DNSCloak is similar to NextDNS: an app that runs through the iOS VPN mechanism (and is only available on iOS).
It is not actually a VPN as such, but an encrypted connection to your DNS resolver. DNSCloak lets you pick a DoH or DNSCrypt connection to one of many listed services, each with a description, location and so on. Some of these resolvers have built-in adblockers, and most (though not the ones that involve Cloudflare) are clean and keep no logs.
DNSCloak, however, can do more than just connect to a DNS service and encrypt your traffic. It has a built-in local adblocker, essentially a Pi-hole on your iOS device. It appears to be far more complex than it actually is.
Basically, click on the menu in the top-left corner, find Blocklists & Whitelists, enable Blacklists and click Pick Blocklist files. This file must list domains only, so you can't just point it at a link and download a list; you need to make one yourself in the following format:
example.com
=example.com
*adult*
ads.*
ads*.example.com
ads*.example[0-9]*.com
privacy.do is happy to share such lists with you. It is not the daily drive list we use ourselves as we are blocking far too many services for most users, but it has a nice list of trackers and bad apple domains that, we believe, need to be blocked.
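To check a hand-made list before loading it into DNSCloak, here is an added example (not from the app, dnscrypt-proxy or privacy.do) that applies the pattern forms above to a few constructed query names. It assumes DNSCloak follows dnscrypt-proxy's blocklist semantics: a bare domain also covers its subdomains, a leading `=` means an exact name, and `*` and `[...]` are glob wildcards; the blocklist and the query names are constructed.

```python
import fnmatch
import re

# Constructed blocklist in DNSCloak's domain-only format (not the privacy.do list).
BLOCKLIST = """
=tracker.example.com          # exact name only
telemetry.example.net         # this name and every subdomain
*adult*                       # substring anywhere in the name
ads.*                         # names starting with "ads."
ads*.example[0-9]*.com        # glob with a character class
"""

def compile_rule(rule):
    """Turn one blocklist line into an anchored regex (rules and names are lowercased)."""
    rule = rule.strip().lower()
    if rule.startswith("="):                     # exact match, no subdomains
        return re.compile(re.escape(rule[1:]) + r"\Z")
    if any(ch in rule for ch in "*[?"):          # glob-style pattern
        return re.compile(fnmatch.translate(rule))
    # plain domain: the name itself or any label below it (dot boundary enforced)
    return re.compile(r"(?:.*\.)?" + re.escape(rule) + r"\Z")

def load_rules(text):
    """Parse the list in file order; '#' comments and blank lines are dropped here."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rules.append((line, compile_rule(line)))
    return rules

def normalize(name):
    """DNS names are case-insensitive and a query log may carry a trailing dot."""
    return name.strip().lower().rstrip(".")

def matching_rule(rules, name):
    """Return the first rule that blocks `name`, or None if it would resolve."""
    qname = normalize(name)
    for rule, regex in rules:
        if regex.match(qname):
            return rule
    return None

# Constructed names, as they might appear in DNSCloak's query log.
SAMPLE_QUERIES = ["tracker.example.com.", "sub.tracker.example.com",
                  "Metrics.Telemetry.Example.net", "nottelemetry.example.net",
                  "adultcontent.example.org", "ads7.example3.com", "www.example.com"]

if __name__ == "__main__":
    rules = load_rules(BLOCKLIST)
    for q in SAMPLE_QUERIES:
        hit = matching_rule(rules, q)
        print(f"{q:32} {'BLOCK by ' + hit if hit else 'allow'}")
```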
Allowlists work the same way as Blocklists; they ensure that the designated domains will always be allowed through your firewall. In Advanced options, you can skip the accessibility check, which means the app won't wait for the resolver and helps on captive networks.
However, this can cause the app to stall from time to time, so we leave it off, which is the default. You can disconnect on sleep or when the device is not in use (but still on); this helps preserve battery life, but we keep that unchecked as well, since you really need protection around the clock.
Strict mode overrides the iOS behaviour of falling back to the default system resolvers; we have this checked, as you do not want any leaks from your phone or iPad.
Wi-Fi exemption is an interesting feature if you have a Wi-Fi network with a Pi-hole set up.
Just enter your Wi-Fi network and DNSCloak won't use the 'VPN' there (once again, this is not a VPN; it just creates a local VPN to protect all your apps, not just the browser).
IPv4-only
This fits most cases and is more private than IPv6, which we block with the next click.
TCP only
We have this off; it is usually slower than UDP, and although TCP may be more stable, the slower connectivity doesn't make it worth using.
Ephemeral keys
DNSCrypt: creates a unique key for every single DNS request. This improves privacy but has a massive impact on CPU usage. We have this off, and the same goes for the option to disable TLS session tickets.
DoH: Disable TLS session tickets increases privacy but also latency; we have this off.
Enable cloaking: cloaking returns a predefined address for a specific name. In addition to acting as a hosts file, it can also return the IP address of a different name. It also does CNAME flattening.
Example map entries (one entry per line):
example.com 10.1.1.1
www.google.* forcesafesearch.google.com
www.bing.com strict.bing.com
www.google.* startpage.com
Enable forwarding: routes queries for specific domains to a dedicated set of servers. Example entries (one per line):
example.com 9.9.9.9
example.net 80.241.218.68
You can also find Resolvers usage rules Log, which shows you the logs of DNSCrypt-proxy activity (we have this off).
Log DNS queries (we have this on), as it shows you the traffic in and out of your phone.
Log NX queries (we have this on), as it logs queries for non-existent zones.
Those queries can reveal the presence of malware, broken or obsolete applications and devices signaling their presence to 3rd parties.
General options
Connect On Demand (we have this on!)
Show VPN icon (we have this on)
Cache responses (we have that on): enables a basic DNS cache to reduce outgoing traffic.
The list of resolvers is extensive and you can probably find a really good one close to your location; just ensure that you don't use any resolver with Cloudflare involved.
Once you have your resolver up and running, check it at https://www.dnsleaktest.com/ to see which ISP shows up and whether Cloudflare is present.
If it is, change the server and double-check your settings.