Custom DNS on iOS via DNSCrypt

In previous posts about adblockers and VPNs for iOS I covered the pros and cons of both approaches. TL;DR: on iOS, adblockers only help you in the browser and barely improve your privacy, whereas VPNs do both well but at the expense of your Internet speed, on both cellular and Wi-Fi.

After going through the blockers, I mentioned setting custom DNS servers as a means of filtering ads and trackers at the domain name level. You can do that fairly easily on Mac, iOS and Android while connected to the Internet via Wi-Fi, but you can't do it on cellular.

...Actually, there is a way, and it's called DNSCrypt. In short, it is a way of talking to a DNS server other than through the regular DNS protocol, whose settings your carrier and your mobile device don't let you adjust. The connection to a DNS server of your choice is established over HTTPS, so it is encrypted, and you can pick the server yourself. The only requirement is that your DNS provider of choice supports resolving domains over HTTPS (usually port 443) in addition to the usual DNS port 53.
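To make "DNS over HTTPS" concrete, here is an added example (my own illustration, not code from the post, DNSCloak or Cloudflare) that builds a plain DNS query in wire format, wraps it the way an RFC 8484 DoH client does (GET with a base64url `dns` parameter, or POST with the `application/dns-message` body), and parses a reply. The endpoint URL `https://cloudflare-dns.com/dns-query` is assumed to be 1.1.1.1's DoH address; the reply is constructed locally so the script runs offline, and `192.0.2.1` is a documentation address, not a real answer.

```python
import base64
import struct

# Assumed DoH endpoint for 1.1.1.1; the post only names the 1.1.1.1 resolver itself
DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"


def encode_name(name: str) -> bytes:
    """Encode a domain name as RFC 1035 wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1) -> bytes:
    """Build a DNS query (A record by default). The transaction ID is 0, as RFC 8484
    recommends for DoH, so identical queries are byte-identical and HTTP-cacheable."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # flags: RD=1; QDCOUNT=1
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    return header + question


def doh_get_url(endpoint: str, message: bytes) -> str:
    """RFC 8484 GET form: the message travels in the 'dns' parameter as unpadded base64url."""
    dns = base64.urlsafe_b64encode(message).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={dns}"


def decode_dns_param(param: str) -> bytes:
    """Inverse of the GET form: restore the padding and decode base64url."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def doh_post_request(endpoint: str, message: bytes) -> tuple:
    """RFC 8484 POST form: the raw message is the body, tagged with the DNS media type."""
    headers = {"Content-Type": "application/dns-message",
               "Accept": "application/dns-message"}
    return endpoint, headers, message


def read_name(msg: bytes, offset: int) -> tuple:
    """Read a (possibly compressed) name; return it and the offset just after it."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier copy of the name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_response(msg: bytes) -> dict:
    """Parse the header, skip the echoed question and collect the answer records."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):
        _, offset = read_name(msg, offset)
        offset += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, offset = read_name(msg, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        value = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, value))
    return {"id": txid, "rcode": flags & 0x000F, "answers": answers}


def build_sample_response(query: bytes, addr: str, ttl: int = 300) -> bytes:
    """Constructed reply for offline use (not captured from a real resolver): echo the
    question and add one A record whose owner name is a pointer to offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1
    rdata = bytes(int(p) for p in addr.split("."))
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + query[12:] + answer


if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_get_url(DOH_ENDPOINT, q))
    print(parse_response(build_sample_response(q, "192.0.2.1")))
```

The part worth noticing is that the DNS message itself is unchanged; only the transport differs. That is exactly why a carrier that pins the resolver for port 53 traffic has no say over it, and why anyone inspecting the link sees only a TLS session to port 443.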

Luckily, my DNS server of choice, 1.1.1.1 (provided by Cloudflare), supports DNS queries over HTTPS as well. So the only thing I had to do was install DNSCloak for iOS, find 1.1.1.1 in the supplied list of DNSCrypt-enabled DNS servers and tap 'start'. That establishes a 'VPN' connection which is not actually a VPN, since it doesn't send all your traffic to another server, just the DNS queries. As a result you get ads and trackers filtered at the domain level, without the speed penalty that all traditional VPNs have in common.

To make your DNSCrypt connection more stable, open Settings.app, go to General -> VPN, tap the 'i' button next to 'DNSCloak' and switch on 'Connect On Demand' at the bottom.

If you have your own pi-hole DNS server facing the open Internet (which you should do carefully, or not at all), or you know a public one you can trust, you can enable it in DNSCloak and get even stricter DNS filtering than Google or Cloudflare provide. Those are public DNS servers and they are more conservative about what they filter, so as not to accidentally break websites used by the general public (e.g. blocking Facebook's tracking 'like' buttons may block Facebook altogether). But that doesn't mean your pi-hole DNS server of choice can't be stricter 🙂
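The "strict versus conservative" trade-off above comes down to how a blocklist matches names. As an added illustration (my own code, not pi-hole's), here is a small domain-level filter in the style pi-hole uses: a hosts-format list blocks exactly the hosts it names, while a suffix rule blocks a domain and everything beneath it, which is how one overly broad rule can take down a whole site. The blocklist and the `example.*` names are constructed for the demo, not taken from any real list.

```python
# Constructed sample blocklist in the hosts-file format pi-hole consumes (not a real list)
SAMPLE_BLOCKLIST = """
# ad and tracker hosts (constructed)
0.0.0.0 tracker.example.net
0.0.0.0 metrics.example.org
127.0.0.1 ads.example.com   # older lists map to loopback instead of 0.0.0.0
"""

# Constructed suffix rules: each blocks the name itself and every subdomain beneath it
SAMPLE_SUFFIX_RULES = {"telemetry.example.com"}

# Addresses a hosts-style list uses to mean "blocked"
NULL_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::", "::1"}


def normalize(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.strip().rstrip(".").lower()


def parse_hosts_blocklist(text: str) -> set:
    """Collect the hostnames that a hosts-style list maps to a null address."""
    blocked = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        if addr not in NULL_ADDRESSES or not names:
            continue  # an ordinary hosts mapping, not a block entry
        blocked.update(normalize(n) for n in names)
    return blocked


def is_blocked(name: str, exact: set, suffixes: set) -> bool:
    """Exact entries match one host; suffix rules match the host and all its subdomains."""
    name = normalize(name)
    if name in exact:
        return True
    labels = name.split(".")
    return any(".".join(labels[i:]) in suffixes for i in range(len(labels)))


def answer_for(name: str, exact: set, suffixes: set):
    """pi-hole style decision: blocked names resolve to 0.0.0.0, others are forwarded (None)."""
    return "0.0.0.0" if is_blocked(name, exact, suffixes) else None


if __name__ == "__main__":
    exact = parse_hosts_blocklist(SAMPLE_BLOCKLIST)
    for host in ("ads.example.com", "www.example.com", "api.telemetry.example.com"):
        print(host, "->", answer_for(host, exact, SAMPLE_SUFFIX_RULES))
```

With the sample data, `ads.example.com` is blocked but `www.example.com` still resolves; add a suffix rule for `example.com` and the whole site goes dark, which is the Facebook 'like' button problem in miniature and the reason public resolvers keep their lists narrow.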