In the world of the Internet, it’s vitally important that technologies keep evolving. Change is a rule of all technology, even if it comes slowly to fundamental systems like DNS (Domain Name Service).
The company Cloudflare is an infrastructure provider for web applications and networks that has solutions for performance, security, and reliability - including DNS. In April of 2018, Cloudflare launched a new publicly facing DNS resolver at 184.108.40.206, and 220.127.116.11.
You can read about their motivations for doing so here.
Effects on your network and CPE
Cloudflare is advertising 18.104.22.168 as a go-to DNS server for the public to use, specifically targeting end-users. This means that personal computers, gaming and video consoles, and other end devices could be set to use it as the default DNS server (in addition to gateways themselves). This has implications for gateways that provide routing and/or DNS proxy functionality, in part because these IP addresses were assumed to never be used, even if they are valid public IPv4 addresses.
22.214.171.124 and 126.96.36.199 were previously owned by APNIC and not used externally. Use of both the 188.8.131.52/24 and 184.108.40.206/24 networks has uncovered issues with network devices and services where vendors may have wrongly assumed these networks would never be used globally. For example:
- A device may use the 220.127.116.11/24 network for “internal” addresses, causing routing issues.
- A device may filter out 18.104.22.168/24 traffic by default.
- If a client is making use of DNS over HTTPS or DNS over TLS, the device may treat that traffic differently than it would “normal” DNS traffic.
How can I test that my CPE handles these new services?
If you are a CDRouter customer, you already have the tests available to make sure your devices support the use of the 22.214.171.124/24 and 126.96.36.199/24 networks. CDRouter’s closed loop test model allows the end user to create a network topology that matches any production network. To verify there are no likely issues with Cloudflare’s new DNS service, CDRouter can be configured to use 188.8.131.52 and 184.108.40.206 as its DNS services. This allows you to test DNS functionality across various WAN modes to make sure all your target CPE configurations will support Cloudflare.
You can verify that LAN clients can send and receive DNS messages to 220.127.116.11/8 using test cases cdrouter_app_21 and cdrouter_app_22 from the apps.tcl test module. These test cases send DNS queries directly to the primary and back DNS servers.
You can also verify the DNS proxy behavior of your CPE devices by running tests from the dns.tcl and dns-tcp.tcl modules. These module offer a comprehensive set of tests to verify DNS proxy behavior of a home or business CPE for both UDP and TCP.
You can create a CDRouter configuration to match Cloudflare’s DNS network by setting the WAN side DNS entries to 18.104.22.168 and 22.214.171.124 respectively. This is done by editing new or existing CDRouter configuration files and setting the DNS services under the WAN interface configuration section:
testvar wanDnsServer 126.96.36.199 testvar wanBackupDnsServer 188.8.131.52
All of these new ways of doing things will have implications for your network and for the devices you build or deploy. CDRouter will continue to explore them for future test cases.