This service competes directly with Google's and OpenDNS's public resolvers.

Cloudflare claims to build the new resolvers with Security and Speed as basic features. Here are the results for latency test for both 1.1.1.1 and 8.8.8.8 from all over the world for comparison (Click on the image to zoom).

CloudFlare 1.1.1.1 DNS Latency Test

Cloudflare

Google 8.8.8.8 DNS Latency Test

Google

 

 

 

 

 

 

Of course this is just a simple latency test and actual performance may vary depending on different other factors.

Memorable IP Address

Until now Google 8.8.8.8 used to be the most memorable publicly used ip address followed by Level 3's 4.2.2.2. Cloudflare's 1.1.1.1 is not more memorable than Google's 8.8.8.8 but I have to admit its way cooler. This is important because you can use domain names so you dont have to remember ip addresses of websites but you cannot do it with DNS servers and you need to know the ip address.

DNS-over-TLS and DNS-over-HTTPS Support

DNS protocol was not designed with security in mind because at the time it was designed it did not need it. Its not true for today's internet. For that reason CloudFlare's DNS servers support both DNS-over-TLS and DNS-over-HTTPS from day 1.

Fastest DNS Server

Cloudflare has also posted in their blog that DNSPerf has ranked 1.1.1.1 as the fastest DNS server with an average of 14ms of query speed. Of course you will get different results based on your location and whether or not you are a Cloudflare customer.

DNS Query Name Minimisation to Improve Privacy

Cloudflare also supports DNS Query Name Minimisation to Improve Privacy as defined in RFC7816 which means that Cloudflare's DNS resolvers do not send full query to the upstream name servers which reduces the information leaked to upstream DNS servers, like the root and TLDs.

IPv6 Support

Along with 1.1.1.1 and 1.0.0.0.1 Cloudflare has also provided memorable ip addresses for their IPv6 DNS servers 2606:4700:4700::1111 and 2606:4700:4007::1001.

You can learn more about Cloudflare's DNS server's on https://1.1.1.1

Let's Encrypt has recently started supporting wildcard certificates using its new ACME2 protocol. This means that you can have a single wildcard certificate like *.asknetsec.com and use it on all the other sub-domains like blog.askenetsec.com, email.asknetsec.com.

This makes is very easy to manage certificates for different sub-domains. Until now each sub-domain needed its own certificate generated for the specific sub-domain.

Install Certbot

Certbot is not available in the default ubuntu repository. Run the below command to add ppa repository.

sudo add-apt-repository ppa:certbot/certbot

This will add the repository from where certbot can be installed

sudo add-apt-repository ppa:certbot/certbot
This is the PPA for packages prepared by Debian Let's Encrypt Team and backported for Ubuntu(s).
More info: https://launchpad.net/~certbot/+archive/ubuntu/certbot
Press [ENTER] to continue or ctrl-c to cancel adding it

gpg: keyring `/tmp/tmp1hyvak__/secring.gpg' created
gpg: keyring `/tmp/tmp1hyvak__/pubring.gpg' created
gpg: requesting key 75BCA694 from hkp server keyserver.ubuntu.com
gpg: /tmp/tmp1hyvak__/trustdb.gpg: trustdb created
gpg: key 75BCA694: public key "Launchpad PPA for certbot" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
OK

Update packages

sudo apt update

Run below command to install certbot

sudo apt install certbot

Make sure that you are using Certbot version 0.22 or above. Certbot before the version 0.22 does not support wildcard certificate.

Steps to generate wildcard certificate

Run this below command on the linux cli.

$ sudo certbot certonly --manual -d *.asknetsec.com --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory

Replace *.asknetsec.com with your domain name for example *.yourdomainname.com. Once you run this command it will generate a text DNS value.

The command output will be similar to the one below

debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): admin@asknetsec.com
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: N
Starting new HTTPS connection (1): supporters.eff.org
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for asknetsec.com

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.asknetsec.com with the following value:

AVOwxVcSTfASueHcoOosBFF4sxEFZuso5ip6w63GrMs

Before continuing, verify the record is deployed.

-------------------------------------------------------------------------------
Press Enter to Continue

Create a text DNS record for the sub-domain  _acme-challenge.yourdomainname.com with the value generated by certbot when the above command is run. In my case the value was AVOwxVcSTfASueHcoOosBFF4sxEFZuso5ip6w63GrMs.

You will have to wait for some time for the new DNS record to propagate over the internet. I waited for 10 minutes and pressed enter.

Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/asknetsec.com-0001/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/asknetsec.com-0001/privkey.pem
Your cert will expire on 2018-06-21. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

Congratulations!! The wildcard certificate is generated. You can use this wildcard certificate with any sub-domain you create for your domain name.

Microsoft has released an out of band patch to fix the "Meltdown" vulnerability on 3rd of Jan 2018. More details of the patch can be found on the official KB4056892 page.

This patch is available only for Windows 10 OS. The patch will install automatically once the PC connects to internet.

 

There has been multiple reports of some application not being compatible with this latest patch. Certain Antiviruses are causing blue-screen after installing the Meltdown patch.

There has been reports of some SSL VPN applications not connecting to the server after the patch is applied

Antivirus vendors are releasing patch to fix the compatibility issues but it may take a few days for all of them to be available.

I would recommend you to update all the important application installed on the PC before applying this patch to prevent any incompatibility issues.

If you the patch is already installed and there is some critical application causing issues, you can try to uninstall the patch and check if the application works without this patch.