The Cloudflare Blog

Subscribe to receive notifications of new posts:

Encrypting DNS end-to-end

2018-12-21

Irtefa

1 min read

Over the past few months, we have been running a pilot with Facebook to test the feasibility of securing the connection between 1.1.1.1 and Facebook’s authoritative name servers. Traditionally, the connection between a resolver and an authoritative name server is unencrypted i.e. over UDP.

In this pilot we tested how an encrypted connection using TLS impacts the end-to-end latency between 1.1.1.1 and Facebook’s authoritative name servers. Even though the initial connection adds some latency, the overhead is amortized over many queries. The resulting DNS latency between 1.1.1.1 and Facebook’s authoritative name servers is on par with the average UDP connections.

To learn more about how the pilot went, and to see more detailed results, check out the complete breakdown over on Code, Facebook's Engineering blog.

Cloudflare's connectivity cloud protects entire corporate networks, helps customers build Internet-scale applications efficiently, accelerates any website or Internet application, wards off DDoS attacks, keeps hackers at bay, and can help you on your journey to Zero Trust.

Visit 1.1.1.1 from any device to get started with our free app that makes your Internet faster and safer.

To learn more about our mission to help build a better Internet, start here. If you're looking for a new career direction, check out our open positions.

1.1.1.1 DNS Resolver Speed & Reliability TLS

Follow on X

Cloudflare|@cloudflare

November 08, 2024 2:00 PM

How we prevent conflicts in authoritative DNS configuration using formal verification

We describe how Cloudflare uses a custom Lisp-like programming language and formal verifier (written in Racket and Rosette) to prevent logical contradictions in our authoritative DNS nameserver’s behavior....

DNS, Research, Addressing, Formal Methods

November 07, 2024 2:00 PM

A look at the latest post-quantum signature standardization candidates

NIST has standardized four post-quantum signature schemes so far, and they’re not done yet: there are fourteen new candidates in the running for standardization. In this blog post we take measure of them and discover why we ended up with so many PQ signatures....

Bas Westerbaan,
Luke Valenta

Post-Quantum, Research, Cryptography, TLS

October 29, 2024 2:00 PM

Migrating billions of records: moving our active DNS database while it’s in use

DNS records have moved to a new database, bringing improved performance and reliability to all customers....

Alex Fattouche,
Corey Horton

DNS, API, Database, Kafka, Postgres, Tracing, Quicksilver

October 09, 2024 1:00 PM

Improving platform resilience at Cloudflare through automation

We realized that we need a way to automatically heal our platform from an operations perspective, and designed and built a workflow orchestration platform to provide these self-healing capabilities across our global network. We explore how this has helped us to reduce the impact on our customers due to operational issues, and the rich variety of similar problems it has empowered us to solve....

Opeyemi Onikute

Edge, Engineering, Serverless, Developer Platform, Developers, Agile Developer Services, Go, Reliability, Speed & Reliability