To secure your data from ISPs, Cloudflare and Apple have developed a new DNS protocol
Cloudflare is proposing a new DNS standard, built with Apple, to help close a blind spot in internet privacy initiatives (via TechCrunch). The protocol is called Oblivious DNS over HTTPS (ODoH), and it is intended to help anonymize the DNS lookups that happen before you even connect to a website. Whether that will help your overall online privacy we'll discuss in a second, but first we need to explain how standard DNS works and what Cloudflare has added.
DNS lets users browse the web without remembering the IP address of every site they want to visit. Humans can readily grasp names such as “theverge.com” or “archive.org,” but machines route requests over the internet using IP addresses. This is where DNS comes in: when you type in a website's name, your computer asks a DNS server to convert a name like “theverge.com” into the domain's actual IP address. The DNS server sends it back, and the computer can load the site.
If you are worried about privacy, you may have noticed that this arrangement lets whoever operates the DNS server see (and log) every website you visit. Usually that server is run by your ISP, and nothing stops the ISP from selling that knowledge to advertisers. This is the concern that Cloudflare and its partners are looking to resolve with ODoH.
The protocol works by inserting a proxy server between you and the DNS server. The proxy acts as a go-between, forwarding your requests to the DNS server and returning its replies, without ever letting the DNS server know who asked for the information.
However, adding a proxy server alone just moves the problem up one level: if the proxy has the request and knows that you sent it, what stops it from keeping its own log of the sites you have visited?
That's where the “DNS over HTTPS” (DoH) part of ODoH comes in. DoH is a standard that has been around for a few years, but it's not very widely used. It encrypts requests so that only the DNS server can read them. By encrypting the request with DoH and then routing it through a proxy server, you end up with a proxy that can't read the request and a DNS server that can't tell where it came from.
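To make the “who sees what” concrete, here is an added simulation of the ODoH flow. It is example code written for this page, not Cloudflare's, Apple's or the article's code. Real ODoH (later specified in RFC 9230) seals queries with HPKE; as an assumption for illustration, this toy stands in a Diffie-Hellman exchange over the RFC 3526 2048-bit MODP group plus an HMAC-SHA256 keystream and tag, so that it runs on the Python standard library alone and is not a production cipher. The hostnames, addresses and zone records are constructed.

```python
"""Toy model of the ODoH information flow (added example, not ODoH's real
HPKE construction). Shows that the proxy sees the client's address but only
ciphertext, while the resolver sees the query but only the proxy's address."""
import hashlib
import hmac
import secrets

# RFC 3526 group 14 parameters (2048-bit MODP prime, generator 2).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2


def keygen():
    """Return a (private, public) Diffie-Hellman key pair."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def derive_key(shared, label):
    """HKDF-style expansion: HMAC the shared secret under a purpose label."""
    return hmac.new(label, shared.to_bytes(256, "big"), hashlib.sha256).digest()


def keystream(key, n):
    """HMAC-SHA256 in counter mode, used here as a toy stream cipher."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def encrypt(key, plaintext):
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, len(plaintext))))
    return ct, hmac.new(key, ct, hashlib.sha256).digest()


def decrypt(key, ct, tag):
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext failed authentication")
    return bytes(a ^ b for a, b in zip(ct, keystream(key, len(ct))))


class Target:
    """The resolver: learns the query name, but only the proxy's address."""

    def __init__(self, zone):
        self.priv, self.pub = keygen()
        self.zone = zone   # constructed sample records
        self.seen = []     # (peer address, plaintext name)

    def handle(self, peer_addr, eph_pub, ct, tag):
        shared = pow(eph_pub, self.priv, P)
        name = decrypt(derive_key(shared, b"query"), ct, tag).decode()
        self.seen.append((peer_addr, name))
        answer = self.zone.get(name, "NXDOMAIN").encode()
        # The response is sealed under a key only the querying client can derive.
        return encrypt(derive_key(shared, b"response"), answer)


class Proxy:
    """The relay: learns the client's address, but only ever sees ciphertext."""

    def __init__(self, address, target):
        self.address, self.target = address, target
        self.seen = []     # (client address, opaque bytes)

    def relay(self, client_addr, eph_pub, ct, tag):
        self.seen.append((client_addr, ct))
        return self.target.handle(self.address, eph_pub, ct, tag)


def resolve(client_addr, name, proxy, target_pub):
    """Client side: seal the query to the target's public key, send via the proxy."""
    eph_priv, eph_pub = keygen()
    shared = pow(target_pub, eph_priv, P)
    ct, tag = encrypt(derive_key(shared, b"query"), name.encode())
    rct, rtag = proxy.relay(client_addr, eph_pub, ct, tag)
    return decrypt(derive_key(shared, b"response"), rct, rtag).decode()


def demo():
    # Constructed zone; addresses come from the RFC 5737 documentation ranges.
    target = Target({"theverge.com": "192.0.2.10", "archive.org": "192.0.2.20"})
    proxy = Proxy("203.0.113.5", target)
    client = "198.51.100.7"
    answer = resolve(client, "theverge.com", proxy, target.pub)
    return {
        "answer": answer,
        "proxy_saw_name": any(b"theverge.com" in blob for _, blob in proxy.seen),
        "proxy_saw_client": any(addr == client for addr, _ in proxy.seen),
        "target_saw_client": any(addr == client for addr, _ in target.seen),
        "target_peers": sorted({addr for addr, _ in target.seen}),
        "target_names": [n for _, n in target.seen],
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` resolves one constructed name through the proxy and reports what each party logged: the proxy recorded the client address but never the name, and the resolver recorded the name but only the proxy's address as its peer. The per-query ephemeral key is what keeps two queries from the same client unlinkable at the resolver, which is the property the article describes.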
This leaves the question: will all this actually protect your privacy? It does mean that the DNS server won't be able to keep a list of whatever pages you are visiting, but if you are trying to hide your browsing from your ISP, ODoH probably won't be enough. All of your other traffic still passes through your ISP, so covering only your DNS does not stop it from building a profile of you.
The fact of the matter is that staying anonymous online is not something you achieve by setting up a single tool. It's a way of life, and one that can be genuinely unattainable in practice. That said, anonymizing your DNS requests as the technology becomes available is one more stone to add to your privacy shield.
Cloudflare has also added support for ODoH requests to its 1.1.1.1 DNS service, although you will have to wait for your browser or OS to enable it, which may take a while. Firefox may be the one to watch if you are anxious to use the new protocol: its CTO says the team is “excited to see it starting to take off and looking forward to experimenting with it.”