Cloudflare’s 1.1.1.1 promises to make DNS more secure

On April Fools’ Day Cloudflare launched a new public DNS (Domain Name System) service using the memorable network address 1.1.1.1.

Far from being a joke, the address and launch date look like clever marketing (1.1.1.1 echoes the date 4/1, as well as Google’s DNS resolver and the Global Cyber Alliance’s) – grist to the mill of the claim that internet users who use the service for DNS will see snappier performance than that offered by most ISPs. (Bad Packets tested from the UK, publishing its results on Twitter for anyone who’s interested in this topic.)

More significantly, Cloudflare used the launch to make the grand claim that 1.1.1.1 will boost internet privacy:

Cloudflare wants to operate the fastest public resolver on the planet while raising the standard of privacy protections for users.

Privacy has been slowly bubbling up as a theme for DNS services for some time, but Cloudflare’s 1.1.1.1 makes this explicit.

In 2018, this is not without reason. In the UK, the Investigatory Powers Act 2016 requires ISPs to keep a year’s record of the websites customers have been visiting, while in the US ISPs are now allowed to monitor and sell their customers’ browsing behaviour to advertisers.

Both rely on monitoring DNS requests. DNS is the system through which human-readable domain names are resolved to the IP addresses used by computers, so a record of a customer’s DNS queries is a record of the sites they visit.

ISPs can monitor DNS usage easily, in two ways: by running a DNS resolver and logging the requests it receives or, if customers choose to use somebody else’s DNS service, by reading the unencrypted DNS requests passing through their networks.

Matthew Prince, Cloudflare CEO, explains:

What many internet users don’t realize is that even if you’re visiting a website that is encrypted – has the little green lock in your browser – that doesn’t keep your DNS resolver from knowing the identity of all the sites you visit.

How might 1.1.1.1, a resolver that will know the identity of the sites you visit, make a difference to this?

In several ways, Cloudflare says, starting with the fact that the company itself has promised not to monitor DNS queries made through its servers, wiping logs within 24 hours and not recording IP addresses.

That’s reassuring but doesn’t address the fundamental problem that even when a user submits DNS queries to 1.1.1.1, it is still possible for ISPs to see which internet domains the user is visiting.

For that reason, Cloudflare is supporting a number of emerging DNS security standards, starting with something called DNS Query Name Minimisation.

Proposed to the IETF as RFC8198, the standard aims to minimise the amount of data passed upstream during DNS resolution: instead of sending the full name being looked up to every server in the delegation chain, the resolver sends each server only as much of the name as that server needs to answer.
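To make the minimisation idea concrete, here is an added example (not code from the article, Cloudflare or any resolver) that models which part of a queried name each upstream server learns with and without query name minimisation. Nothing is sent on the network: the caller supplies the delegation chain (the zone cuts walked during resolution) as a constructed input, and the minimised walk follows the usual shape of the technique: ask each zone’s servers for the zone name plus one more label with type NS, add a label whenever the answer shows no delegation, and send the full name with the real query type only to the last server.

```python
# Added example (not part of the original article): models which part of a
# queried name each upstream server learns, with and without query name
# minimisation. No network traffic is sent; the delegation chain is a
# constructed input supplied by the caller.

def split_labels(name):
    """'www.Example.com.' -> ['www', 'example', 'com']; '.' -> []."""
    name = name.strip().rstrip(".").lower()
    return name.split(".") if name else []


def join_labels(labels):
    """['example', 'com'] -> 'example.com.'; [] -> '.' (the root)."""
    return ".".join(labels) + "."


def resolution_steps(name, zone_cuts, qtype="A", minimise=True):
    """Return the (zone_queried, qname_sent, qtype_sent) triples a resolver emits.

    zone_cuts lists the zones walked during resolution, root first, e.g.
    ['.', 'com.', 'example.com.']; each cut must be a suffix of `name`.
    Without minimisation the full name goes to every server. With it, the
    servers for zone Z are asked for Z plus one label (type NS); one more
    label is revealed after each answer that shows no delegation, and the
    full name with the real qtype goes only to the server that can answer it.
    """
    full = split_labels(name)
    cuts = [split_labels(z) for z in zone_cuts]
    for cut in cuts:
        if cut and full[-len(cut):] != cut:
            raise ValueError(f"{join_labels(cut)} is not a suffix of {join_labels(full)}")
    steps = []
    for i, zone in enumerate(cuts):
        next_zone = cuts[i + 1] if i + 1 < len(cuts) else None
        if not minimise:
            steps.append((join_labels(zone), join_labels(full), qtype))
            continue
        n = len(zone) + 1
        while True:
            if n >= len(full):
                steps.append((join_labels(zone), join_labels(full), qtype))
                break
            candidate = full[-n:]
            steps.append((join_labels(zone), join_labels(candidate), "NS"))
            if candidate == next_zone:
                break  # delegation found: move on to the next zone's servers
            n += 1     # no delegation at this length: reveal one more label
    return steps


def labels_learned(steps):
    """Maximum number of labels of the queried name each zone's servers saw."""
    seen = {}
    for zone, qname, _ in steps:
        seen[zone] = max(seen.get(zone, 0), len(split_labels(qname)))
    return seen


if __name__ == "__main__":
    chain = [".", "com.", "example.com."]  # constructed delegation chain
    for minimise in (False, True):
        print("minimised" if minimise else "classic")
        for zone, qname, qt in resolution_steps("www.example.com", chain, minimise=minimise):
            print(f"  -> servers for {zone:14} asked for {qname} {qt}")
```

Running it shows the difference in one glance: classically the root and .com servers both see the full www.example.com, whereas with minimisation the root learns only “com.” and the .com servers only “example.com.”. The model also covers names with labels below the last zone cut (a.b.example.co.uk under example.co.uk.), where the authoritative server is asked for progressively longer names rather than the full one straight away.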

Encrypted DNS queries

Significantly, 1.1.1.1 will support two emerging standards for encrypting DNS queries, DNS-over-HTTPS and DNS-over-TLS.

It’s still early days for these, but what matters is that they both require support from browser makers and DNS services alike.

Bang on cue, Mozilla recently announced that it is testing DNS-over-HTTPS in Firefox in conjunction with – you guessed – Cloudflare. Google, meanwhile, started testing DNS-over-TLS on Android some time ago.
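The contrast between an unencrypted query on the wire (which any network in the path can read, as described above) and the same query carried over DNS-over-HTTPS, as an added example that is not code from the article, Cloudflare or Mozilla: it builds a standard DNS query message, shows the name a passive observer on port 53 can read straight out of the packet, and wraps the identical bytes into the GET request form that RFC 8484 defines for DNS-over-HTTPS, where they travel inside TLS. The resolver URL is a constructed placeholder, and no request is actually sent.

```python
import base64
import struct

# Added example (not from the article): a minimal DNS query builder plus the
# two ways the query can travel. On UDP/53 the message is plaintext, so anyone
# on the path reads the name; over DNS-over-HTTPS (RFC 8484) the same bytes
# ride inside an HTTPS request and only the resolver sees them.

QTYPE_A = 1
QCLASS_IN = 1
FLAGS_RD = 0x0100  # standard query, recursion desired


def encode_qname(name):
    """Wire-format name: length-prefixed labels ending in a zero byte."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def build_query(name, qtype=QTYPE_A, txid=0):
    """12-byte header followed by one question.

    txid=0 is what RFC 8484 recommends for DoH GET requests so that
    identical queries produce identical, cacheable URLs.
    """
    header = struct.pack("!HHHHHH", txid, FLAGS_RD, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, QCLASS_IN)


def observed_qname(packet):
    """What a passive observer on port 53 learns: (name, qtype), in the clear."""
    if len(packet) < 12 or struct.unpack("!H", packet[4:6])[0] != 1:
        raise ValueError("not a single-question DNS message")
    pos, labels = 12, []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers do not occur in a query name")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, = struct.unpack("!H", packet[pos:pos + 2])
    return ".".join(labels) + ".", qtype


def doh_get_url(packet, base="https://resolver.example/dns-query"):
    """RFC 8484 GET form: the message, base64url-encoded without padding,
    as the dns= parameter. The base URL is a constructed placeholder."""
    encoded = base64.urlsafe_b64encode(packet).rstrip(b"=").decode("ascii")
    return f"{base}?dns={encoded}"


if __name__ == "__main__":
    q = build_query("www.example.com")
    print("on the wire (UDP/53):", q.hex())
    print("observer reads:      ", observed_qname(q))
    print("over DoH:            ", doh_get_url(q))
```

The dns= value this produces for www.example.com is byte-for-byte the worked example in RFC 8484, which is a handy check that the encoder is right. The point of the two output lines is the asymmetry: the name is trivially parsed out of the cleartext packet by anyone who can see the traffic, while the DoH form is just an opaque URL inside an HTTPS session, so the ISP’s second monitoring route described earlier (reading queries in transit) no longer works and only the chosen resolver learns the name.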

Not everyone is happy about Firefox sending DNS queries to Cloudflare (how can we be sure that we can trust Cloudflare?), but the same argument could be made about any security where the user must depend on the trustworthiness of a server.

The other way to encrypt DNS queries today is to use a VPN but that simply hides the DNS queries from your ISP and shares them with your VPN provider instead.

With HTTPS security establishing itself as the norm, it looks as if DNS is about to become the next big internet privacy battleground.