Does 1.1.1.1 stop Session Hijacking on a network?

Hi all,

Does anyone know if using 1.1.1.1 stops session hijacking occurring over a WiFi network?

I’m assuming one of our home’s IoT devices is compromised and I’m wondering if 1.1.1.1 at every computer / phone endpoint would potentially solve this problem.

Thanks

I would assume no, since all you’re doing is changing which DNS server is used. But I would still recommend using 1.1.1.2 to block malware on these devices, as this might break the malware if it doesn’t hardcode the IP address of its command & control server.

2 Likes

To expand on @Judge's solution:

security.cloudflare-dns.com (blocks Malware, Phishing)
IPv4: 1.1.1.2, 1.0.0.2
IPv6: 2606:4700:4700::1112, 2606:4700:4700::1002

family.cloudflare-dns.com (blocks Malware, Phishing, Adult content)
IPv4: 1.1.1.3, 1.0.0.3
IPv6: 2606:4700:4700::1113, 2606:4700:4700::1003

2 Likes

Thanks Judge -

To clarify, even if the endpoint is using DNS over HTTPS, or DNS over WARP, can the traffic still be intercepted / session hijacked from another device on the home network?

Thanks

How is the device hijacking or intercepting the session?

Unsure but it’s happening only over home wifi network.

Example 1: In web meeting, tab reloads out of nowhere, “I’m” still listed as a user in the meeting, and I click to log back in and now there are two of “me” in the room. When the attacker realized we noticed it, they dropped.

Example 2: I have HTTPS Everywhere installed and multiple sites that have HTTPS attempt to downgrade to HTTP, and after I accept the downgrade and click disable / proceed, the connection to the site is HTTPS.

Thanks

Update: Just noticed that the DNS on the VPN profile, that was installed from the 1.1.1.1 app for Android/Chrome OS, stated this as the DNS!!

I just updated the DNS to this in the profile

I’m assuming I wasn’t actually connected to 1.1.1.1 before, but now am.

Here are my debug results after the DNS update.

https://1.1.1.1/help#eyJpc0NmIjoiWWVzIiwiaXNEb3QiOiJObyIsImlzRG9oIjoiWWVzIiwicmVzb2x2ZXJJcC0xLjEuMS4xIjoiWWVzIiwicmVzb2x2ZXJJcC0xLjAuMC4xIjoiWWVzIiwicmVzb2x2ZXJJcC0yNjA2OjQ3MDA6NDcwMDo6MTExMSI6Ik5vIiwicmVzb2x2ZXJJcC0yNjA2OjQ3MDA6NDcwMDo6MTAwMSI6Ik5vIiwiZGF0YWNlbnRlckxvY2F0aW9uIjoiUEhMIiwiaXNXYXJwIjoiTm8iLCJpc3BOYW1lIjoiQ2xvdWRmbGFyZSIsImlzcEFzbiI6IjEzMzM1In0=

192.0.2.3 is the local server for the app, whereas for standard 1.1.1.1 the local server is 192.0.2.1. It’s not something that is irregular in any way from a security standpoint.

{"isCf":"Yes","isDot":"No","isDoh":"Yes","resolverIp-1.1.1.1":"Yes","resolverIp-1.0.0.1":"Yes","resolverIp-2606:4700:4700::1111":"No","resolverIp-2606:4700:4700::1001":"No","datacenterLocation":"---","isWarp":"No","ispName":"Cloudflare","ispAsn":"13335"}

The above is the plaintext of the Base64 encoding used for the help logs you were asked to post, minus the location, which I redacted. (Maybe CF would consider using something other than Base64 to encode the JSON, since location info (albeit the nearest data center to you, not your actual location) is technically PII.) Anyway, what you submitted says DoH was in use with IPv4, though with 1.1.1.1/1.0.0.1, not the “family protection” DNS.
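
The help link discussed in this thread carries its report as Base64-encoded JSON in the URL fragment. As an added example (not code from any poster or from Cloudflare), the Python below decodes such a link, summarizes which resolver addresses and encrypted transport the report shows, and blanks the data-center field before re-encoding it for sharing. The function names are hypothetical, and the sample report is constructed from the keys quoted above with a placeholder location.

```python
import base64
import json
from urllib.parse import urlsplit

RESOLVER_PREFIX = "resolverIp-"  # key prefix seen in the decoded report above


def decode_help_url(url):
    """Return the JSON report carried in the #fragment of a help URL."""
    fragment = urlsplit(url).fragment
    fragment += "=" * (-len(fragment) % 4)  # tolerate padding lost in copy/paste
    return json.loads(base64.b64decode(fragment))


def redact(report, keys=("datacenterLocation",)):
    """Copy of the report with location-revealing fields blanked."""
    return {k: ("---" if k in keys else v) for k, v in report.items()}


def encode_help_url(report, base="https://1.1.1.1/help"):
    """Re-encode a (redacted) report into a shareable help URL."""
    raw = json.dumps(report, separators=(",", ":")).encode()
    return base + "#" + base64.b64encode(raw).decode()


def summarize(report):
    """Which resolver addresses answered, and over which encrypted transport."""
    reached = [k[len(RESOLVER_PREFIX):] for k, v in report.items()
               if k.startswith(RESOLVER_PREFIX) and v == "Yes"]
    names = (("isDoh", "DoH"), ("isDot", "DoT"), ("isWarp", "WARP"))
    transport = [name for key, name in names if report.get(key) == "Yes"]
    return {"cloudflare": report.get("isCf") == "Yes",
            "encrypted_transport": transport,
            "resolvers_reached": reached}


# Constructed sample: same keys as the report in the thread; "XXX" is a
# placeholder for the data-center code, not a real value.
SAMPLE = {"isCf": "Yes", "isDot": "No", "isDoh": "Yes",
          "resolverIp-1.1.1.1": "Yes", "resolverIp-1.0.0.1": "Yes",
          "resolverIp-2606:4700:4700::1111": "No",
          "resolverIp-2606:4700:4700::1001": "No",
          "datacenterLocation": "XXX", "isWarp": "No",
          "ispName": "Cloudflare", "ispAsn": "13335"}
SAMPLE_URL = encode_help_url(SAMPLE)

if __name__ == "__main__":
    report = decode_help_url(SAMPLE_URL)
    print(summarize(report))
    print(encode_help_url(redact(report)))  # link with the location blanked
```

The summary only reports which resolver and transport the DNS queries used; it says nothing about whether other traffic on the network is being intercepted.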