Related post here in the forum from Jul 2024: BGP hijack of Cloudflare's DNS 1.1.1.1
Yeah I was using 1.1.1.1 on some of my servers because (I’m lazy and) I directly peer with them so it’s convenient, and that caused some downtime lol
Just goes to show you can never rely on anyone but yourself, time to break out the self-hosted DNS resolvers.
Cloudflare is an interesting company because they position themselves as this big and independent cloud computing giant, but they have frequent outages, sometimes caused by third parties. They recently had a much more major outage that was caused by Google Cloud having an outage, which was surprising to me. You’d think a company like Cloudflare wouldn’t tie their critical infra to a separate cloud provider.
It is often about convenience or independence. I myself ponder about these topics frequently. Absolute independence is not possible. Trusting someone or some company is not in general bad. But I am definitely more on the not trusting side of the spectrum and try to avoid dependencies as well as possible.
If I had to build a company I would try to vertically integrate it. Meaning I would try to produce every resource from the bottom up to my end product. Which is a lot harder than just doing one thing and outsourcing the rest.
Back to Cloudflare. I don’t think Cloudflare is a bad actor, they do a lot of good. I only feel they’ve gotten too big and if something gets too big and it breaks, well that has ripple effects.
Unbound really is great, use it at home
I think some of that infra is stuff that they haven’t had the chance to move to their own data centers yet, which sucks but also the % of the web that relies on just a few big providers is scary
I use Unbound with OpenWrt as well. I believe there is even an option to encrypt DNS over TLS through Cloudflare servers.
I also use Unbound, but I forward the queries. Maybe it's time to either stop forwarding them or at least add some more in case some zone goes down.
I don’t think there’s much benefit in forwarding to public resolvers instead of simply using root hints and resolving directly. You’d benefit slightly from the cache on the public resolver for domains you’ve never visited before but someone else has. Otherwise it’s pretty much just slower than fully resolving names and caching them in Unbound yourself.
Good point. I think I was resource constrained when I set it up and thought I would save on resources. But it can’t be that much more and the situation also changed. Will definitely change that soon. Thanks!
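Added example, not config posted by anyone in this thread: the two Unbound setups being contrasted above, side by side. Option A is the single-forwarder setup that ties every lookup to one public resolver (the dependency that bit people during the 1.1.1.1 hijack); option B has Unbound resolve from the root hints itself, with DNSSEC validation and prefetching to narrow the cold-cache gap mentioned earlier. Option C is for anyone who still wants to forward (e.g. for the DNS-over-TLS mentioned above) but with more than one upstream so a single provider outage does not take local resolution down. The file paths are assumptions and vary by distro; pick one option per resolver, since a `forward-zone` for `"."` takes precedence over root hints.

```conf
# Option A: forward everything to one public resolver.
# Every query depends on that single upstream; a hijack or outage there
# stops local name resolution with it.
server:
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow

forward-zone:
    name: "."
    forward-addr: 1.1.1.1

# ----------------------------------------------------------------------
# Option B: resolve directly from the root servers (no forwarding).
# Unbound walks the delegation chain itself, validates DNSSEC and caches.
server:
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    # Assumed path; the file is the root zone hint list (named.root) from IANA/InterNIC.
    root-hints: "/etc/unbound/root.hints"
    # Assumed path; created and maintained by unbound-anchor for DNSSEC validation.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    harden-dnssec-stripped: yes
    # Refresh popular records shortly before they expire, so the lack of a
    # shared public-resolver cache is felt less.
    prefetch: yes
    qname-minimisation: yes

# ----------------------------------------------------------------------
# Option C: still forward, but over TLS and to more than one upstream.
# Unbound falls back to the other forward-addr entries if one is unreachable.
server:
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    # Assumed path to the system CA bundle, used to verify the upstream's certificate.
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

forward-zone:
    name: "."
    forward-tls-upstream: yes
    # address@port#hostname: the hostname is checked against the TLS certificate
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 9.9.9.9@853#dns.quad9.net
```

Run `unbound-checkconf` after editing to catch syntax errors before a restart, and test validation with `dig +dnssec` against 127.0.0.1 to confirm the `ad` flag is set on a signed zone.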