CloudFlare Announces Support For Privacy-Focused Oblivious DNS Over HTTPS Protocol
Domain Name System (DNS) servers form part of the internet's backbone as we know it. They let anyone type a domain name and reach a website; without them, we would have to know the IP address of every site. In the process, the resolver sees both the name being looked up and the IP address of the person looking it up, which is a privacy concern. To address that concern, CloudFlare plans to implement a new DNS standard called Oblivious DNS over HTTPS (oDoH) to ensure privacy through a “technical guarantee.”
When DNS first launched, queries were sent in plaintext across the internet, and many deployments still work that way today. In response, the Internet Engineering Task Force standardized two encrypted transports, DNS over HTTPS (DoH) and DNS over TLS (DoT). Both encrypt the DNS traffic travelling between the client and the resolver, which “prevent[s] queries from being intercepted, redirected, or modified between the client and resolver.” As good as these standards are, they raise concerns about single points of failure, and the resolver, CloudFlare in this case, can still see the DNS requests; oDoH is meant to take care of that.
Oblivious DoH (oDoH) is a new protocol that works by inserting a proxy between the end user and the DNS resolver, so the resolver never learns which IP address sent which request. A layer of public-key encryption keeps the proxy from reading the queries it forwards, and the “combination of these two added elements guarantees that only the user has access to both the DNS messages and their own IP address at the same time.”
The remaining weakness in oDoH is collusion between the proxy and the DNS provider, since the two together hold both halves of the picture, but that would be difficult at best. CloudFlare also notes that users will likely not have to trade privacy for performance: in data collected in North America, oDoH lands roughly halfway between standard DoH, at 146.1 ms, and DoH over Tor, at 696 ms.
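The split of knowledge described above, and the reason collusion is the only way to undo it, is easiest to see in a simulation of one exchange. The following is an added example written for this article; it is not CloudFlare's code or the oDoH specification. It assumes an ECIES-style construction (X25519 ephemeral-static ECDH, SHA-256 as KDF, AES-256-GCM) in place of the HPKE that real oDoH uses, carries the client's response key inside the sealed query instead of deriving it from the HPKE context, uses an assumed wire format, and constructs the IP addresses (RFC 5737 documentation ranges) and the one-entry zone. It records what the proxy, the target resolver and the client can each see:

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed sample values: RFC 5737 documentation addresses and a one-entry zone.
const clientIP, proxyIP = "198.51.100.7", "203.0.113.50"

var zone = map[string]string{"example.com": "192.0.2.10"} // the target's toy resolver

// Observation records what each party could see during one exchange.
type Observation struct {
	ProxySawIP, TargetSawIP string // source address each hop saw on its connection
	ProxySawQuery           bool   // did the queried name cross the proxy in the clear?
	TargetSawQuery, Answer  string // what the target decrypted; what the client got back
}

// must keeps the demonstration short; real code would propagate these errors.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func gcm(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// symSeal / symOpen: AES-256-GCM under a 32-byte key, random nonce prefixed to the
// ciphertext (an assumed wire format, not oDoH's).
func symSeal(key, plaintext []byte) []byte {
	aead := gcm(key)
	nonce := make([]byte, aead.NonceSize())
	must(rand.Read(nonce))
	return aead.Seal(nonce, nonce, plaintext, nil)
}

func symOpen(key, msg []byte) []byte {
	aead := gcm(key)
	n := aead.NonceSize()
	return must(aead.Open(nil, msg[:n], msg[n:], nil)) // panics on a forged or short message
}

// seal encrypts to the target's X25519 public key: ephemeral-static ECDH, SHA-256 as
// KDF, then symSeal. Real oDoH uses HPKE (RFC 9180) here; this ECIES-style stand-in
// has the same property: only the holder of the target's private key can open it.
func seal(to *ecdh.PublicKey, plaintext []byte) []byte {
	eph := must(ecdh.X25519().GenerateKey(rand.Reader))
	ephPub := eph.PublicKey().Bytes()
	key := sha256.Sum256(append(must(eph.ECDH(to)), ephPub...))
	return append(ephPub, symSeal(key[:], plaintext)...) // ephPub || nonce || ct
}

func open(priv *ecdh.PrivateKey, msg []byte) []byte {
	ephPub := must(ecdh.X25519().NewPublicKey(msg[:32]))
	key := sha256.Sum256(append(must(priv.ECDH(ephPub)), msg[:32]...))
	return symOpen(key[:], msg[32:])
}

// RunExchange walks one query client -> proxy -> target and back, recording what
// each hop could see.
func RunExchange(name string) Observation {
	var obs Observation
	// Target's long-term key pair. In oDoH the client fetches the public half over
	// HTTPS; here it is handed over directly (simulation assumption).
	targetKey := must(ecdh.X25519().GenerateKey(rand.Reader))
	// Client: fresh response key, then seal "name\x00respKey" to the target. (oDoH
	// derives the response key from the HPKE context; carrying it inside the sealed
	// query is a simplification with the same effect.)
	respKey := make([]byte, 32)
	must(rand.Read(respKey))
	sealed := seal(targetKey.PublicKey(), append([]byte(name+"\x00"), respKey...))
	// Proxy: learns who asked and where to forward, but holds only an opaque blob.
	obs.ProxySawIP = clientIP
	obs.ProxySawQuery = bytes.Contains(sealed, []byte(name))
	// Target: the connection arrives from the proxy, so that is the only IP it learns.
	obs.TargetSawIP = proxyIP
	pt := open(targetKey, sealed)
	sep := bytes.IndexByte(pt, 0)
	qname, key := string(pt[:sep]), pt[sep+1:]
	obs.TargetSawQuery = qname
	addr, ok := zone[qname]
	if !ok {
		addr = "NXDOMAIN"
	}
	encResp := symSeal(key, []byte(addr)) // the proxy relays this; it cannot open it
	// Client: only the holder of respKey can read the answer.
	obs.Answer = string(symOpen(respKey, encResp))
	return obs
}

func main() { fmt.Printf("%+v\n", RunExchange("example.com")) }
```

Running it prints an Observation in which the proxy saw the client's address but never the name, and the target saw the name but only the proxy's address. Joining the two views, the collusion case from the paragraph above, is the only way to put the user's IP next to the user's query.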
At the end of the day, if all of this sounds like mumbo-jumbo, take away this: DNS companies are improving your privacy. Whether you think you need it or not, it is a good thing. Your internet browsing and patterns should be yours and yours alone, and CloudFlare is looking to ensure that.