SecureMac, Inc.

Apple and Cloudflare develop a more private Internet protocol

December 14, 2020

Apple and Cloudflare have teamed up to build a better Internet protocol. Known as ODoH, the new protocol is designed to enhance privacy by making it harder for third parties to see what users are doing online.

Apple and Cloudflare develop a more private Internet protocol

Apple and Cloudflare have teamed up to build a better Internet protocol. Known as ODoH, the new protocol is designed to enhance privacy by making it harder for third parties to see what users are doing online.

ODoH stands for Oblivious DNS-over-HTTPS. There’s clearly a lot to unpack in that name, but don’t worry, we’re going to take it step by step! In this article, we’ll tell you about ODoH, try to answer some common questions about the technology, and say what it all means for the future of privacy.

What is DNS?

To understand what ODoH is, what it’s doing, and why it matters, you first need to know what happens when you go online — and why this can be a problem for user privacy.

Every time you type a website’s domain name into your web browser, the domain name has to be converted to the site’s numeric IP address (e.g. example.com > 107.170.200.240) so that the correct web server can be reached.

Your computer doesn’t know the IP address of every website on the Internet, so it has to ask first: by sending a lookup request to a Domain Name System (DNS) server that maintains authoritative records of which domain names correspond to which IP addresses.

How does DNS affect privacy?

DNS servers are typically maintained by Internet Service Providers (ISPs) and by large web infrastructure companies like Google and Cloudflare, among others. Therein lies the problem: every time you go to a website, some third party — usually your ISP — knows exactly what website you’re trying to visit, because you just asked them to send you the site’s IP address!

From a privacy perspective, this is far from ideal, and if your ISP retains logs of their users’ DNS lookup requests, this effectively creates a secret history of your Internet activity.

The fact that ISPs are often involved in the handling of DNS requests is one of the main reasons that people use VPNs (more on this later); it is also the cause of a common VPN privacy issue known as a DNS leak

What is DNS-over-HTTPS?

ISPs having access to your DNS requests is bad enough, but there’s an even bigger problem with standard DNS: the lookup requests themselves are unencrypted, and this means that they can be seen by network snoops and hackers.

In a worst-case scenario, a bad actor might even be able to intercept and alter the response that the DNS server is trying to send to your computer, and thus redirect you to a malicious website.

In order to make DNS safer, something called DNS-over-HTTPS (DoH) was developed. DoH uses the secure HTTPS protocol to encrypt DNS lookup requests so third parties can’t view or interfere with them.  

What is ODoH?

DNS-over-HTTPS is much safer than regular old DNS, but it still allows a third party (your ISP, a service like Cloudflare or Google, or your VPN) to see what sites you’re visiting.

ODoH is intended to fix this limitation by anonymizing DNS lookup requests so that the DNS server doesn’t know which IP address is asking it for information.

According to the Cloudflare technical brief, this will be accomplished by using a proxy server, which is basically just an intermediate server that takes network traffic from one IP address and forwards it on to a different IP address (note that this is not the same thing as a VPN; see this article for an explanation of the difference between proxies and VPNs)

How does ODoH work?

In the ODoH protocol, whenever your computer needs to send a DNS lookup request, it first encrypts the request using public key encryption, and then sends the encrypted request to a proxy server. Crucially, the proxy server is not controlled by the same entity as the DNS server: We’ll soon see why this is important.

The proxy server forwards the encrypted request to the DNS server, which translates the requested domain name into the proper IP address and then forwards an encrypted response back to you via the proxy server.

The use of public key encryption means that only the DNS server can read and respond to your DNS lookup request: the proxy server can see your IP address, but it can’t view the details of your request.

On the other hand, the use of an independent proxy server means that the DNS server can’t see your IP address: It can only see the proxy server’s IP address. In other words, it’s “oblivious” to the IP address sending the request … hence the name ODoH.

At any given time, you are the only participant in the DNS process who can see both your IP address and what website you’re requesting. The proxy knows who you are, but not what you’re doing; the DNS server knows what you’re doing, but not who you are!

Is ODoH available now?

ODoH is still in the development stage, but there have already been some encouraging signs about the future of this technology. ODoH has performed well in initial speed tests, and at least one major browser vendor (Firefox) has expressed enthusiasm for ODoH and said that they’re eager to experiment with the protocol.

Looking ahead, the next big step is to get ODoH recognized by the Internet Engineering Task Force (IETF), an organization that helps to define and promote open standards for the web, with an eventual goal of widespread adoption by the big web services, web infrastructure, and web browser companies.

Until then, the best way to protect your online privacy from your ISP and others is by using Tor or a reputable, no-logs VPN service. To learn more about these topics, check out our article on Tor, as well as our complete guide to VPNs for Mac users.

Get the latest security news and deals