Cloudflare iOS app (itunes.apple.com)
210 points by Mistri on Nov 12, 2018 | 153 comments

This app works by connecting to a VPN. From experience, the user experience of these kinds of apps that use a VPN is pretty poor (for example, ad blockers).

I believe keeping the VPN connected drains the battery because some of the device's chips cannot "sleep".

A VPN-based app also disconnects when going from Wi-Fi to cellular.

Worse, when going from cellular to Wi-Fi (i.e. going back home) with a VPN on, the iPhone just keeps using the mobile network until the VPN is disconnected.

These apps usually try to auto-connect to the VPN, but when your connection is spotty it becomes very annoying: you have to kill the app, disconnect the VPN manually, etc.

As a user you're left manually turning the VPN on/off constantly if you're on the move.

It's definitely not a "set and forget" thing. I wish Apple could give ad blockers and this kind of app a way to function normally without using a VPN as a crutch.

I’ve been using OpenVPN on iOS for about a year, and this app for a day now, and I can guarantee that most of the connectivity issues described are not true. [edit: for me, of course. Sorry, didn't mean to discredit the parent comment like that. Just wanted to add my perspective.]

- it automatically switches networks, both to and from Wi-Fi

- it does not disconnect when switching

- the app does not make anything more spotty or unreliable; it’s just DNS. OpenVPN yes, but this app clearly not.

As for the battery issue: could very well be true, I have no idea how to test it.

The difference between this app and an actual VPN are clear from using it.

I wish there was an option in OpenVPN not to use the connection on SSID/network xyz. I have a static IP at home and use dyndns for DNS resolution with service-specific subdomains. Then, using a forwarder at home, I create split DNS to point the public domain at the local device. It currently doesn't work, as I combined the domain for the VPN and another service out of laziness after moving the VPN to a physical box.

All that said, I don't need to VPN into the home network while at home, and I'd prefer a little more granularity instead of Wi-Fi-only or cell-only. I believe this could be where the battery drain comes from, at least in my case, as the client constantly retries at home even though it will never resolve the proper host internally, because I am a lazy admin.

You’re right, that’s because (I think) this is an “on-demand” VPN, which basically only connects as needed, and allows for switching between Wi-Fi and cellular. It also shouldn’t drain more battery, since it’s not keeping the connection alive when the device is asleep.

'the app does not make anything more spotty or unreliable; it’s just DNS. Openvpn yes, but this app clearly not.'

Not entirely true, in my experience it really fucks with your ability to connect to public hotspots (ex. airports, airplanes, trains, coffee shops) which took me a while to realize

Well, this is normal if those networks rely on their own special DNS servers to connect you.

It's not Cloudflare you should blame here, but those providers.

Is blame really relevant?

I think it is, as they don't follow any standard if they return wrong DNS answers, and they might mess with users' systems.

Because it obscures the source address for DNS queries, it will mess with split-horizon DNS and other systems that give different answers in different places. You might be surprised how many that is.

It’s not a “real” VPN. I’m not sure exactly how much it does, but everything but the actual DNS queries happens on-device, with other network connections not touching CloudFlare servers.

It just acts as both server and client. The issues described still apply

Not quite. There’s no VPN tunnel - no IPSec tunnel is being set up, even on loopback.

The reason the “VPN” icon appears is because VPN profiles are how you override iOS network settings on unmanaged devices: which can include just DNS. Any time a profile is ‘active’, the icon appears.

You could generate your own unsigned profile to do the same, if you were so inclined.

Having tried it, my biggest gripe is the DNS query log stored in the app. This should be optional.

It can be a privacy feature. It allows you to see exactly what the apps on your device are connecting to.

Btw, you don't need the app if you're in the 1% of Android users on Pie: it introduced a system setting for this under Private DNS.

There are also generic apps that allow you to use Cloudflare or another provider, such as: https://play.google.com/store/apps/details?id=com.frostnerd....

It's cute that the time in the screenshots is 11:11.

I get the joke, but I wonder if some folks will believe it's for a different reason: https://en.wikipedia.org/wiki/11:11_(numerology)

On iOS there's also DNSCloak[0], which goes even further and has the option to choose ad filtering (e.g. via PiHole) in combination with no logging and using as DNS.

[0] https://itunes.apple.com/us/app/dnscloak-dnscrypt-doh-client...

Until I set up PiHole, does anyone know a good blocklist to use with DNSCloak for blocking ads?

See https://github.com/jedisct1/dnscrypt-proxy/wiki/Public-black...

As well as the configuration file for the script that comes with dnscrypt-proxy: https://github.com/jedisct1/dnscrypt-proxy/blob/master/utils...

Does it encrypt DNS queries like the app though?

As others have replied already, it does, depending on which solution you pick out of the list. I'm a happy user of this app, no affiliation at all in case someone was wondering.

The URL includes 'doh', which means 'DNS over HTTPS'. That is the encryption layer which uses.

Cloudflare also has DNS over TLS that you can enable in the Settings, which is probably what everyone should be using anyway.

What drives that suggestion?

I prefer DNS over HTTPS as some networks intercept DNS traffic, fail to parse the TLS-wrapped DNS payloads, and fail. DoH exists because DoTLS is prone to more interference.

Yes, DNSCloak only supports encrypted DNS.

ISP DNS servers will always be closer, i.e. have less latency than third-party DNS servers. And after one query, the result will be stored locally, i.e. no DNS servers will be used for the following lookups. The thing with expensive DNS solutions is they only speed up the very first lookup, which might be cached at your ISP anyway. DNS is already a distributed system, which is much larger than any single private entity. Some third-party DNS services might also sacrifice resiliency for performance; they will, for example, not try the secondary DNS if the primary is down. The reason why private organizations want you to use their DNS service is because they want to know every site you visit, then sell that information.

This is a perfect line of reasoning, assuming:

a) your ISP can competently run a secure DNS service correctly (latency is not the whole story of 'performance')

b) it's acting entirely in your interests and not attempting to hijack your DNS service to insert ads etc.

Personally, I've had ISPs where neither of these things have been true.

Cloudflare is on record saying they will not sell the information. You can trust that or not, but your ISP is almost certainly selling it if it is one of the major US ISPs.

Verizon owns Oath, AT&T owns AppNexus, Comcast has a whole suite of adtech companies & owns gigantic publishers. Time Warner literally started out on the sell side of advertising.

I think ISPs selling user data is outrageous and should be illegal. Thankfully where I live (EU) I have 20 ISPs to choose from, allowing me to vote with my wallet.

I don't know much about the ISP market in the EU, but Telenor (a Norwegian ISP) owns Tapad, which is an adtech company most recently named in a big GDPR case. So it's not purely a US-based problem.

CloudFlare can say anything and have all the good intentions in the world. But, on Android, they are using a third party bug tracking software that they don’t have source control for (Instabug). That third party binary blob requests camera and microphone access.

If you install this on iOS, you'll see a little 'VPN' icon in the top bar of your phone. Not sure if you can hide that though.

Same on Android. It's also implemented as a VPN.

For what it's worth I think this is a beautifully designed app. The usability and user experience is great. Yes, it does just one simple thing but it does so in a smooth and elegant way.

Been using this since the beta on TestFlight and it has been awesome. The only thing it needs IMO is the ability to whitelist WiFi networks not to run it on. I run a PiHole instance at home that does DoH through CF already, so I have to remember to turn it off/on all the time to get the ad blocking.

On Android I use DNS66 [0]; it creates a VPN server on my phone, redirects DNS traffic through it and filters it. This way I get adblock all the time even if I don't have a PiHole. Edit: I see now this app by CloudFlare does the same. However, DNS66 lets you choose your own hosts filters and your own DNS servers.

[0] https://f-droid.org/en/packages/org.jak_linux.dns66/

Yeah, iPhone user here, so that's probably a no go.

I've considered just creating a VPN back to my gigabit connection at home (running R715 in a homelab rack) but not super keen about the data making a round trip back home first, especially when travelling.

R715 might be a bit overkill. I use an RPi with Docker. One container with the VPN server and one container with Pi-hole. The Pi-hole container is not accessible outside the local LAN. The VPN server is configured to use it as a DNS server. I use iOS devices and just use the on-demand function for cellular/WiFi VPN (always on). I have an iPhone X and I don’t notice a degraded user experience in regards to the battery.

   13:20:52 up 10:57,  1 user,  load average: 0.00, 0.03, 0.00
I just restarted it 11 hours ago, but the load is never high for the two containers. Currently free -m is reporting 114/927 used

It's not bare metal, I have Xen Server running with quite a few VMs so PiHole is just a small chunk.

Heh, if you're using global roaming on your SIM, the data is making a round trip anyway.

Definitely not. Simple services like ipchicken.com will show you're using an IP address local to the roaming provider that you're using. If you're travelling far enough, you can try accessing local services vs home-country-services and compare loading times. Or better still, just ping various services that are local or in your home and compare the actual latencies.

That doesn't match my experience - while I was using Vodafone Germany in France, my IP was German. Someone else on EE had a UK IP.

I guess then that it depends on the local carrier, roaming carrier, and the carrier agreements in place. Probably not safe to say one or the other always happens definitively.

Thanks for the DoH (DNS over HTTP) tip re: pihole. Here's the setup guide: https://docs.pi-hole.net/guides/dns-over-https/

Same. My home Unifi network is all integrated with PiHole and does DNS over HTTPS to CF.

Having the on my phone is great except when I'm at home and want it disabled.

It would be a good use of the VPN-on-demand features of iOS. Assuming you only connect to wifi at home, I guess.

The whitelist feature would be great because our work Wi-Fi network seems to be incompatible with this app somehow.

I'm not quite so sure why everyone is happy to just blindly trust Cloudflare. These are the people who play games when Adobe Flash "updater" sites which are clearly, obviously and unambiguously hosting Trojans are hosted via their services.

I don't trust them one tiny bit.

What do you mean, you don’t trust them? Cloudflare provides services to scummy websites, yes. But Cloudflare isn’t doing anything to promote these websites, trick users into visiting them, or otherwise aide them in any way other than providing the exact same services they provide to everybody else.

I fully understand disagreeing with Cloudflare’s decision to turn a blind eye towards what their customers are doing. I just don’t understand why this behavior means you “don’t trust them”. What do you think Cloudflare is going to do?

Something is clearly and obviously illegal. Nobody can say there's ambiguity about the legitimacy of these sites. Yet Cloudflare not only does nothing even when these sites are reported to them, they help make sure the sites continue to run.

Would the problem here be more clear if Cloudflare did nothing when people use them to provide hosting services for child porn sites? Why do you think it's OK for Cloudflare to decide when to ignore the law and when to do something about obviously illegal content?

The issue here is there is no clear line for where one should start and stop moderating their own service. E.g. do they disallow anything illegal? What about stuff that is illegal in some countries but not others? What about stuff that is immoral but not illegal? Then who defines what is immoral and what is unpopular? Or do you then just ban anything that is unpopular as well?

There is a reason why platforms like Cloudflare, Google and ISPs are against proactively moderating their own services; from a business standpoint it's an expensive and futile task (because it's dead easy for malicious actors to set up new sites and re-abuse the aforementioned services) and from a social perspective it's not Cloudflare's job as a CDN to dictate what is and isn't socially acceptable.

Now just because Cloudflare have taken the decision not to police the internet that doesn't mean they cannot be trusted with your privacy. Those two points you're trying to equate are actually unrelated.

Providing services to malware sites isn't illegal. Providing services to child porn sites is. That's the distinction that Cloudflare draws.

> That's the distinction that Cloudflare draws

And we free persons are at liberty to disagree with their line. Personally, their delineation seems self-serving and marginally scummy. (The service and this app are appreciated and used.)

How about torrent sites? Where would you personally draw the line? It has to be drawn somewhere.

Actually, sites which claim they are one thing (Adobe, a bank's web site) when they obviously aren't are, in fact, illegal.

But hey - if you want to pretend that a site which pretends to be Bank of America is somehow in some grey area, then by all means be a phishing apologist.

Sites that sell malware aren’t pretending to be Bank of America.

Also, while I certainly believe that some phishing site pretending to be Bank of America should be illegal, I’m not actually sure what law that would violate. Is it actually illegal or do you just believe that it should be? And I’m not looking for “it violates copyright/trademark” as an answer, that’s a civil issue.

It's just weird they are willing to censor legal speech but not illegal things like malware.

Except they're not willing to censor legal speech.

What they did was, one time and one time only, kicked someone off their platform for publicly advertising that Cloudflare supported their awful site. This was a unilateral decision made by the Cloudflare CEO because he was mad that they were saying that, and it's a decision that he admitted was wrong and said would not happen again.

So this wasn't about "censoring legal speech" but rather for the specific act of trying to publicly associate Cloudflare with white supremacy ideology, and it's something they've committed to not doing again.

You can read some of the reaction here: https://www.cloudflare.com/cloudflare-criticism/

It's so strange that we live in a time where refusing to give a platform to Nazis is considered controversial. Perhaps we are due another world war.

Actions speak much louder than words. They did it knowing it violated their principles yet they want to eat their cake and have it too. We wouldn't give another corporation the same benefit of the doubt, but because they are in tech we're willing to use a double standard.

They were absolutely right in what they did. Free speech does not mean you have to give a platform to people you find abhorrent.

Being a common carrier does, though. If they want to be treated like a common carrier - and I think there's a reasonable case for treating infrastructure providers like that - they should be expected to act like one.

Well, I would like to see you if some hardcore communists were claiming you are supporting them because you let them use your service.

It's a private company; those can choose whom they do business with.

Also, let's not forget they are nothing like a carrier. Carrier laws exist because there is no possible alternative. This is just a CDN we are talking about. You can quite easily replace it, even yourself.

I sort of agree with the parent. They clearly had the right to do what they did, and the world is probably a better place for it but then if they're willing to bend their "neutrality" principle for that then why not for other things?

And let's be clear, I'm not taking the stance that they shouldn't refuse service to hate speech websites, I'm saying that IMO they morally and ethically should strive not to provide service to obvious scams and malware websites either.

I really don't think that the "common carrier" angle holds any water. An ISP requires infrastructure and as a user you don't even have a lot of choice about which one you use. Even if you do have a choice it's not like you can change your ISP easily and quickly. That's why "common carrier" and net neutrality make some sense in that context.

Cloudflare is much closer to a web host than an ISP. You can still very much host websites that will be accessible by everybody without Cloudflare's help. If OVH hosted spammers and botnets and refused to do anything about it under the guise of "free speech" would we consider that a good thing? Is it really all that noble?

That's fine, but if CloudFlare believes that then they shouldn't write long winded blog posts explaining how they believe the exact opposite immediately after de-platforming someone.

It's the two-faced nature of it I object to.

> Free speech does not mean you have to give a platform to people you find abhorrent.

From wikipedia: "Freedom of speech is a principle that supports the freedom of an individual or a community to articulate their opinions and ideas without fear of retaliation, censorship, or legal sanction."

A platform either supports free speech or it doesn't. Most of them do not. That's fine as long as we (and they) understand the difference between freedom and censorship. Freedom is awesome but comes at a cost, censorship is good too but comes at a cost...

Have they said they won't? Or is it just more difficult to stamp out? The malware sites can use any URL, so I imagine it's difficult to stamp out automatically.

Cloudflare explicitly takes a hands-off approach. They said they'll provide their basic services to anyone and everyone as long as it's not violating the law (which basically means they won't protect child pornography sites), and they explicitly don't police the content of the sites. AIUI their rationale is that it's so easy to DDoS sites these days that everyone deserves to have access to basic DDoS protection no matter who they are or what they believe.

Do you trust your cellular carrier more?

I am not saying you are wrong, but the decision is which provider do I trust the least? I personally do not trust Verizon Wireless at all and they know my real name, mobile phone number, address, and credit card number. Cloudflare does not have these validated data points about me, so maybe they are using my data in a nefarious way, but they don't have the other PII to go along with it. Perhaps they have a method to match my data requests to publicly purchased PII, but their matching is not already validated by me, so there is a chance for error fuzzing.

This might be true if you're from the US. Being situated in Europe (or elsewhere on the map) might very well change the perspective towards Cloudflare a bit.

You shouldn't, but there's some vague notion that giant corporations have taken over the net and fighting against it is actively harming your privacy more than it helps. Is Cloudflare better than your {ISP, self hosted, Google, etc} DNS servers? That's probably for an individual to decide.

Have they ever explicitly not taken down one of these sites? https://www.cloudflare.com/abuse/form

A lot of cracking- and RE-related websites sit now behind CF and, no, they are not taking them down, because apparently flaunting one's cracks (while linking to them on other sites) is not an abuse of their terms.

Unless your site involves something particularly terrible, their abuse form is only good for the fact that it gets forwarded to the underlying web host.

Most web hosts are going to be more strict than CloudFlare is, but you'll notice that most scummy sites use scummy hosts.

They’ll take your site down if they don’t like your political views though.

I can just add as the DNS server in iOS Settings. What's the difference?

Configuring with iOS settings sends unencrypted DNS requests to and, as a result, the sites you access can be seen in your internet traffic by people like your Mobile provider (when using mobile internet) or the local cafe (when using their WiFi) or your home ISP (when using your home WiFi).

This app enables your DNS requests to be encrypted. Your requests are still seen by Cloudflare, of course.
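As an added example (not code from the thread or from Cloudflare's app), here is what the encrypted exchange described above looks like on the wire per RFC 8484: the same DNS message that would otherwise go to port 53 in the clear is carried inside an HTTPS request. It assumes Cloudflare's public DoH endpoint https://cloudflare-dns.com/dns-query, which the thread does not name, and the sample reply is constructed.

```python
"""RFC 8484 DNS-over-HTTPS (DoH): build a wire-format query, wrap it for the
GET and POST transports, and parse the resolver's reply."""
import base64
import ipaddress
import struct
import urllib.request

# Assumed endpoint (not taken from the thread): Cloudflare's public DoH resolver.
DOH_URL = "https://cloudflare-dns.com/dns-query"
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def _encode_name(name):
    """Encode a host name as DNS labels: length byte + label, terminated by 0."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label length in %r" % name)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=1):
    """Standard query with RD set. RFC 8484 recommends transaction ID 0 so
    identical questions give identical bytes (HTTP-cache friendly)."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack("!HH", qtype, 1)


def doh_get_url(query, base_url=DOH_URL):
    """GET transport: the query as unpadded base64url in the 'dns' parameter."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return "%s?dns=%s" % (base_url, b64)


def _read_name(data, offset):
    """Read a possibly compressed name; return (name, offset after the name)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:            # compression pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            return ".".join(labels), end
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def parse_response(data):
    """Parse the header, skip the question, decode A/AAAA answers (others as hex)."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):
        _name, offset = _read_name(data, offset)
        offset += 4                          # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, offset = _read_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            value = str(ipaddress.IPv4Address(rdata))
        elif rtype == 28 and rdlen == 16:
            value = str(ipaddress.IPv6Address(rdata))
        else:
            value = rdata.hex()
        answers.append({"name": name, "type": rtype, "ttl": ttl, "data": value})
    return {"rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)), "answers": answers}


def query_doh(name, qtype=1, url=DOH_URL, timeout=5):
    """POST transport: the raw DNS message travels inside the TLS session, so an
    on-path observer (ISP, hotspot) sees only an HTTPS connection to the resolver."""
    req = urllib.request.Request(
        url, data=build_query(name, qtype), method="POST",
        headers={"Content-Type": "application/dns-message", "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        ctype = resp.headers.get("Content-Type", "").split(";")[0].strip()
        if ctype != "application/dns-message":
            raise ValueError("unexpected content type %r" % ctype)
        return parse_response(resp.read())


# Constructed sample reply (not captured from Cloudflare): www.example.com A,
# TTL 300, answer name compressed to a pointer at offset 12, address 203.0.113.10.
SAMPLE_RESPONSE = (
    b"\x00\x00\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    b"\x03www\x07example\x03com\x00\x00\x01\x00\x01"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\xcb\x00\x71\x0a"
)
```

`query_doh("www.example.com")` performs the live lookup; `parse_response(SAMPLE_RESPONSE)` shows the decoding offline.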

We try to hold on to as few logs as possible, the goal of the project is improving privacy. You can read the full policy here: https://developers.cloudflare.com/

Got a follow-up question for you... have you guys integrated the iOS app into Apple's "Shortcuts" app? This app, created by a 3rd party, used to be called Workflow. Apple bought the app 2 years ago or so.

Reason I ask... I have a one-tap shortcut to turn off Wi-Fi and Bluetooth for leaving home. Would be awesome to turn off Wi-Fi / Bluetooth / turn on Cloudflare with a single tap as I head out the door.

I don't need the battery drain from VPN usage while sitting at home, and already have my DNS routed away from my ISP.

Thanks for the suggestion, we'll look into integrating. There shouldn't be notable battery drain from the app though, it's not a VPN in the traditional sense.

Very cool. Thanks. Yeah, in addition to the battery issue (which sounds like a non-issue based on your reply) there is the simple issue of me not remembering to turn it on / off.

That setting change only changes DNS while on Wi-Fi. iOS offers no direct method of changing DNS while on cellular. Without something like Terminal on an iPhone, it's pretty difficult to tell which DNS is being used by the iPhone unless the phone is jailbroken. I use an app called Net Analyzer to check various networking configs. I'm not sure even the Cloudflare app is actually changing DNS. Need to do a bit more poking about to figure out what exactly is going on.

Edit: After playing around a bit with the CloudFlare app alongside Net Analyzer, DNS on cellular appears to be modified from my cell provider to what I think is the CloudFlare VPN profile on the device with IP addresses,,

It installs a VPN policy to do it, that's the only viable method on non-managed devices. There is another big difference as well, the app enables DNS-over-HTTPS which encrypts your DNS traffic.

Thanks! Good info. Yeah, was able to confirm that the Cloudflare app defaulted to DNS over https. That's an improvement over my previous attempts to excise cellular DNS traffic away from my carrier.

Is Cloudflare also servicing internet requests or are requests still being serviced by the cellular providers after DNS is resolved?

Cloudflare is using the NetworkExtension API purely to intercept DNS requests and nothing else. Everything happens on device and not in some remote VPN service.

Is there a performance hit vs using native carrier DNS?

Your carrier's DNS may or may not be fast depending on how it is set up and who you use. In general is faster than any of the other public DNS resolvers, and does a lot of preemptive caching that it's likely your ISP does not. Of course, it also doesn't sell your data which is a bonus.

How do you do that for non-Wi-Fi??

You can’t specify your DNS server at all on iOS when you’re not on WiFi.

dns over https as well

So the app shows you your DNS logs, without any sort of protection.

I imagine this is a trivially simple way of snooping on an unsuspecting target. Let’s say you don’t trust your spouse. You install this app – showing them the security benefits as advertised by the application, letting them do their own research if necessary – then a day later come back and scroll through their DNS logs looking for cheatonmypartner.com.

This app changes nothing. If you've got access to install software on someone's handset then there isn't much they can do to prevent you from installing tracking tools - aside from having to trust that you wouldn't.

All good points in response, I hadn't thought this through.

- You need to be able to unlock their device without their knowledge to view the DNS logs.

- Therefore you know their PIN or have your fingerprint loaded (as I do on my partner's phone and vice versa).

- Therefore you can just install [any other tracking malware] and hide the icon in a folder somewhere. And now you don't have a VPN icon in the toolbar.

But does [any other tracking malware] actually exist for iOS?

> But does [any other tracking malware] actually exist for iOS?

Much easier would be to install a router with OpenWRT, set a DNS server (that your DHCP points to) and look at the logs. Or even running Wireshark in your own network should do the trick.

As long as the DNS requests are not encrypted, you should get the information you want.

physical access = device owned in almost every case

Might raise some flags with the 'VPN' icon in the corner of the device.

I want to believe this is a good thing, but I can’t get that whole “we block Tor users” campaign out of my mind.

I'm quite the opposite, as I appreciate the work towards supporting Tor with easy-to-set-up onion fronts as alt-svc's and their work towards limiting their DDoS mitigation for Tor users. These are usually thankless efforts that don't affect their bottom line, or maybe are even a net negative depending upon the level of effort they expend.

I still need to understand how that is going to be faster and more private

For something with way more features, check out DNSCloak, probably the best DNS app for mobile devices: https://itunes.apple.com/us/app/dnscloak-dnscrypt-doh-client...

DNSCloak supports Cloudflare (among many other options), and has since day one. It will also let you choose how to steer DNS traffic, what domains to block and when, has a built-in cache to reduce latency, and more.

Is there a trustworthy third-party review of DNSCloak?

Short of installing & packet sniffing myself, or breaking apart the package; neither of which I have time to do.

(edit: to be clear, I’d love more options, including one that allows me to use Google’s DoH DNS, but I won’t blindly install an app that intercepts my traffic, even if ‘just’ DNS)

It’s not a real VPN from what I think of a VPN in that my IP is still from my ISP (checked at whatismyip.com) just the DNS requests are encrypted. Still cool though.

It is a bad idea for several reasons.

1. You won't be able to configure a real VPN; iOS allows only one VPN profile. Get a real VPN for the native IKEv2 client you have.

2. It gives CF a gold mine of your browsing history. It already has your traffic to many sites in plaintext, emails and passwords included.

3. You trust a third-party app without the source code, probably with access to all your traffic.

Can someone please help me understand something? I understand that the main feature of 1.1.1. is privacy from the ISP; however, after the DNS resolution, when my device actually goes to the destination, let's say the www.example.com domain, my ISP will know about this too, so what exactly am I hiding here?

I think this is mainly a USian mindset.

I trust my UK ISPs ( Goscomb, AA.net ) to whom I pay a monthly fee for service more than I do some US-based company who wants to provide me a critical service for 'free'. And yet which at other times prevents me reaching websites with a 'One more step...' blocker page.

Many sites these days are hosted on cloud services not owned by the company owning the site, and in these cases it can be fairly hard to find the actual domain from the IP address. In other cases, however, you’re right—the ISP can still figure out where you’re going.

In conjunction with TLS your ISP loses the ability to know the domain. IP then becomes the thing they can track, but in many cases that will just route to big IP blocks for hosting providers.

Having netflix.com is a lot more revealing than having an AWS block.

Encrypted SNI will add some plausible deniability.

IIRC, a prerequisite for the confidentiality of eSNI is in fact secure DNS.

You need that your adversary can't snoop your DNS queries (which DoH and other DPRIVE offerings provide) and if the adversary is active you also need DNSSEC with validation so that the adversary can't lie to your DNS provider and say eSNI isn't available.

Cloudflare do both

Will they rent/lease/lend/share my data out to partners/non partners/anyone? I understand they clearly state they won’t sell the data or use it (themselves) for ad targeting, but their wording doesn’t cover rental to others.

Maybe I'm a little naive, but to me, "renting" data sounds a lot like just selling data.

Right... but it’s a known dark pattern for companies to make deceptive-but-technically-true assurances, so I’m not so sure. They do it because it works, as evidenced by what you say. I do tend to trust Cloudflare to do what they say, but they should say it with full clarity.

According to a comment on ProductHunt:

> “Cloudflare will never sell your data or use it to target ads. Period.”

"Sell" does not cover rent, trade, share, lease, give, etc. Period.

No. We (Cloudflare) barely even store the data, we get rid of it as fast as we can.

OK, that's great. Just as feedback to the company, if you're able to pass it on to someone, as a potential user I would feel more confident in the service if they would clarify the wording (not just from a Hacker News account, I mean). From a user's perspective outside the company it's hard to distinguish between weasel words, and the mere appearance of weasel words.

It's super slow for me. I'm on AT&T fiber at home, which I can't even set my DNS on without taking everything down. But when using the Cloudflare app it appears to work, but it's 10+ seconds to load a page.

I've actually had a noticeable increase in speed, not sure why that's happening to you.

I'm jealous. It's still incredibly slow for me. I assume it's an AT&T thing since I'm on wifi working from home. I am unable to use with AT&T at all still. So I use Google's until they fix the issue. But it's been 6 months and I doubt it will ever be resolved at this point.

Related tangent: does this (or any other similar app or service) provide a straightforward way to bind a static IP address to outbound HTTP requests? Use case: persistent IP address that can be whitelisted by a secured endpoint.

So, it's a VPN -- the other VPN app I use is a local hosts-file ad blocker that Apple removed from the App Store last year for the following reason:

> According to Apple, Future Mind's AdBlock app violates section 4.2 of the App Store Review Guidelines, which dictates that apps must be useful, unique, and "app-like."
It's not a VPN. Unless you mean "it's a VPN for your DNS traffic only". Which is an odd distinction.

It's implemented on iOS as a VPN, of which you can only have one active at a time.

Some Ad Blockers are implemented as VPNs. This is unfortunate, and they should use the Safari Content Blockers interface instead. Content Blockers cannot intercept or sell your content, since the code is sandboxed and doesn't get network access. NeverAds seems to work well for me.

Well, VPN software is one place you don’t have to use Apple’s “walled garden”. They could sell their service outside of the App Store and publish instructions on how to set it up within Settings on the iPhone.

Not quite. iPhone VPN settings are limited to the protocols that Apple has built into iOS (primarily IPsec). If you want something different like WireGuard, you need a separate app.

If you are marketing a VPN solution to iOS users, and you want to sell outside of the App Store, how is it an onerous requirement to implement industry standards?

I imagine they don't want anyone to find the app with that name, given how notoriously bad AppStore search is.

From their play store description:

"Best of all: No upsells, no in-app purchases, and free for life. Website owners pay us to make your Internet faster so you don’t have to."

That sounds totally against net neutrality to me. Unless website owners are not getting preferential speed up.

The description does not mean website owners are paying so that users of this app can get a faster connection to them. It just means website owners pay Cloudflare already, Cloudflare’s business model is selling services to website owners, and so this dinky app for consumers has no need to make money and therefore is free.

Wellll.... paying CF customers will get lower-latency service using this, just as CloudFront gives better service to AWS users.

That’s part of why this app is in CF’s interests.

This app only redirects DNS, it does not tunnel any other networking. The DNS speedup someone will get by using this app applies to all domains, not just those of websites that pay for Cloudflare.

How do I test this is working correctly?

Connect your phone to a desktop via an ad hoc network and run Wireshark. You’ll see the DNS lookups and be able to confirm the TCP traffic afterwards.

This SO post seemed to give a lot of details if you need it.

Good luck!

33.6 MB? To change the DNS?

Sounds like a React Native app (and feels like one, sadly?).

I could be wrong, though, since the NetworkExtension would have to be written in Swift, so I don't see why they wouldn't just write the rest in Swift and/or ObjC... would be happy to be wrong actually.

Works like a charm.

Yep. Doesn’t get more simple than a toggle switch.

Yay! Centralisation

it's just a service

you can run your own easily

just connect to roots

Trust us, not them?

I'd trust one organization that I trust a bit (Cloudflare), rather than random wifi hotspots or my cell & ISP providers which have proven themselves untrustworthy.

Don't use that. Don't use or or any other DNS service which have clear conflicts of interest on both sides. Don't ever trust DNS servers you don't have any control over.

I don't have control over the root domain name servers, so I guess I shouldn't use DNS?

Just run your own root name server! I only use my own self-hosted internet, because it is safe and only contains things that I myself have set up.

Yep. Too untrustworthy. My ISP's DNS, which shows me Yahoo ads instead of an NXDOMAIN error, is much safer.

Any specific thing that either of them is doing wrong, or just hypothetical? Not a huge fan of a lot of things Google does, but they do seem to run quite responsibly. (I don't have much against Cloudflare, and they also seem to do a good job.)

What? Who has complete control over their DNS?
