New Cloudflare DNS service filtered in Turkey on day of launch

An investigation by Turkey Blocks has found that Turkey’s DNS blocking measures are already actively filtering a new DNS service launched by Cloudflare and APNIC on 1 April 2018. Addresses for Wikipedia and Dutch national broadcaster NOS, among several other sites known to be withheld in the country, are failing to resolve using standard UDP DNS queries via the new Cloudflare service.

DNS-over-TLS unaffected by restrictions

Meanwhile, the investigation shows that the new encrypted DNS-over-TLS DNS Privacy protocol supported by Cloudflare’s servers is not vulnerable to Turkey’s filters. Using the new standard, addresses known to be blocked were successfully resolved during measurement, partially circumventing Turkey’s blocking measures.

UDP DNS queries to 1.1.1.1 for wikipedia.org and nos.nl are silently dropped

In our investigation using the experimental NetBlocks.org DNS-over-TLS measurement backend, IP addresses for Wikipedia and NOS.nl resolved successfully to the correct IP addresses. However, the websites remained inaccessible due to additional TCP filtering implemented by the service provider. Turkey Blocks is among several civil society and network engineering groups examining the impact of safe and secure protocols as part of its work at the Internet Engineering Task Force.

The DNS filtering measures affecting Cloudflare are similar to those affecting UDP DNS queries on port 53 made to Google’s 8.8.8.8 DNS service and recently-launched Quad9, suggesting that they are implemented broadly or universally for all standard DNS traffic.
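
The comparison described above, a standard UDP query on port 53 against the same query carried over DNS-over-TLS, can be reproduced with a short probe. This is an added example, not the NetBlocks.org measurement backend; the function names and the TLS certificate name cloudflare-dns.com are assumptions that do not come from this report.

```python
import socket, ssl, struct

def build_query(name, qid=0x1234):
    # Header (RD flag set, one question), then QNAME, QTYPE=A, QCLASS=IN.
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + b"\x00\x00\x01\x00\x01"

def _skip_name(msg, off):
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:  # a compression pointer ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_a_records(msg):
    qd, an = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    ips = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 1 and rdlen == 4:  # A record carrying an IPv4 address
            ips.append(socket.inet_ntoa(msg[off + 10:off + 14]))
        off += 10 + rdlen
    return ips

def probe_udp(server, name, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        try:
            return parse_a_records(s.recvfrom(4096)[0])
        except socket.timeout:
            return None  # no reply arrived: query dropped or lost

def probe_dot(server, name, tls_name, timeout=5.0):
    # DNS-over-TLS on TCP/853: every message carries a 2-byte length prefix.
    ctx = ssl.create_default_context()  # verifies the resolver's certificate
    with socket.create_connection((server, 853), timeout=timeout) as raw, \
         ctx.wrap_socket(raw, server_hostname=tls_name) as tls:
        q = build_query(name)
        tls.sendall(struct.pack("!H", len(q)) + q)
        f = tls.makefile("rb")
        return parse_a_records(f.read(struct.unpack("!H", f.read(2))[0]))

if __name__ == "__main__":  # run from the network being measured
    for host in ("wikipedia.org", "nos.nl"):
        print(host, probe_udp("1.1.1.1", host), probe_dot("1.1.1.1", host, "cloudflare-dns.com"))
```

A result of None from the UDP probe alongside a populated address list from the DNS-over-TLS probe corresponds to the behaviour reported here.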

Cloudflare cites filtering in Turkey as an inspiration for its new DNS service

In its press release, Cloudflare highlights Turkey as a country that could benefit from access to secure DNS servers, citing a 2014 Twitter shutdown and 2016 military coup attempt as instances where network services were restricted. DNS is the underlying technology that allows internet and website host names to resolve to an IP address, and is often the first protocol to be filtered by governments that seek to restrict access to online services.

Impact assessment for end users

Our findings suggest that switching to Cloudflare’s 1.1.1.1 service will not provide users in Turkey with immediate circumvention or privacy benefits unless they take additional measures to enable one of the new secure DNS transports. Users may enable DNS-over-TLS, DNS-over-HTTPS or another secure transport to gain these benefits. However, those technologies are not yet widely supported in consumer operating systems and devices.

Update: 1.1.1.1 has experienced additional connectivity issues from 7 April 2018, rendering DNS-over-TLS and DNS-over-HTTPS unusable for a period of time.