ejcx|7 years ago
I work at Cloudflare, but regardless think this is awesome for security. Being more resilient to coffee-shop-type attacks and other DNS issues is great. It's a really user-friendly and simple step in the right direction.
newscracker|7 years ago
I've been using the free and open source DNSCloak app [1] on iOS for encrypted DNS (DNS over HTTPS or DNS over TLS) to 1.1.1.1.
As with this app, it also sets up a VPN profile (and the icon always shows up on the status bar). It's also set up with the "Connect On Demand" option so that anytime the device connects to a network, no connections will go through until this gets activated (this is also called "Always On VPN" or "VPN Kill Switch", to prevent traffic leakage). I couldn't find such an option in the Cloudflare app.
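Both the Cloudflare app and DNSCloak speak DNS over HTTPS to 1.1.1.1. As an added example, not code from the thread or from either app, here is a minimal RFC 8484 client in Python: it encodes a wire-format DNS query, POSTs it as application/dns-message, and parses the A records out of the reply. The resolver URL and the sample reply used for the offline check are constructed for this example.

```python
"""Minimal DNS-over-HTTPS (RFC 8484) client for 1.1.1.1.

Added example, not code from the original thread or from Cloudflare/DNSCloak.
Builds a wire-format DNS query, POSTs it as application/dns-message to the
resolver, and parses the A records out of the reply. The resolver URL and
the constructed sample response below are assumptions made for this example.
"""
import socket
import struct
import urllib.request

DOH_URL = "https://cloudflare-dns.com/dns-query"  # assumed endpoint for this example


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Encode a single-question DNS query (RFC 1035 wire format).

    RFC 8484 recommends txid 0 so identical queries are cacheable over HTTP.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS=IN


def _read_name(msg: bytes, off: int) -> tuple:
    """Decode a (possibly compressed) domain name; return (name, next offset)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:          # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_response(msg: bytes) -> dict:
    """Return {'rcode': int, 'answers': [(name, ttl, ip)]} for A records."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                     # skip question section
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append((name, ttl, socket.inet_ntoa(rdata)))
    return {"rcode": flags & 0x000F, "answers": answers}


def resolve_doh(name: str, url: str = DOH_URL) -> dict:
    """Send the query over HTTPS; the local network sees only TLS to the resolver."""
    req = urllib.request.Request(
        url, data=build_query(name), method="POST",
        headers={"Content-Type": "application/dns-message",
                 "Accept": "application/dns-message"},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_response(resp.read())


# Constructed sample reply (not captured from a real resolver): one A answer
# for example.com, using a compression pointer back to the question name.
SAMPLE_RESPONSE = (
    build_query("example.com")[:2]                      # txid 0
    + b"\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"       # QR/RD/RA, 1 question, 1 answer
    + build_query("example.com")[12:]                   # question section
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34])
)

if __name__ == "__main__":
    print(parse_response(SAMPLE_RESPONSE))
    # print(resolve_doh("example.com"))  # live query; needs network access
```

The offline part (build_query, parse_response, SAMPLE_RESPONSE) runs anywhere; resolve_doh needs network access. The point the thread makes is visible in resolve_doh: the query body is inside TLS to the resolver, so a hostile access point sees a connection to the resolver but not which names were asked for.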
fwn|7 years ago
On iOS it requires installing a VPN profile. My understanding from their FAQ is that it is to allow DNS proxying in iOS but it’s not clear to me if that’s all it does. Up to this day, seeing the VPN logo in my status bar has always meant my traffic was forwarded to a VPN server which meant it couldn’t be snooped on by my ISP. Is it also the case here?
elithrar|7 years ago
VPN profiles in iOS can be used for network-level configuration: despite the label, that doesn’t have to mean just a VPN tunnel.
In this case, the profile is ONLY configuring DNS: there is no VPN tunnel being created. The “VPN icon” in the status bar just indicates the profile is active.
oedmarap|7 years ago
I'm not really certain of how to react to this since [a] I can configure WireGuard on my phone to use any DNS server (usually my remote Pi-hole+DoH but can be 1.1.1.1) and [b] wonder if non-tech folks will install this app and grasp the difference between encrypted DNS queries vs. encrypted traffic + DNS queries -- the latter being a better option requiring an actual VPN tunnel.
I understand that using a loopback VPN is the only way to do this kind of DNS enforcement on non-rooted phones, which happen to be the majority.
But I think Cloudflare would be better off promoting privacy by either offering a complete VPN service or partnering with the likes of Mullvad/Azire/ProtonVPN etc. to ensure DoH by default (which most end users of those services tweak anyway if they can).
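As an added example that is not from the thread or from the WireGuard or Cloudflare projects, the WireGuard setup described above written as a wg-quick client config, with a comment showing the one-line change that turns the full tunnel into DNS-only. Keys, addresses and the endpoint are placeholders.

```ini
# Added example (not from the thread or the WireGuard/Cloudflare projects).
# wg-quick client config: full tunnel with the resolver pinned to 1.1.1.1.
# Keys, addresses and endpoint are placeholders.
[Interface]
PrivateKey = <client-private-key>
Address = 10.0.0.2/32
# wg-quick installs these as the system resolvers while the tunnel is up, so
# queries go to 1.1.1.1 through the tunnel instead of to the DHCP-assigned resolver.
DNS = 1.1.1.1, 1.0.0.1

[Peer]
PublicKey = <server-public-key>
Endpoint = vpn.example.com:51820
# Everything is routed into the tunnel: the local network sees only WireGuard
# UDP to the endpoint, not the DNS queries and not the HTTP(S) traffic.
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25

# DNS-only variant: replace the AllowedIPs line above with
#   AllowedIPs = 1.1.1.1/32, 1.0.0.1/32
# Only traffic to the resolvers enters the tunnel; web traffic still leaves on
# the local network, which is the distinction being drawn in the thread.
```

With the full-tunnel AllowedIPs a hostile network learns only the tunnel endpoint; with the DNS-only variant it still cannot read or tamper with the queries, but it sees every destination IP and every plaintext connection exactly as it would without the tunnel.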
tedmiston|7 years ago
I haven't used WireGuard, but on iOS does it properly persist DNS settings across wifi network changes? IIRC this was Cloudflare's technical rationale for wrapping their DNS nameservers inside a VPN profile, at least on iOS.
I'm currently running the 1.1.1.1 profile on top of my normal VPN service profile and it appears that both profiles are working correctly in iOS Settings FWIW.
dogma1138|7 years ago
So I’ve set this up on my iPhone and many websites now give this error:
“Origin DNS error
What happened?
You've requested a page on a website (archive.is) that is on the Cloudflare network. Cloudflare is currently unable to resolve your requested domain (archive.is).”
Are there some restrictions that prevent CF DNS from resolving CF hosted sites?
zzzcpan|7 years ago
There are probably more issues. Plenty of websites might not work with Cloudflare's DNS, since there is some noticeable amount of abuse towards DNS coming from their network. I've seen crap like a flood of "msn.com" queries coming from different Cloudflare IPs. That would be a reason enough to firewall anything coming from them to port 53.
solarkraft|7 years ago
"[This app] will generate a VPN profile, which will automatically reroute the DNS traffic through the app so that it utilizes the 1.1.1.1 DNS servers."
Does this mean I won't be able to use a real VPN? If so this is rather bad for security.
Why the hell would I use this over just setting the DNS server?
newscracker|7 years ago
I don't know which platform you're using. On iOS, the end user cannot set up a DNS server for mobile data connections. Doing it via such an app and a VPN profile is the only way out (AFAIK). Any DNS settings in Settings.app can be done (and will work) only for WiFi.
tedmiston|7 years ago
Setting the DNS servers on iOS is stored with each individual wireless network. There's no way, that I'm aware of at least, to set them in a global way outside of a VPN profile.
From what I can tell it is working correctly stacked on top of a VPN profile for a VPN.
dddw|7 years ago
I've been using 1.1.1.1 as DNS last week through Blokada (ad blocker available on F-Droid, highly recommended), and do feel all my requests are faster, which speeds things up significantly (albeit subjectively).
giobox|7 years ago
This strikes me as the most pointless excuse for an app - if you are technically inclined enough to understand why using Cloudflare’s DNS in place of your cellphone service provider’s could be beneficial, you are probably also very much capable of typing “1.1.1.1” in the network preferences on your phone...
EDIT: I stand very much corrected, at least with regard to iOS and mobile carriers - I wrongly assumed DNS settings were exposed for the mobile connection the same way it is for WiFi, where it can be very easily manually overridden. As someone who doesn’t use an Android phone I’m even more surprised from comments below that Android doesn’t even allow this for WiFi via the stock settings app.
That this would also allow you to set Cloudflare’s DNS globally for all WiFi connections on iOS rather than the current Settings app’s per-network basis is also an interesting advantage.
beckler|7 years ago
If you're on a network you control, sure you could set up your DHCP to broadcast the DNS addresses.
However, I don't see how you could set this for mobile networks or networks you have no control over, since both Android and iOS don't let you override the DNS address assigned.
Edit: I guess you can override your DNS on iOS when on wifi? I know I can't change it on my Android.
craftyguy|7 years ago
> “1.1.1.1” in the network preferences on your phone
That's really not even straightforward on Android either (especially for mobile data connections), so I would love to know what phone you are referring to..
[1]: https://itunes.apple.com/us/app/dnscloak-dnscrypt-doh-client...
tedmiston|7 years ago
StavrosK|7 years ago
captn3m0|7 years ago
kubelsmieci|7 years ago
AntonyGarand|7 years ago
blazingfrog2|7 years ago
george_perez|7 years ago
1.1.1.1 doesn't resolve it. https://community.cloudflare.com/t/archive-is-error-1001/182...
fwn|7 years ago
dewey|7 years ago
Edit: Looks like it works if I use the direct link, it's just not findable via the search yet
irtefa|7 years ago
Can you not access it?
Amazonerh|7 years ago
exabrial|7 years ago
wyoh|7 years ago
kamaln7|7 years ago
irtefa|7 years ago
How exactly would you do it in iOS? Would love to know!
dawnerd|7 years ago
unknown|7 years ago
[deleted]