0

I've read different articles about https://1.1.1.1/ and am confused since they conflict. A couple examples:

> effectively making your traffic invisible to snoopers on your local network but not providing an anonymised connection to the sites you're accessing at the other end - https://www.wired.co.uk/article/cloudflare-1111-with-warp

> Even though Cloudflare hides the questions you’re asking from the ISPs it can’t hide the answers. So this is not a meaningful privacy enhancement. - https://hightechforum.org/cloudflares-1-1-1-1-dns-does-nothing-for-privacy/

I will soon be living in a shared apartment where I don't control the wifi router. I don't trust the owner and don't want him to be able to see the content of my traffic or the URLs.

If the sites I visit use HTTPS (which seems to be the case for every site nowadays anyway), he'd never see the content, right? But he'd still normally be able to see the URLs visited.

I know that the standard recommendations (e.g. this answer) are to use a VPN and/or Tor.

But my internet connection will already be slow, and I'd love not to slow it down further by using those.

Will 1.1.1.1 hide my browsing history from the owner of my LAN router?

Ryan
  • You've jumbled up so many concepts. "browsing history" is not "traffic" is not "DNS queries". And you've confused the 1.1.1.1 service with the *related service* "Warp". – schroeder Sep 27 '20 at 16:14
  • It is not clear what you refer to: using 1.1.1.1 as DNS resolver or using 1.1.1.1 as VPN (i.e. Cloudflare Warp). In the latter case see [this answer](https://security.stackexchange.com/a/238550/37315). – Steffen Ullrich Sep 27 '20 at 16:34
  • With regard to `But he'd still normally be able to see the URLs visited.`, this is incorrect. He would be able to see the FQDN, but not the entire URL. For example, if you visited `https://security.stackexchange.com/questions/238871/will-1-1-1-1-hide-my-traffic-from-my-landlords-router`, he would be able to see `security.stackexchange.com`, but not the rest of the URL – mti2935 Sep 27 '20 at 16:42
  • FWIW I have few issues with my VPN provider, I think you're mistaken about your expectations and you should get a VPN, especially for your mobile phone too. – Ed Daniel Sep 27 '20 at 18:47

2 Answers

3

The sources you cite in your question suggest that you are confusing two different services offered by Cloudflare in the context of 1.1.1.1:

  • there is the traditional offer, which consists only of a DNS server available directly or with DNS over HTTP (DoH) or DNS over TLS (DoT).
  • and there is Cloudflare Warp, which is practically a VPN

With Cloudflare Warp all traffic is protected against sniffing by the landlord since all traffic between your system and Cloudflare is encrypted. See this answer for details.

With Cloudflare DNS instead there is much less protection. While the landlord can no longer get the contents of the DNS if encrypted DNS is used (i.e. DoT or DoH), the landlord can still extract sensitive information from other traffic. For example plain HTTP traffic is not protected at all. But even with HTTPS the target hostname can be extracted from the traffic in most cases. And the landlord can also see the IP addresses you connect to and deduce from this what sites you visit. The landlord might also do selective blocking of sites or services based on this visibility. With Cloudflare Warp instead none of this is visible to the landlord and no selective blocking is possible.

Steffen Ullrich
1

If you use 1.1.1.1 with DNS over TLS or DNS over HTTPS, and you use it properly by preventing normal plaintext DNS traffic with a firewall, then it will hide DNS queries from your landlord.

What does this mean? Your landlord will still see the IP of the server your browser is talking to. He will not be able to see the URL. However, and this is a big however, he may be able to deduce what host the IP is by reverse DNS.

So, will 1.1.1.1 prevent your landlord from being able to deduce what sites you are visiting? Generally speaking, no.

Will 1.1.1.1 be able to prevent your landlord from being able to see the content of your web traffic? That is unrelated -- HTTPS prevents this, assuming you don't ignore any certificate errors.

Saustin
  • Thanks! I don't yet understand "use 1.1.1.1 with DNSSEC or DNS over HTTPS, and you use it properly by preventing normal plaintext DNS traffic with a firewall" (I'd appreciate any hints if you have a moment), but it sounds like doing that would at least force my landlord to take the added step of looking up by reverse DNS each of the different IPs in my browsing history. So it makes it *harder* (but not impossible) for him to be nosy. I might be willing to risk it. – Ryan Sep 27 '20 at 16:28
  • Correct. Note that, if he is snooping web traffic, it might already be doing reverse DNS for him. However, if you want to use 1.1.1.1 with DNSSEC ("encrypted DNS") or DNS over HTTPS, you will want to prevent DNS leaks. Ideally, you could set up your own router with a DNSSEC DNS server. On that router, block outgoing port 53 UDP/TCP. Point your devices to the router, and they will all use secure DNS. Alternatively, you could rely on DoH (built into browsers) and block port 53 UDP/TCP with your software firewall on your devices. But I'm not sure what all that would break. – Saustin Sep 27 '20 at 16:35
  • @Saustin: *"... with DNSSEC ("encrypted DNS") ..."* - __DNSSec is NOT encrypted DNS__. DNSSec protects only against manipulation of the answers but the questions and answers are in clear. Encrypted DNS is provided by DoH and DoT but not by DNSSec. – Steffen Ullrich Sep 27 '20 at 16:47
  • Good catch, I meant DNS over TLS. Thanks. – Saustin Sep 27 '20 at 16:53
  • SNI will reveal the exact sites (hostnames) you are visiting. – Esa Jokinen Sep 27 '20 at 18:01
  • Reverse DNS won't be very helpful for nearly anything that is going through a cloud provider and/or using virtual hosts. There also is encrypted SNI, but it seems slow to be used. – multithr3at3d Sep 28 '20 at 01:46