Cloudflare, Apple and others are backing a new way to make the internet more private | GeekComparison

Cloudflare, Apple and others are backing a new way to make the internet more private

For more than three decades, the main foundation of the Internet has posed privacy and security threats to the more than one billion people who use it every day. Now Cloudflare, Apple and the content delivery network Fastly have introduced a new way to solve that using a technique that prevents service providers and network snoopers from seeing the addresses end users visit or send email to.

Engineers from all three companies have come up with Oblivious DNS, a major change to today’s domain name system that translates human-friendly domain names into the IP addresses that computers need to find other computers over the Internet. The companies are working with the Internet Engineering Task Force in hopes that this will become an industry standard. Oblivious DNS, abbreviated as ODoH, builds on a separate DNS enhancement called DNS over HTTPS, which is still in the very early stages of adoption.

The way DNS works now

When someone visits, or any other website for that matter, their browser must first obtain the IP address used by the hosting server (currently it is or To do this, the browser contacts a DNS resolver usually maintained by the ISP or a service such as Google’s or Cloudflare’s However, since its inception, DNS has suffered from two major weaknesses.

First, DNS queries and the answers they return are unencrypted. That makes it possible for anyone to view the connections to check what sites a user is visiting. Even worse, people with this ability may also be able to tamper with the answers so that the user goes to a site pretending to be, instead of the one you are reading right now.

To remedy this weakness, engineers at Cloudflare and elsewhere developed DNS over HTTPS or DoH and DNS over TLS or DoT. Both protocols encrypt DNS lookups, making it impossible for people between the sender and receiver to view or tamper with the traffic. As promising as DoH and DoT are, many people remain skeptical about them, especially since only a handful of providers offer them. Such a small pool allows these providers to log the internet usage of potentially billions of people.

Which brings us to the second major shortcoming of DNS. Even if DoH or DoT are present, the encryption does not prevent the DNS provider from seeing not only the lookup requests, but also the IP address of the computer making them. This makes it possible for the provider to build up extensive profiles of the people behind the addresses. As noted earlier, the privacy risk becomes even greater when DoH or DoT reduce the number of providers to just a handful.

ODoH is intended to remedy this second shortcoming. The emerging protocol uses encryption and places a network proxy between end users and a DoH server to guarantee that only the user can access both the DNS request information and the IP address it sends and receives. Cloudflare calls the end user the client and the DNS resolver managed by the ISP or another provider as the target. Below is a diagram.

Cloud Flame

How it works

In a blog post introducing the Oblivious DoH, Cloudflare researchers Tanya Verma and Sudheesh Singanamalla wrote:

The whole process starts with clients encrypting their query to the target using HPKE. Clients obtain the target’s public key through DNS, where it is bundled into an HTTPS resource record and protected by DNSSEC. When the TTL for this key expires, customers request a new copy of the key as needed (just as they would for an A/AAAA record when that record’s TTL expires). Using a target’s DNSSEC-validated public key guarantees that only the intended target can decrypt the query and encrypt an answer (response).

Clients send these encrypted queries to a proxy over an HTTPS connection. Upon receipt, the proxy forwards the query to the designated target. The target then decrypts the query, produces a response by sending the query to a recursive resolver such as, and then encrypts the response to the client. The client’s encrypted query contains encapsulated key material from which targets derive the symmetric key to encrypt the response.

This response is then sent back to the proxy and then forwarded to the client. All communication is authenticated and confidential, as these DNS messages are end-to-end encrypted, despite being sent over two separate HTTPS connections (client-proxy and proxy-target). The message that otherwise appears as plaintext to the proxy is actually an encrypted mutilation.

A work in progress

The post says engineers are still measuring the performance cost of adding the proxy and encryption. However, the first results seem promising. In one study, the additional overhead between a proxy DoH query/response and its ODoH counterpart was less than 1 millisecond at the 99th percentile. Cloudflare offers a much more detailed discussion of ODoH performance in its post.

So far, ODoH remains a work in progress. With help from Cloudflare, contributions from Apple and Fastly – and interest from Firefox and others – ODoH is worth taking seriously. At the same time, the absence of Google, Microsoft and other key players suggests that there is still a long way to go.

What is clear is that DNS remains blatantly weak. That one of the most fundamental mechanisms of the internet, in 2020, is not universally coded is downright crazy. Critics have opposed DoH and DoT out of concern that it trades privacy for security. If ODoH can convert the naysayers and not break the internet in the process, it’s worth it.

Leave a Comment