Cloudflare vs. OpenDNS vs. Google Public DNS

A few months ago, Cloudflare revealed their public DNS server, and I’ve been pleased so far. In addition to performance, Cloudflare claims to be investing heavily in the security of DNS. The top competitors in this field are Cisco’s OpenDNS and Google. As these are all global players, they will (in most cases) have better speed and reliability than the DNS servers of your local ISP.

Changing these for your entire network generally involves the administrative features/config of your gateway, modem or router. If you are familiar with this, the change should take just a minute or two.

If you are looking for some content filtering at the DNS level, OpenDNS still presents the easiest option for home users and also provides logs.

Cloudflare DNS:
IPv4: 1.1.1.1
IPv4: 1.0.0.1
IPv6: 2606:4700:4700::1111
IPv6: 2606:4700:4700::1001

(Cisco) OpenDNS:
IPv4: 208.67.222.222
IPv4: 208.67.220.220
IPv6: 0000:0000:0000:0000:0000:ffff:d043:dede
IPv6: 0000:0000:0000:0000:0000:ffff:d043:dcdc

Google Public DNS:
IPv4: 8.8.8.8
IPv4: 8.8.4.4
IPv6: 2001:4860:4860::8888
IPv6: 2001:4860:4860::8844


Poodle.. or rather, what’s all the fuss with SSLv3

The “Poodle” attack on websites and browsers was all over the media a few weeks ago, following in the shadow of Heartbleed.

Here’s what most users need to know… This is a vulnerability that exists in secure internet communication because…

  1. While most newer systems rely on TLS security, they still support older protocols (SSLv3 in particular for this issue)
  2. As secure communications generally attempt to find a “common” method, they will often “drop down” to older supported versions (even if they are now often considered insecure!)
  3. Most browser and server software (unless recently patched) will allow for this “drop down” in security.
  4. Most software provides a mechanism to disable this by the user or in configuration.
  5. Upgrading your software will usually remove these “problematic” vulnerabilities.

Simply put… for a consumer, it’s best to upgrade to a newer browser or find the appropriate configuration to disable SSLv3 if you are unable to upgrade. Server administrators generally should update their software on a regular basis for security items such as this one!

NOTE: Many CDNs such as CloudFlare are proactive and block this vulnerability.

Technical details on the Poodle vulnerability (if you’re into that sort of thing!):

Instructions here are for Apache HTTPd 2.2.23 and newer; other servers will require a similar change:


  1. sudo vi /etc/apache2/mods-enabled/ssl.conf
  2. Change the following line from:
    SSLProtocol All -SSLv2
    to:
    SSLProtocol All -SSLv2 -SSLv3
  3. sudo service apache2 reload
  4. sudo service apache2 restart
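
To confirm the change above actually took effect everywhere, the following added example (not part of the original post) evaluates each SSLProtocol line in a configuration and reports whether SSLv3 is still enabled. It assumes that "All" expands to SSLv2 through TLSv1.2 on the Apache builds discussed here and that a token without a +/- prefix replaces the set; the sample configuration is constructed.

```python
import re

# Assumption: what "All" expands to on the Apache 2.2.23+ builds the post targets.
ALL = {"sslv2", "sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}
# Commented-out directives start with '#', so they never match this pattern.
DIRECTIVE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE)


def enabled_protocols(args):
    """Evaluate SSLProtocol arguments left to right into the enabled set."""
    enabled = set()
    for token in args.split():
        sign, name = "", token.lower()
        if name[0] in "+-":
            sign, name = name[0], name[1:]
        selected = set(ALL) if name == "all" else {name}
        if sign == "-":
            enabled -= selected
        elif sign == "+":
            enabled |= selected
        else:
            enabled = selected  # bare token replaces the set (assumed)
    return enabled


def audit(config_text):
    """Return (line_no, directive, sslv3_enabled) for each SSLProtocol line."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        match = DIRECTIVE.match(line)
        if match:
            protos = enabled_protocols(match.group(1))
            findings.append((line_no, line.strip(), "sslv3" in protos))
    return findings


# Constructed sample, not taken from a real server.
SAMPLE_CONF = """\
<IfModule mod_ssl.c>
    # SSLProtocol All
    SSLProtocol All -SSLv2
    <VirtualHost *:443>
        sslprotocol all -SSLv2 -SSLv3
    </VirtualHost>
    <VirtualHost *:8443>
        SSLProtocol -All +TLSv1.2 +SSLv3
    </VirtualHost>
</IfModule>
"""

if __name__ == "__main__":
    for line_no, directive, bad in audit(SAMPLE_CONF):
        print(f"{line_no}: {'SSLv3 ENABLED' if bad else 'ok'}  {directive}")
```

SSLProtocol can also be set inside individual virtual hosts, so run the check over every included configuration file, not only ssl.conf.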

Can be tested at the following websites:


Preventing Pinterest “pinning” of your content

While many people are happy when images from their websites get “pinned” on Pinterest, there are many times that you might not be so pleased. You may have a need to prevent images from being shared for copyright or similar reasons, or simply not want the extra website traffic.

Thankfully, you can stop this with the addition of a simple HTML META tag. Also, if you already use CloudFlare, they can add it for you at runtime!


<meta name="pinterest" content="nopin" />


Cloudflare CDN (Content Delivery Network)

Best practices for web applications often call for the use of a CDN. Those of you who have worked with YSlow! are likely very accustomed to seeing warnings for this reason. I’ve found that CloudFlare is very easy to set up, and for basic services costs absolutely nothing. In addition to the obvious performance advantages of using a CDN to offload much of your network traffic, it also has the advantage of improved security.

CDNs work by caching a copy of your static content at several locations around the world, making it closer and faster for your users.

Implementation takes only minutes as it requires that you:

  1. create a (free) account,
  2. retrieve your existing DNS values from your current provider,
  3. determine direct vs. CDN “cloud” routing for each subdomain,
  4. change your DNS records to point to the CloudFlare DNS servers

Some additional advantages I’ve seen since implementing:

  • Site remains available in limited capability to users during server outages or upgrades.
  • Simplified network configuration as all requests can be sent outside of the LAN for users local to the servers
  • IPv6 dual-stack support
