
Cloudflare Brings Its 1.1.1.1 DNS Service to Android & iOS Mobile Devices - chablent
https://www.bleepingcomputer.com/news/security/cloudflare-brings-its-1111-dns-service-to-android-and-ios-mobile-devices/
======
ejcx
I work at Cloudflare, but regardless think this is awesome for security. Being
more resilient to coffee shop type attacks and other DNS issues is great. It's
a really user friendly and simple step in the right direction.

------
newscracker
I've been using the free and open source DNSCloak app [1] on iOS for encrypted
DNS (DNS over HTTPS or DNS over TLS) to 1.1.1.1.

As with this app, it also sets up a VPN profile (and the icon always shows up
on the status bar). It's also set up with the "Connect On Demand" option so
that anytime the device connects to a network, no connections will go through
until this gets activated (this is also called "Always On VPN" or "VPN Kill
Switch", to prevent traffic leakage). I couldn't find such an option in the
Cloudflare app.

[1]: https://itunes.apple.com/us/app/dnscloak-dnscrypt-doh-client/id1330471557

~~~
fwn
On my Android 8.1 device, the "always on" and "no connection without vpn"
options are in the VPN section of the Android settings app.

~~~
newscracker
It's the same case with iOS too, where this setting is in Settings->VPN->{VPN
Profile}. But it looks like these two apps I've tried provide it within the
app as well.

------
StavrosK
I use DNS66 for ad blocking, and set the custom DNS server in it as well.

~~~
captn3m0
Does it support dnscrypt or DoH in the free version yet?

------
kubelsmieci
Why does the Android app require access to microphone, photos and multimedia files?

~~~
AntonyGarand
They mentioned it in the article, this is required and only used by the
third-party bug-reporting service (Instabug).

~~~
msoliman
Exactly. The Microphone access is only required when you want to report a bug
or send feedback with a voice memo attached.

Instabug cofounder here.

~~~
lreeves
So you're trying to train people to accept microphone access for apps that
don't need it on the off-chance a user submits a bug report with a voice memo?
I strongly recommend for the entire security ecosystem of mobile users that
you don't do this, that's pretty awful. If you get your way for this "feature"
then malicious apps will be able to use the exact same excuse.

~~~
newscracker
I'm also concerned with such permissions and getting users accustomed to
granting them for any and every app that asks for them (users don't need to be
made more complacent than they are).

------
blazingfrog2
On iOS it requires installing a VPN profile. My understanding from their FAQ
is that it is to allow DNS proxying in iOS but it’s not clear to me if that’s
all it does. Up to this day, seeing the VPN logo in my status bar has always
meant my traffic was forwarded to a VPN server which meant it couldn’t be
snooped on by my ISP. Is it also the case here?

~~~
elithrar
VPN profiles in iOS can be used for network-level configuration: despite the
label, that doesn’t have to mean just a VPN tunnel.

In this case, the profile is ONLY configuring DNS: there is no VPN tunnel
being created. The “VPN icon” in the status bar just indicates the profile is
active.

------
oedmarap
I'm not really certain of how to react to this since [a] I can configure
Wireguard on my phone to use any DNS server (usually my remote Pi-Hole+DoH but
can be 1.1.1.1) and [b] wonder if non-tech folks will install this app and
grasp the difference between _encrypted DNS queries vs. encrypted traffic +
DNS queries_ -- the latter being a better option requiring an actual VPN
tunnel.

I understand that using a loopback VPN is the only way to do this kind of DNS
enforcement on non-rooted phones, which happen to be the majority.

But I think Cloudflare would be better off promoting privacy by either
offering a complete VPN service or partnering with the likes of
Mullvad/Azire/ProtonVPN etc. to ensure DoH by default (which most end users of
those services tweak anyway if they can).

~~~
tedmiston
I haven't used Wireguard, but on iOS does it properly persist DNS settings
across wifi network changes? IIRC this was Cloudflare's technical rationale
for wrapping their DNS nameservers inside a VPN profile, at least on iOS.

I'm currently running the 1.1.1.1 profile on top of my normal VPN service
profile and it appears that both profiles are working correctly in iOS
Settings FWIW.

------
dogma1138
So I’ve set this up on my iPhone and many websites now give this error:

“Origin DNS error

What happened? You've requested a page on a website (archive.is) that is on
the Cloudflare network. Cloudflare is currently unable to resolve your
requested domain (archive.is).”

Are there some restrictions that prevent CF DNS from resolving CF hosted
sites?

~~~
zzzcpan
There are probably more issues. Plenty of websites might not work with
Cloudflare's DNS, since there is some noticeable amount of abuse towards DNS
coming from their network. I've seen crap like a flood of "msn.com" queries
coming from different Cloudflare IPs. That would be a reason enough to
firewall anything coming from them to port 53.

~~~
dogma1138
Is there an app like 1^4 where you can simply set the DNS server of your
choice in iOS? It would be awesome to have; I could point it to my PiHole.

------
solarkraft
"[This app] will generate a VPN profile, which will automatically reroute the
DNS traffic through the app so that it utilizes the 1.1.1.1 DNS servers."

Does this mean I won't be able to use a real VPN? If so this is rather bad for
security.

Why the hell would I use this over just setting the DNS server?

~~~
newscracker
I don't know which platform you're using. On iOS, the end user cannot set up a
DNS server for mobile data connections. Doing it via such an app and a VPN
profile is the only way out (AFAIK). Any DNS settings in Settings.app can be
done (and will work) only for WiFi.

------
dddw
I've been using 1.1.1.1 as DNS last week through Blokada (adblocker available
on F-Droid, highly recommended), and do feel all my requests are faster, which
speeds things up significantly (albeit subjectively).

------
dewey
Will this be available only in the US? Doesn't show up in the AT store (Apple
App Store) yet or is it still rolling out in the other stores?

Edit: Looks like it works if I use the direct link, it's just not findable via
the search yet

~~~
irtefa
Here is the link: https://itunes.apple.com/us/app/1-1-1-1-faster-internet/id1423538627?mt=8

Can you not access it?

~~~
dewey
See my edit, with the direct link it works. Through the search on iOS it
doesn't show up yet.

------
Amazonerh
I wish there was a similar DNS service to block ads. Not via an app but via
Android Pie DNS settings.

------
exabrial
Is the service encrypted though? (DNSCurve or something)

------
wyoh
Does it use DoH?

~~~
kamaln7
Yes, it uses either DNS over HTTPS or DNS over TLS

------
giobox
This strikes me as the most pointless excuse for an app - if you are
technically inclined enough to understand why using Cloudflare’s DNS in place
of your cellphone service provider’s could be beneficial, you are probably
also very much capable of typing “1.1.1.1” in the network preferences on your
phone...

EDIT: I stand very much corrected, at least with regard to iOS and mobile
carriers - I wrongly assumed DNS settings were exposed for the mobile
connection the same way it is for WiFi, where it can be very easily manually
overridden. As someone who doesn’t use an Android phone I’m even more
surprised from comments below that Android doesn’t even allow this for WiFi
via the stock settings app.

That this would also allow you to set cloudflare’s DNS globally for all WiFi
connections on iOS rather than the current Settings app’s per-network basis is
also an interesting advantage.

~~~
beckler
If you're on a network you control, sure you could set up your DHCP to
broadcast the DNS addresses.

However, I don't see how you could set this for mobile networks or networks
you have no control over, since both Android and iOS don't let you override
the DNS address assigned.

Edit: I guess you can override your DNS on iOS when on wifi? I know I can't
change it on my Android.

~~~
crtasm
WiFi on android: if you set a static IP then you can also change DNS. Has to
be done for every network you connect to though.

Mobile data (and wifi) on android: use VPN and choose your DNS
(openvpn+pi-hole on a cheap VPS works great)

