Is Cloudflare's new 1.1.1.1 DNS service blocked by the Pace 5268ac?

Internet access discussion, including Fusion, IP Broadband, and Gigabit Fiber!
13 posts Page 1 of 2
by frankbh » Wed Apr 04, 2018 9:58 pm
I've been reading about the new fast and secure consumer-focused DNS service offered to the world by Cloudflare on 1.1.1.1 and 1.0.0.1. It was announced on April 1 but is not a joke.
https://blog.cloudflare.com/dns-resolver-1-1-1-1/

I was unable to get to its info page on https://1.1.1.1/ and read in this ZDnet article that perhaps my Pace 5268AC is blocking it:
https://www.zdnet.com/article/1-1-1-1-c ... f-rubbish/

Quote from the article and its source:
"AT&T Gigapower using 1.1.1.1 on an internal interface on at least one model of router-gateway, the Pace 5268AC, which effectively blocks this address"
https://twitter.com/billplein/status/981307410643148801

My house in Bernal Heights in SF has a Sonic 5268AC on Sonic fiber and my girlfriend's house in Berkeley has an AT&T 5268AC on Sonic FTTN (Sonic fiber coming late in 2018). My phone or PC can't get to the info page https://1.1.1.1/ at either location, though if I turn off my phone's Wi-Fi and use cellular data, I can get to this info page.

I'm OK with Sonic's DNS, but I thought this new, faster DNS would be interesting to try with the fast fiber. I thought you folks at Sonic would want to be aware of this issue in case you can eliminate the 5268AC's restriction in a future firmware update. Hope it's not baked into the hardware.
by sonic guest » Wed Apr 04, 2018 11:55 pm
I logged into my parents network who have Sonic fiber with a 5268ac and there is a route for 1.1.1.0/30 pointing to br6. Although there's no control to remove the route, you should be able to create a new route for 1.1.1.1/32 and 1.0.0.1/32 and use the default 192.168.42.1 gateway.
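The mechanism sonic guest describes is plain longest-prefix routing: a /30 covering 1.1.1.0-1.1.1.3 that points at a bridge interface wins over the default route, so packets to 1.1.1.1 never leave the gateway, and a more specific /32 pointing back at the WAN next hop wins over the /30. The script below is an added example written for this thread, not firmware or tooling from Sonic, Pace or AT&T. It models a gateway routing table in Linux `ip route` style (the table text is constructed; the 5268AC's real table is not shown in the thread, only the 1.1.1.0/30 entry on br6 and the 192.168.42.1 gateway), performs the lookup, flags public resolver addresses that would be captured on a local interface, and shows the effect of the suggested /32 override.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[str] = None   # next-hop gateway; None means delivered on-link via `dev`


def parse_ip_route(text: str) -> list[Route]:
    """Parse the subset of `ip route show` output used here (constructed sample below)."""
    routes: list[Route] = []
    for line in text.strip().splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        via = fields[fields.index("via") + 1] if "via" in fields else None
        dev = fields[fields.index("dev") + 1]
        routes.append(Route(ipaddress.ip_network(dst, strict=False), dev, via))
    return routes


def best_route(routes: list[Route], ip: str) -> Optional[Route]:
    """Longest-prefix match: the most specific route whose prefix contains `ip`."""
    addr = ipaddress.ip_address(ip)
    matches = [r for r in routes if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def is_captured_internally(routes: list[Route], ip: str) -> bool:
    """True when a public address would be handed to a local interface rather than a gateway.

    A non-default route with no next hop means the device treats the prefix as
    directly attached, which is exactly what keeps 1.1.1.1 from reaching the Internet.
    """
    r = best_route(routes, ip)
    return r is not None and r.prefix.prefixlen > 0 and r.via is None


def add_host_route(routes: list[Route], ip: str, via: str, dev: str) -> list[Route]:
    """Return a new table with a /32 override for `ip` via the given gateway."""
    return routes + [Route(ipaddress.ip_network(f"{ip}/32"), dev, via)]


def check_resolvers(routes: list[Route], resolvers: list[str]) -> dict[str, bool]:
    """Map each resolver address to whether the table would swallow it locally."""
    return {ip: is_captured_internally(routes, ip) for ip in resolvers}


# Constructed table modelled on the thread: 1.1.1.0/30 on br6, WAN next hop 192.168.42.1.
GATEWAY_TABLE = """\
default via 192.168.42.1 dev eth0
1.1.1.0/30 dev br6 scope link
192.168.1.0/24 dev br0 scope link
"""

PUBLIC_RESOLVERS = ["1.1.1.1", "1.0.0.1", "9.9.9.9"]

if __name__ == "__main__":
    table = parse_ip_route(GATEWAY_TABLE)
    print("before:", check_resolvers(table, PUBLIC_RESOLVERS))
    fixed = add_host_route(table, "1.1.1.1", "192.168.42.1", "eth0")
    print("after: ", check_resolvers(fixed, PUBLIC_RESOLVERS))
    print("1.1.1.1 now goes via", best_route(fixed, "1.1.1.1"))
```

Running it shows 1.1.1.1 captured on br6 while 1.0.0.1 and 9.9.9.9 follow the default route, which matches what Dane later recommends (use 1.0.0.1); after the /32 is added, 1.1.1.1 resolves to the WAN next hop. The same check is useful on any router whose table you can dump: any non-default, on-link route covering a public address is worth a second look.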
by kgc » Thu Apr 05, 2018 9:43 am
Use of any 3rd party DNS servers while on Sonic's network is not recommended for performance reasons. Our servers are virtually guaranteed to have lower latency and better overall response times for customers than is possible using any 3rd party service simply because of how close the servers are to end users.

https://www.grc.com/dns/benchmark.htm
Kelsey Cummings
System Architect, Sonic.net, Inc.
by ngufra » Thu Apr 05, 2018 11:38 am
There was a great podcast about anycast a couple of years ago:
http://packetpushers.net/podcast/podcas ... tcp-myths/
by guest » Thu Apr 05, 2018 7:26 pm
frankbh wrote:I'm OK with Sonic's DNS, but I thought this new, faster DNS would be interesting to try with the fast fiber. I thought you folks at Sonic would want to be aware of this issue in case you can eliminate the 5268AC's restriction in a future firmware update. Hope it's not baked into the hardware.
FTTN user here who ran into same issue with the 5268AC and 1.1.1.1. Instead I've been using Quad9 DNS over TLS with good results for some client devices which I'm not routing through Sonic's VPN.
by dane » Sun Apr 08, 2018 5:57 pm
kgc wrote:Use of any 3rd party DNS servers while on Sonic's network is not recommended for performance reasons. Our servers are virtually guaranteed to have lower latency and better overall response times for customers than is possible using any 3rd party service simply because of how close the servers are to end users.

https://www.grc.com/dns/benchmark.htm
Interesting results - I benchmarked from my home Sonic connection, and the local gateway which uses the Sonic servers was the best performance, as you suggested.

The Cloudflare 1.0.0.1 result was 46% slower, and Google's free DNS was 43% slower.
Dane Jasper
Sonic
by virtualmike » Sun Apr 08, 2018 11:27 pm
dane wrote:The Cloudflare 1.0.0.1 result was 46% slower, and Google's free DNS was 43% slower.
On my FTTN connection,
DNS Benchmark Conclusions & Recommendations
[...]
* System has only ONE (router based) nameserver configured.
It appears that only one local (router gateway) DNS nameserver, with the IP address of [192.168.1.254], is currently providing all DNS name resolution services to this system. This configuration is not recommended because most consumer-grade routers provide inefficient and under-powered DNS resolution services.

Unless the DNS resolvers your router is using is under your control, it may not be providing the best or complete name resolution services. For example, is it using multiple redundant DNS nameservers?
[...]
Recommended Actions:

Unless you have some specific reason not to, you should give serious thought to disabling your router's provisioning of DNS services (which it is providing for all computers on your local network). After this is done, a fresh reboot of your computers will likely reveal the multiple DNS nameservers provided by your ISP. This is a superior configuration, without an under-powered router acting as a incompetent middleman and impeding all DNS access.

* System nameserver is SLOWER than 24 public alternatives!
This benchmark found 24 publicly available DNS nameservers that are reliably faster than the slowest nameserver currently being used by this system. If you were to adjust your system's configuration to use the faster of these nameservers instead of what it is currently using, your DNS lookup performance, and all use of the Internet, would be improved.
The report includes caveats that I should run the utility several more times, at different points in the day, to see if I get similar results.

PS for others: Steve Gibson's GRC site has a bunch of useful diagnostic and investigation tools that anyone should find useful.
by makoshark » Wed Apr 11, 2018 7:46 am
I understand Sonic's recommendation against using 1.1.1.1 for performance reasons, but the end-consumer freedom reason still remains. I may want to use it even if it has lower performance. Will you help resolve this?
by dane » Wed Apr 11, 2018 8:33 am
makoshark wrote:I understand Sonic's recommendation against using 1.1.1.1 for performance reasons, but the end-consumer freedom reason still remains. I may want to use it even if it has lower performance. Will you help resolve this?
They are working on it.

Bear in mind this is an experimental IP address, which was never supposed to be allocated. Router manufacturers have thus used the IP for internal routing, never expecting it to need to be reachable.

Meanwhile, if you want to use Cloudflare DNS, use 1.0.0.1, their other IP.

-Dane
Dane Jasper
Sonic
by chucko » Sun Jun 10, 2018 1:00 am
Reviving a dead thread with some likely useless data...

I did some poking around. I'm an FTTN customer in Sunnyvale with a Pace 5268AC.

The gateway lists 68.94.156.1 and 68.94.157.1 as its nameservers. These appear to be AT&T's, no surprise as Sonic is subleasing AT&T fiber infrastructure. Ping times are consistently 3ms or so.

1.0.0.1 ping times are typically under 6ms. 9.9.9.9 pings are under 7ms.

Pinging the Sonic nameservers at 208.201.224.[11,33] is slower, > 7ms.

Ping TTLs are 57 for the AT&T servers, 52 for 1.0.0.1 and 9.9.9.9, and 51/50 for Sonic's servers. So it appears Sonic's servers require more hops than any of the others mentioned.

For now I have our router (pfSense) configured with the AT&T nameservers, 1.0.0.1, and 9.9.9.9.

Any comments?