Apple, Cloudflare Join Forces To Encrypt DNS

from the long-overdue dept

Each time you visit a website, your browser interacts with a domain name system (DNS) resolver that converts web addresses to an IP address understood by the machines along your path. Historically however this traffic exchange isn't encrypted, making it possible for your broadband provider or another third party to monitor your browsing data based on your DNS queries. DNS inventors in the 80s didn't really bet on a future where all DNS queries would be tracked, monetized, or weaponized by third parties.

Experts for a while have been arguing (including here at the Techdirt Greenhouse policy project) that it's important that we start encrypting these pathways to bring a little more security and privacy to the equation. Companies like Mozilla have been at the forefront of implementing "DNS over HTTPS," a significant security upgrade to DNS that encrypts and obscures your domain requests, making it more difficult (though not impossible) to see which websites a user is visiting. Recently, even Comcast (a company that's no stranger to monetizing your online habits) joined Mozilla's efforts to take the idea mainstream.

But even DNS over HTTPS (DoH) doesn't fully thwart DNS resolvers from seeing your browsing activity. Enter a new joint effort from Cloudflare and Apple, who say they have joined forces to back a new internet protocol dubbed ODOH, based in turn on existing research out of Princeton (pdf). Cloudflare explains how it works this way:

"ODoH is an emerging protocol being developed at the IETF. ODoH works by adding a layer of public key encryption, as well as a network proxy between clients and DoH servers such as 1.1.1.1. The combination of these two added elements guarantees that only the user has access to both the DNS messages and their own IP address at the same time."

The changes shouldn't add any perceptible latency to browsing speed, but should notably improve user and overall internet security. A good thing in a country that still doesn't seem to think even a modern, simply privacy law for the internet era is necessary to protect the security of the internet and public safety. But as Zack Whitacre at TechCrunch notes, steps still need to be taken to ensure no single party controls both the DNS resolver and proxy:

"A key component of ODoH working properly is ensuring that the proxy and the DNS resolver never “collude,” in that the two are never controlled by the same entity, otherwise the “separation of knowledge is broken,” Sullivan said. That means having to rely on companies offering to run proxies."

Cloudflare told TechCrunch that several partner organizations are already running proxies, allowing for folks to give the system an early spin if they use Cloudflare's security-focused 1.1.1.1 DNS resolver. Everybody else will need to wait until the new protocol comes standard as part of your OS or browser, which depends on how long it takes for the Internet Engineering Task Force to finalize the proposal. That could take months or years, but in a world where your every waking online movement is increasingly tracked and monetized, it should be a welcome shift whenever it finally drops.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: dns, dns over https, doh, encrypted dns, odoh
Companies: apple, cloudflare


Reader Comments

Subscribe: RSS

View by: Thread


  • identicon
    Anonymous Coward, 11 Dec 2020 @ 1:47pm

    First Mozilla and Comcast, Now Cloudflare (or Cloudfare) and Apple.
    Surprising, but anything can happen.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 12 Dec 2020 @ 11:50pm

      Re:

      Mozilla uses cloudfare to provide it's service.

      So it's not really an improvement. More like Cloudfare is becoming the main DNS provider for many web browsers, and every member of the Five Eyes is currently getting agents in position.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 11 Dec 2020 @ 6:20pm

    Hmm

    While this looks good on the surface I've seen way too many problematic behaviors from cloudflare.

    An interesting write up I found of some of them: https://www.devever.net/~hl/cloudflare

    ODoH works by adding a layer of public key encryption,

    Um... isn't that the "DoH" part? Reading past the bluster it sounds like they are just adding a proxy. Which in and of itself doesn't sound bad, however cloudflare being in control of proxys doesn't sound like a good idea.

    Also with the way TLS works, I wouldn't be too surprised if a cloudflare controlled proxy was able to hijack your requests. If cloudflare has access to a trusted CA, they would be able to forge a certificate. Of course there are ways to resist forged certs (cert pinning for example). But simply waiting to launch the attack at/near the certificate expiration/change over point would make it more successful.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 12 Dec 2020 @ 4:00am

    Away with client public key

    Sending client pubkey is unnecessary and even risky. They swear not to pass on the client IP address, but they just create another identifier: client pubkey serves that case perfectly. That's the risky part. It's unnecessary, because client could have just sent a key for symmetric encryption, which would have the nice side effect of reducing server resource requirements.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 12 Dec 2020 @ 4:06am

      Re: Away with client public key

      but in a world where your every waking online movement is increasingly tracked and monetized, it should be a welcome shift whenever it finally drops

      The pubkey serves as the perfect advertising ID. Currently the spec does not specify lifetime of the key. To thwart the risks, it would need to be recreated periodically.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 12 Dec 2020 @ 11:59pm

        Re: Re: Away with client public key

        Encrypting DNS isn't a very good security enhancement. If anything it just makes compromise that much easier.

        Get everyone using the same provider and you can gain a lot of info:

        1) Block the provider and see who's smart enough to get local DNS working. Refer them to active monitoring.

        2) Those that aren't, will complain loudly and get the feature disabled / gutted due to user friendliness issues.

        3) While the service is up and running get agents in there to monitor / backdoor everything, while everyone else assumes they are safe due to the service's marketing.

        4) ???

        5) Profit.

        reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 13 Dec 2020 @ 11:12am

      Re: Away with client public key

      It's unnecessary, because client could have just sent a key for symmetric encryption, which would have the nice side effect of reducing server resource requirements.

      Umm do you know how symmetric/asymmetric encryption even works? Sending the symmetric key (while not using asymmetric encryption to do so/or derive the key) is tantamount to having a clear connection.

      Further more. the client could regularly regenerate its asymmetric key, it could be once a day, once a month, or even once for every transaction. Then it wouldn't be much of an identifier at all.

      reply to this | link to this | view in chronology ]

  • icon
    TheForumTroll (profile), 13 Dec 2020 @ 6:36am

    It's only PR.... and monopoly.

    Apple is doing a lot these days for "privacy". What most seem to miss is that what is actually going on is Apple closing down every avenue of data collection that isn't going though Apple's own ad service to force everyone's hand. It is an abuse of market-position and should be stopped. Apple is in no way more pro-privacy than for example Facebook or Google is. Yet since Apple have fans, not users, it is cool instead of scary.

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Close

Add A Reply

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Insider Shop - Show Your Support!

Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads
.

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.