Cloudflare 1.1.1.1 + WARP

Seriously… Would not this be better?

Other than the traffic routing aspect.

Cloudflare already offers DNS over HTTPS, that’s what the 1.1.1.1 app did before Warp came along, it was a local-only VPN that used them for encrypted DNS. Warp is a real VPN, just a weird one.


Just not a VPN inside the network? I use the DNS on my PC and stack my VPN on top of it. Which makes it limp at times. Some of this confuses me.

Encrypted DNS is one thing. You can always use even PiHole with Cloudflare DNS-over-HTTPS which has DNSSEC.

At the end of the day, it’s all about the question of who we trust.

Yeah, I flicked the HTTP/3 switch on my Cloudflare-protected sites earlier this week. Seems to work fine. I’m not sure if any browsers support it yet, Chrome may whitelist Google sites.

To anyone confused anew, this has nothing to do with 1.1.1.1 or Warp.

On iOS there is no way to set a custom DNS server on mobile data. So they have an app with a local VPN, that never leaves the device, and all it does is change your DNS server. Sucks that it’s necessary.

Android lets you change your DNS to whatever you want as of version 9, and natively supports DNS over TLS also, which is subtly different from DNS over HTTPS, just in case you weren’t sufficiently confused already. Suffice it to say DNS over TLS is perfectly fine too.

iOS does not natively support DNS over HTTPS, DNS over TLS, or DNSCrypt.

Wanna be really confused? Here’s what I do. I have a pihole running inside LXC at home, connecting to the cloudflared DNS over HTTPS proxy, which then connects to 1.1.1.1. Then I VPN in to my home using WireGuard, which is set up to provision my pihole’s DNS server. So all my DNS is encrypted everywhere and I block ads on mobile too.

There’s also adguard home, which is kinda like pihole with DNS over HTTPS support built in. I’ve been playing around with it but haven’t replaced pihole yet.

https://adguard.com/en/adguard-home/overview.html


That is actually helpful…

I hope people don’t use it except when on untrusted networks. The beauty of the internet is how decentralized it is at its core, we don’t need more centralization.


So I am not that far off on my thoughts on this…

The beginnings of a Cloudflare walled garden

That is somewhat my impression as well; though with how Google, Cloudflare, and presumably other hyperscalers and CDNs are using their private networks, it brings to mind more the way private shipping companies in the USA work in conjunction with USPS, where (as I understand it) at times the last mile delivery is done by USPS, despite being shipped by Fedex/UPS/DHL. Likewise it seems like the trend is to have a private network and/or caching servers such that you only really use the public internet for that last-mile delivery.

I am not familiar with how Cloudflare works on the server side, but I wonder if the plan is to also expand the use of that non-standard Neumob UDP protocol to talk to the backend servers; that could potentially add to lock-in on the server side.

I would much rather we just had money in general spent on better true internet bandwidth than all these caching/private-routing shenanigans which may or may not work.

DNS Encryption & Signing

I have not personally enabled DNSSEC on my domains yet, but as I understand it, it only verifies that a DNS zone is authentic, but does nothing to keep your DNS request secret.

Whereas DNS over TLS and DNSCrypt exist to actually keep the connection between a DNS client and server secret.
It sounds like DNSCurve is a predecessor of sorts?

DNS over HTTPS

DNS over HTTPS, however, sounds like a weirdly clunky over-complication of DNS over TLS. I have not yet read the specs of all four, but as far as I have heard, it sounds like DNS over HTTPS incorporates the overhead and complication of using HTTP to better evade blocking. Though I wonder if that is really worth it; could not a censor merely block known IP ranges of DNS over HTTPS servers?

I remember reading about how Signal tried to get around this kind of blocking by using major VPS (“cloud”) providers, but even they require the hostname to be in cleartext and no longer permit domain fronting, so I don’t see how DNS over HTTPS could not be susceptible to similar blocking.
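Since two posts above (the Android DoT vs DoH remark and the "DoH is an over-complication of DoT" question) turn on what the two transports actually differ in, here is an added example that is not from the thread or from Cloudflare: it builds one RFC 1035 query and shows the DoT framing (RFC 7858) beside the DoH GET and POST forms (RFC 8484). The `cloudflare-dns.com` host is only an illustrative value, and the POST is rendered as HTTP/1.1 text for readability even though RFC 8484 recommends HTTP/2.

```python
import base64
import struct

# Added example (not from the thread): the same RFC 1035 wire-format query
# carried two ways, DNS over TLS (RFC 7858, TCP port 853) and DNS over HTTPS
# (RFC 8484, the /dns-query endpoint). The transport wrapper differs; the DNS
# message inside it does not.


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """One-question query with RD set. RFC 8484 suggests ID 0 so DoH GET URLs cache well."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def dot_frame(msg: bytes) -> bytes:
    """DoT: inside the TLS session each message carries a 2-byte length prefix, as DNS over TCP does."""
    return struct.pack("!H", len(msg)) + msg


def dot_unframe(stream: bytes) -> tuple:
    """Pull one message off a (possibly coalesced) DoT byte stream; returns (msg, remainder)."""
    if len(stream) < 2:
        raise ValueError("short read")
    n = struct.unpack("!H", stream[:2])[0]
    if len(stream) < 2 + n:
        raise ValueError("incomplete message")
    return stream[2:2 + n], stream[2 + n:]


def doh_get_path(msg: bytes, path: str = "/dns-query") -> str:
    """DoH GET: the message travels base64url-encoded, without padding, in the dns= parameter."""
    return f"{path}?dns=" + base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")


def doh_get_decode(path: str) -> bytes:
    """Server side of the GET form: recover the wire message, re-adding the stripped padding."""
    token = path.split("dns=", 1)[1].split("&", 1)[0]
    return base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))


def doh_post_request(msg: bytes, host: str = "cloudflare-dns.com") -> bytes:
    """DoH POST, rendered as HTTP/1.1 text for readability (RFC 8484 recommends HTTP/2)."""
    head = (f"POST /dns-query HTTP/1.1\r\nHost: {host}\r\n"
            "Content-Type: application/dns-message\r\n"
            "Accept: application/dns-message\r\n"
            f"Content-Length: {len(msg)}\r\n\r\n")
    return head.encode("ascii") + msg
```

With `www.example.com` and ID 0 the GET form reproduces the path given in RFC 8484 section 4.1.1, which is a handy check that the encoding is right; on the wire a censor sees only a TLS session to port 443 for DoH versus port 853 for DoT.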