On April Fools’ Day Cloudflare launched a new public DNS (Domain Name System) service using the memorable network address 126.96.36.199.
Far from being a joke, the address and launch date look like clever marketing (188.8.131.52 echoes the date 4/1, as well as Google’s 184.108.40.206 DNS resolver and the Global Cyber Alliance’s 220.127.116.11) – grist to the mill of the claim that internet users who use the service for DNS will see snappier performance compared to that offered by most ISPs. (Bad Packets tested 18.104.22.168 from the UK, publishing its results on Twitter for anyone who’s interested in this topic.)
More significantly, Cloudflare used the launch to make the grand claim that 22.214.171.124 will boost internet privacy:
Cloudflare wants to operate the fastest public resolver on the planet while raising the standard of privacy protections for users.
Privacy has been slowly bubbling up as a theme for DNS services for some time but Cloudflare’s 126.96.36.199 makes this explicit.
In 2018, this is not without reason. In the UK, the Investigatory Powers Act 2016, requires ISPs to keep a year’s record of the websites customers have been visiting, while in the US ISPs are now allowed to monitor and sell their customer’s browsing behaviour to advertisers.
Both achieve this by monitoring DNS requests, the system through which internet domains understood by humans are resolved to the IP numbers used by computers.
ISPs can monitor DNS usage easily, in two ways: by running a DNS resolver and logging the requests it receives or, if customers choose to use somebody else’s DNS service, by reading the unencrypted DNS requests passing through its network.
Matthew Prince, Cloudflare CEO, explains:
What many internet users don’t realize is that even if you’re visiting a website that is encrypted – has the little green lock in your browser – that doesn’t keep your DNS resolver from knowing the identity of all the sites you visit.
How might 188.8.131.52, a resolver that will know the identity of the sites you visit, make a difference to this?
In several ways, Cloudflare says, starting with the fact that the company itself has promised not to monitor DNS queries made through its servers, wiping logs within 24 hours and not recording IP addresses.
That’s reassuring but doesn’t address the fundamental problem that even when a user submits DNS queries to 184.108.40.206 it is still possible for ISPs to see which internet domains the user is visiting.
For that reason, Cloudflare is supporting a number of emerging DNS security standards, starting with something called DNS Query Name Minimisation.
Proposed to the IETF as RFC8198, the standard aims to minimise the amount of data passed upstream during DNS resolution.
Encrypted DNS queries
Significantly, 220.127.116.11 will support emerging standards for encrypting DNS queries, DNS-over-HTTPS and DNS-over-TLS.
It’s still early days for these but what matters is that they both require support by browser makers and DNS services.
Bang on cue, Mozilla recently announced that it is testing DNS-over-HTTPS in Firefox in conjunction with – you guessed – Cloudflare. Google, meanwhile, started testing DNS-over-TLS on Android some time ago.
Not everyone is happy about Firefox sending DNS queries to Cloudflare (how can we be sure that we can trust Cloudflare?), but the same argument could be made about any security where the user must depend on the trustworthiness of a server.
The other way to encrypt DNS queries today is to use a VPN but that simply hides the DNS queries from your ISP and shares them with your VPN provider instead.
With HTTPS security establishing itself as the norm, it looks as if DNS is about to become the next big internet privacy battleground.
11 comments on “Cloudflare’s 18.104.22.168 promises to make DNS more secure”
Hope this lights up the fire to fix existing TLS’s SNI clear text domain name issue
If the ISP is not able to decrypt the DNS requests, won’t the ISP still know the IP address of every HTTP get?
They won’t know they’re GETs (for all that it would be a good guess) and won’t know which URIs the user was interested in because the HTTP requests are inside the encrypted TLS data stream. But they will indeed see all IP:PORT destinations, plus the setup packets for every TLS session.
http get is not encrypted.
I meant HTTP requests inside TLS. Probably should simply have written HTTPS.
Cloudflare will boost internet privacy… Why am I doubtful?
This also gives them a greater ability to censor the internet as well, which they’re apparently interested in doing, as they personally see fit. Now not only can they let sites die, they can stop you from even resolving their addresses! Nothing to see here, move along. As little as I trust Google, at least they’ve been consistent about not filtering DNS results. Can we trust a company like Cloudfare to do the same? Doubting it.
The counter argument is that without DNS over TLS, anyone (an ISP, say) can monitor or block sites. Can’t see that trusting Cloudflare makes that situation worse. Over time, it’s likely more DoT providers will appear – the technology is bigger than one company or browser.
Is Sophos going support dns over tls or https in the XG product?
Will Sophos also support DNS over TLS for their UTM products?
At the moment, the UTM products support DNS via UDP only, which precludes us supporting DNS over TLS right now. We’re looking into changing that, but AFAIK we haven’t decided any of the if/why/what/when questions yet, so I can’t tell you any more than that. HtH.