Cloudflare touts privacy-friendly 1.1.1.1 public DNS service. Hmm, let's take a closer look at that

We'll share query data, but only with these really trustworthy researchers

Illustration of someone's privacy being invaded
You'll prise these hoodie hacker illustrations out of our cold dead hands

Updated Cloudflare has revealed a deal with regional internet registry APNIC to provide a possibly more privacy-conscious DNS resolver at a prestige network address, 1.1.1.1.

The biz contends DNS – which translates human-friendly domain names like theregister.com into numeric IP addresses, such as 159.100.131.165, used by software – lacks privacy protection. That largely undisputed claim has become more noteworthy since the US Congress last year dropped rules that prohibited ISPs from selling users' browsing data.

"Your ISP, and anyone else listening in on the internet, can see every site you visit and every app you use – even if their content is encrypted," the company says on its 1.1.1.1 website. "Creepily, some DNS providers sell data about your Internet activity or use it target you with ads."

Surveilling service providers might prefer the term "thoughtfully" rather than "creepily," based on the self-serving presumption that they're helping people with targeted ads.

What do we want? Privacy! When do we want it...

While not every ISP behaves in this way – San Francisco-based MonkeyBrains, for example, states,"[W]e do not inspect [internet] traffic and believe all users on our network are entitled to a private and anonymous interaction with the Internet" – enough do that Cloudflare's pitch could strike a chord among those looking to reduce dependence on the likes of Facebook and Google.

Cloudflare's 1.1.1.1 isn't primarily a website; it's a DNS lookup service that, when queried by browsers and other software, asks around to various servers where to find the authoritative name server to resolve a particular domain to a network IP address.

Ironically for a project predicated on privacy, Cloudflare is sharing DNS query data with APNIC Labs, a part of Asian registry APNIC, in exchange for the use of its 1.1.1.1 network address. The regional internet registry insists it wants to better understand the technical intricacies of DNS, in order to mitigate denial-of-service attacks and to optimize server communication.

The research relationship is set to run for at least five years, after which it may be renewed and APNIC will consider permanently allocating the 1.1.1.1 IP address – along with 1.0.0.1 – to Cloudflare.

Cloudflare also operates its DNS resolver through two IPv6 addresses: 2606:4700:4700::1111 and 2606:4700:4700::1001.

Bleedin' hell

APNIC Labs says it is aware how sensitive DNS query data can be and is committed to minimizing the possibility of data leaks, something Cloudflare had to deal with during last year's Cloudbleed vulnerability.

"We will be destroying all 'raw' DNS data as soon as we have performed statistical analysis on the data flow," APNIC Labs said in a blog post on Sunday.

"We will not be compiling any form of profiles of activity that could be used to identify individuals, and we will ensure that any retained processed data is sufficiently generic that it will not be susceptible to efforts to reconstruct individual profiles."

APNIC Labs says that it will also limit access to the data by its researchers and will abide by its non-disclosure policies.

Logging

In this Cloudflare's venture is similar to Google's Public DNS (8.8.8.8), which claims that it keeps some data for just 24 to 48 hours. Google, however, keeps other non-personally identifiable information for longer periods.

Sure enough, Cloudflare has positioned its DNS service as an alternative to Google's.

"Cloudflare's business has never been built around tracking users or selling advertising," said CEO Matthew Prince in a blog post. "We don't see personal data as an asset; we see it as a toxic asset."

Face Palm D'oh from Shutterstock

IETF protects privacy and helps net neutrality with DNS over HTTPS

READ MORE

The privacy afforded by Cloudflare's DNS service only blinds ISPs to a small portion of data travelling to and from a device – the DNS query.

Other protective elements have to be added to make a more plausible set of privacy armor.

Two of these, DNS-over-TLS (DoT), and DNS-over-HTTPS (DoH), are evolving protocols that Cloudflare's DNS resolver supports and have begun showing up in browsers. They prevent DNS queries from being logged by the user's ISP and complement other protocols like DNSSEC, which is used to verify the authenticity of domain records.

Cloudflare's system also supports "Query Minimization" (reduces data sent in DNS queries), and "Aggressive negative answers" (DNSSEC performance enhancement). Beyond that, a VPN can shield other data traffic from one's ISP, provided it's trustworthy.

The primary virtue of Cloudflare's DNS resolver, beyond not being run by Google, may be its speed. The company claims 1.1.1.1 has the fastest response time, averaging 14ms globally, using DNSPerf measurements. ®

Updated to add

Cloudflare CTO John Graham-Cumming got in touch to clarify that while APNIC will have access to DNS query data, it will not have access to logs of IP addresses of people sending in those queries.

PS: Cloudflare is rather enamored with Arm-compatible systems. Prince tweeted last month "why we're switching [from Intel processors] to Arm-based servers" with a photo showing a Qualcomm Centriq box drawing less power than an Intel x86 machine with, apparently, the same performance and workload.

It also published some initial findings here, and is understood to be considering shifting its production environment over to Arm.

Sponsored: Minds Mastering Machines - Call for papers now open




Biting the hand that feeds IT © 1998–2018