Simple questions: CloudFlare DNS-over-TLS

jedisct1 · April 30, 2018, 2:33pm

A list of available resolvers will be displayed. Make sure that only “Cloudflare” is checked.

Click your network card in order to enable it for your WiFi (or Etherhet) network.

Done. You’re using Cloudflare with DNS-over-HTTPS.

matteo · April 30, 2018, 2:51pm

He already has DNSCrypt installed, which uses DNS-over-TLS, he was interested in trying DNS-over-HTTPS using Cloudflare’s implementation.

jedisct1 · April 30, 2018, 3:07pm

Simple DNSCrypt fully supports DNS-over-HTTPS.

matteo · April 30, 2018, 3:27pm

I didn’t know it was available using DNSCrypt, but still it could keep everything under Cloudflare’s CLI

decopi · April 30, 2018, 3:31pm

@jedisct1… that’s great!
I am very grateful for your fantastic help, here at Cloudflare’ forum and also at your GitHub. I did enjoyed our conversation yesterday, your teachings, article you sent me… thanks for all your patience and attention.
DNSCrypt is amazing! Congratulations for such nice work.
Thank you again!

decopi · April 30, 2018, 3:32pm

@matteo ,

Thank you for your nice step-by-step tutorial. This was exactly what I needed yesterday. I am glad you agree a bit with me about the CloufFlare tutorials. I recognize I am not an Einstein’ DNS. But Cloudflare’ tutorials are unclear, steps are skipped (specially for Windows), logic is confused etc.

Anyway, thank you again for your tutorial.
As you read from @jedisct1, it seems that DNSScrypt will do all the job with Cloudflare DNS.
However, tomorrow I will give a chance to your tutorial. Tomorrow I will test your tutorial. I will uninstall DNSCrypt, and I will see if your tutorial works for me.
I will be back here with my results.

Thank you again!

matteo · April 30, 2018, 3:45pm

The last time I checked DNSCrypt is actually a different protocol (https://en.m.wikipedia.org/wiki/DNSCrypt) than DNS-over-HTTPS, but I never looked into it a lot.

I was able to make DoH working easily using the guide (it’s not missing steps or confused on Linux if you know a little of terminal even though it could be consolidated a bit @cs-cf ), but on Windows it’s messier and all over the place.

Once you have it running on your computer you can point the other computers on your LAN to it and it should work just like that, assuming no firewall is blocking it.

jedisct1 · April 30, 2018, 7:41pm

DNSCrypt is a protocol, SimpleDNS Crypt is an app. An app that implements both the DNSCrypt protocol and DNS-over-HTTPS (and maybe other secure protocols in future versions).

matteo · April 30, 2018, 7:51pm

Gotcha! Though he has always mentioned only DNSCrypt, don’t know his actual setup.

decopi · April 30, 2018, 8:58pm

@matteo,

DNSCRypt is a “specification” (https://github.com/jedisct1/dnscrypt-proxy).
I have an app named “SimpleDNSCrypt”: It is the most friendly way to use DNSCrypt. It takes seconds to be installed and makes DNSCrypt 100% functional. Everything is almost 100% automatic. In my own words, the app SimpleDNSCrypt is the GUI for DNSCrypt.
According to @jedisct1, it is enough to run the app SimpleDNSCrypt in order to have Cloudflare DNS-over-HTTPS. There is no need to install Cloudflare software, Argo tunnel, neither command lines, nothing. The app SimpleDNSCrypt just need to have Cloudflare chosen as resolver. That’s all.
I knew this fact only today, thanks to @jedisct1. This was the most simple and elegant answer/solution to all my questions.
But considering that Cloudflare seems to be the fastest DNS in the World (at least in my region), I believe this info about DNSCRypt+Cloudflare DoH will be very important for all DNSCrypt’ users (thousands). So @matteo, feel free to be in contact with @jedisct1, in order to add this info at the Cloudflare tutorials.

Also @matteo and as I said in my previous comment, I will test your tutorial.
I will uninstall SimpleDNSCrypt, I will follow your tutorial, and I will test Cloudflare DoH pure, without SimpleDNSCrypt.
I want to see if differences appear, I want to compare performance, RAM, CPU, internet speed etc.
I will post here the result of your tutorial.

matteo · April 30, 2018, 9:11pm

From Wikipedia (DNSCrypt - Wikipedia): DNSCrypt is a network protocol designed by Frank Denis and Yecheng Fu, which authenticates Domain Name System (DNS) traffic between the user’s computer and recursive name servers.

Well, I actually never used the application Simple DNSCrypt, but since you never mentioned it and I didn’t know it supported DoH I offered my alternative that is Cloudflared. Will keep it in mind.

Neither of us is with the Cloudflare Team, but @cs-cf has already looked into it.

Do not expect an improvement in internet speed though, that doesn’t change based on DNS. I am curios about the other parameters though! Thanks!

decopi · May 1, 2018, 10:25pm

Hi @matteo ! As promised, I am back with the results of your tutorial.

I hope that at point 2, by “home directory” you meant “user folder”. Anyway, no major difficulties until point 5, everything went “ok” with your tutorial. However, when I ran “.\Cloudflared.exe” this was the result:

PS Z:\Cloudflared> .\Cloudflared.exe
INFO[0000] Applied configuration from C:\Users\Decopi.Cloudflared\config.yml
INFO[0000] Build info: {GoOS:windows GoVersion:go1.9.1 GoArch:amd64}
INFO[0000] Version 2018.4.8
INFO[0000] Flags map[proxy-dns:true]
INFO[0000] Adding DNS upstream url=“https://1.1.1.1/dns-query”
INFO[0000] Adding DNS upstream url=“https://1.0.0.1/dns-query”
INFOINFO[0000] Starting DNS over HTTPS proxy server [0000] Cloudflared will not automatically update when run from the shell. To enable auto-updates, run Cloudflared as a service: https://developers.cloudflare.com/argo-tunnel/reference/service/
addr=“dns://localhost:53”
INFO[0000] Starting metrics server addr=“127.0.0.1:1985”

And nothing happened after this screen. It was not frozen, it was waiting something.
Then I tested adding 127.0.0.1 at Windows IPV4, and the previous screen continued with this result:

e[31mERROe[0m[1379] failed to connect to an HTTPS backend “https://1.1.1.1/dns-query” e[31merrore[0m=“failed to perform an HTTPS request: Post https://1.1.1.1/dns-query: x509: certificate signed by unknown authority”

However, internet connection was working, and at dnsleaktest.com showed Cloudflare as DNS.
I tested nslookup, and the result was:

PS C:\WINDOWS\system32> nslookup google.com
Server: localhost
Address: 127.0.0.1

Non-authoritative answer:
Name: google.com
Addresses: 2800:3f0:4001:80a::200e
172.217.30.78

PS C:\WINDOWS\system32> nslookup -vc -class=chaos -type=txt id.server
Server: localhost
Address: 127.0.0.1

*** localhost can’t find id.server: Query refused

Then I went to point 6 in your tutorial. (.\Cloudflared.exe service install).
After Windows restarting, I checked and Cloudflared.exe service was automatically started. However, no internet connection. Only after restarting .\Cloudflared.exe, the internet connection was back and “ok” (working with Cloudflare as DNS). Only when \Cloudflared.exe is active, the internet connection works.

That is all I can inform you.

If you want me to change or to test something different, I will remain waiting your commands.

Thanks anyway @matteo

matteo · May 1, 2018, 10:30pm

I have seen this in other discussions, but I really don’t know what could cause that issue… @cs-cf help!

This seems strange as well, are you sure that Simple DNSCrypt is not running? Cloudflare’s DNS should reply here.

decopi · May 1, 2018, 10:32pm

I tested in a clean computer, no SimpleDNSCrypt (DNSCrypt) at all.

matteo · May 1, 2018, 10:35pm

Are there additional DNS servers set in network settings? If the second query fails due to the SSL error, it should not answer even in the first case.

decopi · May 1, 2018, 10:39pm

Windows IPV4 by default was set to “automatically obtain DNS”. I manually changed to 127.0.0.1, and nothing more. No additional DNS.
Also as I mentioned, I tested with dnsleaktest.com, and Cloudflare is the unique DNS that appears.

matteo · May 1, 2018, 10:42pm

It seems really strange, probably someone from the engineering team that worked on Cloudflared should work with you and take a look. Any help with that @ryan and @cs-cf (sorry for the double mention)?

cs-cf · May 1, 2018, 11:12pm

My guess is you can’t actually connect to 1.1.1.1. Taking everything out of the equation and using a machine which doesn’t have Simple DNSCrypt configured can you visit http://1.1.1.1 ?

You might check the normal troubleshooting steps here:

And also try both

nslookup -class=chaos -type=txt id.server 1.0.0.1
nslookup -class=chaos -type=txt id.server 1.1.1.1

matteo · May 1, 2018, 11:16pm

Incredibly in all this replies we never actually verified that… But if he was connection to Cloudflare’s DNS via DNS-over-TLS, shouldn’t the be the same IPs?

cs-cf · May 1, 2018, 11:19pm

You mean DoH right? I think it actually uses a different IP address. We were piloting that service months before we announced 1.1.1.1. So unless we updated something post release my guess is it points to another Cloudflare IP.