Today, Cloudflare announced that it is working on a new DNS privacy protocol in collaboration with engineers from Apple and Fastly. The protocol, ODoH (Oblivious DNS-over-HTTPS), makes it harder for any single party to track DNS queries by separating the content of a query from the IP address of the client that sent it.
Before we dive into how ODoH works, let's first recap how DNS works. DNS, the Domain Name System, is the phonebook of the internet: every time you type an address (e.g. www.iPhoneHacks.com), a DNS resolver (usually one run by your ISP) translates that name into the IP address your device actually connects to.
But it is not as simple as it sounds. With plain DNS, anyone on the path between your device and the resolver can see both the query, which contains the hostname (the website address), and the IP address of your device. DNS-over-HTTPS (DoH) improves on this by encrypting queries in transit, so on-path observers no longer see the hostnames, but the resolver itself still receives both the query and your IP address together, so it (or anyone who gets hold of its logs) can still tell which websites a given user visits.
The new protocol developed by Cloudflare, Apple and Fastly separates the query from the client's IP address, so that no single party sees both at the same time.
How Cloudflare's ODoH Works
ODoH adds a layer of public-key encryption and a network proxy between the Client (your device) and the DNS resolver, called the Target. The Client encrypts its query with the Target's public key and sends it to the Proxy, which forwards it to the Target. The Target decrypts the query, resolves it, encrypts the response and returns it to the Proxy, which passes it back to the Client. The Proxy is just a forwarder: it sees who sent each message and where it is going, but not what it contains.
Compared with plain DoH, then, there are two additions: a proxy between the client and the resolver, and a second layer of encryption so that the proxy cannot read the queries it forwards. The resolver now sees the IP address of the proxy rather than that of the client, and the proxy sees the client's IP address but only ciphertext. The cost is that the client and the resolver each have to encrypt and decrypt every message in addition to the normal HTTPS handling. Cloudflare says the performance of the new protocol remains more or less the same as DoH, but the system will need some more refinement before it can ship.
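To make the flow described above concrete, here is an added Python model of one ODoH round trip; it is example code written for this page, not Cloudflare's, Apple's or Fastly's implementation. Real ODoH encrypts with HPKE; since the Python standard library has no HPKE, the script substitutes a toy Diffie-Hellman KEM, an HMAC-based KDF and an XOR stream cipher with an HMAC tag, all marked as stand-ins and none of them fit for real use. The IP addresses, the target hostname `odoh.target.example` and the `ZONE` answers are constructed. Each party records what it can observe, so you can check the property the article describes: the proxy logs the client's IP but only ciphertext, the target logs the query but only the proxy's IP, and a single operator running both can trivially join the two logs.

```python
"""Toy model of one ODoH round trip: client -> proxy -> target -> proxy -> client.

Added example, not code from Cloudflare, Apple or Fastly. Real ODoH uses HPKE;
a hand-rolled DH KEM + HMAC KDF + XOR stream with HMAC tag stands in here so
the script runs with only the standard library. IPs and zone data are constructed.
"""
import hashlib
import hmac
import secrets

# Toy DH group in place of HPKE's X25519 KEM. 2**127 - 1 is prime, but the
# group is far too small for real use; it is here only so the demo runs.
P = 2**127 - 1
G = 3
ZONE = {"www.example.com": "203.0.113.10"}  # constructed answers


def keygen():
    """(private, public) pair: the target's static key, or a client's ephemeral key."""
    sk = secrets.randbelow(P - 2) + 1
    return sk, pow(G, sk, P)


def _kdf(shared, info):
    """HKDF-like extract-and-expand -> (32-byte cipher key, 32-byte MAC key)."""
    prk = hmac.new(b"odoh-toy-salt", shared.to_bytes(16, "big"), hashlib.sha256).digest()
    out, block = b"", b""
    for i in (1, 2):
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        out += block
    return out[:32], out[32:]


def _stream(key, nonce, n):
    """n keystream bytes from SHA-256(key || nonce || counter)."""
    blocks = (hashlib.sha256(key + nonce + c.to_bytes(4, "big")).digest()
              for c in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def aead_seal(key, mac_key, nonce, plaintext):
    """Encrypt-then-MAC; the tag covers the nonce and ciphertext."""
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def aead_open(key, mac_key, nonce, sealed):
    """Verify the tag in constant time, then decrypt; raises on any tampering."""
    ct, tag = sealed[:-32], sealed[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("message failed authentication")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))


def client_encrypt_query(target_pk, qname):
    """Client: encapsulate to the target's public key. Returns the opaque message
    for the proxy plus the response keys (ODoH derives them from the same HPKE
    context, so only this client can read the answer)."""
    esk, epk = keygen()
    shared = pow(target_pk, esk, P)
    q_key, q_mac = _kdf(shared, b"odoh query")
    nonce = secrets.token_bytes(12)
    msg = epk.to_bytes(16, "big") + nonce + aead_seal(q_key, q_mac, nonce, qname.encode())
    return msg, _kdf(shared, b"odoh response")


def target_handle(target_sk, msg):
    """Target: decapsulate, resolve from ZONE, encrypt the answer for the client."""
    epk, nonce = int.from_bytes(msg[:16], "big"), msg[16:28]
    shared = pow(epk, target_sk, P)
    q_key, q_mac = _kdf(shared, b"odoh query")
    qname = aead_open(q_key, q_mac, nonce, msg[28:]).decode()
    r_key, r_mac = _kdf(shared, b"odoh response")
    r_nonce = secrets.token_bytes(12)
    answer = ZONE.get(qname, "NXDOMAIN").encode()
    return qname, r_nonce + aead_seal(r_key, r_mac, r_nonce, answer)


def run_odoh(qname, client_ip="198.51.100.7", proxy_ip="192.0.2.1"):
    """One round trip; returns the answer and what the proxy and target observed."""
    target_sk, target_pk = keygen()  # the target publishes target_pk out of band
    msg, (r_key, r_mac) = client_encrypt_query(target_pk, qname)
    # Proxy: knows the client's IP and the target to forward to, sees only ciphertext.
    proxy_log = {"src_ip": client_ip, "target": "odoh.target.example",
                 "saw_plaintext": qname.encode() in msg}
    # Target: the message arrives from the proxy's IP, never the client's.
    plain_qname, resp = target_handle(target_sk, msg)
    target_log = {"src_ip": proxy_ip, "qname": plain_qname}
    answer = aead_open(r_key, r_mac, resp[:12], resp[12:]).decode()
    return {"answer": answer, "proxy_log": proxy_log, "target_log": target_log}


def colluding_view(proxy_log, target_log):
    """The caveat: one operator running both proxy and target can join the logs."""
    return {"client_ip": proxy_log["src_ip"], "qname": target_log["qname"]}
```

Calling `run_odoh("www.example.com")` returns the resolved address together with the two logs; note that the target log carries the proxy's address and the proxy log carries no plaintext, while `colluding_view` shows how quickly that separation collapses when both roles are under one roof.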
This may sound more private than plain DoH, and it is, but the guarantee holds only when the proxy and the DNS resolver are not controlled by the same entity: an operator running both could simply join the two logs and link each query back to the client. ODoH has not yet been standardized by the Internet Engineering Task Force, which means it may be some time before companies can use this technology. [Via Cloudflare]