Simple questions: CloudFlare DNS-over-TLS


#1

Hi, please two simple questions:

  1. I read that CloudFlare supports DNS-over-TLS only on port 853.
    How do I configure Windows 10 in order to work with CloudFlare on port 853?
    Does modem/router also need different settings?

  2. I am using DNSCrypt.
    Do I still need DNSCrypt if I use CloudFlare DNS-over-TLS?
    How do I configure DNSCrypt in order to work with CloudFlare on port 853?

Thank you!


#2

Windows 10 doesn’t support DNS-over-TLS directly, you must use a third party tool like DNSCrypt that performs lookups using DNS-over-TLS/DNS-over-HTTPS.


#3

Thanks @matteo for your answer.

As I mentioned in my previous comment, I already have DNSCrypt.
Sorry, but your answer is not 100% clear to me (I am a newbie at both DNSCrypt/CloudFlare subjects). So please, let me ask again:
Is DNSCrypt already enough for me? (I am using with CloudFlare).
Or do I need to do something else? Please, can you help me here step by step?

Thanks!


#4

DNSCrypt is the main way to support DNS-over-TLS on Windows 10, as I said and it’s already using DNS-over-TLS. It is fine to use DNSCrypt. If you want to change to DNS-over-HTTPS you can use Cloudflare’s implementation which is maintained in-house without the need to depend on third-party applications.


#5

Thanks again @matteo ! Now it is getting clear to me. Thank you for your patience.

Last question: Based on your experience/knowledge, which one is better or least bad? DNSCrypt + CloudFlare? Or CloudFlare DNS-over-HTTPS (without DNSCrypt)? Or is it possible to use both DNSCrypt + CloudFlare DNS-over-HTTPS?

Thanks!


#6

It doesn’t change much; they are different implementations. One is via HTTPS (for a possible eavesdropper it’s just like a standard HTTPS request; it could be identified only via the IP, but who knows if it’s for the webpage or not?), the other is a different protocol on a specific port that can be blocked.

For the actual privacy it is basically the same: they can’t be intercepted or falsified, as they would fail.


#7

@matteo I was trying to test CloudFlare DNS-over-HTTPS.
I read the link you sent me (thank you).
However, sorry for my ignorance, I only found there instructions for Linux.
I have Windows 10.
Please, how can I test CloudFlare DNS-over-HTTPS in Windows 10?
Thanks


#8

They are linked in the first point:


#9

@matteo,

Following the instructions, I successfully installed CloudFlared, did the login in my browser, entered several websites etc.

However, I am looking for a kind of global automatic solution, for all my computer communications, all my browsers and all the websites I visit.
Is there a way to have CloudFlare DNS-over-HTTPS working for all traffic communications in Windows 10? (independently of browsers, websites etc)

I installed CloudFlared as service, but it is not working.

Yes, I confess it is difficult for me to understand the CloudFlare explanations. But it is not only me. We are here 10 friends, two of them have solid IT knowledge, and no one can understand CloudFlare’s written instructions.

I apologize for my/our ignorance.
Please, can you help in a kind of step by step?

Thanks


#10

If you want a good nerd project, there’s this:
https://scotthelme.co.uk/securing-dns-across-all-of-my-devices-with-pihole-dns-over-https-1-1-1-1/


#11

Thanks @sdayman ,

The question is, without Pi-hole, is there a simple way to have CloudFlare DNS-over-HTTPS working on my computer for all traffic communications in Windows 10? (independently of browsers, websites, apps etc)?

Or does CloudFlare DNS-over-HTTPS work only through a browser, entering websites one by one?


#12

I have never tried following the Windows instructions. I easily installed it on Linux/macOS, though.

You can follow @sdayman instructions and put on a Raspberry Pi DNS Server in your LAN.

Will try and get back to you tomorrow as it’s currently 2AM here…

You can simply set localhost as DNS server in the network settings.


#13

@sdayman and @matteo thank you both.

I am not interested in Pi-hole. Thank you again.

Please, help me if you know how to install CloudFlare DNS-over-HTTPS in Windows 10, as a global service, for all computer traffic communications, automatically working for every browser, website, app etc.

Thank you


#14

There you go.

localhost is 127.0.0.1


#15

Hi @matteo,

I was already using 127.0.0.1 for DNSCrypt.
I have no problem with DNSCrypt. It is easy to install and to use. And it is working globally, for every traffic communication in my computer.

However, it was you @matteo who introduced me to CloudFlare DNS-over-HTTPS. And I decided to test it.
The problem is that tutorials at CloudFlare are 90% focused on Linux and MacOS. Not to mention the tech language. It is very, very, very difficult for average users (like me).

So, again (sorry to repeat), thank you but I have no interest at this moment in Pi-hole or similar. And changing localhost to 127.0.0.1 does not allow me to test CloudFlare DNS-over-HTTPS.

Please, help me if you know how to install CloudFlare DNS-over-HTTPS in Windows 10, as a global service, for all computer traffic communications, automatically working for every browser, website, app etc.

Thank you


#16

You need to disable DNSCrypt to test cloudflared. They will be on the same local port.

I believe the commands work the same if you use the Windows PowerShell… Again I will try and get back to you.

The language is not really difficult, you need to simply follow the steps.

Just a question, if DNSCrypt works for you and it doesn’t create a single problem: why change it if you are having trouble following the steps?


#17

Thanks for your answer @matteo.

I already uninstalled DNSCrypt in order to test CloudFlare DNS-over-HTTPS.
And I already used 127.0.0.1 (without DNSCrypt installed) in order to test CloudFlare DNS-over-HTTPS… sadly nothing changed, it didn’t work.

The language may not be difficult for you. But it is for average users like me. But is not just the tech language. The logic of the tutorials is terrible. As I said, most of the explanations prioritize Linux/MacOs, without explaining how to do the same at Windows. Not to mention that I have no interest in reading tons of explanations about Linux/MacOs. The tutorials are not segmented by OS! A nightmare!

The link you sent me (thank you) was just a small chapter of the procedure. It is a lot of stuff to read and steps to follow in order to test CloudFlare DNS-over-HTTPS. Very annoying.

The reason I want to test CloudFlare DNS-over-HTTPS is:
First, because you introduced me to the option, I did my homework, read a little, and it seems promising.
Second, I use Firefox, and Firefox uses DNS-over-HTTPS. I want to test performance effects etc.
Third, DNSCrypt is excellent. But if by using CloudFlare DNS-over-HTTPS I can avoid processes or executables, then I prefer that… the less executables, the better.

I confess you that I want to quit on CloudFlare DNS-over-HTTPS… a nightmare to test.
And I will stay with DNSCrypt.
I will just wait for help here at the forum. If I don’t find an easy way to test CloudFlare DNS-over-HTTPS… I will quit on it.


#18

I tried following the Windows instructions, and I’m kinda agreeing with you: there are a bunch of errors and missing steps (you could fix them @ryan or @cscharff; if you need help with that, ask) that you can maybe find, but not in a single place.

The following steps may be done using a simple command prompt, but I will be using the Windows PowerShell since it’s simpler and has a better autocomplete.

Here are the step-by-step instructions (you may have already done some of these):

  1. Install cloudflared by downloading and extracting the .zip downloaded from here at the bottom of the page.
  2. Create a config file in your home directory under ./.cloudflared/config.yml
    PS: attention that the file may have .txt appended at the end; you will have to fix it by running this in the folder: mv .\config.yml.txt .\config.yml
    PS: note that the proxy-dns-upstream entries aren’t really needed because they are the default, but they don’t hurt.

    proxy-dns: true
    proxy-dns-upstream:
     - https://1.1.1.1/dns-query
     - https://1.0.0.1/dns-query

  3. Using the PowerShell (run as Administrator) go to the folder of the cloudflared executable. Use the cd command to do so; cd .. is used to go up a directory, use TAB to autocomplete.
  4. Run the following command:
    .\cloudflared.exe
  5. If the previous step did not give any errors (otherwise post me the error), close it and again using the PowerShell (run as Administrator) go to the folder of the cloudflared executable.
  6. Run this command:
    .\cloudflared.exe service install
  7. Restart the computer and set 127.0.0.1 as DNS.

Once the computer is started again, open the PowerShell or a Command Prompt and try performing an nslookup; it should provide an answer. Post those here if you are unsure that everything worked, even though it should be clear.

nslookup google.com
nslookup -vc -class=chaos -type=txt id.server
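The procedure in the post above, collected into one elevated PowerShell script as an added example (it is not code from the thread, from Cloudflare, or from the cloudflared project). It assumes cloudflared.exe has already been extracted to the folder in $CloudflaredDir and that $InterfaceAlias names the adapter in use; both are parameters you can change. It also adds the check the thread only mentions in passing: the local proxy cannot start while another resolver such as DNSCrypt still owns port 53 on localhost.

```powershell
# Added example: automates the cloudflared DoH proxy setup from the thread
# and verifies it. Run in a PowerShell started as Administrator.
# Assumptions (not from the thread): cloudflared.exe already sits in
# $CloudflaredDir, and $InterfaceAlias is the active network adapter.
param(
    [string]$CloudflaredDir = "$env:USERPROFILE\Downloads\cloudflared",
    [string]$InterfaceAlias = "Ethernet"
)

$ErrorActionPreference = "Stop"

# 1. Port 53 on localhost must be free: cloudflared and DNSCrypt bind the
#    same local port, so a leftover resolver makes the new service fail.
$busy = Get-NetUDPEndpoint -LocalPort 53 -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalAddress -in @("127.0.0.1", "0.0.0.0", "::") }
if ($busy) {
    $owner = (Get-Process -Id $busy[0].OwningProcess).ProcessName
    throw "UDP port 53 is already bound by '$owner'; stop that resolver (e.g. DNSCrypt) first."
}

# 2. Write ~/.cloudflared/config.yml with the content from the thread.
#    Set-Content uses the exact file name, so the '.txt' suffix problem
#    that Notepad causes does not occur.
$configDir = Join-Path $env:USERPROFILE ".cloudflared"
New-Item -ItemType Directory -Path $configDir -Force | Out-Null
$config = @"
proxy-dns: true
proxy-dns-upstream:
 - https://1.1.1.1/dns-query
 - https://1.0.0.1/dns-query
"@
Set-Content -Path (Join-Path $configDir "config.yml") -Value $config -Encoding ascii

# 3. Register the Windows service (the thread's '.\cloudflared.exe service install')
#    and start it without waiting for a reboot. The exact service name is not
#    stated in the thread, so it is looked up by pattern rather than assumed.
$exe = Join-Path $CloudflaredDir "cloudflared.exe"
& $exe service install
$svc = Get-Service | Where-Object { $_.Name -like "*cloudflared*" }
if (-not $svc) {
    throw "No cloudflared service was registered; run '$exe' by hand and post the error it prints."
}
$svc | Start-Service

# 4. Point the adapter at the local proxy only. From here on every program on
#    the machine resolves through cloudflared, not just one browser.
Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses 127.0.0.1

# 5. Verify: an ordinary lookup against 127.0.0.1, then the same CHAOS-class
#    id.server query the thread uses (nslookup, because Resolve-DnsName has no
#    class switch).
Resolve-DnsName -Name google.com -Server 127.0.0.1 -Type A
nslookup -vc -class=chaos -type=txt id.server 127.0.0.1
```

If step 1 throws, that is the DNSCrypt conflict described earlier in the thread, not a cloudflared problem: stop or uninstall the other resolver and run the script again. To go back to DNSCrypt later, stop the cloudflared service and restore the adapter with Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ResetServerAddresses.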

#19

Thanks @matteo. I’ve created and internal task and linked to your instructions here. :slight_smile:


#20

If you also need help translating https://cloudflare-dns.com to Italian ask, no problems!