Engineers at Apple have teamed up with Cloudflare and Fastly to create Oblivious DNS over HTTPS, a new standard designed to make tracking users' online activities harder.
While the Internet offers users many privacy protections, including encryption protocols and virtual private networks (VPNs), one thing that remains easy to track is DNS (the domain name system). DNS, which acts as the Internet's address book, lets people use domain names that are linked to the IP (Internet Protocol) addresses of websites, making the whole system usable for ordinary users.
However, by design DNS queries are sent and received between devices in clear text, which outside parties can easily observe, making them a traceable element. Developments such as DNS over HTTPS (DoH) made it difficult for outsiders to alter DNS queries and redirect users to malicious sites, but still allowed user activity to be tracked.
In an effort to make DNS more private and less trackable, a group of engineers at Apple, Cloudflare and Fastly came up with a new standard, Oblivious DNS over HTTPS, or ODoH. By separating the client's IP address from the query, ODoH makes DNS lookups more private: no single party can see both the IP address and the query at the same time.
The system relies on two things: public-key encryption and a network proxy that sits between the client and the DoH server. The client encrypts the query and sends it to the DoH server via the proxy. The DoH server decrypts the query, produces a response, encrypts that answer and sends it back to the proxy, which relays it to the client.
In effect, the proxy sees the encrypted messages passing between the client and the DoH server, but not their content. The DoH server, meanwhile, sees the content of the message, but only the proxy's address, not the client's.
In theory the message content and the client address could be combined if both the proxy and the DoH server were run by the same entity, so the core requirement is that the proxy and the DoH server do not collude. In practice this means the proxy and the DoH server are operated by different companies.
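The exchange described above, as an added example that is not part of the original article and not code from Apple, Cloudflare or Fastly. Real ODoH (RFC 9230) wraps the query with HPKE; this Go stand-in uses what the standard library offers (an ephemeral-static X25519 exchange, a one-block HKDF-SHA256 and AES-256-GCM), so the key-wrapping details differ from the specification while the information flow is the same: the proxy forwards ciphertext and learns only the client's address, and the target decrypts the name and learns only the proxy's address. The type and function names (`Target`, `Proxy`, `Query`), the key labels, the `Seen` logs and the resolver's answer table are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Every derived key encrypts exactly one message (a fresh ephemeral key per
// query), so a fixed all-zero nonce is safe, as in HPKE's single-shot API.
var nonce = make([]byte, 12)

// aead turns the X25519 shared secret into an AES-256-GCM instance: one-block
// HKDF-SHA256 (RFC 5869) with a label that keeps query and response keys apart.
func aead(shared, salt []byte, label string) cipher.AEAD {
	ext := hmac.New(sha256.New, salt)
	ext.Write(shared)
	exp := hmac.New(sha256.New, ext.Sum(nil))
	exp.Write([]byte(label + "\x01"))
	block, _ := aes.NewCipher(exp.Sum(nil)) // 32-byte key: cannot fail
	g, _ := cipher.NewGCM(block)
	return g
}

// Target is the DoH resolver. Clients fetch its public key out of band;
// Answers is a constructed lookup table; Seen records what it learns per query.
type Target struct {
	priv    *ecdh.PrivateKey
	Answers map[string]string
	Seen    []string
}

func NewTarget(answers map[string]string) (*Target, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	return &Target{priv: priv, Answers: answers}, err
}

func (t *Target) PublicKey() *ecdh.PublicKey { return t.priv.PublicKey() }

// Resolve decrypts the name sent under the encapsulated key enc, answers it,
// and encrypts the answer under a response key from the same shared secret.
func (t *Target) Resolve(from string, enc, ct []byte) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(enc)
	if err != nil {
		return nil, err
	}
	shared, err := t.priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	name, err := aead(shared, enc, "odoh query").Open(nil, nonce, ct, nil)
	if err != nil {
		return nil, fmt.Errorf("rejecting tampered or malformed query: %w", err)
	}
	t.Seen = append(t.Seen, fmt.Sprintf("from=%s name=%s", from, name))
	answer, ok := t.Answers[string(name)]
	if !ok {
		answer = "NXDOMAIN"
	}
	return aead(shared, enc, "odoh response").Seal(nil, nonce, []byte(answer), nil), nil
}

// Proxy sits between client and target: it learns the client's address and
// message sizes, holds no key, and shows the target only its own address.
type Proxy struct {
	Addr   string
	Target *Target
	Seen   []string
}

func (p *Proxy) Forward(clientAddr string, enc, ct []byte) ([]byte, error) {
	p.Seen = append(p.Seen, fmt.Sprintf("from=%s bytes=%d", clientAddr, len(ct)))
	return p.Target.Resolve(p.Addr, enc, ct)
}

// Query is one client round trip: encapsulate an ephemeral key to the target's
// public key, encrypt the name, send through the proxy, decrypt the answer.
func Query(clientAddr string, targetPub *ecdh.PublicKey, proxy *Proxy, name string) (string, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return "", err
	}
	shared, err := eph.ECDH(targetPub)
	if err != nil {
		return "", err
	}
	enc := eph.PublicKey().Bytes()
	resp, err := proxy.Forward(clientAddr, enc, aead(shared, enc, "odoh query").Seal(nil, nonce, []byte(name), nil))
	if err != nil {
		return "", err
	}
	answer, err := aead(shared, enc, "odoh response").Open(nil, nonce, resp, nil)
	return string(answer), err
}
```

Exercising it means building a `Target` with a constructed answer table, wrapping it in a `Proxy`, and calling `Query` with a client address; the two `Seen` logs then show the split the article describes: the proxy's log holds the client address and a byte count but never a name, and the target's log holds the name and the proxy's address but never the client's. Because the query is authenticated, a proxy that alters the ciphertext gets an error from `Resolve` rather than a wrong answer, and nothing is logged for the rejected query.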
Adding encryption and decryption, plus a proxy hop, to a DNS query has raised concerns among users who want their DNS queries answered as quickly as possible. To address these concerns, Cloudflare says that initial testing of ODoH configurations is very promising.
According to the company, the additional encryption has only a marginal impact, adding about 1 millisecond for nearly 99 percent of queries.
Cloudflare and partners including PCCW Global, Surf and Equinix today launched ODoH proxies to encourage further development and adoption, using Cloudflare's 188.8.131.52 DNS resolver. Test proxies were made available to everyone so that interested parties can try the system for themselves.
While the current efforts promise significant improvements, it may be some time before consumers can use it. Even with Apple participating in the project, there is no guarantee that the standard will be used in iOS, macOS or Safari anytime soon.