
Cloudflare 1.1.1.1 iOS app - Mistri
https://itunes.apple.com/us/app/1-1-1-1-faster-internet/id1423538627?mt=8
======
EZ-E
This app works by connecting to a VPN. From experience, the user experience on
these kinds of apps using a VPN is pretty poor (for example, ad blockers).

I believe keeping VPN connected drains the battery because some of the
device's chips cannot "sleep"

A VPN-based app also disconnects when going from Wi-Fi to cellular.

Worse, when going from cellular to WiFi (ie: going back home) with a VPN on,
the iPhone just keeps using the mobile network until the VPN is disconnected

These apps usually try to auto-connect to the VPN, but when your connection is
spotty it becomes very annoying: you have to kill the app, disconnect the
VPN manually, etc.

As a user you're left manually putting the VPN on/off constantly if you're on
the move.

It's definitely not a "set and forget" thing. I wish Apple could give a way
for ad-blockers and this kind of app to function normally without using a VPN
as a crutch.

~~~
nothrabannosir
I’ve been using openvpn on iOS for about a year, and this 1.1.1.1 app for a
day now, and I can guarantee that most of the connectivity issues described
are not true. [edit: for me, of course. sorry, didn't mean to discredit parent
comment like that. just wanted to add my perspective.]

- it automatically switches networks, both to and from WiFi

- it does not disconnect when switching

- the 1.1.1.1 app does not make anything more spotty or unreliable; it's just
DNS. OpenVPN yes, but this app clearly not.

As for the battery issue: could very well be true, I have no idea how to test
it.

The difference between this app and an actual VPN are clear from using it.

~~~
jlgosse
'the 1.1.1.1 app does not make anything more spotty or unreliable; it’s just
DNS. Openvpn yes, but this app clearly not.'

Not entirely true, in my experience it really fucks with your ability to
connect to public hotspots (ex. airports, airplanes, trains, coffee shops)
which took me a while to realize

~~~
elcomet
Well this is normal if those networks rely on their special DNS servers to
connect you.

It's not cloudflare you should blame here, but those providers

~~~
skj
Is blame really relevant?

~~~
elcomet
I think it is, as they don't follow any standard if they return wrong DNS
answers, and they might mess with users' systems.

------
Mistri
Also on the Google Play store:
https://play.google.com/store/apps/details?id=com.cloudflare.onedotonedotonedotone

~~~
blinkingled
Btw, you don't need the app if you're in the 1% of Android users on Pie - Pie
introduced a system setting for this under Private DNS.

------
saagarjha
It's cute that the time in the screenshots is 11:11.

~~~
lenocinor
I get the joke, but I wonder if some folks will believe it's for a different
reason:
https://en.wikipedia.org/wiki/11:11_(numerology)

------
Down_n_Out
On iOS there's also DNSCloak[0], which goes even further and has the option to
choose ad-filtering (e.g., via PiHole) in combination with no-logging and
using 1.1.1.1 as DNS.

[0] https://itunes.apple.com/us/app/dnscloak-dnscrypt-doh-client/id1330471557

~~~
Mistri
Does it encrypt DNS queries like the 1.1.1.1 app though?

~~~
ripdog
The URL includes 'doh', which means 'dns over https'. That is the encryption
layer which 1.1.1.1 uses.

~~~
roboyoshi
Cloudflare also has DNS over TLS that you can enable in the Settings, which is
probably what everyone should be using anyway.

~~~
elithrar
What drives that suggestion?

I prefer DNS over HTTPS as some networks intercept DNS traffic, fail to parse
the TLS-wrapped DNS payloads, and fail. DoH exists because DoTLS is prone to
more interference.
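As an added illustration of what "DNS over HTTPS" means in practice (this is example code, not the 1.1.1.1 app's or Cloudflare's implementation): DoH carries an ordinary DNS wire-format message inside an HTTPS request, so a DoT-hostile middlebox sees only port 443 TLS. The block builds such a query, produces the RFC 8484 GET form, and parses a constructed response offline; the DoH endpoint URL and the sample response are assumptions made for the example.

```python
import base64
import struct
import urllib.request

DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"  # assumed DoH URL for illustration
DNS_MESSAGE = "application/dns-message"                 # RFC 8484 media type

def encode_name(name):
    """Encode a dotted hostname as DNS labels: <len><bytes>... terminated by 0x00."""
    out = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.rstrip(".").split("."))
    return out + b"\x00"

def build_query(name, qtype=1):
    """Wire-format query: ID 0 (RFC 8484 cache-friendly), RD set, one question."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def doh_get_url(query, endpoint=DOH_ENDPOINT):
    """RFC 8484 GET form: the raw message, base64url without padding, in ?dns=."""
    return endpoint + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")

def parse_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer back to an earlier name
            end = end if jumped else off + 2
            jumped, off = True, struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def parse_response(msg):
    """Return the rcode and answer records of a wire-format DNS response."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a DNS response (QR bit clear)")
    off = 12
    for _ in range(qd):            # skip the echoed question section
        off = parse_name(msg, off)[1] + 4
    answers = []
    for _ in range(an):
        name, off = parse_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        value = ".".join(map(str, rdata)) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, value))
    return {"rcode": flags & 0xF, "answers": answers}

def resolve_over_doh(name, endpoint=DOH_ENDPOINT):
    """Live lookup (needs network): POST the query body over HTTPS, as a DoH client does."""
    req = urllib.request.Request(endpoint, data=build_query(name), method="POST",
                                 headers={"Content-Type": DNS_MESSAGE, "Accept": DNS_MESSAGE})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_response(resp.read())

# Constructed response (not captured data): www.example.com A 192.0.2.1, a TEST-NET-1 address.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
                   + encode_name("www.example.com") + struct.pack("!HH", 1, 1)
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
```

The GET URL for www.example.com reproduces the encoding shown in RFC 8484 section 4.1.1; only `resolve_over_doh` needs network access.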

------
z3t4
ISP DNS servers will always be closer, i.e. have less latency than third party
DNS servers. And after one query, the result will be stored locally, i.e. no DNS
servers will be used for following lookups. The thing with expensive DNS
solutions is they only speed up the very first lookup, which might be cached
on your ISP anyway. DNS is already a distributed system, which is much larger
than any single private entity. Some third party DNS services might also
sacrifice resiliency for performance; they will for example not try secondary
DNS if primary is down. The reason why private organizations want you to use
their DNS service is because they want to know every site you visit, then sell
that information.

~~~
kasey_junk
Cloudflare is on record saying they will not sell the information. You can
trust that or not, but your ISP is almost certainly selling it if it is one of
the major US ISPs.

Verizon owns Oath, AT&T owns AppNexus, Comcast has a whole suite of adtech
companies & owns gigantic publishers. Time Warner literally started out in the
sell side of advertising.

~~~
z3t4
I think ISPs selling user data is outrageous and should be illegal. Thankfully
where I live (EU) I've got 20 ISPs to choose from, allowing me to vote with my
wallet.

~~~
kasey_junk
I don't know much about the ISP market in the EU, but Telenor (a Norwegian ISP)
owns Tapad, which is an adtech company most recently named in a big GDPR case.
So it's not purely a US based problem.

------
bart3r
If you install this on iOS, you'll see a little 'VPN' icon in the top bar of
your phone. Not sure if you can hide that though.

~~~
dividuum
Same on Android. It's also implemented as a VPN.

------
cntlzw
For what it's worth I think this is a beautifully designed app. The usability
and user experience is great. Yes, it does just one simple thing but it does
so in a smooth and elegant way.

------
tomschlick
Been using this since the beta on TestFlight and it has been awesome. The
only thing it needs IMO is the ability to whitelist WiFi networks not to run
it on. I run a PiHole instance at home that does DoH through CF already, so I
have to remember to turn it off/on all the time to get the ad blocking.

~~~
krispbyte
On Android I use DNS66 [0]; it creates a VPN server on my phone, redirects DNS
traffic through it and filters it. This way I get adblock all the time even
if I don't have a PiHole. Edit: I see now this app by Cloudflare does the
same. However DNS66 lets you choose your own hosts filters and your own DNS
servers.

[0]
[https://f-droid.org/en/packages/org.jak_linux.dns66/](https://f-droid.org/en/packages/org.jak_linux.dns66/)

~~~
tomschlick
Yeah, iPhone user here so that's probably a no go.

I've considered just creating a VPN back to my gigabit connection at home
(running R715 in a homelab rack) but not super keen about the data making a
round trip back home first, especially when travelling.

~~~
nawtacawp
R715 might be a bit overkill. I use an RPi with Docker. One container with a VPN
server and one container with Pi-hole. The Pi-hole container is not accessible
outside the local LAN. The VPN server is configured to use it as a DNS server.
I use iOS devices and just use the on demand function for cellular/WiFi VPN
(always on). I have an iPhone X and I don't notice a degraded user experience
in regards to the battery.

    13:20:52 up 10:57,  1 user,  load average: 0.00, 0.03, 0.00

I just restarted it 11 hours ago, but the load is never high for the two
containers. Currently `free -m` is reporting 114/927 used.

~~~
tomschlick
It's not bare metal, I have Xen Server running with quite a few VMs so PiHole
is just a small chunk.

------
johnklos
I'm not quite so sure why everyone is happy to just blindly trust Cloudflare.
These are the people who play games when Adobe Flash "updater" sites which are
clearly, obviously and unambiguously hosting Trojans are hosted via their
services.

I don't trust them one tiny bit.

~~~
eridius
What do you mean, you don't trust them? Cloudflare provides services to scummy
websites, yes. But Cloudflare isn't doing anything to promote these websites,
trick users into visiting them, or otherwise aid them in any way other than
providing the exact same services they provide to everybody else.

I fully understand disagreeing with Cloudflare’s decision to turn a blind eye
towards what their customers are doing. I just don’t understand why this
behavior means you “don’t trust them”. What do you think Cloudflare is going
to do?

~~~
johnklos
Something is clearly and obviously illegal. Nobody can say there's ambiguity
about the legitimacy of these sites. Yet Cloudflare not only does nothing even
when these sites are reported to them, they help make sure the sites continue
to run.

Would the problem here be more clear if Cloudflare did nothing when people use
them to provide hosting services for child porn sites? Why do you think it's
OK for Cloudflare to decide when to ignore the law and when to do something
about obviously illegal content?

~~~
eridius
Providing services to malware sites isn't illegal. Providing services to child
porn sites is. That's the distinction that Cloudflare draws.

~~~
JumpCrisscross
> _That's the distinction that Cloudflare draws_

And we free persons are at liberty to disagree with their line. Personally,
their delineation seems self-serving and marginally scummy. (The service and
this app are appreciated and used.)

~~~
SmellyGeekBoy
How about torrent sites? Where would you personally draw the line? It has to
be drawn somewhere.

------
ptrinh
I can just add 1.1.1.1 as the DNS server in iOS Settings. What's the
difference?

~~~
cjensen
Configuring with iOS settings sends unencrypted DNS requests to 1.1.1.1 and,
as a result, the sites you access can be seen in your internet traffic by
people like your Mobile provider (when using mobile internet) or the local
cafe (when using their WiFi) or your home ISP (when using your home WiFi).

This app enables your DNS requests to be encrypted. Your requests are still
seen by Cloudflare, of course.

~~~
zackbloom
We try to hold on to as few logs as possible, the goal of the project is
improving privacy. You can read the full policy here:
https://developers.cloudflare.com/1.1.1.1/commitment-to-privacy/privacy-policy/privacy-policy/

~~~
rabboRubble
Got a follow up question for you... have you guys integrated the iOS app into
Apple's "Shortcuts" app? This app was created by a 3rd party and used to be called
Workflow. Apple bought the app 2 years ago or so.

Reason I ask... I have a one-tap shortcut to turn off WiFi and Bluetooth for
leaving home. Would be awesome to turn off WiFi / Bluetooth / turn on
Cloudflare with a single tap as I head out the door.

I don't need the battery drain from VPN usage while sitting at home, and
already have my DNS routed away from my ISP.

~~~
zackbloom
Thanks for the suggestion, we'll look into integrating. There shouldn't be
notable battery drain from the app though, it's not a VPN in the traditional
sense.

~~~
rabboRubble
Very cool. Thanks. Yeah, in addition to the battery issue (which sounds like a
nonissue based on your reply) there is the simple issue of me not remembering
to turn it on / off.

------
jen729w
So the app shows you your DNS logs, without any sort of protection.

I imagine this is a trivially simple way of snooping on an unsuspecting
target. Let’s say you don’t trust your spouse. You install this app – showing
them the security benefits as advertised by the application, letting them do
their own research if necessary – then a day later come back and scroll
through their DNS logs looking for cheatonmypartner.com.

~~~
laumars
This app changes nothing. If you've got access to install software on someone's
handset then there isn't much they can do to prevent you from installing
tracking tools - aside from having to trust that you wouldn't.

~~~
jen729w
All good points in response, I hadn't thought this through.

- You need to be able to unlock their device without their knowledge to view
the DNS logs.

- Therefore you know their PIN or have your fingerprint loaded (as I do on my
partner's phone and vice versa).

- Therefore you can just install [any other tracking malware] and hide the
icon in a folder somewhere. And now you don't have a VPN icon in the toolbar.

But does [any other tracking malware] _actually exist_ for iOS?

~~~
m45t3r
> But does [any other tracking malware] actually exist for iOS?

Much easier would be to install a router with OpenWRT, set up a DNS server (that
your DHCP points to) and look at the logs. Or even running Wireshark in your
own network should do the trick.

As long as the DNS requests are not encrypted, you should get the information you
want.

------
kevinSuttle
I want to believe this is a good thing, but I can’t get that whole “we block
Tor users” campaign out of my mind.

~~~
kodablah
I'm quite the opposite, as I appreciate the work towards supporting Tor with
easy-to-setup onion fronts as alt-svc's and their work towards limiting their
DDoS mitigation for Tor users. These are usually thankless efforts that don't
affect their bottom line, or maybe even are a net negative depending upon the
level of effort they expend.

------
blablabla123
I still need to understand how that is going to be faster and more private.

------
jedisct1
For something with way more features, check out DNSCloak, probably the best
DNS app for mobile devices:
https://itunes.apple.com/us/app/dnscloak-dnscrypt-doh-client/id1330471557?mt=8

DNSCloak supports Cloudflare (among many other options), and has since day
one. It will also let you choose how to steer DNS traffic, what domains to
block and when, has a built-in cache to reduce latency, and more.

~~~
elithrar
Is there a trustworthy third-party review of DNSCloak?

Short of installing & packet sniffing myself, or breaking apart the package;
neither of which I have time to do.

(edit: to be clear, I'd love more options, including one that allows me to use
Google's DoH DNS, but I won't blindly install an app that intercepts my
traffic, even if 'just' DNS)

------
gigatexal
It’s not a real VPN from what I think of a VPN in that my IP is still from my
ISP (checked at whatismyip.com) just the DNS requests are encrypted. Still
cool though.

------
auslander
It is a bad idea for several reasons.

1. You won't be able to configure a real VPN; iOS allows only one VPN profile.
Get a real VPN for the native IKEv2 client you have.

2. It gives CF a gold mine of your browsing history. It already has your
traffic to many sites in _plaintext_, emails and passwords included.

3. You trust a third-party app without the source code, probably with access
to all your traffic.

------
odedregev
Can someone please help me understand something? I understand that the
main feature of 1.1.1.1 is privacy from the ISP; however, after the DNS
resolution, when my device actually goes to the destination, let's say to
the www.example.com domain, my ISP will know about this too, so what exactly am I
hiding here?

~~~
homero
Encrypted SNI will add some plausible deniability.

~~~
nly
IIRC, a prerequisite for the confidentiality of eSNI is in fact secure DNS.

~~~
tialaramex
You need your adversary to be unable to snoop your DNS queries (which DoH and other
DPRIVE offerings provide), and if the adversary is active you also need DNSSEC
with validation so that the adversary can't lie to your DNS provider and say
eSNI isn't available.

Cloudflare do both.

------
natch
Will they rent/lease/lend/share my data out to partners/non partners/anyone? I
understand they clearly state they won’t sell the data or use it (themselves)
for ad targeting, but their wording doesn’t cover rental to others.

~~~
CoryG89
Maybe I'm a little naive, but to me, "renting" data sounds a lot like just
selling data.

~~~
natch
Right... but it's a known dark pattern for companies to make
deceptive-but-technically-true assurances, so I'm not so sure. They do it
because it works, as evidenced by what you say. I do tend to trust Cloudflare
to do what they say, but they should say it with full clarity.

------
imagetic
It's super slow for me. I'm on AT&T fiber at home, which I can't even set my
DNS on without taking everything down. When using the Cloudflare app it
appears to work, but it's 10+ seconds to load a page.

~~~
Mistri
I've actually had a noticeable increase in speed, not sure why that's
happening to you.

~~~
imagetic
I'm jealous. It's still incredibly slow for me. I assume it's an AT&T thing
since I'm on wifi working from home. I am unable to use 1.1.1.1 with AT&T at
all still. So I use Google's 8.8.8.8 until they fix the issue. But it's been 6
months and I doubt it will ever be resolved at this point.

------
chrisweekly
Related tangent: does this (or any other similar app or service) provide a
straightforward way to bind a static IP address to outbound HTTP requests? Use
case: persistent IP address that can be whitelisted by a secured endpoint.

------
nyolfen
so, it's a VPN -- the other VPN app I use is a local hosts file adblocker that
Apple removed from the App Store last year for the following reason:

>According to Apple, Future Mind's AdBlock app violates section 4.2 of the App
Store Review Guidelines, which dictates that apps must be useful, unique, and
"app-like."

¯\_(ツ)_/¯

~~~
rconti
It's not a VPN. Unless you mean "it's a VPN for your DNS traffic only". Which
is an odd distinction.

~~~
ebeip90
It's implemented on iOS as a VPN, of which you can only have one active at a
time.

Some Ad Blockers are implemented as VPNs. This is unfortunate, and they should
use the Safari Content Blockers interface instead. Content Blockers cannot
intercept or sell your content, since the code is sandboxed and doesn't get
network access. NeverAds seems to work well for me.

------
vegardx
I imagine they don't want anyone to find the app with that name, given how
notoriously bad AppStore search is.

------
ashishb4u
From their play store description:

"Best of all: No upsells, no in-app purchases, and free for life. Website
owners pay us to make your Internet faster so you don’t have to."

That sounds totally against net neutrality to me. Unless website owners are
not getting preferential speed up.

~~~
eridius
The description does not mean website owners are paying so that users of this
app can get a faster connection to them. It just means website owners pay
Cloudflare already, Cloudflare’s business model is selling services to website
owners, and so this dinky app for consumers has no need to make money and
therefore is free.

~~~
brians
Wellll.... paying CF customers will get lower latency service using this, just
as CloudFront gives better service to AWS users.

That’s part of why this app is in CF’s interests.

~~~
eridius
This app only redirects DNS, it does not tunnel any other networking. The DNS
speedup someone will get by using this app applies to all domains, not just
those of websites that pay for Cloudflare.

------
gt640k
How do I test this is working correctly?

~~~
social_quotient
Connect your phone to your desktop via an ad hoc network and run Wireshark. You'll see
the DNS lookups and be able to confirm the TCP traffic afterwards.

This SO post seemed to give a lot of details if you need it:

https://stackoverflow.com/questions/9555403/capturing-mobile-phone-traffic-on-wireshark

Good luck!

------
znpy
33.6 MB? To change the DNS?

~~~
Klonoar
Sounds like a React Native app (and feels like one, sadly?).

I could be wrong, though, since the NetworkExtension would have to be written
in Swift, so I don't see why they wouldn't just write the rest in Swift and/or
ObjC... would be happy to be wrong, actually.

------
MordodeMaru
Works like a charm.

~~~
sjroot
Yep. Doesn’t get more simple than a toggle switch.

------
hendry
Yay! Centralisation

~~~
AckSyn
it's just a service

you can run your own easily

just connect to roots

------
asasidh
Trust us, not them?

~~~
jonny_eh
I'd trust one organization that I trust a bit (Cloudflare), rather than random
wifi hotspots or my cell & ISP providers which have proven themselves
untrustworthy.

------
dschuetz
Don't use that. Don't use 1.1.1.1 or 8.8.8.8 or any other DNS service which
has clear conflicts of interest on both sides. Don't ever trust DNS servers
you don't have any control over.

~~~
jrockway
I don't have control over the root domain name servers, so I guess I shouldn't
use DNS?

~~~
slimsag
Just run your own root name server! I only use my own self-hosted internet,
because it is safe and only contains things that I myself have set up.

_/s_

~~~
jrockway
Smart!

