Cloudflare has become a nearly ubiquitous cloud service provider in recent years, fronting many of the busiest web sites on the Internet. They provide tremendous value both in terms of security and performance for their customers. They have a wide array of solutions designed to provide better security, including optimized SSL/TLS configuration and Web Application Firewall (WAF) capabilities. Their DDoS mitigation service is second to none, and their robust Content Delivery Network (CDN) ensures optimal loading of content for web sites anywhere in the world.
Public DNS Resolver
Recently Cloudflare announced their first consumer service, a public DNS resolver that is free for general use. It offers exceptional performance and supports many of the latest DNS security and privacy enhancements such as DNS-over-TLS. Cloudflare has also pledged not to write DNS queries to disk at all and not to store them for more than 24 hours to further ensure privacy for their customers.
DNS Security Controls
What Cloudflare DNS is lacking today is granular security enforcement to provide additional protection for client computers outside the firewall. For example, public DNS resolvers from OpenDNS and Quad9 have built-in security features that use threat intelligence to identify and block DNS name resolution requests for domains that are known to be malicious or unsafe. OpenDNS has the added benefit of providing more granularity for setting policy, allowing administrators to select different filtering levels and optionally to create custom policies to allow or block individually selected categories. With OpenDNS, security administrators can also manage domains individually by manually assigning allow or block to specific, individual domains as necessary.
Recommended Use Cases
Cloudflare DNS clearly offers the best performance of all public DNS resolvers today, which makes it a good candidate for servers that rely heavily on DNS for operation. Mail servers come to mind immediately, but any system that performs many forward and/or reverse DNS lookups would benefit from using Cloudflare DNS. Cloudflare DNS can also be used by client machines where better performance and enhanced privacy are desired.
Quad9 DNS is a good choice for client computers where additional security is required. OpenDNS is the best choice where the highest level of security is required, and where granular control of security and web filtering policies is necessary.
Additional Information
David Redekop (@DRtheNerd)
/ April 3, 2018Good high-level assessment, I wrote about the perspective of different stakeholders which are quite distinct (end-user, sysadmin, provider, nation state) but also surprising how little coverage the circumvention opportunity has become. OpenDNS or Quad9 has just become that much more difficult to be enforced at the network edge:
https://www.dnsthingy.com/2018/04/dns-over-tls-or-https-the-rest-of-the-story/
Richard M. Hicks
/ April 3, 2018Thanks David. Controlling DNS behavior is an often overlooked aspect of network security. It is not uncommon to see enterprise firewalls configured to allow DNS queries to *any* public resolver, which is obviously a bad idea. 😉 I think the real challenge is for managed clients outside the firewall. There are some good cloud-based filtering solutions that can be used to address those challenges though.