In response to the security shortcomings of DNS, additional protocols such as Domain Name System Security Extensions (DNSSEC) have been created to mitigate those risks. DNSSEC essentially forms a signed chain of trust through the hierarchical infrastructure of DNS nodes, so that when a client resolves a name there is verification that the response it receives is legitimate. Cloudflare, a cloud-based company known for its content delivery network, DDoS mitigation, and security services, has recently made mainstream news with its new public consumer DNS offering. What makes Cloudflare’s public DNS so attractive is that it can compete with, if not surpass, Google’s DNS services in both performance and security. In their recent blog post published this past Sunday, they boast of their “fast and highly distributed network,” and claim they are the fastest authoritative DNS provider on the Internet with seven million Internet properties. Additionally, their new public DNS service supports DNS over HTTPS and DNS over TLS, so that queries are encrypted as they cross the Internet.
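The DNS over HTTPS transport mentioned above, as an added example that is not code from the original post or from Cloudflare: it builds an RFC 8484 GET request carrying a wire-format query with the AD bit requested, and reads the AD flag back from a response header, which is how a client can see whether the resolver validated DNSSEC. The endpoint URL and the sample response bytes are placeholders constructed for the example.

```python
import base64
import struct
from urllib.parse import urlencode

# Assumed resolver endpoint: a placeholder, not a real DoH service.
DOH_ENDPOINT = "https://doh.example.invalid/dns-query"
QTYPE_A = 1

def encode_name(name: str) -> bytes:
    """Wire-format a domain name: length-prefixed labels ending with a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS labels must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name: str, qtype: int = QTYPE_A) -> bytes:
    """One DNS query in RFC 1035 wire format. ID is 0, as RFC 8484 recommends so
    that identical GET requests are cache-friendly. RD asks for recursion; AD
    tells the resolver we understand the 'authentic data' (DNSSEC-validated) bit."""
    flags = 0x0100 | 0x0020  # RD | AD
    header = struct.pack("!HHHHHH", 0, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN

def doh_get_url(name: str, endpoint: str = DOH_ENDPOINT) -> str:
    """RFC 8484 GET form: base64url of the wire query, '=' padding stripped, in 'dns'."""
    b64 = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode("ascii")
    return endpoint + "?" + urlencode({"dns": b64})

def response_flags(wire: bytes) -> dict:
    """Read the header bits a client should check on the decoded HTTP body:
    RCODE (error status), AD (resolver validated DNSSEC), and the answer count."""
    _id, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", wire[:12])
    return {"rcode": flags & 0x000F, "ad": bool(flags & 0x0020), "answers": an}

# Constructed sample response header (not captured traffic):
# QR=1 RD=1 RA=1 AD=1, RCODE=NOERROR, one question, one answer record.
SAMPLE_RESPONSE = struct.pack("!HHHHHH", 0, 0x81A0, 1, 1, 0, 0)

if __name__ == "__main__":
    print(doh_get_url("example.com"))
    print(response_flags(SAMPLE_RESPONSE))
```

Send the URL with an `Accept: application/dns-message` header; a response whose AD bit is clear for a signed zone means the resolver did not (or could not) validate the chain of trust.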
What seems to make Cloudflare more attractive than Google is its emphasis on privacy and speed. Its goal, according to the blog, is to keep expanding its infrastructure until everyone is within 10 milliseconds of at least one of its DNS locations. Additionally, Cloudflare uses protocols such as DNS Query Name Minimization to minimize the information exposed as a query crosses DNS nodes. Furthermore, Cloudflare states it will never store any information in its logs that identifies end users, and all logs collected by the public resolvers will be deleted within 24 hours. Its resolvers are built from Knot Resolver, the open-source, modular DNS resolver that was released about two years ago and currently has a large and active user base.