Cloudflare is proposing a new DNS standard it created with Apple that is intended to help close a blindspot in internet privacy measures. The protocol is called Oblivious DNS over HTTPS (ODoH), and it’s intended to help anonymize the data that is sent before you even make it onto a website. Regardless of whether that will assist you with your general net security is something we’ll handle in a second, on the whole, we need to see how ordinary DNS works, and what Cloudflare has added.
Fundamentally, DNS lets us utilize the web without recollecting the IP address of each webpage we want to visit. While we people can undoubtedly comprehend names like “timebulletin.com”, PCs use IP addresses to route their requests across the internet instead. This is the place where DNS comes in: when you type in a site’s name, your PC asks a DNS server (normally run by your ISP) to translate a name like “timebulletin.com” to the site’s actual IP. The DNS worker will send it back, and your PC can load the site. (There are WAY more steps in this process, however, this essential stream is all we’ll require to know to comprehend ODoH.)
In case you’re worried about security and privacy, you may have seen that this system lets whoever runs the DNS server think about (and monitor) each site you’re visiting. Generally, it’s your ISP running that server, and nothing is preventing them from offering that information to advertisers. This is the issue Cloudflare and co are hoping to solve with ODoH.
The protocol works by presenting a proxy server between you and the DNS server. The proxy goes about as a go-between, sending your requests to the DNS server, and conveying its reactions back while never telling it who mentioned the information.
Simply presenting a proxy server, however, is just moving the issue up to one level: if it has the request, and realizes you sent it, what keeps it from making its own log of websites you visited? That is the place where the “DNS over HTTPS” (DoH) some portion of ODoH comes in. DoH is a standard that has been around for a few years, however, it isn’t very widespread. It uses encryption to guarantee that only the DNS server can read your requests. By utilizing DoH, at that point directing it through a proxy server, you end up with a proxy server that can’t read the request and a DNS server that can’t tell where it came from.
This leaves the question: Will this really secure your privacy? It implies that the DNS server won’t have the option to keep a log of which websites you explicitly are visiting, yet in case you’re planning to hide your browsing data from your ISP, ODoH (or comparable technologies, similar to DNSCrypt’s Anonymized DNS) most likely won’t sufficiently be. ISPs still route the entirety of your other traffic, so hiding your DNS may not keep them from building a profile of you.
The reality of the situation is that remaining private online isn’t something you can accomplish by setting up a single tool. It’s a lifestyle that actually might be absurd in reality. So, anonymizing your DNS requests is a block to add to your privacy divider when the technology opens up.
Cloudflare has just added the ability to take ODoH requests to their 126.96.36.199 DNS service, however, you may need to stand by until your browser or OS support it, which could take some time (DoH, for instance, was approved in 2018, and is just on by default in the US version of Firefox). In case you’re anxious to use the new protocol, Firefox may be the one to look for ODoH, as well: its CTO says the team is “excited to see it starting to take off and are looking forward to experimenting with it.”