Apple engineers partner with Cloudflare to improve internet privacy

Posted:
in General Discussion edited December 2020
Engineers at Apple are working with Cloudflare and Fastly to create Oblivious DNS, a new standard that can make it harder to track a user's online activities.




While the Internet offers various privacy protection measures for its denizens, including encryption and VPNs, one of the areas that are more easily trackable is the Domain Name System. Effectively the address book for the Internet, DNS enables the use of domain names that link to specific website IP addresses, making the entire system more usable to humans.

However, the nature of DNS means it is sent and received between machines in cleartext, which is easily observed by third parties, making it a trackable item. Developments like DNS over HTTPS (DoH) make it harder for outside forces to change DNS queries to point to malicious sites, but it still makes it possible for user activities to be tracked.

In a bid to make DNS more private and less trackable, a group of engineers at Apple, Cloudflare, and Fastly have come up with Oblivious DNS over HTTPS (ODoH). By separating the IP address from the query, it offers the chance for DNS queries to be made safer as not all parties have access to both the IP or query at the same time.

How does ODoH work?

The system works by relying on both public key encryption and a network proxy sitting between the client and the DoH server. The query is encrypted by the client and dispatched to the DoH server via the proxy.

The DoH server is able to decrypt the query, produces an answer to it, encrypts that answer, and sends it back to the proxy, which then sends it back to the client.

In effect, the proxy is aware of encrypted messages between the client and the DoH server, but not the message content. Meanwhile, the DoH server knows the content of the message itself, but only the address of the proxy, not the client.

While it would be theoretically possible for the contents of the message and the address of the client to be combined if both the proxy and DoH server are owned by the same entity, a fundamental rule of it is that the proxy and DoH server do not collude at all.

In practice, this would largely consist of ensuring the proxy and DoH server are owned by different companies.

Cloudflare's graph showing the network response time for ODoH versus DoH and DoH over Tor.
Cloudflare's graph showing the network response time for ODoH versus DoH and DoH over Tor.


The addition of encryption and decryption, as well as a proxy, to a DNS query may cause some concern for users who want their DNS queries to operate as fast as possible. To head off those worries, Cloudflare claims its initial testing of ODoH configurations are actually quite promising.

According to the company, the additional encryption is "marginal" in its effect, with a time cost of less than 1 millisecond for 99% of queries.

When will ODoH be ready to use?

On Tuesday, Cloudflare and its partners, including PCCW Global, Surf, and Equinix have launched Oblivious DNS over HTTPS proxies, to encourage its further development and implementation, using Cloudflare's 1.1.1.1 DNS resolver. Test clients have been open-sourced, to allow interested parties to test it out for themselves.

While the existing effort is meant to refine the system further, it may be quite some time before it becomes usable by consumers. Despite Apple being involved in the project, it doesn't guarantee that it will appear in iOS, macOS, or Safari anytime soon.

The longest wait will be for it to be certified as a standard by the Internet Engineering Task Force, which will make it more attractive to developers to implement.

Comments

  • Reply 1 of 8
    Interesting since last week 1.1.1.1 stopped working on many people’s iPhones. Reviews in the App Store show many recent 1 star reviews, various iPhone models, on iOS 14. 
    williamlondonwatto_cobra
  • Reply 2 of 8
    Interesting since last week 1.1.1.1 stopped working on many people’s iPhones. Reviews in the App Store show many recent 1 star reviews, various iPhone models, on iOS 14. 
    It is interesting. I use CloudFlare's DNS on my router and use a PiHole for the DNS on individual devices and haven't noticed anything. Works like it always had.
    williamlondonwatto_cobra
  • Reply 3 of 8
    gatorguygatorguy Posts: 22,879member
    Interesting since last week 1.1.1.1 stopped working on many people’s iPhones. Reviews in the App Store show many recent 1 star reviews, various iPhone models, on iOS 14. 
    Have you tried using 1.0.0.1?
  • Reply 4 of 8
    rob53rob53 Posts: 2,515member
    I presume this or something like it might become a standard in the future. How will it affect our day to day operations? I know what DNS does but how will affect our normal use of the internet? Will it stop all tracking or just some of it. Will it cause issues with location services? 
    watto_cobra
  • Reply 5 of 8
    gatorguy said:
    Interesting since last week 1.1.1.1 stopped working on many people’s iPhones. Reviews in the App Store show many recent 1 star reviews, various iPhone models, on iOS 14. 
    Have you tried using 1.0.0.1?
    1.1.1.1 is an iOS/iPadOS app from Cloudflare that in addition to offering DNS, also offers VPN.  I'm not aware of any app named "1.0.0.1".  ;)
    watto_cobra
  • Reply 6 of 8
    gatorguygatorguy Posts: 22,879member
    nicholfd said:
    gatorguy said:
    Interesting since last week 1.1.1.1 stopped working on many people’s iPhones. Reviews in the App Store show many recent 1 star reviews, various iPhone models, on iOS 14. 
    Have you tried using 1.0.0.1?
    1.1.1.1 is an iOS/iPadOS app from Cloudflare that in addition to offering DNS, also offers VPN.  I'm not aware of any app named "1.0.0.1".  ;)
    Thanks! I did not realize he was referring to the app by that name rather than Cloudflare's DNS it is named after. 1.0.0.1 is the backup to 1.1.1.1
    edited December 2020
  • Reply 7 of 8
    dewmedewme Posts: 3,608member
    crawdad62 said:
    Interesting since last week 1.1.1.1 stopped working on many people’s iPhones. Reviews in the App Store show many recent 1 star reviews, various iPhone models, on iOS 14. 
    It is interesting. I use CloudFlare's DNS on my router and use a PiHole for the DNS on individual devices and haven't noticed anything. Works like it always had.
    How's the uptime on Cloudflare compared to Google? I used Cloudflare for a while when it first appeared on the scene and had a number of interruptions, which led me back to alternatives. I settled on Google (8.8.8.8/8.8.4.4) after also trying OpenDNS because it seemed like the most consistently reliable and good enough performing DNS service that I could basically set and forget, i.e., totally hands-off. 

    Are you using a single PiHole for all of your devices? 
    edited December 2020
  • Reply 8 of 8
    dewme said:

    How's the uptime on Cloudflare compared to Google? I used Cloudflare for a while when it first appeared on the scene and had a number of interruptions, which led me back to alternatives. I settled on Google (8.8.8.8/8.8.4.4) after also trying OpenDNS because it seemed like the most consistently reliable and good enough performing DNS service that I could basically set and forget, i.e., totally hands-off.
    I have 1.1.1.1 set as the exclusive DNS on my MBP. No other addresses. Haven't had any problems.

    The funniest experience I had with 1.1.1.1 was when a know-it-all IT consultant who helps set up the systems at work noticed I had 1.1.1.1 set on the Windows PC on my desk. He had no idea what it was. I told him that's Cloudflare's DNS service. He tried to tell me it's offshore stuff, not really Cloudflare's and it's dangerous to use that. The following week, Firefox debuted DNS over HTTPS, defaulting to the "dangerous" 1.1.1.1.
    watto_cobra
Sign In or Register to comment.