Cloudflare is proposing a new DNS standard it developed with Apple that’s designed to help close a blindspot in my (and I’m sure many others’) internet privacy measures (via TechCrunch). The protocol is called Oblivious DNS over HTTPS (ODoH), and it’s meant to help anonymize the information that’s sent before you even make it onto a website. Whether that will help you with your overall net privacy is something we’ll tackle in a second, but first, we need to understand how regular DNS works, and what Cloudflare has added.
Basically, DNS lets us use the web without having to remember the IP address of every site we want to visit. While we humans can easily understand names like “theverge.com”, or “archive.org,” computers use IP addresses (like 220.127.116.11) to route their requests across the internet instead. This is where DNS comes in: when you type in a website’s name, your computer asks a DNS server (usually run by your ISP) to translate a name like “theverge.com” to the site’s actual IP. The DNS server will send it back, and your computer can load the site. (There are WAY more steps in this process, but this basic flow is all we’ll need to know to understand ODoH.)
If you’re concerned about privacy, you may have noticed that this system lets whoever runs the DNS server know about (and keep track of) every website you’re visiting. Usually, it’s your ISP running that server, and there’s nothing stopping them from selling that data to advertisers. This is the problem Cloudflare and co are looking to solve with ODoH.
The protocol works by introducing a proxy server between you and the DNS server. The proxy acts as a go-between, sending your requests to the DNS server, and delivering its responses back without ever letting it know who requested the data.
Just introducing a proxy server, though, is only moving the problem up one level: if it has the request, and also knows you sent it, what keeps it from making its own log of sites you visited? That’s where the “DNS over HTTPS” (DoH) part of ODoH comes in. DoH is a standard that’s been around for a couple years, though it isn’t very widespread. It uses encryption to ensure that only the DNS server can read your requests. By using DoH, then routing it through a proxy server, you end up with a proxy server that can’t read the request, and a DNS server that can’t tell where it came from.
This leaves the question: Will all this actually protect your privacy? It does mean that the DNS server won’t be able to keep a log of which sites you specifically are visiting, but if you’re hoping to hide your browsing information from your ISP, ODoH (or similar technologies, like DNSCrypt’s Anonymized DNS) probably won’t be enough. ISPs still route all your other traffic, so just hiding your DNS may not keep them from building a profile of you.
The truth of the matter is that staying private online isn’t something you can achieve by setting up a single tool. It’s a lifestyle that honestly may be unobtainable in the real world (at least for me). With that said, anonymizing your DNS requests is a brick to add to your privacy wall when the technology becomes available.
Cloudflare has already added ability to take ODoH requests to their 18.104.22.168 DNS service, but you may have to wait until your browser or OS support it, which could take a while (DoH, for example, was ratified in 2018, and is only on by default in the US version of Firefox). If you’re anxious to use the new protocol, Firefox might be the one to watch for ODoH, too: its CTO says the team is “excited to see it starting to take off and are looking forward to experimenting with it.”