January 17, 2021

Apple, Cloudfare Join Forces To Encrypt DNS

By Karl Bode
Each time you visit a website, your browser interacts with a domain name system (DNS) resolver that converts web addresses to an IP address understood by the machines along your path. Historically however this traffic exchange isn’t encrypted, making it possible for your broadband provider or another third party to monitor your browsing data based on your DNS queries. DNS inventors in the 80s didn’t really bet on a future where all DNS queries would be tracked, monetized, or weaponized by third parties.

Experts for a while have been arguing (including here at the Techdirt Greenhouse policy project) that it’s important that we start encrypting these pathways to bring a little more security and privacy to the equation. Companies like Mozilla have been at the forefront of implementing “DNS over HTTPS,” a significant security upgrade to DNS that encrypts and obscures your domain requests, making it more difficult (though not impossible) to see which websites a user is visiting. Recently, even Comcast (a company that’s no stranger to monetizing your online habits) joined Mozilla’s efforts to take the idea mainstream.

But even DNS over HTTPS (DoH) doesn’t fully thwart DNS resolvers from seeing your browsing activity. Enter a new joint effort from Cloudflare and Apple, who say they have joined forces to back a new internet protocol dubbed ODOH, based in turn on existing research out of Princeton (pdf). Cloudflare explains how it works this way:

“ODoH is an emerging protocol being developed at the IETF. ODoH works by adding a layer of public key encryption, as well as a network proxy between clients and DoH servers such as 1.1.1.1. The combination of these two added elements guarantees that only the user has access to both the DNS messages and their own IP address at the same time.”

The changes shouldn’t add any perceptible latency to browsing speed, but should notably improve user and overall internet security. A good thing in a country that still doesn’t seem to think even a modern, simply privacy law for the internet era is necessary to protect the security of the internet and public safety. But as Zack Whitacre at TechCrunch notes, steps still need to be taken to ensure no single party controls both the DNS resolver and proxy:

“A key component of ODoH working properly is ensuring that the proxy and the DNS resolver never “collude,” in that the two are never controlled by the same entity, otherwise the “separation of knowledge is broken,” Sullivan said. That means having to rely on companies offering to run proxies.”

Cloudflare told TechCrunch that several partner organizations are already running proxies, allowing for folks to give the system an early spin if they use Cloudflare’s security-focused 1.1.1.1 DNS resolver. Everybody else will need to wait until the new protocol comes standard as part of your OS or browser, which depends on how long it takes for the Internet Engineering Task Force to finalize the proposal. That could take months or years, but in a world where your every waking online movement is increasingly tracked and monetized, it should be a welcome shift whenever it finally drops.

Source:: https://www.techdirt.com/articles/20201208/11470145843/apple-cloudfare-join-forces-to-encrypt-dns.shtml