1.1.1.1 on travelling iPhone - iPad automatically links to closest Cloudflare server?

My wife takes her iPhone (6S I think) and iPad with her from New York to Seoul to Bangkok to Hong Kong and elsewhere - for her own business. Her iPhone’s AT&T plan has UNLIMITED WORLDWIDE DATA - data, not voice. (It’s a VERY unusual plan.) Her iPad connects to whatever WiFi is available (usually hotel).

  1. If we set her iPhone and iPad to use 1.1.1.1 for DNS lookup, will those lookups always automatically go to the CLOSEST Cloudflare 1.1.1.1 server, or will her phone continue to try to reach Cloudflare near NYC?
  2. How can we test to make sure?
  3. If we ALSO install the DNSCloak app on each device (which runs dnscrypt-proxy to encrypt the DNS lookups) and make it point to 1.1.1.1 as the only resolver, same question - when she’s traveling, will the DNS queries go to Cloudflare’s closest 1.1.1.1 server, or back to the NYC area?
  4. Again, how could we test to be sure? (Should testing be done differently with DNSCloak installed?)

Thanks.

1.1.1.1 is always the closest Cloudflare data center.

To check, go to the hamburger menu (three horizontal lines) and tap Advanced Settings. The Diagnostics option will show you which Colocation center you’re hitting.

sdayman - thanks for fast reply.
As I’m not an iPhone person, where is this hamburger menu? In her safari browser or in a 1.1.1.1 app that she should install first?

I think we’re done here. 😜

Well…ok. It’s in the 1.1.1.1 app, upper right corner.

I agree about being done when it comes to iPhone. Thanks for your patience!
Next question - if we’re going to install the DNSCloak app to add dnscrypt-proxy to the mix (and have it point exclusively to 1.1.1.1 as only resolver), can she skip installing Cloudflare’s 1.1.1.1 app?
If yes, then again how would we check that all DNS lookups are going to 1.1.1.1 (encrypted) AND that it’s the closest Cloudflare 1.1.1.1 server as she moves around?

I used DNSCloak before the 1.1.1.1 app came out. It will also hit the nearest 1.1.1.1 data center. There’s no way around that, which is good.

Give this a try to see if DNS is encrypted: https://1.1.1.1/help

Edit: Yes, you can use DNSCloak only. That’s handy if 1.1.1.1 is blocked. The 1.1.1.1 app is just a very user-friendly way to do it.

1 Like
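
An added example (not part of the original thread or any poster's code): from a laptop on the same network, the resolver itself can be asked which data center answered, using the CHAOS-class TXT query `id.server`, which 1.1.1.1 answers with the IATA airport code of the responding data center. The sample response bytes are constructed for the offline check, and the probe runs over plain UDP port 53, so it shows routing only, not encryption.

```python
import socket
import struct

def build_query(name="id.server", qtype=16, qclass=3, txid=0x1234):
    """Build a DNS query; defaults are TXT (16) in the CHAOS class (3)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, qclass)

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # a compression pointer is 2 bytes and ends the name
            return off + 2
        off += 1 + n

def parse_txt_answer(msg, txid=0x1234):
    """Return the first TXT string in the answer section, or None."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000 or flags & 0x000F:
        return None  # wrong transaction id, not a response, or RCODE != 0
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 16 and rdlen > 0:
            return msg[off + 1:off + 1 + msg[off]].decode("ascii", "replace")
        off += rdlen
    return None

def query_colo(server="1.1.1.1", timeout=3.0):
    """Live check over plain UDP/53; returns the resolver's answer or None."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(), (server, 53))
        return parse_txt_answer(s.recvfrom(512)[0])

# Constructed sample response (not captured traffic): one TXT answer "EWR".
SAMPLE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
          + b"\x02id\x06server\x00" + struct.pack("!HH", 16, 3)
          + b"\xc0\x0c" + struct.pack("!HHIH", 16, 3, 0, 4) + b"\x03EWR")

if __name__ == "__main__":
    print("sample:", parse_txt_answer(SAMPLE), "| live:", query_colo())
```

If the live answer is not an airport code, or the query times out, something on the local network (a hotel captive portal, for instance) is likely intercepting or blocking port 53, which is the case the encrypted transports discussed in this thread are meant to avoid.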

sdayman - great info and I just checked 1.1.1.1/help on my iPad (which never moves from my apartment in NYC). That’s a great link because it confirms the encryption and also shows which Cloudflare server.
Question - does Cloudflare’s 1.1.1.1 app for iPhone also encrypt the DNS lookups like DNSCloak, or does it just set the iPhone to send DNS queries to 1.1.1.1?

It’s definitely encrypted. Also in the Advanced Settings are Connection Options. You only have two choices: DoH or DoT, both encrypted.

sdayman - great news - I didn’t know that nine months ago when I put DNSCloak on my own stationary iPad and I will try the app soon.
On my home PCs (wired to Verizon FIOS), I am using SimpleDNSCrypt, which also adds the dnscrypt-proxy service to the PCs, and again I have it set to use 1.1.1.1 as only resolver. All tests are very good.
BUT is there a new Cloudflare 1.1.1.1 app that does the same thing for PCs?
I ask because SimpleDNSCrypt and the dnscrypt-proxy service are not easy enough to use for people who spend less time fussing with their PCs, and so I have not recommended them to friends.

Sorry, Cloudflare doesn’t have a Desktop app that does this, but I thought I heard they’re looking into this. The easy workaround is to use Firefox which supports it natively. I think Chrome’s Canary version supports it.

Didn’t know Firefox supported encrypted (DoH or DoT) DNS lookups natively. Where are its settings for that? (I use FF with security add-ons like NoScript and Disconnect.)
EDIT - I found the info - see, for example,
https://www.zdnet.com/article/how-to-enable-dns-over-https-doh-in-firefox/

And for a great article about encrypted DNS lookups and dnscrypt-proxy, see
https://arstechnica.com/information-technology/2018/04/how-to-keep-your-isps-nose-out-of-your-browser-history-with-encrypted-dns/

1 Like

I use these two about:config flags. Mode 3 forces DoH only with no fallbacks.

sdayman - great volley here - almost as good as Wimbledon.
You’re the champ.

1 Like