DNSCloak is an open-source DNSCrypt and DNS over HTTPS (DoH) client for iOS, which gives users the ability to encrypt their DNS requests through the use of an on-device VPN profile.

While highly configurable, its user interface can be unintuitive to less tech-savvy users and doesn't easily allow users to add custom DoH resolvers, apart from the default "public-resolvers" list that the DNSCrypt project provides.

Before diving in, it's important to understand that while there is a lot of nuance to DNSCrypt and DoH, these two DNS protocols essentially achieve the same goals: They both provide users with the ability to encrypt all DNS traffic to the users' desired upstream provider(s), while preventing DNS hijacking, spoofing, and eavesdropping by 3rd parties.

The development of these DNS protocols is exciting. However, unlike Android 9 which has built-in support for DNS over TLS (another protocol with similar goals), iOS unfortunately does not allow users to easily enable any form of encrypted DNS (but may in the future). Thus, DNSCloak fills the gap for iOS users to start benefitting from these protocols today.

This guide will walk you through setting up DNSCloak to connect to any public resolver that supports DoH.

Adding a Custom Resolver

DNSCloak provides a "Config Editor" which allows you to "override or add any dnscrypt-proxy option."

You can learn more about the various configuration options from the example configuration file in dnscrypt-proxy's code repository. But, if you scroll all the way to the bottom you'll find a [static.'myserver'] section along with a stamp property. This stamp is for adding your resolver's DNS stamp, an encoded string that contains all the required information needed to connect to an encrypted DNS resolver. You can think about stamps as QR code, but for DNS.

Generating a Stamp

Some providers will provide you with a DNS stamp pre-made for you. If your provider does this, great! You can skip ahead to the next section. At the time of writing this post, CZ.NIC is the only provider listed on privacytools.io that doesn't provide their users with a DNS stamp for their DoH resolver on their website, making adoption a bit more difficult. Thankfully however, we can create a DNS stamp ourselves.

To generate a DNS stamp, DNSCrypt hosts a DNS stamp calculator (which you can also download, compile, and run offline) that we can fill out with the information from our DNS provider. We'll be using CZ.NIC's information as an example to generate our stamp.

We will need to know three things about the DoH resolver you choose:

  1. IP address
  2. Host name
  3. Path

Browse to CZ.NIC's webpage—there is an English language option at the top of the page—and scroll down to "How to turn on DNS-over-HTTPS (DoH)" and note the URL (in this case, https://odvr.nic.cz/doh).

Next, find the IPv4 addresses of the DoH resolver in any of the Windows, macOS, or Linux setup sections, and copy one of them (in this case, 193.17.47.1 or 185.43.135.1).

Now we can paste what we’ve gathered into the stamp calculator:

  • IP address: 193.17.47.1
  • Host name: odvr.nic.cz
  • Path: /doh

We’ll find that the DNS stamp is sdns://AgMAAAAAAAAACzE5My4xNy40Ny4xAAtvZHZyLm5pYy5jegQvZG9o.

Adding Resolvers to DNSCloak

Now that we have a DNS stamp generated, we can copy and paste our new configuration into the bottom of DNSCloak’s Config Editor, like so:

[static.'CZ.NIC-193.17.47.1']
stamp = 'sdns://AgMAAAAAAAAACzE5My4xNy40Ny4xAAtvZHZyLm5pYy5jegQvZG9o'

Select the checkmark icon in the top right corner to save your configuration, and it should be good to go!

Get connected, and we can finally validate DNSCloak is working as expected by visiting DNSLeakTest.com:

Adding Cloudflare’s Resolver for Firefox

Another public DoH resolver that we may want to use is Cloudflare’s public resolver for Firefoxwhich has a stricter logging policy than Cloudflare’s default resolver.

We can generate a stamp with this information:

  • IP address: 1.1.1.1
  • Host name: mozilla.cloudflare-dns.com
  • Path: /dns-query

You can now paste the following stamp we generated into DNSCloak’s Config Editor and start using the resolver.

[static.'Cloudflare Resolver for Firefox']
stamp = 'sdns://AgUAAAAAAAAABzEuMS4xLjEAGm1vemlsbGEuY2xvdWRmbGFyZS1kbnMuY29tCi9kbnMtcXVlcnk'

Summary

Keep in mind that encrypted DNS won’t hide the host name (for example, blog.privacytools.io) of the sites you visit from your ISP due to SNI*.

If you’re looking for anonymity, you should use Tor Project’s Onion Browser (but be aware of its limitations). On the other hand, if you simply want to hide your browsing history from your ISP, you should look into self-hosting a VPN with Outline or using WireGuard (if supported) or Passepartoutwith a VPN provider you are willing to trust with your browsing history instead.

But for additional security and increased privacy from 3rd parties, encrypted DNS is a great place to start.

* At the time of this post, encrypted SNI is available for testing only in Firefox Nightly, and will hopefully become integrated with other browsers and platforms in the near future.