
snakes-

macrumors 6502
Jul 27, 2011
331
123
WireGuard VPN solves privacy problems :) but 1.1.1.1 is fast, I tested it, even in combination with WireGuard.
But I like Quad9 too; not all is encrypted there, but this is a good DNS provider.
 

Airforcekid

macrumors 68000
Sep 29, 2008
1,698
666
United States of America
What does the app do that just changing your device or router DNS to 1.1.1.1 doesn't do?

Is the app just if you want to pay for their Warp+ service?
Changing your DNS to 1.1.1.1 (I recommend 1.1.1.2 as it blocks malware) is still unencrypted; you can use the app to configure DoH on your phone with or without Warp. Basically the app allows you to encrypt just your DNS requests, or your entire connection if you choose to use Warp. Personally I use nextdns.io; it's way more configurable and has blocklists, but any legitimate DoH provider is better than traditional DNS in both privacy and security.
 

Airforcekid

macrumors 68000
Sep 29, 2008
1,698
666
United States of America
Suggestions?
Cloudflare's app 1.1.1.1 is free if you use Warp, while Warp+ has a cost. It's perfect for checking your email on open wifi etc.; it even allows Netflix etc., so you can stream stuff safely at airports or hotels. It won't hide your location like other VPNs though, but it has a strong emphasis on security. (Most paid VPNs are technically worthless for what they are advertised to do anyway.)
 

Airforcekid

macrumors 68000
Sep 29, 2008
1,698
666
United States of America
How does using a VPN fit into this? My understanding is that by using a VPN, whilst you are preventing your ISP from seeing which websites you visit, you are entrusting that information to your VPN provider. Does this announcement have a bearing on using a VPN? TIA

That video may help. VPNs are generally good for securing your data on open networks, but on a typical home connection DoH or DNS over TLS should be enough.
 

MacBH928

macrumors 604
May 17, 2008
7,698
3,383
I thought they already said DoH does not add much more privacy?

Will this work with DNS sinkholes (Pi-hole)?
 

manu chao

macrumors 604
Jul 30, 2003
7,191
3,018
If you use your provider-assigned DNS server, they can have a look at its log to see what you wanted to have resolved. That's the easiest setup for them. They know you wanted "www.helmlein.example" and the IP address the query came from, they match it with their subscriber IP table and then they've got your name.

If you use your own DNS server (like Pi-hole or Unbound or whatever you may have set up), OR if you use one of the publicly available DNS services, your ISP needs to sniff the outgoing DNS queries, and while that's entirely possible (just catch everything with destination port 53), it's much harder for them. Also, the forwarded queries from a resolver DNS server don't look the same as the original ones from clients, but it's a problem that can be solved.

If you use any of the DoT/DoH alternatives, your ISP sees an encrypted session to a known DoT/DoH server (possible on various ports). In turn, the DoH or DoT server needs to be trusted (e.g. Cloudflare says they keep no log at all).

If you use this new ODoH, many different users send their queries to an ODoH proxy which can't decrypt the queries but puts in its own IP, so not even Cloudflare ever sees the true IP the query came from. I have not yet read the respective papers, but the encryption is interesting in this one, as the client needs to encrypt with something the target server can decrypt, so I will read up on that later. So in theory, you don't even need to trust either Cloudflare or the proxy.
I guess my understanding of DNS is too primitive. At its core, I thought my computer either 'asks' the ISP to be connected with a given IP address (if I specify my own DNS server preferences) or any request is directly forwarded to my ISP's DNS server. In both cases my computer gets back an IP address and asks the ISP to be connected with it. At that point the only thing that is left to do for the ISP is to do a reverse lookup.
 
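The "catch everything with destination port 53" point above, as an added illustration that is not part of the thread: a small Do53 query parser run over constructed flow records, showing that a plaintext query exposes the full name while DoT (port 853) and DoH (port 443) flows only reveal the resolver's address. The packet builder, the flow records and the hypothetical name www.helmlein.example are all constructed here.

```python
import struct

def build_query(qname, txid=0x1234):
    """Constructed sample: a standard Do53 query (type A, class IN) for qname."""
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def parse_qname(pkt):
    """Return (qname, txid) from a plaintext DNS message; raise ValueError if malformed."""
    if len(pkt) < 12:
        raise ValueError("short DNS header")
    txid, _flags, qdcount = struct.unpack("!HHH", pkt[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(pkt):
            raise ValueError("truncated name")
        n = pkt[pos]
        if n == 0:
            break
        if n & 0xC0:  # compression pointers are not valid in a query name
            raise ValueError("unexpected label pointer")
        pos += 1
        labels.append(pkt[pos:pos + n].decode("ascii"))
        pos += n
    return ".".join(labels), txid

def sensor_view(flows):
    """Emulate what a passive tap on the ISP side learns from each (dst_port, payload)."""
    out = []
    for dport, payload in flows:
        if dport == 53:
            out.append(("Do53", parse_qname(payload)[0]))      # name in the clear
        elif dport == 853:
            out.append(("DoT", "encrypted; only resolver IP visible"))
        else:
            out.append(("HTTPS/DoH", "indistinguishable from other HTTPS"))
    return out

# Constructed flow records; the TLS payloads are placeholder bytes, not real handshakes.
SAMPLE_FLOWS = [
    (53, build_query("www.helmlein.example")),
    (853, b"\x16\x03\x01\x00\x10"),
    (443, b"\x16\x03\x01\x00\x10"),
]
```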

Airforcekid

macrumors 68000
Sep 29, 2008
1,698
666
United States of America
Would the ISP not just be able to do reverse lookups to get past this?
I guess my understanding of DNS is too primitive. At its core, I thought my computer either 'asks' the ISP to be connected with a given IP address (if I specify my own DNS server preferences) or any request is directly forwarded to my ISP's DNS server. In both cases my computer gets back an IP address and asks the ISP to be connected with it. At that point the only thing that is left to do for the ISP is to do a reverse lookup.
Yes and no. If a website is hosted by a single server they can tell what you visited; if it's behind a CDN like Cloudflare, all they will see is the CDN's IP, which could be millions of different sites. Even a site hosted on Google or AWS could possibly look like Google or amazon.com. It's not perfect privacy, but it throws a wrench into the tracking. Your ISP could reach out to the CDN and request what site was accessed by an IP at a certain time, but I seriously doubt outside of criminal cases this would happen; it would be a waste for targeted advertising.
 

Tech198

macrumors P6
Mar 21, 2011
15,916
2,150
Australia, Perth
DNS resolution is something that should be implemented for the OS, not in the browser. The browser in turn can query the OS resolver library. Therefore: thanks but no thanks. Better implement those in the OS resolver library, so ALL applications can benefit.

And businesses will know how to configure their MITM-proxies to prevent (O-)DoH or DoT anyway; this will just help the likes of BlueCoat.

H.

Anything secure is good, but never force it..

If Safari does get it first, seems this would be a repeat of "once you enable 2FA, there is no way to disable it". Don't enforce this DNS on the OS; optional by browser... that way you have more of a choice, hopefully (much like Mozilla gives you HTTPS Everywhere, but does not enforce it).

At least the option is available with other companies.... That's the only bit I hate about Apple's method... Everyone has a right to have privacy, or not....
 

manu chao

macrumors 604
Jul 30, 2003
7,191
3,018
Yes and no. If a website is hosted by a single server they can tell what you visited; if it's behind a CDN like Cloudflare, all they will see is the CDN's IP, which could be millions of different sites. Even a site hosted on Google or AWS could possibly look like Google or amazon.com. It's not perfect privacy, but it throws a wrench into the tracking. Your ISP could reach out to the CDN and request what site was accessed by an IP at a certain time, but I seriously doubt outside of criminal cases this would happen; it would be a waste for targeted advertising.
But wouldn't there be an initial handshake with a server hosting, e.g., cnn.com? Or do the DNS servers already return an IP address of servers belonging to the CDN?
 

Dredd67

macrumors member
Sep 20, 2012
54
201
If I have the choice if my local ISP sees my DNS queries or Google (or Cloudflare for that matter, or any DoH server or ODoh proxy (which technically should not be able to decrypt them)) sees my DNS queries, I'd prefer my local ISP any time. Your mileage may vary.

The problem here is that you just introduce one more instance you need to trust. And while I would also prefer to segregate my data traces as much as possible, the threat from my ISP is just not enough of a justification to choose yet another provider to rely on.

H.
I was referring to this:
 

Bill Woodcock

macrumors newbie
Jun 4, 2020
1
0
I like Quad9 too; not all is encrypted there, but this is a good DNS provider
When you say "not all is encrypted there," can you expand on what you mean? Quad9 was the first recursive resolver to offer DoT client-to-resolver encryption, and also supports DoH and DNScrypt, though those aren't recommended, for very different reasons. Like all recursive resolvers, Quad9 also supports Do53 unencrypted, but we don't recommend it.
 

Airforcekid

macrumors 68000
Sep 29, 2008
1,698
666
United States of America
But wouldn't there be an initial handshake with a server hosting, e.g., cnn.com? Or do the DNS servers already return an IP address of servers belonging to the CDN?
Depends; it's possible to bypass a CDN, but not likely, as more and more websites use them to mitigate DDoS attacks etc. If you are using Cloudflare DNS and the site is hosted on Cloudflare I would almost guarantee it going straight to the CDN. SNI determines the site you wanted to reach once you contact the CDN; it is also historically unencrypted, but Cloudflare has been working on that as well. Right now I think Firefox and Brave are the only two browsers that support it though. https://www.cloudflare.com/learning/ssl/what-is-encrypted-sni/
 

wolfshades

macrumors 6502
Nov 1, 2007
483
621
Toronto, Ontario Canada
And I *just* started using CF's WARP+ on my phone and Mac yesterday! It's a user-space WireGuard VPN to CF's closest edge presence to you, with DNS resolved on their super-fast DNS 1.1.1.1. LOVE IT!
EDIT: WARP+ goes beyond what this article is about, btw, and is available today.
Thanks for that. I went to CF’s site to look this up. Seems impressive. I may buy the service too - until the new protocol arrives.
 