Cloudflare, along with Apple and Fastly, has developed a new DNS (Domain Name System) standard that can potentially make it difficult for internet service providers (ISPs) to track which websites their users visit. In a blog post, the companies unveiled the Oblivious DNS over HTTPS (ODoH) protocol, which adds a layer of encryption to shield DNS queries not just from interception by external actors but also from ISPs.
A bit of background on how websites work: when a user enters a website address (say medianama.com) into a browser, a DNS resolver converts the text into a machine-readable IP address (ISPs decide which DNS resolvers are used on their networks, and users seldom change them). In a simple set-up, DNS queries are not encrypted, meaning both the DNS resolver and any third party who intercepts them can read them. Newer protocols like DNS over HTTPS (DoH) and DNS over TLS (DoT) prevent interception, modification and redirection by third parties. However, the concern that the resolver itself can read DNS queries remains.
ODoH is supposed to address this concern. Along with adding a layer of encryption to the queries, it adds a proxy layer between users and the target. This will, according to Cloudflare, ensure that (i) the DNS resolver knows only which website is being requested, while (ii) only the proxy knows the identity of the user. Because of the encryption layer, the proxy itself has no visibility into the DNS messages; only the intended target can read the query. The company also announced that PCCW Global, SURF and Equinix have been brought on as partners for the ODoH launch.
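The split of knowledge described above, as an added example that is not part of the original article or of Cloudflare's ODoH code: a Go simulation of one ODoH-style query (in ODoH the "target" is the resolver, not the website being looked up). The client encrypts the name to the target's published X25519 key and hands the sealed envelope to the proxy; the proxy learns the client's address but relays only opaque bytes, and the target decrypts the name but is contacted by the proxy, so it never sees the client's address. The zone entries and addresses are constructed, the HMAC-based key derivation stands in for the RFC 9180 HPKE that real ODoH uses, and the encrypted payload is a bare name rather than a DNS wire-format message; these are simplifications of this example, not features of the protocol.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed toy zone standing in for the target resolver's upstream lookups.
var zone = map[string]string{
	"medianama.com": "192.0.2.10", // RFC 5737 documentation address
}

// View is what one party learned: sender address, query name if legible, raw bytes seen.
type View struct {
	PeerAddr, QueryName string
	Opaque              []byte
}

// must keeps client-side setup short; keygen and ECDH on our own keys cannot fail.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// deriveKey is a one-step HMAC KDF over the X25519 shared secret, standing in for
// RFC 9180 HPKE; as there, only the holder of the target's private key can reach it.
func deriveKey(shared []byte, label string) cipher.AEAD {
	mac := hmac.New(sha256.New, shared)
	mac.Write([]byte(label))
	return must(cipher.NewGCM(must(aes.NewCipher(mac.Sum(nil))))) // AES-256-GCM
}

// seal returns nonce || AES-GCM ciphertext; open reverses it, rejecting short input.
func seal(aead cipher.AEAD, plaintext []byte) []byte {
	nonce := make([]byte, aead.NonceSize())
	must(rand.Read(nonce))
	return aead.Seal(nonce, nonce, plaintext, nil)
}
func open(aead cipher.AEAD, msg []byte) ([]byte, error) {
	n := aead.NonceSize()
	if len(msg) < n {
		return nil, fmt.Errorf("truncated message (%d bytes)", len(msg))
	}
	return aead.Open(nil, msg[:n], msg[n:], nil)
}

// Target is the ODoH resolver; clients obtain only its public key.
type Target struct{ priv *ecdh.PrivateKey }
func NewTarget() *Target { return &Target{must(ecdh.X25519().GenerateKey(rand.Reader))} }

// Handle decrypts an envelope (client ephemeral pubkey || sealed query), answers from
// the zone (unknown names get ""), and seals the answer. Input is untrusted, so it errors.
func (t *Target) Handle(fromAddr string, envelope []byte) ([]byte, View, error) {
	seen := View{PeerAddr: fromAddr, Opaque: envelope}
	if len(envelope) < 32 {
		return nil, seen, fmt.Errorf("envelope too short")
	}
	ephPub, err := ecdh.X25519().NewPublicKey(envelope[:32])
	if err != nil {
		return nil, seen, err
	}
	shared, err := t.priv.ECDH(ephPub)
	if err != nil {
		return nil, seen, err
	}
	query, err := open(deriveKey(shared, "query"), envelope[32:])
	if err != nil {
		return nil, seen, err
	}
	seen.QueryName = string(query)
	answer := zone[seen.QueryName]
	return seal(deriveKey(shared, "response"), []byte(answer)), seen, nil
}

// Query is the client: encrypt the name to the target's key, send via the proxy,
// decrypt the sealed answer, and report what the proxy and the target each saw.
func Query(t *Target, proxyAddr, clientAddr, name string) (string, View, View, error) {
	eph := must(ecdh.X25519().GenerateKey(rand.Reader))
	shared := must(eph.ECDH(t.priv.PublicKey())) // client side: public key only
	envelope := append(eph.PublicKey().Bytes(), seal(deriveKey(shared, "query"), []byte(name))...)
	// Proxy hop: it learns the client's address but relays only opaque bytes, and
	// the target is told the proxy's address rather than the client's.
	proxySeen := View{PeerAddr: clientAddr, Opaque: envelope}
	resp, targetSeen, err := t.Handle(proxyAddr, envelope)
	if err != nil {
		return "", proxySeen, targetSeen, err
	}
	answer, err := open(deriveKey(shared, "response"), resp)
	return string(answer), proxySeen, targetSeen, err
}

func main() {
	ans, proxySeen, targetSeen, err := Query(NewTarget(), "proxy.example:443", "198.51.100.7", "medianama.com")
	fmt.Printf("answer=%s err=%v\nproxy saw %+v\ntarget saw %+v\n", ans, err, proxySeen, targetSeen)
}
```

Running it prints the resolved address together with the two views: the proxy's view carries the client address and ciphertext in which the name does not appear, while the target's view carries the name and the proxy's address. The separation only holds if the proxy and the target are operated by parties that do not pool their logs, which is why the launch partners mentioned above run proxies separate from the resolver.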
Cloudflare claims that ODoH will not degrade performance, in spite of the added proxy layer. The additional cost of a proxied query and response was less than 1 millisecond in most cases, the company said.
Nick Sullivan, Cloudflare’s head of research, told TechCrunch that a few partners are already running proxies, allowing early adopters to use ODoH through Cloudflare’s existing (188.8.131.52) DNS resolver. However, the publication speculated that ODoH will gain mass adoption only after it is certified by the Internet Engineering Task Force.