
Cloudflare is introducing Malware and Adult DNS filters.

We all know and love the 1.1.1.1 DNS from Cloudflare. But now, on this foolish day, Cloudflare has announced two new DNS addresses that were quite in demand apparently. (technically four new DNS 😅).

 

Here's a partial quote from the article, which I encourage you to go and read the source of:

Quote

Since launching 1.1.1.1, the number one request we have received is to provide a version of the product that automatically filters out bad sites. While 1.1.1.1 can safeguard user privacy and optimize efficiency, it is designed for direct, fast DNS resolution, not for blocking or filtering content. The requests we’ve received largely come from home users who want to ensure that they have a measure of protection from security threats and can keep adult content from being accessed by their kids. Today, we're happy to answer those requests.


Introducing 1.1.1.1 for Families

[...] it includes the same strong privacy guarantees that we committed to when we launched 1.1.1.1 two years ago. And, just like 1.1.1.1, we're providing it for free and it’s for any home anywhere in the world.

Two Flavors: 1.1.1.2 (No Malware) & 1.1.1.3 (No Malware or Adult Content)
 

1.1.1.1 for Families has two default options: one that blocks malware and the other that blocks malware and adult content. You choose which setting you want depending on which IP address you configure.
 

Malware Blocking Only
Primary DNS: 1.1.1.2
Secondary DNS: 1.0.0.2

 

Malware and Adult Content
Primary DNS: 1.1.1.3
Secondary DNS: 1.0.0.3

 

For IPv6 use:

Malware Blocking Only
Primary DNS: 2606:4700:4700::1112
Secondary DNS: 2606:4700:4700::1002

 

Malware and Adult Content
Primary DNS: 2606:4700:4700::1113
Secondary DNS: 2606:4700:4700::1003


Now I'm sure I know what you're thinking.
Surely this is a joke right? It IS April fool's day, after all. Nope.

Quote

Not A Joke

Most of Cloudflare's business involves selling services to businesses. However, we've made it a tradition every April 1 to launch a new consumer product that leverages our network to bring more speed, reliability, and security to every Internet user. While we make money selling to businesses, the products we launch at this time of the year are close to our hearts because of the broad impact they have for every Internet user.

It actually works!

I've tried the 1.1.1.3 DNS on my router and it did indeed block those darn websites that are just everywhere these days.

Honestly, this is great for families and likely for system admins of various businesses too, to prevent their users from watching pr0n on the job.

I've been using the 1.1.1.1 DNS for a while now and am quite satisfied with it. But with these new DNS, I'm making the switch.

Certainly, I am not personally going to use the 1.1.1.3 DNS... For obvious reasons  ( ͡° ͜ʖ ͡°).
But if the 1.1.1.2 DNS can offer somewhat additional protection, I'm happy to switch to it and will likely add this DNS to the list of things I should change on other networks that I manage.

 

Source:

https://blog.cloudflare.com/introducing-1-1-1-1-for-families/

CPU: AMD Ryzen 3700x / GPU: Asus Radeon RX 6750XT OC 12GB / RAM: Corsair Vengeance LPX 2x8GB DDR4-3200
MOBO: MSI B450m Gaming Plus / NVME: Corsair MP510 240GB / Case: TT Core v21 / PSU: Seasonic 750W / OS: Win 10 Pro


PIA! Private Internet Access allows you to browse the web anonymously, and safely using military grade encryption, multi hop, and more. It also allows you to access porn sites when your parents have set the default DNS of your router to block out all the nastiness. Click the link in the video description to learn more.

 

 


My first thought is

  1. how good is it at catching things (what percent of things that should be filtered get through anyway), and
  2. how good is it at not over-reaching (what percent of things that should be allowed get blocked by mistake).

Sounds like a good idea, I just wonder where they're getting the data from to apply this filter.

 

Edit: Reading the comments on their page, it appears as though (unsurprisingly) there are serious problems with the .3 version in both of these regards.  I'm mainly interested in the malware protection though...

Edited by Ryan_Vickers

Solve your own audio issues  |  First Steps with RPi 3  |  Humidity & Condensation  |  Sleep & Hibernation  |  Overclocking RAM  |  Making Backups  |  Displays  |  4K / 8K / 16K / etc.  |  Do I need 80+ Platinum?

If you can read this you're using the wrong theme.  You can change it at the bottom.


Quote

 Cloudflare is introducing Malware

That part really caught my attention.

Make sure to quote or tag me (@JoostinOnline) or I won't see your response!

PSU Tier List  |  The Real Reason Delidding Improves Temperatures"2K" does not mean 2560×1440 


Hmmm, my local DNS resolver already does this for my home network with filters for ads/trackers, plus I can redirect external DNS to local to enforce this rule.

Magical Pineapples

There is also NextDNS which is more flexible as you can pick what lists you want to use or even curate your own black/whitelist. With logs, analytics and all that jazz. You can also turn all of it off and it'll act as DNS alone.


Well interesting though for malware filter. 

| Ryzen 7 7800X3D | AM5 B650 Aorus Elite AX | G.Skill Trident Z5 Neo RGB DDR5 32GB 6000MHz C30 | Sapphire PULSE Radeon RX 7900 XTX | Samsung 990 PRO 1TB with heatsink | Arctic Liquid Freezer II 360 | Seasonic Focus GX-850 | Lian Li Lanccool III | Mousepad: Skypad 3.0 XL / Zowie GTF-X | Mouse: Zowie S1-C | Keyboard: Ducky One 3 TKL (Cherry MX-Speed-Silver)Beyerdynamic MMX 300 (2nd Gen) | Acer XV272U | OS: Windows 11 |


Where's the IPv6 versions? We're in the future man, we shouldn't be using older tech

PLEASE QUOTE ME IF YOU ARE REPLYING TO ME

Desktop Build: Ryzen 7 2700X @ 4.0GHz, AsRock Fatal1ty X370 Professional Gaming, 48GB Corsair DDR4 @ 3000MHz, RX5700 XT 8GB Sapphire Nitro+, Benq XL2730 1440p 144Hz FS

Retro Build: Intel Pentium III @ 500 MHz, Dell Optiplex G1 Full AT Tower, 768MB SDRAM @ 133MHz, Integrated Graphics, Generic 1024x768 60Hz Monitor


 


8 minutes ago, rcmaehl said:

Where's the IPv6 versions? We're in the future man, we shouldn't be using older tech

It's in the source.

It originally wasn't in the article, but I had seen them in their comments. I wasn't sure if it was legit or not, hence why I hadn't added them.
Now that they've edited their article to add this info, I've also added them to the original post.

 

Malware Blocking Only
Primary DNS: 2606:4700:4700::1112
Secondary DNS: 2606:4700:4700::1002

 

Malware and Adult Content
Primary DNS: 2606:4700:4700::1113
Secondary DNS: 2606:4700:4700::1003

CPU: AMD Ryzen 3700x / GPU: Asus Radeon RX 6750XT OC 12GB / RAM: Corsair Vengeance LPX 2x8GB DDR4-3200
MOBO: MSI B450m Gaming Plus / NVME: Corsair MP510 240GB / Case: TT Core v21 / PSU: Seasonic 750W / OS: Win 10 Pro


Imagine being the person that has to review every site on the mature ban list. 

Specs: Motherboard: Asus X470-PLUS TUF gaming (Yes I know it's poor but I wasn't informed) RAM: Corsair VENGEANCE® LPX DDR4 3200Mhz CL16-18-18-36 2x8GB

            CPU: Ryzen 9 5900X          Case: Antec P8     PSU: Corsair RM850x                        Cooler: Antec K240 with two Noctura Industrial PPC 3000 PWM

            Drives: Samsung 970 EVO plus 250GB, Micron 1100 2TB, Seagate ST4000DM000/1F2168 GPU: EVGA RTX 2080 ti Black edition


25 minutes ago, williamcll said:

Imagine being the person that has to review every site on the mature ban list. 

Dream job.

CPU: AMD Ryzen 3700x / GPU: Asus Radeon RX 6750XT OC 12GB / RAM: Corsair Vengeance LPX 2x8GB DDR4-3200
MOBO: MSI B450m Gaming Plus / NVME: Corsair MP510 240GB / Case: TT Core v21 / PSU: Seasonic 750W / OS: Win 10 Pro


1 hour ago, williamcll said:

Imagine being the person that has to review every site on the mature ban list. 

Apparently it's not manually reviewed. It's a list from a provider

 

PLEASE QUOTE ME IF YOU ARE REPLYING TO ME

Desktop Build: Ryzen 7 2700X @ 4.0GHz, AsRock Fatal1ty X370 Professional Gaming, 48GB Corsair DDR4 @ 3000MHz, RX5700 XT 8GB Sapphire Nitro+, Benq XL2730 1440p 144Hz FS

Retro Build: Intel Pentium III @ 500 MHz, Dell Optiplex G1 Full AT Tower, 768MB SDRAM @ 133MHz, Integrated Graphics, Generic 1024x768 60Hz Monitor


 


11 hours ago, Doobeedoo said:

Well interesting though for malware filter. 

They would know, since they protect 99% of it.


We already use Bitdefender Gravityzone for my family's small business with 7 computers and that does the job for blocking not just malware but also job search and porn sites. It would be interesting to see how a malware/porn blocking DNS resolver complements what we use.

 


To be honest, I see this as a good parental control in the house or if you want your customers to stop watching porn in a small coffee shop. There's always VPN to circumvent it but with some investments, VPNs can be blocked too.

There is more that meets the eye
I see the soul that is inside

 

 


On 4/2/2020 at 6:54 AM, TetraSky said:

Surely this is a joke right? It IS April fool's day, after all. Nope.

1.1.1.1 released on 1st April as well. 

| Intel i7-3770@4.2Ghz | Asus Z77-V | Zotac 980 Ti Amp! Omega | DDR3 1800mhz 4GB x4 | 300GB Intel DC S3500 SSD | 512GB Plextor M5 Pro | 2x 1TB WD Blue HDD |
 | Enermax NAXN82+ 650W 80Plus Bronze | Fiio E07K | Grado SR80i | Cooler Master XB HAF EVO | Logitech G27 | Logitech G600 | CM Storm Quickfire TK | DualShock 4 |


13 hours ago, rcmaehl said:

Apparently it's not manually reviewed. It's a list from a provider

That just shifts the question though.  How does that provider make the list?

Solve your own audio issues  |  First Steps with RPi 3  |  Humidity & Condensation  |  Sleep & Hibernation  |  Overclocking RAM  |  Making Backups  |  Displays  |  4K / 8K / 16K / etc.  |  Do I need 80+ Platinum?

If you can read this you're using the wrong theme.  You can change it at the bottom.


Why is malware filtering not on their normal DNS? Seems like something that should be always on

🌲🌲🌲

 

 

 

◒ ◒ 


1.1.1.3 and IPv6 are not working currently for me; it seems they're not being accepted in the settings [won't validate].

I'll just use the 1.1.1.2 for now until they get that resolved.

 

I hope they get this feature included in their upcoming Android 1.1.1.1 app updates.

COMMUNITY STANDARDS   |   TECH NEWS POSTING GUIDELINES   |   FORUM STAFF

LTT Folding Users Tips, Tricks and FAQ   |   F@H & BOINC Badge Request   |   F@H Contribution    My Rig   |   Project Steamroller

I am a Moderator, but I am fallible. Discuss or debate with me as you will but please do not argue with me as that will get us nowhere.

 


  

 

Character is like a Tree and Reputation like its Shadow. The Shadow is what we think of it; The Tree is the Real thing.  ~ Abraham Lincoln

Reputation is a Lifetime to create but seconds to destroy.

You have enemies? Good. That means you've stood up for something, sometime in your life.  ~ Winston Churchill

Docendo discimus - "to teach is to learn"

 

 CHRISTIAN MEMBER

37 minutes ago, Arika S said:

Why is malware filtering not on their normal DNS? Seems like something that should be always on

Several reasons for it, but here are two.

1) DNS was never meant to provide protection from malware. It's kind of like making a keyboard where you can't type certain words because "they might be dangerous". The default, if you ask me, should be for a DNS to just do its job, which is translating domain names to IP addresses. It shouldn't get in the way and decide which sites I can and can't visit.

2) There is always a risk of false positives. If you switch to the malware free DNS resolver you might run into issues where you can't visit certain sites because your DNS provider THINKS that they are malicious, but they aren't. If that happens to someone slightly less tech literate they will have problems. Just look at the shitstorm the adult filter has caused by blocking some LGBTQ sites (because they talk about things such as sex).

Also, I strongly recommend that you do not read too much of that twitter thread and the replies. It's full of lunatics that believe Cloudflare is doing this to promote nazis and censor LGBTQ people. Because obviously that's the logical explanation and not that those sites are full of keywords related to sex which also happens to be on a lot of porn websites. Nahh, that's totally unreasonable...


56 minutes ago, Ryan_Vickers said:

That just shifts the question though.  How does that provider make the list?

I'm guessing they're logging each IP address and URL from their DNS resolver and classifying sites as either clean, pornographic or malicious/phishing via an automated classifier.

There is more that meets the eye
I see the soul that is inside

 

 


2 minutes ago, captain_to_fire said:

I'm guessing they're logging each IP address and URL from their DNS resolver and classifying sites as either clean, pornographic or malicious/phishing via automated classifiers or through a manual review.

 

Antivirus programs and even the Google Safe Browsing API do something similar via their telemetry.

It was semi-rhetorical.  I assume all lists are some combination of AI or other less sophisticated (keyword-based) automated screening, and manual reviews (blacklists).  My point is just that whatever the process is, it's important to know since it will impact the issues you experience, and there will be issues.  No list I've used has ever had a 100% catch rate or avoided ever having a false positive.

Solve your own audio issues  |  First Steps with RPi 3  |  Humidity & Condensation  |  Sleep & Hibernation  |  Overclocking RAM  |  Making Backups  |  Displays  |  4K / 8K / 16K / etc.  |  Do I need 80+ Platinum?

If you can read this you're using the wrong theme.  You can change it at the bottom.
