Cloudflare Brings Privacy to Mobile Traffic With 1.1.1.1 DNS App

A new freely available mobile app aims to make it easier for users to benefit from DNS acceleration and privacy.


Cloudflare is extending its 1.1.1.1 DNS service with new mobile capabilities it announced on Nov. 11.

The 1.1.1.1 DNS service was first launched on April 1, providing a freely available service to help secure and accelerate DNS lookups. The initial service launch required users to make a change in their own desktop or mobile settings to enable the service. Now Cloudflare is looking to make it easier for mobile users to benefit from the 1.1.1.1 DNS service with a new mobile app.

"We didn't expect many people to be able to change their DNS manually," Matthew Prince, CEO of Cloudflare, told eWEEK. "With the app removing that limitation, we expect the increase to be dramatic."

Most end-user internet traffic generally begins with a DNS lookup to find the IP address of a given web domain. The 1.1.1.1 service promises users a faster DNS lookup than what they might be getting from their local ISP. Cloudflare has also added multiple security capabilities to help make DNS lookups more secure.

The 1.1.1.1 service competes against multiple similar efforts, including the Google Public DNS service, Cisco's OpenDNS and the IBM-backed Quad9 (9.9.9.9).

1.1.1.1

Prince commented that since the launch of 1.1.1.1 in April, he has been surprised by how many users the service has had, though he declined to provide any specific numbers. In the initial launch, a limited number of routing issues with the 1.1.1.1 address caused it not to work everywhere. According to Prince, the 1.1.1.1 address had been misused for a long time.

"We are proud of the work we've done to help the internet community clean it up," he said. "Most of the issues were there because certain equipment manufacturers or networks use the 1.1.1.1 address for their own purposes, but this is resolved in most cases."

For the mobile app in particular, Prince said it figures out which IP address is reachable, which could be one of 1.1.1.1, 1.0.0.1, 2606:4700:4700::1111 or 2606:4700:4700::1001.

"So, even when 1.1.1.1 address is blocked, the mobile app will still work if one of the other IP addresses are reachable," he said.

Privacy

A primary element of the 1.1.1.1 service is that it can help to improve privacy. DNS queries can easily be read by ISPs and network operators, which could be a potential privacy risk for end users. 

Cloudflare backs an effort known as Encrypted Server Name Indication (ESNI) that aims to help solve part of the DNS privacy challenge. Modern browsers send a piece of metadata in the browser header called Server Name Indication (SNI) that can reveal every site that a user visits, even when the user visits encrypted sites. Cloudflare announced its support for ESNI in September, providing a browser-based mechanism that can be used to secure SNI information.

"ESNI is half of what you need to keep a user’s internet browsing private," Prince said. "This is the other half."

The 1.1.1.1 service supports DNS over TLS as well as DNS over HTTPS, which are two methods for sending DNS queries over an encrypted tunnel. Prince explained that DNS runs at a lower level than ESNI, increasing the privacy of all the connections done on your device, including the web requests. He added that it's up to the web browser if it wants to connect with TLS and if it does use ESNI.

It's important to note that the 1.1.1.1 service is not a virtual private network (VPN) and does not provide an additional layer of encryption for web traffic. The mobile app can be used alongside a VPN app on iOS. However, Prince noted that the APIs provided by Android unfortunately don't allow it yet.

"Using a personal VPN can increase your security if you don't use the app, don't have ESNI or are visiting a site not on Cloudflare," he said. "Our mission, however, is to make them unnecessary."

The 1.1.1.1 service also does not provide malware filtering, unlike some of its rivals in the DNS service space, including Quad9 and Cisco.

"We do not believe most consumers want a filtered or blocked DNS," Prince said. "Our first priority is to provide the fastest and most private service."

What's Next

Cloudflare has made the 1.1.1.1 service available to anyone, without cost. Prince said Cloudflare has the benefit of a homogeneous infrastructure all around the world, making supporting a service like 1.1.1.1 very affordable for his company.

"We make it faster each and every month," he said. "In fact, because of how caching works, each and every new 1.1.1.1 user makes it just a bit faster for all of their fellow users around the world." 

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.