Oblivious DoH: Cloudflare supports new privacy, security-focused DNS standard
Cloudflare, Apple, and Fastly have co-designed and proposed a new DNS standard to tackle ongoing privacy issues associated with DNS.
On Tuesday, Cloudflare’s Tanya Verma and Sudheesh Singanamalla announced support for the new standard, which separates IP addresses from queries, a measure that, it is hoped, will mask requests and make it more difficult for users to be tracked online.
The Domain Name System (DNS), which has underpinned online architecture for years, in its basic form still sends queries without encryption. Anyone positioned on the network path between a device and its DNS resolver can therefore read the queries, which contain the hostnames (the website addresses requested) together with the IP addresses involved.
DNS over HTTPS (DoH) and DNS over TLS (DoT) were engineered to safeguard these paths through Internet Engineering Task Force (IETF) standardized DNS encryption, reducing the risk of queries being intercepted or modified — for example, by preventing attackers from redirecting users from legitimate domains to malicious addresses. Third parties, such as ISPs, also find it more difficult to trace website visits when DoH is enabled. The resolver itself, however, still sees both the content of every query and the IP address of the client that sent it.
DoH deployment is on the cards for many major browser providers, although rollout plans are ongoing. Now, Oblivious DNS over HTTPS (ODoH) has been proposed by Cloudflare — together with partners PCCW Global, Surf, and Equinix — to improve on these models by adding an additional layer of public key encryption and a network proxy.
Research conducted by Princeton University and the University of Chicago, “Oblivious DNS: Practical Privacy for DNS Queries,” (.PDF) published in 2019 by Paul Schmitt, Anne Edmundson, Allison Mankin, and Nick Feamster, provided the inspiration for the new standard proposal.
The overall aim of ODoH is to decouple clients from resolvers so that no single party sees both who is asking and what is being asked. A network proxy is inserted between clients and DoH servers — such as Cloudflare’s 1.1.1.1 public DNS resolver — and the combination of this proxy and public key encryption “guarantees that only the user has access to both the DNS messages and their own IP address at the same time,” according to Cloudflare.
“The target decrypts queries encrypted by the client, via a proxy,” Cloudflare explained. “Similarly, the target encrypts responses and returns them to the proxy. The standard says that the target may or may not be the resolver. The proxy does as a proxy is supposed to do, in that it forwards messages between client and target. The client behaves as it does in DNS and DoH, but differs by encrypting queries for the target, and decrypting the target’s responses. Any client that chooses to do so can specify a proxy and target of choice.”
As a result, only the target can read a query’s content or produce a response, and it sees only the proxy’s IP address; the proxy sees the client’s IP address but has no visibility into the DNS messages themselves.
Cloudflare says that as long as the proxy and the target do not collude and neither is compromised, no single party can link a client’s IP address to its DNS queries.
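To make the split of knowledge concrete, here is an added simulation of the exchange described above. It is not Cloudflare’s code and not the draft’s exact construction: the draft uses HPKE over DNS wire-format messages inside HTTP, whereas this example stands in X25519 plus HKDF-SHA256 plus AES-256-GCM for HPKE, passes a bare hostname string in place of a DNS message, and calls the three parties directly instead of over HTTP. The zone contents and every IP address are constructed for the example. Each party records only what it could actually observe, so the logs show the property the text claims.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

type Envelope struct{ EphemeralPub, Ciphertext []byte } // opaque to the proxy: nothing in it reveals the hostname

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// aead derives a one-time AES-256-GCM key from the X25519 shared secret with
// HKDF-SHA256 (zero salt, one expand block); the label separates the two directions.
func aead(shared []byte, label string) cipher.AEAD {
	extract := hmac.New(sha256.New, make([]byte, 32))
	extract.Write(shared)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write(append([]byte(label), 1))
	return must(cipher.NewGCM(must(aes.NewCipher(expand.Sum(nil)))))
}

var nonce = make([]byte, 12) // each derived key encrypts exactly one message, so a fixed nonce is safe here

// Target holds the long-lived key pair; clients fetch Pub out of band.
type Target struct {
	priv    *ecdh.PrivateKey
	Pub     []byte
	zone    map[string]string // constructed stand-in for real resolution
	PeerIPs []string          // who delivered each query: the proxy, not the client
	Hosts   []string          // the hostnames it decrypted
}

func NewTarget(zone map[string]string) *Target {
	priv := must(ecdh.X25519().GenerateKey(rand.Reader))
	return &Target{priv: priv, Pub: priv.PublicKey().Bytes(), zone: zone}
}

// Resolve decrypts one query, answers it, and encrypts the answer for the client.
func (t *Target) Resolve(peerIP string, env Envelope) (Envelope, error) {
	pub, err := ecdh.X25519().NewPublicKey(env.EphemeralPub)
	if err != nil {
		return Envelope{}, err
	}
	shared, err := t.priv.ECDH(pub)
	if err != nil {
		return Envelope{}, err
	}
	host, err := aead(shared, "query").Open(nil, nonce, env.Ciphertext, nil)
	if err != nil {
		return Envelope{}, err // tampered, or not encrypted for this target
	}
	t.PeerIPs, t.Hosts = append(t.PeerIPs, peerIP), append(t.Hosts, string(host))
	answer := t.zone[string(host)] // "" stands in for NXDOMAIN
	return Envelope{env.EphemeralPub, aead(shared, "response").Seal(nil, nonce, []byte(answer), nil)}, nil
}

// NewQuery encrypts a hostname under the target's key; the returned secret decrypts the response.
func NewQuery(targetPub []byte, hostname string) ([]byte, Envelope) {
	eph := must(ecdh.X25519().GenerateKey(rand.Reader))
	shared := must(eph.ECDH(must(ecdh.X25519().NewPublicKey(targetPub))))
	ct := aead(shared, "query").Seal(nil, nonce, []byte(hostname), nil)
	return shared, Envelope{eph.PublicKey().Bytes(), ct}
}

// Proxy sees the client's IP and opaque bytes; the target sees only the proxy's IP.
type Proxy struct{ IP string; ClientIPs []string }

func (p *Proxy) Relay(clientIP string, env Envelope, t *Target) (Envelope, error) {
	p.ClientIPs = append(p.ClientIPs, clientIP)
	return t.Resolve(p.IP, env)
}

// Lookup runs one full client -> proxy -> target -> proxy -> client exchange.
func Lookup(clientIP, hostname string, p *Proxy, t *Target) (string, error) {
	shared, env := NewQuery(t.Pub, hostname)
	resp, err := p.Relay(clientIP, env, t)
	if err != nil {
		return "", err
	}
	answer, err := aead(shared, "response").Open(nil, nonce, resp.Ciphertext, nil)
	return string(answer), err
}

func main() {
	t := NewTarget(map[string]string{"example.com": "192.0.2.10"}) // constructed zone
	p := &Proxy{IP: "203.0.113.7"}
	fmt.Println(Lookup("198.51.100.23", "example.com", p, t))
	fmt.Println("proxy saw:", p.ClientIPs, "target saw:", t.PeerIPs, t.Hosts)
}
```

After one lookup the proxy’s log holds only the client address and the target’s log holds only the proxy address and the hostname. Joining the two logs by position re-links client IP to hostname, which is exactly why the proxy and target must be run by independent operators who do not share logs: the non-collusion condition is a deployment property, not something the cryptography enforces.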
Cloudflare is currently working with the IETF on the standard and plans to add ODoH to existing stub resolvers, including cloudflared. It is important to note that ODoH is still in development, and the companies are currently testing performance across different proxies, targets, and latency levels.
An ODoH draft for the IETF has been published.
Test clients for the code have been provided to the open source community to encourage experimentation with the proposed standard. It can take years before support is enabled by vendors for new DNS standards, but Eric Rescorla, Firefox’s CTO, has already indicated that Firefox will “experiment” with ODoH.
“We hope that more operators join us along the way and provide support for the protocol, by running either proxies or targets, and we hope client support will increase as the available infrastructure increases, too,” Cloudflare says. “The ODoH protocol is a practical approach for improving privacy of users, and aims to improve the overall adoption of encrypted DNS protocols without compromising performance and user experience on the internet.”
In October, Cloudflare debuted API Shield, a free service that uses a “deny-all” setup to refuse incoming connections on API servers unless suitable cryptographic certificates and keys are provided.