Together with companies such as Apple and Fastly, Cloudflare is developing a technique that makes it impossible to link DNS lookups to specific users. At the moment, DNS providers could still do this.

The company tries to solve the privacy problems of DNS. Normally, DNS lookups are sent over the internet without encryption. This makes it possible for every party in between the user and DNS server to see which websites a user is visiting.

DoH and DoT

With the introduction of DNS over HTTPS (DoH) and DNS over TLS (DoT), the DNS requests became encrypted. As a result, parties between users and DNS servers can no longer follow users’ requests, but DNS providers can still link lookups to users. After all, they receive an IP-address and a request. DNS providers are usually the users’ ISPs, but companies such as Google and Cloudflare host popular alternatives on IP addresses 8.8.8 and 1.1.1.1.

Oblivious DoH

Because not everyone trusts their DNS providers with this knowledge, Cloudflare wants to anonymise DNS further. That’s why the company came up with Oblivious DoH (ODoH). With this technique, a proxy server is placed between the user and the DNS server. In a blog post, Cloudflare explains how it works.

When the user sends a DNS request with ODoH, the encrypted request first arrives at the proxy. The proxy then sends the still encrypted DNS request to a DNS server, which now sees the proxy’s IP address instead of the user’s IP address. The DNS server encrypts the response and sends it back to the user via the proxy.

The result of these steps is that the proxy can only see that a specific IP address has requested a DNS lookup, but not which website it is specifically looking for. The DNS server does see this, but cannot see which user sent the lookup. This makes it theoretically impossible to link a user to specific DNS requests, provided that the proxy and DNS provider do not exchange data with each other.

Partners

Cloudflare has already announced a couple of partners to serve as proxies for the ODoH system. These are PCCW, SURF and Equinix. ODoH is open source and immediately available for users to experiment with.