Image for post
Image for post

Adding Custom DNS over HTTPS Resolvers to DNSCloak

DNSCloak is an open-source DNSCrypt and DNS over HTTPS (DoH) client for iOS, which gives users the ability to encrypt their DNS requests through the use of an on-device VPN profile.

While highly configurable, its user interface can be unintuitive to less tech-savvy users and doesn’t easily allow users to add custom DoH resolvers, apart from the default “public-resolvers” list that the DNSCrypt project provides.

Before diving in, it’s important to understand that while there is a lot of nuance to DNSCrypt and DoH, these two DNS protocols essentially achieve the same goals: They both provide users with the ability to encrypt all DNS traffic to the users’ desired upstream provider(s), while preventing DNS hijacking, spoofing, and eavesdropping by 3rd parties.

The development of these DNS protocols is exciting. However, unlike Android 9 which has built-in support for DNS over TLS (another protocol with similar goals), iOS unfortunately does not allow users to easily enable any form of encrypted DNS ( but may in the future). Thus, DNSCloak fills the gap for iOS users to start benefitting from these protocols today.

This guide will walk you through setting up DNSCloak to connect to any public resolver that supports DoH.

Adding a Custom Resolver

DNSCloak provides a “Config Editor” which allows you to “override or add any dnscrypt-proxy option.”

Image for post
Image for post

You can learn more about the various configuration options from the example configuration file in dnscrypt-proxy’s code repository. But, if you scroll all the way to the bottom you’ll find a [static.'myserver'] section along with a stamp property. This stamp is for adding your resolver's DNS stamp, an encoded string that contains all the required information needed to connect to an encrypted DNS resolver. You can think about stamps as QR code, but for DNS.

Generating a Stamp

Some providers will provide you with a DNS stamp pre-made for you. If your provider does this, great! You can skip ahead to the next section. At the time of writing this post, CZ.NIC is the only provider listed on privacytools.io that doesn’t provide their users with a DNS stamp for their DoH resolver on their website, making adoption a bit more difficult. Thankfully however, we can create a DNS stamp ourselves.

To generate a DNS stamp, DNSCrypt hosts a DNS stamp calculator (which you can also download, compile, and run offline) that we can fill out with the information from our DNS provider. We’ll be using CZ.NIC’s information as an example to generate our stamp.

We will need to know three things about the DoH resolver you choose:

Browse to CZ.NIC’s webpage-there is an English language option at the top of the page-and scroll down to “How to turn on DNS-over-HTTPS (DoH)” and note the URL (in this case, https://odvr.nic.cz/doh).

Next, find the IPv4 addresses of the DoH resolver in any of the Windows, macOS, or Linux setup sections, and copy one of them (in this case, 193.17.47.1 or 185.43.135.1).

Image for post
Image for post

Now we can paste what we’ve gathered into the stamp calculator:

Image for post
Image for post

We’ll find that the DNS stamp is sdns://AgMAAAAAAAAACzE5My4xNy40Ny4xAAtvZHZyLm5pYy5jegQvZG9o.

Adding Resolvers to DNSCloak

Now that we have a DNS stamp generated, we can copy and paste our new configuration into the bottom of DNSCloak’s Config Editor, like so:

[static.'CZ.NIC-193.17.47.1']
stamp = 'sdns://AgMAAAAAAAAACzE5My4xNy40Ny4xAAtvZHZyLm5pYy5jegQvZG9o'
Image for post
Image for post

Select the checkmark icon in the top right corner to save your configuration, and it should be good to go!

Image for post
Image for post

Get connected, and we can finally validate DNSCloak is working as expected by visiting DNSLeakTest.com:

Image for post
Image for post

Adding Cloudflare’s Resolver for Firefox

Another public DoH resolver that we may want to use is Cloudflare’s public resolver for Firefox which has a stricter logging policy than Cloudflare’s default resolver.

We can generate a stamp with this information:

Image for post
Image for post

You can now paste the following stamp we generated into DNSCloak’s Config Editor and start using the resolver.

[static.'Cloudflare Resolver for Firefox']
stamp = 'sdns://AgUAAAAAAAAABzEuMS4xLjEAGm1vemlsbGEuY2xvdWRmbGFyZS1kbnMuY29tCi9kbnMtcXVlcnk'
Image for post
Image for post
Image for post
Image for post

Summary

Keep in mind that encrypted DNS won’t hide the host name (for example, blog.privacytools.io) of the sites you visit from your ISP due to SNI*.

If you’re looking for anonymity, you should use Tor Project’s Onion Browser (but be aware of its limitations). On the other hand, if you simply want to hide your browsing history from your ISP, you should look into self-hosting a VPN with Outline or using WireGuard (if supported) or Passepartout with a VPN provider you are willing to trust with your browsing history instead.

But for additional security and increased privacy from 3rd parties, encrypted DNS is a great place to start.

* At the time of this post, encrypted SNI is available for testing only in Firefox Nightly, and will hopefully become integrated with other browsers and platforms in the near future.

Originally written by nitrohorse and published at https://blog.privacytools.io on September 3, 2019.

PrivacyTools

You are being watched, privacytools.io

The PrivacyTools Team

Written by

This account is publishing posts from PrivacyTools team members to https://medium.com/privacytools — Managed by @JonahAragon.

PrivacyTools

You are being watched, privacytools.io provides services, tools and knowledge to protect your privacy against global mass surveillance. We are mostly syndicating interesting content from blog.privacytools.io and write.privacytools.io here.

The PrivacyTools Team

Written by

This account is publishing posts from PrivacyTools team members to https://medium.com/privacytools — Managed by @JonahAragon.

PrivacyTools

You are being watched, privacytools.io provides services, tools and knowledge to protect your privacy against global mass surveillance. We are mostly syndicating interesting content from blog.privacytools.io and write.privacytools.io here.

Medium is an open platform where 170 million readers come to find insightful and dynamic thinking. Here, expert and undiscovered voices alike dive into the heart of any topic and bring new ideas to the surface. Learn more

Follow the writers, publications, and topics that matter to you, and you’ll see them on your homepage and in your inbox. Explore

If you have a story to tell, knowledge to share, or a perspective to offer — welcome home. It’s easy and free to post your thinking on any topic. Write on Medium

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store