Using CloudFlare 1.1.1.1 with TLS
Released in April 2018 by Cloudflare, 1.1.1.1 is a very attractive choice for resolving your DNS queries. It claims to be the fastest, although that depends on your location. It scores well on privacy by keeping query logs for at most 24 hours, and it offers an encrypted link over TLS (DNS over TLS, port 853).
Here is how to use the encrypted TLS version of their service (on a Linux box):
Install Unbound
sudo apt-get install unbound
Configure Unbound
sudo cp /etc/unbound/unbound.conf /etc/unbound/unbound.conf.original
sudo tee /etc/unbound/unbound.conf >/dev/null <<'EOF'
server:
    verbosity: 1
    do-tcp: yes
    do-udp: yes
    interface: 192.168.1.1          # LAN address of this box; change to match
    interface: 127.0.0.1
    num-threads: 1
    root-hints: /etc/unbound/root.hints    # file must exist (or drop this line)
    outgoing-port-permit: 32768-60999
    outgoing-port-avoid: 0-32767
    log-time-ascii: yes
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow
    username: "unbound"

forward-zone:
    name: "."
    forward-addr: 1.1.1.1@853       # 853 is the DNS-over-TLS port
    forward-ssl-upstream: yes
EOF
Start Unbound
sudo systemctl start unbound
echo "nameserver 127.0.0.1" | sudo tee /etc/resolv.conf
Test Unbound
[root@desktop ~]# dig example.com
; <<>> DiG 9.11.2-P1-RedHat-9.11.2-1.P1.fc27 <<>> example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32326
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;example.com. IN A
;; ANSWER SECTION:
example.com. 3468 IN A 93.184.216.34
;; Query time: 0 msec
;; SERVER: 127.0.53.53#53(127.0.0.1)
;; WHEN: Tue Apr 03 22:38:37 NZST 2018
;; MSG SIZE rcvd: 56
Notice the query time of 0 ms: because I queried it earlier, it got cached. The first query took about 150 ms because TLS adds overhead.