I’ve been testing 220.127.116.11 for two days, and I think it’s great.
DNSCrypt supports DoH, and the Cloudflare DNS is already in their list of public resolvers.
dnscrypt-proxy is a great software to use as an alternative to
Installation instructions here.
Do you have a source detailing the usage of DoH? I couldn’t find anything…
It’s on the main website https://18.104.22.168
DNSCrypt does support DoH, and the Cloudflare DNS has been on their resolver list for some time now.
Direct link to developer pages: https://developers.cloudflare.com/22.214.171.124/dns-over-https/
(Afaik DoH should be preferred over DNS-over-TLS.)
I tried opening the website using the hostname (https://1dot1dot1dot1.Cloudflare-dns.com/) and it fails! I didn’t even try the direct IP…
There’s the main URL: https://Cloudflare-dns.com … but that redirects to https://126.96.36.199
1dot1dot1dot1.Cloudflare-dns.com is just the dns hostname:
❯ dig +short -x 188.8.131.52
Well, yesterday https://Cloudflare-dns.com didn’t redirect to anything, so I tried the other one. Didn’t expect them to use just the IP, that’s all.
It’s not working for me, either. Neither is dig @184.108.40.206
A response to my post on the blog was this:
Due to various reasons 220.127.116.11 does not work for a fraction of the internet; we are working on fixing that. The issues involved include network filters, various devices that use 18.104.22.168 internally, etc. Stay tuned for follow-up blogs, and for now use 22.214.171.124 or our IPv6 addresses 2606:4700:4700::1111, 2606:4700:4007::1001
If you traceroute to 126.96.36.199, @sdayman, how far does it go? Does it escape your LAN?
It goes about two zones into Charter, ten miles away. 188.8.131.52 goes all the way through. L.A. to Minnesota to Virginia. That, uh, seems a long way away.
Yeah, definitely some route optimizations still available. Getting it announced by some folks was fun… I’d recommend opening a ticket with Charter if they’re your ISP. I’m sure they will thank you for the heads up.
Just found out that DNSCrypt has been supporting the Cloudflare DNS for some time now. I always thought it was a different server. (Will edit the OP.)
You probably mean dnscrypt-proxy
It’s a bit sad that there was no mention of it to use DoH, especially since it works very well with Cloudflare, out of the box.
Yes! I’ll be adding a how-to for dnscrypt-proxy to the documentation shortly.
EDIT: It’s now published.
Do you have any mechanism that allows us to verify we set up DoH or DNS-over-TLS correctly?
Maybe something similar to nslookup -type=txt debug.opendns.com.
The response you get from such a query should be trusted just as you would trust an email with an attachment that says “open me, I’m totally not a virus”.
Anyway, you can run
./dnscrypt-proxy -resolve example.com. Among other things, it will return the “Resolver IP”. You can then check that this IP belongs to Cloudflare, for example on https://iptoasn.com
Another way is to temporarily stop the proxy. If you can’t resolve anything any more, you were obviously using it, and your queries are not leaking through another path.
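The two checks described in the post above, as an added example that is not part of the original thread or of dnscrypt-proxy: it lists any nameserver in resolv.conf-style text that is not on loopback (a path queries could take around the local proxy) and tests whether a reported "Resolver IP" falls inside a prefix list. The prefix list, the function names and the sample file are assumptions made for illustration.

```python
import ipaddress

# Assumption: prefixes believed to be announced by Cloudflare. Confirm the
# current owner with an ASN lookup (e.g. iptoasn.com) before relying on them.
ASSUMED_CLOUDFLARE_PREFIXES = ["1.1.1.0/24", "1.0.0.0/24", "2606:4700::/32"]

# Constructed sample of a resolv.conf with one entry that bypasses the proxy.
SAMPLE_RESOLV_CONF = """\
# constructed sample
nameserver 127.0.0.1
nameserver ::1
nameserver 192.0.2.53   ; fallback pushed by DHCP
options edns0
"""


def nameservers(resolv_conf_text):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    found = []
    for line in resolv_conf_text.splitlines():
        # Drop '#' and ';' comments, then look for "nameserver <addr>".
        fields = line.split("#", 1)[0].split(";", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            found.append(fields[1])
    return found


def leak_paths(resolv_conf_text):
    """Nameservers that are not loopback, i.e. not a local proxy or stub."""
    leaks = []
    for addr in nameservers(resolv_conf_text):
        try:
            ip = ipaddress.ip_address(addr.split("%", 1)[0])  # strip zone id
        except ValueError:
            leaks.append(addr)  # unparseable entry: report it as suspect
            continue
        if not ip.is_loopback:
            leaks.append(addr)
    return leaks


def in_prefixes(ip_text, prefixes=ASSUMED_CLOUDFLARE_PREFIXES):
    """True if ip_text lies inside any of the given CIDR prefixes."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in ipaddress.ip_network(p) for p in prefixes)


if __name__ == "__main__":
    print("possible leak paths:", leak_paths(SAMPLE_RESOLV_CONF))
    print("resolver in assumed prefixes:", in_prefixes("2606:4700:4700::1111"))
```

A loopback entry only shows that queries go to some local listener; stopping the proxy, as the post suggests, is what confirms that listener is dnscrypt-proxy.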
@mvavrusa Where can I find the how-to that you mention is now published?