Oblivious DNS standard promises improved privacy
Oblivious DNS is a new proposed DNS standard that has been co-authored by engineers from Apple, Fastly and Cloudflare to improve privacy during DNS operations.
DNS is a fundamental cornerstone of the Internet as it translates domain names, e.g. ghacks.net, into IP addresses that computers use. Whenever you connect to a site on the Internet, DNS is needed.
DNS involves a client device, e.g. a user PC, and a DNS server. The server may be operated by the user's Internet Service Provider, but it is also possible to change it to another provider as it may result in better performance and privacy.
The introduction of encrypted DNS standards, DNS over HTTPS and DNS over TLS, protect DNS traffic against third-parties listening in. DNS traffic alone is valuable as it includes all destinations a user visits when using the Internet.
While DNS traffic is encrypted if one of the encryption standards is used, it is still the case that the DNS provider has access to the IP address of the device the user uses and all the destinations. The proposed standard ODoH (Oblivious DNS over HTTPS) promises to change that.
Basically, what ODoH does is add a proxy to the requests that sits between the client device and the DNS provider.
Traffic flows through the proxy and that results in improved privacy.
- The DNS provider communicates only with the Proxy and not the client. In other words, the DNS provider sees the proxy IP but not the IP of the user device.
- The Proxy sees the user IP as it communicates directly with it, but it has no information on the DNS request as it is encrypted.
ODoH adds another level of encryption to the DNS message itself to ensure that the proxy cannot read it. Cloudflare has published a detailed overview of Oblivious DNS that provides additional technical details. The research paper Oblivious DNS over HTTPS (ODoH): A Practical Privacy Enhancement to DNS provides additional details.
Cloudflare ran benchmarks to determine the performance cost of ODoH. It compared the performance to DoH and concluded that there is a cost, but that it is marginal.
Cloudflare's DNS Resolver 126.96.36.199 supports ODoH already; the company has open sourced implementations, Support may come to Firefox in the future, as confirmed by Eric Rescorla, CTO of Firefox.
Oblivious DNS separates a device's IP address from its DNS queries. That is a good thing as it prevents that DNS providers link IP addresses to DNS queries.
Now You: what is your take on Oblivious DNS?Advertisement