





Cloudflare's 1.1.1.1 Service Launches on Android and iOS (fastcompany.com) 105
harrymcc writes: Content-distribution network Cloudflare has introduced iOS and Android versions of 1.1.1.1, a free service which helps shield you from snoops by replacing your standard DNS with its encrypted (and speedy) alternative. The mobile incarnation of the PC service it launched last April, the apps don't require you to do anything other than download and install them, give your device permission to install a VPN, and flip a switch -- making them approachable for the masses, not just geeks.
Re: (Score:3, Informative)
You really should read the article. If you have your own DNS or your own VPN this is a downgrade to your opsec. Most people don't, and they do use the ISP's DNS servers (or the telco carrier's DNS) ... and here is where the Cloudflare service really makes a difference.
It doesn't "Hijack" anything. You either affirmatively choose to install it... or you don't. If you don't, nothing changes.
Try reading the article for comprehension. /.reader#734
Re: (Score:1)
If you aren't blocking outbound DNS from everything but your authorized DNS servers on an enterprise network via your firewall, then you are grossly incompetent and oblivious to modern attack vectors.
And basic security principles like defense-in-depth.
Re: Cloudflare ROCKS! (Score:1)
Re: (Score:2, Informative)
Hmm, no. This service attempts to hijack my own DNS. I have started blocking 1.1.1.1 on all my firewalls and routers. Both on company and personal machines.
Yes, I agree.
http://hightechforum.org/cloudflares-1-1-1-1-dns-does-nothing-for-privacy/
Re: (Score:1)
From your own link, the 1.1.1.1 isn't much use without also using a VPN to encrypt the IP calling it. Which... they now have added to the app, as above.
Re: Cloudflare ROCKS! (Score:1)
Re: (Score:3)
Re: (Score:2)
Guess what?? It won't work if a competent sysadmin blocks all outgoing DNS queries from the LAN except the DNS server on the LAN that they should be using.
So, what will happen when random employee installs said App?
Their internet on their mobile device will not work after installing the app and they will then remove it. Problem solved.
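An added example, not part of any comment in this thread: the egress rule described in the two comments above (only the LAN resolver may send DNS out) can be audited from firewall logs by flagging clients that try to reach any other resolver. The log format, the addresses, and the names `AUTHORIZED_RESOLVERS`, `KNOWN_DOH_ADDRS` and `dns_bypass_findings` are assumptions made for illustration.

```python
import ipaddress

# Assumptions: one LAN resolver, a 10.0.0.0/8 internal range, IPv4-only logs.
AUTHORIZED_RESOLVERS = {ipaddress.ip_address("10.0.0.53")}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
# Plain DNS (53) and DNS-over-TLS (853) are recognisable by port.
# DNS-over-HTTPS uses 443, so it is matched by known resolver address instead.
DNS_PORTS = {53, 853}
KNOWN_DOH_ADDRS = {ipaddress.ip_address("1.1.1.1")}  # illustrative; extend locally

# Constructed firewall log: "<action> <proto> <src>:<sport> -> <dst>:<dport>"
SAMPLE_LOG = """\
ALLOW udp 10.0.0.53:40112 -> 198.51.100.7:53
ALLOW udp 10.1.4.22:51820 -> 10.0.0.53:53
ALLOW udp 10.1.4.23:39001 -> 1.1.1.1:53
ALLOW tcp 10.1.4.23:39002 -> 1.1.1.1:853
ALLOW tcp 10.1.4.23:39003 -> 1.1.1.1:443
ALLOW tcp 10.1.4.24:44100 -> 203.0.113.9:443
DENY udp 10.1.4.25:50000 -> 8.8.8.8:53
"""

def parse(line):
    """Split one log line into (action, src_ip, dst_ip, dst_port)."""
    action, _proto, src, _arrow, dst = line.split()
    src_ip = ipaddress.ip_address(src.rsplit(":", 1)[0])
    dst_ip, dst_port = dst.rsplit(":", 1)
    return action, src_ip, ipaddress.ip_address(dst_ip), int(dst_port)

def dns_bypass_findings(log_text):
    """Return (src, dst, kind, action) for DNS that skips the LAN resolver."""
    findings = []
    for line in filter(str.strip, log_text.splitlines()):
        action, src, dst, dport = parse(line)
        if src not in INTERNAL_NET or src in AUTHORIZED_RESOLVERS:
            continue  # the resolver itself is allowed to query upstream
        if dst in AUTHORIZED_RESOLVERS:
            continue  # client is using the resolver it should be using
        if dport in DNS_PORTS:
            kind = "dns" if dport == 53 else "dot"
        elif dport == 443 and dst in KNOWN_DOH_ADDRS:
            kind = "doh-candidate"
        else:
            continue
        findings.append((str(src), str(dst), kind, action))
    return findings

if __name__ == "__main__":
    for finding in dns_bypass_findings(SAMPLE_LOG):
        print(finding)
```

An `ALLOW` finding means the egress rule has a gap; a `DENY` finding means the rule held and identifies a client configured to use an outside resolver.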
Re: (Score:1)
Re: (Score:1)
Aren't they a content-providing, aka DRM type delivery vehicle?
Re: Cloudflare ROCKS! (Score:1)
As far as I know CF delivers any content their customers want them to (any legal content, that is); the use of DRM or not is the customer's choice, but then again I might be misinformed.
Re:Cloudflare ROCKS! (Score:5, Insightful)
Re: (Score:2)
Re: (Score:1)
Read it.
Re:Cloudflare ROCKS! (Score:4, Insightful)
Because most people have to trust someone with their DNS queries, especially when on mobile networks. Given a choice of unencrypted DNS queries to your scummy mobile provider's servers or encrypted ones to Cloudflare, you are probably better off with the latter.
At least Cloudflare can't tie up the request with cell location data and sell that information to nearby businesses.
Re: (Score:1)
Because I have no idea who the ISP is when I travel.
If I'm at home, this is probably overkill.
If I use google without dnssec or dns-over-https, then it's easy to see which sites I visit.
Re: (Score:3)
Re: Cloudflare ROCKS! (Score:1)
Good point, but until IPv6 is absolutely everywhere we can't afford the IPv4 burn rate of having every HTTPS site on their own IP, esp. now that more and more browsers flash up scary messages if you try accessing anything over HTTP.
Re: (Score:2)
Re: Protect yourself from DNS attacks... apk (Score:2, Informative)
Do not download this program for Linux or windows. I tried the Linux port and it opened up a command prompt and did a sudo rm -rf. I have no idea how it got my root password.
I then tried the windows version a couple days later. Same thing except I kept seeing deltree.
APK can not be trusted.
First off, he isn't an American. He is a foreign adversary living in the republic of congo. He makes his money from blood diamonds by using child labor.
Stay away from APK and all his software if you want a clean system. B
Re: Give your device permission to install a VPN (Score:4, Funny)
I'll explain why the "vpn" (Score:2)
You need to insert the DNS because you can't configure a custom DNS on a GPRS/2G/4G connection on phones. So what to do? Well, create a local VPN and intercept the DNS there. The VPN doesn't need to "go" anywhere.
You cannot filter/block the DNS requests otherwise on the phone itself. This situation sucks and is deliberate. This is a janky workaround to combat that.
This idea of doing filtering like this is years old. There's a bunch of apps like this on Play Store.
- on a related note, samsung for exam
They host the content (Score:2)
If they host a lot of the content, they know what you're looking at. Now they know.. what you're looking at. Problem is what?
Re: (Score:1)
Sick of big companies snooping your dns? (Score:5, Insightful)
We have a simple solution!
Install this app and give Cloudflare permission to access all of your network traffic and you can use our DNS server!
Re: (Score:1)
Re: (Score:2)
Re:Sick of big companies snooping your dns? (Score:4, Insightful)
I'm not sure what your point is, because you've failed at english.
But VPN apps get access to all network traffic on your phone. they're free to inspect the data and are responsible for routing it. That's just how VPNs work.
If you're worried about "big data" getting your data, I'm failing to see how freely giving it all to a "big data" company is going to help. Especially when the service they're offering is free. Someone is paying for it.
Maybe they want to analyse the data to find popular websites people use that don't go through Cloudflare services, so they can better target their marketing to those site operators.
Re: (Score:2)
Precisely. Cloudflare must show some sort of profit for this "service". The only way I can see them turning one is monetizing the information running through their systems.
Re: Sick of big companies snooping your dns? (Score:1)
Well, consider this scenario: an end user using Cloudflare's DNS is trying to get to content hosted by Cloudflare. They query the DNS for records that probably are at least cached on the server, so they get a reply in 1 RTT and initiate a connection to the nearest server having that content. Net result for the end user: they get the content even quicker than before, when CF did just the hosting. CF can say we deliver first byte quicker than our competition; that is a good thing when trying to get new customers. The cost for s
Re: (Score:2)
or more likely, they'll present data showing connection times, time to first data, data throughput, failed connection attempts, etc for the customers they're trying to win over.
That network data can be provided by a VPN app.
Re: (Score:2)
Re: (Score:2)
You don't have to use Cloudflare's VPN app if you don't trust it, you can just manually configure your DNS servers or use your own local VPN. DNS66 is open source and a good choice, as it also features ad blocking.
In any case, if they are leaking data back to Cloudflare somehow it would be trivial to spot and quickly get them banned from the Play Store. I'm sure someone will check.
Re: (Score:2)
It would be trivial to hide data in the encrypted secure dns lookups the app is primarily designed to do.
Re: (Score:2)
We have a simple solution!
Install this app and give Cloudflare permission to access all of your network traffic and you can use our DNS server!
I'm ready to accept going with a new unknown than my god-fucking-awful-and-overtly-evil ISP.
No thanks (Score:5, Insightful)
This isn't protecting traffic from snooping, it's exposing traffic to Cloudflare. The same company which makes a business model out of holding other people's private TLS keys. The same company which refuses to stop serving known spammers. The same company which was breaking half the internet for Tor users.
Cloudflare is the kind of centralization we need to get away from.
Re: (Score:2)
This isn't protecting traffic from snooping, it's exposing traffic to Cloudflare. The same company which...
Yeah but you haven't mentioned anything about abusing customer data and selling it wholesale without even cursory anonymity to any 3rd party paying cash, so they sound like exactly the kind of company that I would prefer to hold my data instead of my mobile provider.
Re: (Score:2)
It's the lesser of two evils. If you use your ISP/mobile operator's DNS server then they have a record of every query you make, and the times you visited those sites thanks to deep packet inspection (DPI). At least this way the DNS lookups and the DPI data are kept separate and can't be trivially cross referenced.
The DPI data is getting less useful too, because due to services like Cloudflare and shared virtual servers in general it's become much harder to associate an IP address with a particular web site.
Re: Quad dns (Score:2, Funny)
Fuck it, we are going with 5 DNS entries.
How do they make money on this? (Score:1)
I'm curious about their altruism.
Re: How do they make money on this? (Score:1)
I think it's more about vendor lock-in of sorts. The more and more people using anything from cloudflare the better for their business.
They also get a lot of statistics and data from millions/billions of DNS requests and metadata (what times are busiest for which regions, etc).
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
That better protects people in real time who pay for security products and services.
1.1.1.1? (Score:4, Funny)
How am I supposed to remember that IP address? If only there was a system to translate such IP addresses into more human-friendly names that are easier to remember...
Re: (Score:2)
I agree. It's so archaic that they are using octal. Why can't they use hexadecimal or binary like the rest of us?
Re: (Score:2)
Whoosh
Ipv6 not secured (Score:1)
This works only for IPv4 traffic (the VPN part), so if the network you connect to is dual-stacked, only v4 traffic will be secured, and since most apps use IPv6 as default when available, a significant portion of your traffic will not use the VPN. How could Cloudflare miss this? It's not like these people don't know about networking, is it?
Re: Ipv6 not secured (Score:2)
Marketing (Score:2)
Isn't this just... (Score:2)