Deep Dive — Cloudflare & Apple add Privacy to Secure DNS with ODoH
Cloudflare, Apple, & hosting company Fastly have collaborated to create a new secure and private DNS specification that extends DNS over HTTPS (DoH). They’ve both released the spec, and released sample implementations of the various components in Ruby and Go.
The Problem to be Solved
DNS is a protocol for resolving human-friendly names into computer-friendly values of various kinds, including mapping internet domain names like
www.bartb.ie to IP addresses like
For the internet to work, lots and lots of DNS queries have to be resolved quickly, so the initial DNS implementation focused on efficiency above all else. This resulted in three big shortcomings:
- no authenticity — when you got an answer, there was no way to know whether or not it had been altered in transit
- no confidentiality — all DNS queries and responses were in plain text, everyone between the client and server (like your ISP) could see everything being looked up
- no anonymity — the server could see who was asking the questions.
We’ve been slowly picking off each of these problems one-by-one. DNSSEC allows the owners of domains to digitally sign their DNS records so clients can validate the answers they receive, proving that they haven’t been tampered with. In other words, DNSSEC provides authenticity (for the still small number of important domains that use it at present).
DoH (and DoT, DNS over TLS) added encryption between the client and the DNS server doing the resolving, removing the ability of the networks between client and server to see the DNS queries. This dealt with most of the confidentiality problem — only the two end-points could see the data in plain text, everyone in between, ISPs included, could only see the existence of an encrypted connection between client and server.
DoH was a huge step forward, but has one key shortcoming — the server still knows everything. DoH provides confidentiality while the queries are in transit, but the end-point of the encrypted connection still knows both the question being asked and, who’s asking. In other words, when you choose to use a DoH DNS provider like Google (188.8.131.52) or CloudFlare (184.108.40.206), they get to see every DNS query you make, and you are trusting them not to abuse that massive amount of very revealing information about you.
DoH’s lack on anonymity is compounded by the fact that there aren’t many DoH providers ATM, so those few providers that are in use are getting to see a lot of data, providing a very tempting target for attackers, and a very strong temptation to service providers!
ODoH to the Rescue! (Privacy with Anonymity)
What CloudFlare & Co. have done is add an additional layer to DoH to provide anonymity by arranging it in such a way that no party in the transaction (other than the client) know both who as asking and what their asking for, that knowledge gets split across two parties, so one knows who is asking, but not what they’re asking, and the other what is being asked for, but no by whom.
This extended protocol has been dubbed Oblivious DoH or ODoH.
With DoH you have a client that asks DNS questions, and a server that answers those questions, and the client and server communicate securely over HTTPS.
ODoH adds an extra party into the mix, an ODoH Proxy, and an extra layer of end-to-end encryption. With DoH a user only has to configure the server they want to use, with ODoH the client has to choose both a server and a proxy.
To send an ODoH query a client starts by encrypting their question with the server’s public key, this means only the server can decrypt the question. Rather than sending this question to the server, the client sends the question to the proxy, which then forwards the query on to the desired server. The proxy can’t see what is being asked because it doesn’t have the proxy’s private key. The server can decrypt the question, but it doesn’t know who the client is, just which proxy passed the question on to them.
As long as there is no collusion between the proxy and the server, ODoH DNS queries are both private and anonymous! For this reason, we’ll want to always use separate organisations for our chosen proxy and server.
While CloudFlare have configured 220.127.116.11 to act as an ODoH server, we can’t start getting the benefits of ODoH until we have some trust-worthy proxies to choose from, and until our browsers, OSes, and/or routers support the protocol. For now, this is a very promising technology, but it’s not ready for daily use by regular peeps just yet. I wouldn’t be surprised to see the likes of Firefox rolling this out quite quickly though. Many of us could well be using ODoH by this time next year!