DNSCrypt: great proxy alternative to cloudflared


#1

I’ve been testing 1.1.1.1 for two days, and I think it’s great.

DNSCrypt supports DoH, and the Cloudflare DNS is already in their list of public resolvers.

dnscrypt-proxy is a great software to use as an alternative to cloudflared-proxy.

Installation instructions here.


#2

Do you have a source detailing the usage of DoH? I couldn’t find anything…


#3

It’s on the main website https://1.1.1.1


DNSCrypt does support DoH, and the Cloudflare DNS has been on their resolver list for some time now.

Direct link to developer pages: https://developers.cloudflare.com/1.1.1.1/dns-over-https/
(Afaik DoH should be preferred over DNS-over-TLS.)


#4

I tried opening the website using the hostname (https://1dot1dot1dot1.cloudflare-dns.com/) and it fails! I didn’t even try the direct IP…

Thanks!


#5

There’s the main URL: https://cloudflare-dns.com … but that redirects to https://1.1.1.1

1dot1dot1dot1.cloudflare-dns.com is just the dns hostname:

 ❯ dig +short -x 1.1.1.1
1dot1dot1dot1.cloudflare-dns.com.

#6

Well, yesterday https://cloudflare-dns.com didn’t redirect anywhere, so I tried the other one. Didn’t expect them to use just the IP, that’s all.


#7

It’s not working for me, either. Neither is dig @1.1.1.1

A response to my post on the blog was this:

Due to various reasons, 1.1.1.1 does not work for a fraction of the internet; we are working on fixing that. The issues involved include network filters, various devices that use 1.1.1.1 internally, etc. Stay tuned for follow-up blogs and for now use 1.0.0.1 or our IPv6 addresses 2606:4700:4700::1111, 2606:4700:4007::1001


#8

If you traceroute to 1.1.1.1, @sdayman, how far does it go? Does it escape your LAN?


#9

It goes about two zones into Charter, ten miles away. 1.0.0.1 goes all the way through. L.A. to Minnesota to Virginia. That, uh, seems a long way away.


#10

Yeah, definitely some route optimizations still available. Getting it announced by some folks was fun… I’d recommend opening a ticket with Charter if they’re your ISP. I’m sure they will thank you for the heads up. :wink:


#11

Just found out that DNSCrypt has been supporting the Cloudflare DNS for some time now. I always thought it was a different server. (Will edit the OP.)


#12

You probably mean dnscrypt-proxy :slight_smile:

It’s a bit sad that there was no mention of it to use DoH, especially since it works very well with Cloudflare, out of the box.


#13

Yes! I’ll be adding a how-to for dnscrypt-proxy to the documentation shortly.
EDIT: It’s now published.


#14

Do you have any mechanism that allows us to verify we set up DoH or DNS-over-TLS correctly?
Maybe something similar to nslookup -type=txt debug.opendns.com.


#15

The response you get from such a query should be trusted just as you would trust an email with an attachment that says “open me, I’m totally not a virus”.

Anyway, you can run ./dnscrypt-proxy -resolve example.com. Among other things, it will return the “Resolver IP”. You can then check that this IP belongs to Cloudflare, for example on https://iptoasn.com

Another way is to temporarily stop the proxy. If you can’t resolve anything any more, you were obviously using it, and your queries are not leaking through another path.
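As an added example (not from this thread or from the dnscrypt-proxy project’s shipped files), here is a dnscrypt-proxy.toml fragment that pins the proxy to Cloudflare’s DoH entries, as the OP suggests, so that the resolver-IP check from the post above has a clear expected answer. It assumes the default [sources.'public-resolvers'] block from the project’s example config is left in place, since that list is where the 'cloudflare' names come from.

```toml
# dnscrypt-proxy.toml fragment (hypothetical example, not the project's own config)
# Assumes the example config's [sources.'public-resolvers'] section is kept as-is.

# Where local clients send their queries; point the OS resolver at this address.
listen_addresses = ['127.0.0.1:53']

# Use only these entries from the public-resolvers list. With an empty list the
# proxy would rotate across every public resolver, not just Cloudflare.
server_names = ['cloudflare', 'cloudflare-ipv6']

# Keep DoH entries only; skip DNSCrypt-protocol servers from the list.
dnscrypt_servers = false
doh_servers = true

# Drop any list entry that does not advertise DNSSEC validation, no logging,
# and no filtering, so a stale or mislabelled entry cannot be selected.
require_dnssec = true
require_nolog = true
require_nofilter = true
```

After editing, `./dnscrypt-proxy -check` validates the file and `./dnscrypt-proxy -list` shows which entries survive the filters; `./dnscrypt-proxy -resolve example.com` then reports a resolver IP that should belong to Cloudflare.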