Apple and Cloudflare have created a new Intenet protocol that should help improve user privacy and make it difficult for Internet Service Providers to snoop on their customers. The new protocol is dubbed Oblivious DNS-over-HTTPS (ODoH) and prevents the DNS resolver to know which website is a user visiting.
Although there is already DNS-over-HTTPS available for users, which adds encryption to DNS requests and makes DNS hijacking difficult, it does not disallow DNS resolvers from seeing a user’s requests for websites. Any DNS resolver can easily create a list of websites that a particular user visits which leaves behind a gaping hole in privacy.
What is ODoH and how does it work?
Created as a result of collaboration by Apple, Fastly, and Cloudflare, ODoH is short for Oblivious DNS-over-HTTPS. As per Cloudflare, ODoH will decouple the information about who is making the DNS request, and what is the DNS request. In layman’s terms, ODoH will make all DNS requests anonymous.
Technically, ODoH will add another layer of encryption to the DNS query, which will make it difficult for the DNS resolvers to understand which user is requesting which website. A proxy server will ensure that it separates website information from user information. To ensure that DNS resolver and proxy server never know who the user is, they will never be controlled by the same entity.
Cloudflare states that ODoH will guarantee the following:
- The target sees only the query and the proxy’s IP address.
- The proxy has no visibility into the DNS messages, with no ability to identify, read, or modify either the query being sent by the client or the answer being returned by the target.
- Only the intended target can read the content of the query and produce a response.
It is unclear if Apple will add this as a default option for iPhone, iPad, and Mac users. Google already supports Private DNS on Android which also adds a layer of security to disallow ISPs and DNS resolvers from reading queries.
It might take sometime before it is adopted industry-wide and becomes a standard but until then, interested users can start using ODoH by using Cloudflare’s 18.104.22.168 DNS resolver.
You can read the complete technical details over at Cloudflare.