55 comments

[ 2.0 ms ] story [ 109 ms ] thread
This strikes me as the most pointless excuse for an app - if you are technically inclined enough to understand why using Cloudflare’s DNS in place of your cellphone service provider’s could be beneficial, you are probably also very much capable of typing “1.1.1.1” in the network preferences on your phone...

EDIT: I stand very much corrected, at least with regard to iOS and mobile carriers - I wrongly assumed DNS settings were exposed for the mobile connection the same way it is for WiFi, where it can be very easily manually overridden. As someone who doesn’t use an Android phone I’m even more surprised from comments below that Android doesn’t even allow this for WiFi via the stock settings app.

That this would also allow you to set cloudflare’s DNS globally for all WiFi connections on iOS rather than the current Settings app’s per-network basis is also an interesting advantage.

Show me where I can do that on iOS while on a cellular connection. Only way I know you can do it is while on WiFi.
Correct. Even on WiFi, you will have to update your settings everytime you switch WiFi networks.
Disclaimer: I work at Cloudflare.

How exactly would you do it in iOS? Would love to know!

Apologies, updated my comment to reflect my earlier ignorance!
(comment deleted)
> “1.1.1.1” in the network preferences on your phone

That's really not even straight forward on Android either (especially for mobile data connections), so I would love to know what phone you are referring to..

If you're on a network you control, sure you could setup your DHCP to broadcast the DNS addresses.

However, I don't see how you could set this for mobile networks or networks you have no control over, since both Android and iOS don't let you override the DNS address assigned.

Edit: I guess you can override your DNS on iOS when on wifi? I know I can't change it on my Android.

WiFi on android: if you set a static IP then you can also change DNS. Has to be done for every network you connect to though.

Mobile data (and wifi) on android: use VPN and choose your DNS (openvpn+pi-hole on a cheap VPS works great)

I use DNS66 for ad blocking, and set the custom DNS server in it as well.
Does it support dnscrypt or DoH in the free version yet?
Will this be available only in the US? Doesn't show up in the AT store (Apple App Store) yet or is it still rolling out in the other stores?

Edit: Looks like it works if I use the direct link, it's just not findable via the search yet

I work at Cloudflare, but regardless think this is awesome for security. Being more resilient to coffee shop type attacks and other DNS issues is great. It's a really user friendly and simple step in the right direction.
Does it use DoH?
Yes, it uses either DNS over HTTPS or DNS over TLS
So I’ve set this up on my iPhone and many websites now give this error:

“Origin DNS error

What happened? You've requested a page on a website (archive.is) that is on the Cloudflare network. Cloudflare is currently unable to resolve your requested domain (archive.is).”

Are there some restrictions that prevent CF DNS from resolving CF hosted sites?

There are probably more issues. Plenty of websites might not work with Cloudflare's DNS, since there is some noticeable amount of abuse towards DNS coming from their network. I've seen crap like a flood of "msn.com" queries coming from different Cloudflare IPs. That would be a reason enough to firewall anything coming from them to port 53.
Is there an app like 1^4 where you can simply set the DNS server of your choice in IOS? It would be awesome to have I could point it to my PiHole.
Is the service encrypted though? (DNScurve or something)
Why android app requires access to microphone, photos and multimedia files?
They mentionned it in the article, this is required and only used by the third-party bug-reporting service (instabug)
The permission request is being removed as we speak.
I would be careful of using the service further after this. I doubt it was only required for generating bug reports.
I wonder what use you think Cloudflare has for your voice data.
You can sell microphone data for correlating ads you see on TV to sites you browse to.
I know what you can do with the data. My question was more specific than that: What use does Cloudflare have for the data? Cloudflare, the company that already has a hugely profitable business, excellent privacy-friendly track record, etc.

I'm always amused when there's suggestions that a company like Cloudflare could in any way benefit from that. To recap, the company that has access to your DNS queries would embed a Microphone spy in their Android app, for a short period of time, risking their massively profitable enterprise business, just so they could shadily resell the few days worth of data they may have gotten for that.

There's so many good conspiracy theories to think about. Why would you choose this one?

You're not just giving microphone data to Cloudflare though but to the third party SDK using it (which CF may or may not have the source to and may have very different goals, security policies and so on than CF themselves).
It’s not just about what CloudFlare could do. CloudFlare is supposedly doing this for privacy reasons but they have third party code in thier product that we don’t know if they have the source code to. Neither you nor they know what this third party code is doing.
It's not about what I think, it's about why CF would request access to your microphone data in favor of giving DNS Service at 1.1.1.1. In the Android app they advertise: "Greater privacy". What privacy does it provide giving application access to microphone?
They explained what was happening and that they're changing it. Further conspiracy theories are unjustified imo.
It is remarkable that anybody building an application with the stated purpose of securing someone's privacy would launch with this permission.
Exactly. The Microphone access is only required when you want to report a bug or send feedback with a voice memo attached.

Instabug cofounder here.

So you're trying to train people to accept microphone access for apps that don't need it on the off-chance a user submits a bug report with a voice memo? I strongly recommend for the entire security ecosystem of mobile users that you don't do this, that's pretty awful. If you get your way for this "feature" then malicious apps will be able to use the exact same excuse.
I'm also concerned with such permissions and getting users accustomed to granting them for any and every app that asks for them (users don't need to be made more complacent than they are).
Can you share numbers of how many people are actually using the voice memo feature?
And also which languages they use it with and how that's handled (if it is) would be nice to know.
That is a really bad excuse. I’m glad iOS doesn’t allow that.
And this is somehow okay? There is a third party binary blob embedded in CloudFlare’s app that needs microphone, photos and multimedia files?

Uhh no.

On iOS it requires installing a VPN profile. My understanding from their FAQ is that it is to allow DNS proxying in iOS but it’s not clear to me if that’s all it does. Up to this day, seeing the VPN logo in my status bar has always meant my traffic was forwarded to a VPN server which meant it couldn’t be snooped on by my ISP. Is it also the case here?
VPN profiles in iOS can be used for network-level configuration: despite the label, that doesn’t have to mean just a VPN tunnel.

In this case, the profile is ONLY configuring DNS: there is no VPN tunnel being created. The “VPN icon” in the status bar just indicates the profile is active.

I wish there was a similar Dns service to block ads. Not via an app but via android pie Dns settings.
"[This app] will generate a VPN profile, which will automatically reroute the DNS traffic through the app so that it utilizes the 1.1.1.1 DNS servers."

Does this mean I won't be able to use a real VPN? If so this is rather bad for security.

Why the hell would I use this over just setting the DNS server?

I don't think that setting the DNS server is an option on Android prior to Pie.
I don't know which platform you're using. On iOS, the end user cannot setup a DNS server for mobile data connections. Doing it via such an app and a VPN profile is the only way out (AFAIK). Any DNS settings in Settings.app can be done (and will work) only for WiFi.
Setting the DNS servers on iOS is stored with each individual wireless network. There's no way, that I'm aware of at least, to set them in a global way outside of a VPN profile.

From what I can tell it is working correctly stacked on top of a VPN profile for a VPN.

I've been using the free and open source DNSCloak app [1] on iOS for encrypted DNS (DNS over HTTPS or DNS over TLS) to 1.1.1.1.

As with this app, it also sets up a VPN profile (and the icon always shows up on the status bar). It's also setup with the "Connect On Demand" option so that anytime the device connects to a network, no connections will go through until this gets activated (this is also called "Always On VPN" or "VPN Kill Switch", to prevent traffic leakage). I couldn't find such an option in the Cloudflare app.

[1]: https://itunes.apple.com/us/app/dnscloak-dnscrypt-doh-client...

On my Android 8.1 device, the "always on" and "no connection without vpn" options are in the VPN section of the Android settings app.
It's the same case with iOS too, where this setting is in Settings->VPN->{VPN Profile}. But it looks like these two apps I've tried provide it within the app as well.
FWIW it does default to always on when the VPN profile is installed.
I'm not really certain of how to react to this since [a] I can configure Wireguard on my phone to use any DNS server (usually my remote Pi-Hole+DoH but can be 1.1.1.1) and [b] wonder if non-tech folks will install this app and grasp the difference between encrypted DNS queries vs. encrypted traffic + DNS queries -- the latter being a better option requiring an actual VPN tunnel.

I understand that using a loopback VPN is the only way to do this kind of DNS enforcement on non-rooted phones, which happen to be the majority.

But I think Cloudflare would be better off promoting privacy by either offering a complete VPN service or partnering with the likes of Mullvad/Azire/ProtonVPN etc. to ensure DoH by default (which most end users of those services tweak anyway if they can).

I haven't used Wireguard, but on iOS does it properly persist DNS settings across wifi network changes? IIRC this was Cloudflare's technical rationale for wrapping their DNS nameservers inside a VPN profile, at least on iOS.

I'm currently running the 1.1.1.1 profile on top of my normal VPN service profile and it appears that both profiles are working correctly in iOS Settings FWIW.

I've been using 1.1.1.1 as dns last week through blokada (adblocker available of f-droid, highly recommended), and do feel al my requests are faster, which speed things up significantly (albeit subjectively)