
Cloudflare, Apple, and others back a new way to make the Internet more private


For more than three decades, the Internet’s most key underpinning has posed privacy and security threats to the billion-plus people who use it every day. Now, Cloudflare, Apple, and content-delivery network Fastly have introduced a novel way to fix that using a technique that prevents service providers and network snoops from seeing the addresses end users visit or send email to.

Engineers from all three companies have devised Oblivious DNS, a major change to the current domain name system that translates human-friendly domain names into the IP addresses computers need to find other computers over the Internet. The companies are working with the Internet Engineering Task Force in hopes it will become an industry-wide standard. Abbreviated as ODoH, Oblivious DNS builds off a separate DNS improvement called DNS over HTTPS, which remains in the very early stages of adoption.

The way DNS works now

When someone visits arstechnica.com—or any other website, for that matter—their browser must first obtain the IP address used by the hosting server (which at the moment is 3.128.236.93 or 52.14.190.83). To do this, the browser contacts a DNS resolver that typically is operated by either the ISP or a service such as Google’s 8.8.8.8 or Cloudflare’s 1.1.1.1. Since the beginning, however, DNS has suffered from two key weaknesses.

First, DNS queries and the responses they return have been unencrypted. That makes it possible for anyone in a position to view the connections to monitor which sites a user is visiting. Even worse, people with this capability may also be able to tamper with the responses so that the user goes to a site masquerading as arstechnica.com, rather than the one you’re reading now.


To fix this weakness, engineers at Cloudflare and elsewhere developed DNS over HTTPS, or DoH, and DNS over TLS, or DoT. Both protocols encrypt DNS lookups, making it impossible for people between the sender and receiver to view or tamper with the traffic. As promising as DoH and DoT are, many people remain skeptical of them, mainly because only a handful of providers offer them. Such a small pool leaves these providers in a position to log the Internet usage of potentially billions of people.

That brings us to the second major shortcoming of DNS. Even when DoH or DoT is in place, the encryption does nothing to prevent the DNS provider from seeing not only the lookup requests but also the IP address of the computer making them. That makes it possible for the provider to build comprehensive profiles of the people behind the addresses. As noted earlier, the privacy risk becomes greater still when DoH or DoT thins the number of providers to only a handful.

ODoH is intended to fix this second shortcoming. The emerging protocol uses encryption and places a network proxy between end users and a DoH server to guarantee that only the user has access to both the DNS request information and the IP address that sends and receives it. Cloudflare calls the end user the client and the DNS resolver operated by the ISP or other provider the target. Below is a diagram.

[Diagram. Image: Cloudflare]
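The split described above, as an added example (not code from Cloudflare or the original article): the client seals a query so that a relaying proxy handles only an ephemeral public key and ciphertext, while the target alone can decrypt it. It assumes a simplified X25519 + SHA-256 + AES-256-GCM construction in place of the HPKE encryption the real protocol uses; `aeadFor`, `Seal` and `Open` are hypothetical names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// aeadFor is a simplified stand-in for HPKE: X25519 -> SHA-256 -> AES-256-GCM.
func aeadFor(priv *ecdh.PrivateKey, peer *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(shared)
	block, _ := aes.NewCipher(key[:]) // a 32-byte key is always accepted
	return cipher.NewGCM(block)
}

// Seal (client): one fresh ephemeral key per query, so the zero nonce never repeats.
func Seal(target *ecdh.PublicKey, name string) (*ecdh.PublicKey, []byte, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	a, err := aeadFor(eph, target)
	if err != nil {
		return nil, nil, err
	}
	return eph.PublicKey(), a.Seal(nil, make([]byte, 12), []byte(name), nil), nil
}

// Open (target): only the target key decrypts; any other key fails authentication.
func Open(target *ecdh.PrivateKey, eph *ecdh.PublicKey, ct []byte) (string, error) {
	a, err := aeadFor(target, eph)
	if err != nil {
		return "", err
	}
	name, err := a.Open(nil, make([]byte, 12), ct, nil)
	return string(name), err
}

func main() {
	target, _ := ecdh.X25519().GenerateKey(rand.Reader) // constructed target key
	eph, ct, _ := Seal(target.PublicKey(), "arstechnica.com")
	fmt.Println(Open(target, eph, ct)) // the proxy relays eph and ct, never the name
}
```

The response path, which the real protocol also encrypts back to the client, is not modelled here.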

How it works

In a blog post introducing Oblivious DoH, Cloudflare researchers Tanya Verma and Sudheesh Singanamalla wrote:

A work in progress

The post says that engineers are still measuring the performance cost of adding the proxy and encryption. Early results, however, appear promising. In one study, the additional overhead between a proxied DoH query/response and its ODoH counterpart was less than 1 millisecond at the 99th percentile. Cloudflare provides a much more detailed discussion of ODoH performance in its post.


So far, ODoH remains very much a work in progress. With shepherding from Cloudflare, contributions from Apple and Fastly—and interest from Firefox and others—ODoH is worth taking seriously. At the same time, the absence of Google, Microsoft, and other key players suggests it has a long way to go still.

What’s clear is that DNS remains glaringly weak. That one of the Internet’s most fundamental mechanisms, in 2020, isn’t universally encrypted is nothing short of crazy. Critics have resisted DoH and DoT out of concern that they trade privacy for security. If ODoH can convert the naysayers and doesn’t break the Internet in the process, it will be worth it.

Promoted Comments

switzer wrote:

Doesn't this just pass the ball from the DNS operator being able to identify you, to whoever runs the proxy being able to identify you? I mean, at some point, a computer has to match up your request with the response, and it's just a matter of trust that that computer isn't run by a bad actor...

No, because the request is encrypted so that only the DNS provider (target) can decrypt it. The proxy cannot and doesn't know what the request contains. But the provider doesn't know who sent the request since it came from the proxy.

However, this presumes that the proxy is being operated by someone other than the DNS provider. If both are under the same roof, then the proxy knows the source, and the DNS knows the query. By correlating records between both systems, it would still be possible to un-mask the requester.

For this to work, it seems like the proxy and DNS provider would have to be in separate infrastructure, with privacy protections in place to ensure that the two never compare notes.

Short of an open network of randomized proxies and provider paths, on the surface this seems like it's a step in the right direction, but not a privacy panacea -- certainly not until it has broad adoption, and implementation isn't consolidated in a small number of providers.