
MacRumors

macrumors bot
Original poster
Apr 12, 2001
63,194
30,136


Cloudflare has today announced that it has developed a new internet protocol, in collaboration with engineers from Apple and Fastly, focused on privacy (via TechCrunch).



The protocol, dubbed "Oblivious DNS-over-HTTPS," or "ODoH," makes it more difficult for internet service providers to know which websites users have visited.

When visiting a website, a browser uses a DNS resolver to convert the web address into a machine-readable IP address that locates the server hosting the page. Traditionally this lookup is unencrypted, so ISPs can see each DNS query and infer which websites their users have visited. Internet service providers are also able to sell this information to advertisers.

Innovations such as DNS-over-HTTPS, or DoH, encrypt DNS queries in transit. While this helps deter bad actors who would hijack DNS queries to redirect victims to malicious websites, the DNS resolver itself is still able to see which websites are being visited.

ODoH decouples DNS queries from individual users, so the DNS resolver cannot know which websites have been visited. This is achieved by encrypting the DNS query before passing it through a proxy server. This way, the proxy cannot see the query and the DNS resolver cannot see who originally sent it.

"What ODoH is meant to do is separate the information about who is making the query and what the query is," said Cloudflare's head of research, Nick Sullivan.

Page loading times and browsing speeds are said to be "practically indistinguishable" when using the ODoH protocol, according to Sullivan.

However, ODoH is only able to ensure privacy when the proxy and the DNS resolver are not controlled by the same entity. This means that ODoH will depend on companies offering to run proxies, otherwise the "separation of knowledge is broken."

While a few unnamed partner organizations are already running proxies, allowing early adopters to use ODoH using Cloudflare's 1.1.1.1 DNS resolver, the vast majority of users will have to wait until the technology is directly baked into browsers and operating systems.

Though it will likely first need to be standardized by the Internet Engineering Task Force, given that Apple was directly involved in developing the technology, it is not unreasonable to expect Apple to be among the first to integrate it.

Article Link: Apple and Cloudflare Develop New Privacy-Focused Internet Protocol
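To make the "separation of knowledge" concrete, here is an added model (not Cloudflare's, Apple's or Fastly's code) of the three ODoH parties, with each hop logging what it can observe; the colluding-view function shows what is lost when one operator runs both proxy and resolver. The cipher, key sharing, IP addresses and zone data are all constructed stand-ins: real ODoH encrypts the query to the target's public key with HPKE.

```python
"""Toy model of the ODoH knowledge split: the proxy learns who asked, the target
resolver learns what was asked, and neither learns both. The cipher is a stand-in
XOR keystream keyed by a secret shared by client and target; real ODoH uses HPKE."""
import hashlib
import os

RECORDS = {b"example.com": b"93.184.216.34"}  # constructed zone data for the target
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks, counter = b"", 0
    while len(blocks) < length:
        blocks += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return blocks[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)  # fresh per message, so repeated queries look different
    return nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

class Target:  # ODoH target resolver: sees plaintext queries, but only the proxy's IP
    def __init__(self, key: bytes):
        self.key, self.seen = key, []
    def handle(self, sender_ip: str, ciphertext: bytes) -> bytes:
        query = decrypt(self.key, ciphertext)
        self.seen.append((sender_ip, query))
        return encrypt(self.key, RECORDS.get(query, b"NXDOMAIN"))

class Proxy:  # ODoH proxy: sees the client's IP, but only opaque ciphertext
    def __init__(self, ip: str, target: Target):
        self.ip, self.target, self.seen = ip, target, []
    def relay(self, client_ip: str, ciphertext: bytes) -> bytes:
        self.seen.append((client_ip, ciphertext))
        return self.target.handle(self.ip, ciphertext)  # forwarded from the proxy's address

def client_query(client_ip: str, proxy: Proxy, key: bytes, name: bytes) -> bytes:
    return decrypt(key, proxy.relay(client_ip, encrypt(key, name)))

def colluding_view(proxy: Proxy, target: Target) -> list:
    """One operator running both hops pairs the two logs by order and re-links IP to query."""
    return [(ip, q) for (ip, _), (_, q) in zip(proxy.seen, target.seen)]

def run_demo():
    key = os.urandom(32)  # constructed; stands in for the target's published key
    target = Target(key)
    proxy = Proxy("203.0.113.7", target)  # documentation-range IPs, constructed
    answer = client_query("198.51.100.42", proxy, key, b"example.com")
    return answer, proxy.seen, target.seen, colluding_view(proxy, target)
```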
 

a m u n

macrumors regular
Aug 14, 2018
219
2,458
Today we are announcing support for a new proposed DNS standard — co-authored by engineers from Cloudflare, Apple, and Fastly — that separates IP addresses from queries, so that no single entity can see both at the same time.


luvbug

macrumors 6502a
Aug 11, 2017
565
1,538
Getting closer every day!
And I *just* started using CF's WARP+ on my phone and Mac yesterday! It's a user-space WireGuard VPN to CF's closest edge presence to you, with DNS resolved on their super-fast DNS 1.1.1.1. LOVE IT!
EDIT: WARP+ goes beyond what this article is about, btw, and is available today.
 

Helmlein

macrumors member
Sep 25, 2009
55
34
DNS resolution is something that should be implemented for the OS, not in the browser. The browser in turn can query the OS resolver library. Therefore: thanks but no thanks. Better implement those in the OS resolver library, so ALL applications can benefit.

And businesses will know how to configure their MITM-proxies to prevent (O-)DoH or DoT anyway; this will just help the likes of BlueCoat.

H.
 

370zulu

macrumors 6502
Nov 4, 2014
344
293
You have to trust the resolver, and if you have content filtering in use that uses DNS-based filtering, this is not a good thing. That said, I have found Cloudflare to be very fast and secure. Since I do use content filtering and ad blocking, I use Pi-hole with Unbound and it has been great.
 

Unsupported

macrumors 6502a
Jul 23, 2020
705
749
a land far, far away...
Who TF is "Fastly"?

I have one of their cookies (fastly.net), or data, stashed on my iPhone and I cannot delete it no matter how many times I try to in Settings - Safari - Advanced - Website Data!
 

patimages

macrumors newbie
Feb 18, 2015
26
7
Hello,
As far as I understand, Big Sur offers DoH but no encrypted SNI (which defeats the purpose). Anyone managed to get encrypted SNI to work using Safari? Firefox offers it within the browser; Safari would require a profile (system-wide approach), but I don't manage to encrypt SNI when using Safari even after installing a profile. FYI: This can be tested here: https://www.cloudflare.com/ssl/encrypted-sni/
Anyone managed?
Thanks!
 

locovaca

macrumors 6502
May 14, 2002
427
1,222
Iowa
You have to trust the resolver, and if you have content filtering in use that uses DNS-based filtering, this is not a good thing. That said, I have found Cloudflare to be very fast and secure. Since I do use content filtering and ad blocking, I use Pi-hole with Unbound and it has been great.
Yup, and now we're running into the issue of apps and devices that ignore DNS servers offered up by your router and instead hardcode Google or others so they can defeat DNS-based ad blockers. This is just another attempt to keep ads working under the guise of "security."
 

Helmlein

macrumors member
Sep 25, 2009
55
34
That doesn’t protect you from your ISP’s eyes and selling your browsing data. Ali and Bob in tech support still know you’re into dwarf domination cosplay.
Technically correct; however, the most talkative devices are possibly the television sets and Smarthome-IoT-boxes. On top of that, a large part of Internet connections are used by more than one person. So in my case (I've got an internal DNS server anyway, but the ISP still sees the DNS queries the server passes on) that would be a family of four, a Samsung TV (big mess!), some game consoles.

I'm not sure if the resulting profile is really worth a lot, at least not commercially....:)

H.
 

oneMadRssn

macrumors 603
Sep 8, 2011
5,958
13,938
I wonder how this will affect PiHole setups in the future.

I recently installed PiHole on my home network and it's been a very eye-opening experience. The amount of requests all these smart devices and various apps put out is amazing.

I know it is very unpopular around here, and I've been raged-against on this forum, but I think having metered internet connections where we pay per GB or MB would really incentivize all smart device manufacturers and app developers to be as efficient as possible with data, and be best in the long run.
 