4 minutes reading time (840 words)

Privacy Cookbook - Chapter 2.2 - DNSCloak

dnscloak
DNSCloak is like NextDNS and is an app which runs as a VPN protocol (but only on iOS).


It is actually not a VPN as such but a connection for your DNS resolver. DNScloak lets you select a DoH or DNSCrypt connection to many services that are listed with a description, location etc.
Some of these DNS resolvers have build in adblocker and most (but not the Cloudflare inclusive ones) are clean and have no logs.



DNSCloak, however, can do more then just connect to a DNS service and encrypt your traffic. It has a build-in local adblocker so essentially a Pi-hole on your iOS device.



It appears to be way more complex than it actually is.

Basically, click on the menu at the top left corner, find Blacklists & Whitelists, enable the Blacklists and click Pick Blacklist file



This file needs to list domains only, so you can't just use a link and download the list but need to make one yourself and in the following format:


example.com
=example.com

*adult*
ads.*
ads*.example.com

ads*.example[0-9]*.com



DECENTRALIZE.TODAY is happy to share such a list with you, It is not the daily drive list we use ourselves as we are blocking way too many services for most users, but it has a nice list of trackers and bad apple domains that we believe need to be blocked.
We will share this list in chapter 3 of the Privacy Cook together with a ‘How to’ guide and lists for the Pi-hole (which enables you to ).



Whitelists can be done in the same way as Blacklists, this ensures that those designated domains will always be allowed to pass through your firewall.



In Advanced options, you can skip the accessibility check, which won’t wait for the resolver, and help with captive networks.
However, this can cause the app to stall from time to time so we leave it closed as the default setting.



You can disconnect upon sleeping or when the device is not in use (but still on), this will help preserve battery life, but we keep that unchecked as well since you really need protection around the clock.



Strict mode overrides iOS behavior to fallback to the default system resolvers, we choose to have this checked as you do not want any leaks occurring from your phone or iPad.



WiFi exemption is an interesting feature if you have a WiFi with an pi-hole set up.
Just enter your Wifi network and it won’t use the ‘VPN’. (once again this is not a VPN, it just creates a local VPN to protect all your apps and not just the browser).



Ipv4-only

This fits in most cases and it is more private than the IPv6 which we block with the next click



TCP Only

We have this off, it is usually slower than UDP and although TCP might usually be more stable, the slower connectivity doesn’t make it worth using.



Ephemeral keys

DNSCrypt: Creates a unique key for every single DNS request. This improves privacy, but also has a massive impact on the CPU usage. We have this off.



Disable TLS session tickets

DoH: Disable TLS session tickets - increases privacy but also latency, we have this off.



Enable cloaking

Cloaking returns a predefined address for a specific name. In addition to acting as a HOST File, it can also return the IP address of a different name. It will also do CNAME flattering.

Example map entries (one entry per line)


example.com 10.1.1.1

www.google.* forcesafesearch.google.com

www.bing.com strict.bing.com

www.google.* startpage.com



Enable Forwarding

Route queries for specific domains to a dedicated set of servers


example.com 9.9.9.9

example.net 80.241.218.68



You can also find

Resolvers usage rules

Log that shows you the logs of the DNSCrypt-proxy activity (we have this off)



Log DNS queries, (we have this on) as it shows you the traffic in and out of your phone.



Log NX queries (we have this on)

Logs queries for non existing zones.
Those queries can reveal the presence of malware, broken or obsolete applications and devices signaling their presence to 3rd parties.



General options
Connect On Demand (we have this on!)



Show VPN icon (we have this on)



Cache responses (we have that on)

Enable a basic DNS cache to reduce outgoing traffic

The list of resolvers is extensive and you can probably find a really good one close to your location resolver, just ensure that you don’t use any resolver with Cloudflare involved.



Once you have your resolver up & running check it out at https://www.dnsleaktest.com/ to see your ISP and if Cloudflare is present.
If you do, change the server and double check your settings.



The beauty of DNSCloak is that you can actually run a VPN next to it. Unfortunately, not OpenVPN or Wireguard but you can use IKEv2 at the same time, we also recommend protonvpn, if you would like to run it this at the same time.



We will cover VPN protocols and setups and even how to make your own hosted VPN in the cloud in the next chapter of the Privacy Cookbook.

 

Comments (0)

Rated 0 out of 5 based on 0 voters
There are no comments posted here yet

Leave your comments

  1. Posting comment as a guest. Sign up or login to your account.
Rate this post:
Attachments (0 / 3)
Share Your Location