Apple and Cloudflare team up to encrypt DNS
from the long-awaited dept.
Every time you visit a website, your browser interacts with a Domain Name System (DNS) resolver which converts web addresses to an IP address understood by machines along your path. Historically, however, this traffic exchange has not been encrypted, allowing your broadband service provider or other third party to monitor your browsing data based on your DNS queries. The inventors of DNS in the 1980s weren’t quite betting on a future where all DNS queries would be tracked, monetized, or militarized by third parties.
Experts have argued for some time (including here at the Techdirt Greenhouse policy project) that it’s important that we start encrypting these pathways to bring some more security and privacy to the equation. Companies like Mozilla have been at the forefront of implementing “DNS over HTTPS,” a major security upgrade to DNS that encrypts and masks your domain requests, making it more difficult (but not impossible) to see which websites a user is visiting. Recently, even Comcast (a company that’s no stranger to monetizing your online habits) joined Mozilla’s efforts to mainstream the idea.
But even DNS over HTTPS (DoH) doesn’t completely prevent DNS resolvers from seeing your browsing activity. Enter a new joint effort by Cloudflare and Apple, who say they have joined forces to support a new internet protocol dubbed ODoH (Oblivious DNS over HTTPS), which in turn is based on existing research from Princeton (pdf). Cloudflare explains how it works this way:
“ODoH is an emerging protocol under development at the IETF. ODoH works by adding a layer of public key encryption, as well as a network proxy between clients and DoH servers such as 18.104.22.168. The combination of these two added elements ensures that only the user has access to DNS messages and their own IP address at the same time.”
The changes should not add noticeable latency to browsing, and should improve overall user and internet security. A good thing in a country that still doesn’t seem to think a modern, simple privacy law is necessary in the internet age to protect internet security and public safety. But as TechCrunch’s Zack Whittaker notes, steps still need to be taken to ensure that no single party controls both the DNS resolver and the proxy:
“A key part of the proper functioning of ODoH is to ensure that the proxy and DNS resolver never ‘team up’, in the sense that the two are never controlled by the same entity, otherwise ‘separation knowledge is broken,’ Sullivan said. That means having to rely on companies offering to execute proxies.”
Cloudflare told TechCrunch that several partner organizations are already running proxies, which lets people get the system up and running quickly if they use Cloudflare’s security-focused 22.214.171.124 DNS resolver. Everyone else will have to wait until the new protocol is supported by their operating system or browser, which depends on how long it takes the Internet Engineering Task Force to finalize the proposal. It could take months or years, but in a world where your every online move is increasingly tracked and monetized, this should be a welcome change whenever it finally arrives.
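The “separation of knowledge” that Cloudflare and Sullivan describe, shown as an added example that is not Cloudflare’s or Apple’s code: the client seals its query to the target resolver’s X25519 public key, the proxy relays bytes it cannot read but does see the client’s address, and the target decrypts the query but only ever sees the proxy’s address. It assumes Go 1.20+ (crypto/ecdh); X25519 plus SHA-256 plus AES-GCM stands in for the HPKE real ODoH uses, and the IP addresses and query are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
)

type Views struct {
	ProxyClientIP   string // the proxy sees the client address...
	ProxyReadsQuery bool   // ...but must never be able to read the query
	TargetQuery     string // the target reads the query...
	TargetPeerIP    string // ...but only ever sees the proxy address
}

// must panics on error; used only for key generation (CSPRNG failure).
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
// aead derives AES-GCM from an X25519 agreement: a simplified stand-in for HPKE.
func aead(priv *ecdh.PrivateKey, pub *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := priv.ECDH(pub)
	if err != nil { return nil, err }
	key := sha256.Sum256(shared)
	block, _ := aes.NewCipher(key[:])
	return cipher.NewGCM(block)
}

// seal (client side): ephPub || AES-GCM(query). One-shot key, so a zero nonce is safe.
func seal(targetPub *ecdh.PublicKey, query []byte) []byte {
	eph := must(ecdh.X25519().GenerateKey(rand.Reader))
	gcm := must(aead(eph, targetPub))
	return gcm.Seal(eph.PublicKey().Bytes(), make([]byte, gcm.NonceSize()), query, nil)
}

// Exchange runs client -> proxy -> target and records each party's view.
func Exchange(clientIP, proxyIP, query string) (Views, error) {
	targetPriv := must(ecdh.X25519().GenerateKey(rand.Reader))
	msg := seal(targetPriv.PublicKey(), []byte(query))
	// Proxy hop: learns the source address, forwards bytes it cannot read.
	v := Views{ProxyClientIP: clientIP, ProxyReadsQuery: bytes.Contains(msg, []byte(query))}
	// Target hop: decrypts with its private key; the peer it sees is the proxy.
	ephPub, err := ecdh.X25519().NewPublicKey(msg[:32])
	if err != nil { return Views{}, err }
	gcm, err := aead(targetPriv, ephPub)
	if err != nil { return Views{}, err }
	pt, err := gcm.Open(nil, make([]byte, gcm.NonceSize()), msg[32:], nil)
	if err != nil { return Views{}, err }
	v.TargetQuery, v.TargetPeerIP = string(pt), proxyIP
	return v, nil
}
```

If the proxy and the target were one operator, the proxy’s address log and the target’s decrypted queries could be joined, which is exactly the collusion the quote above warns against.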
Filed under: DNS, DNS on https, doh, encrypted DNS, odoh
Companies: apple, cloudflare