Cloudflare is hoping to boost consumer privacy, reduce the threat of man-in-the-middle attacks and speed up the internet with a new free service that secures Domain Name System (DNS) traffic by carrying it over an encrypted HTTPS channel.
On Sunday, Cloudflare, the security-focused content delivery network provider, opened a public DNS resolver for consumers that supports both DNS-over-TLS and DNS-over-HTTPS. The service is called 1.1.1.1, after the IPv4 address of the resolver (its second address is 1.0.0.1).
“DNS itself is a 35-year-old protocol and it’s showing its age. It was never designed with privacy or security in mind,” wrote Matthew Prince, co-founder and CEO of Cloudflare in a blog post Sunday. “DNS inherently is unencrypted so it leaks data to anyone who’s monitoring your network connection.”
Cloudflare joins Google, which introduced a similar service in November. The protocol behind the service is DNS over HTTPS, or DoH for short; it is also the protocol on which the Trusted Recursive Resolver (TRR) feature in Mozilla's Firefox is built.
“Our goals with the public resolver are simple: Cloudflare wants to operate the fastest public resolver on the planet while raising the standard of privacy protections for users,” wrote Olafur Gudmundsson, director of engineering at Cloudflare, in a separate blog post on the 1.1.1.1 launch.
Currently, a user’s internet service provider is usually the only party that sees the DNS requests a browser makes, because the ISP typically operates the resolver the user’s device is configured to use and carries the traffic to it. Nearly everything a user does online begins with a DNS query, whose function is to map a domain name (such as example.com) to the IP address of the server hosting the desired webpage.
DNS queries are sent in clear text (over UDP or TCP, port 53) and reveal the websites a user visits, along with metadata such as when a site was visited and how often. Where content filters are in place, DNS logs can also capture user IDs or MAC addresses. And thanks to a loosening of privacy rules by lawmakers, ISPs can now share their users’ internet activity with third parties.
Privacy activists also note that DNS spy tools such as Morecowbell and QuantumDNS have been used by governments for covert snooping.
For these reasons DNS is considered one of the leakiest parts of the internet’s plumbing. Cloudflare, the Mozilla Foundation, Google and others have been developing ways to make the DNS protocol more secure.
Last month, the Mozilla Foundation said it would soon begin testing DoH in a developer edition of the Firefox browser. That trial is separate from Cloudflare’s 1.1.1.1 launch, although Cloudflare is also a participant in the Mozilla trial.
These groups argue that man-in-the-middle (MiTM) attacks often exploit the insecure nature of DNS through DNS spoofing, DNS hijacking or DNS cache poisoning. In a DNS-based MiTM attack, an attacker who can tamper with DNS answers redirects requests for a legitimate site to a server under their control, which returns a spoofed site (or file) that appears legitimate.
By putting DNS inside an encrypted HTTPS channel, the network operator, whether an ISP or a hotel or café Wi-Fi hotspot, can no longer eavesdrop on DNS queries, and an on-path attacker can no longer alter the queries or answers in transit to stage a MiTM attack. The protection covers only the hop between the client and the resolver: the resolver itself still sees every query, and encrypting the transport does not by itself authenticate the contents of an answer, which is the job of DNSSEC.
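To make the two points above concrete, here is an added example (not Cloudflare’s or Threatpost’s code) that builds a DNS query in the clear-text wire format described earlier, wraps it the way a DoH client does, and parses a constructed wire-format answer. The DoH framing follows the published RFC 8484 standard rather than the draft-04 discussed in this article; the endpoint URL is assumed to be Cloudflare’s DoH address for the service, and the sample reply is constructed by hand, not captured. Everything runs offline except `doh_post`, which is only called if you uncomment it.

```python
# Added example (not Cloudflare's or Threatpost's code): build a DNS query in the
# plain wire format, wrap it as an RFC 8484 DoH request, and parse a constructed
# wire-format answer. Runs fully offline.
import base64
import struct
import urllib.request

# Assumption: Cloudflare's published DoH endpoint for the 1.1.1.1 service.
DOH_URL = "https://cloudflare-dns.com/dns-query"
DOH_MEDIA_TYPE = "application/dns-message"   # RFC 8484 media type
TYPE_A = 1


def build_query(name, qtype=TYPE_A, txid=0):
    """Encode a single-question DNS query (RFC 1035 wire format).

    The bytes are identical whether they travel over plain UDP/TCP port 53
    or inside a DoH request; only the transport changes. txid defaults to 0
    because RFC 8484 recommends it for GET so HTTP caches can match URLs.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_url(base_url, wire):
    """RFC 8484 GET form: ?dns=<base64url of the wire query, padding stripped>."""
    encoded = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{base_url}?dns={encoded}"


def doh_post(base_url, wire, timeout=5):
    """Send the query over HTTPS (RFC 8484 POST form). Not called at import time."""
    req = urllib.request.Request(
        base_url, data=wire, method="POST",
        headers={"Content-Type": DOH_MEDIA_TYPE, "Accept": DOH_MEDIA_TYPE},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


def _read_name(msg, offset, max_hops=16):
    """Decode a (possibly compressed) name; bounded so pointer loops can't spin forever."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if (length & 0xC0) == 0xC0:           # compression pointer (RFC 1035 4.1.4)
            hops += 1
            if hops > max_hops:
                raise ValueError("compression pointer loop")
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2              # name ends after the first pointer
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_response(msg, expected_txid=0):
    """Return (rcode, [(name, rtype, ttl, rdata_text), ...]) from a wire-format reply."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):                       # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4                              # qtype + qclass
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        text = ".".join(str(b) for b in rdata) if rtype == TYPE_A and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, text))
    return rcode, answers


# Constructed sample reply (not a real capture): one A record for example.com,
# TTL 3600, with a compression pointer (0xC00C) back to the question name.
SAMPLE_RESPONSE = (
    bytes.fromhex("0000" "8180" "0001" "0001" "0000" "0000")
    + b"\x07example\x03com\x00" + b"\x00\x01\x00\x01"
    + bytes.fromhex("c00c" "0001" "0001" "00000e10" "0004") + bytes([93, 184, 216, 34])
)

if __name__ == "__main__":
    query = build_query("example.com")
    print("wire query :", query.hex())
    print("DoH GET URL:", doh_get_url(DOH_URL, query))
    print("parsed     :", parse_response(SAMPLE_RESPONSE))
    # Live lookup over HTTPS: print(parse_response(doh_post(DOH_URL, query)))
```

The same `build_query` bytes could be handed to a UDP socket on port 53 and would be visible to anyone on the path; inside `doh_post` they are just an HTTPS request body, indistinguishable on the wire from any other HTTPS traffic to that host. The bounded pointer-following in `_read_name` is there because a hostile or corrupted reply can contain a pointer loop, which an unbounded parser would spin on.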
Then there is the matter of efficiency and reliability. Cloudflare maintains that querying its resolver over HTTPS is more efficient and can shave up to 15 milliseconds off the DNS lookups needed to render a webpage. Even more time can be saved when Cloudflare is also the authoritative DNS host for the domain being queried, Prince said.
DoH efforts, spearheaded by Mozilla, began informally in late 2016. In July 2017 the Internet Engineering Task Force (IETF) met in Prague and began work on standardizing how DNS over HTTPS would work. Stakeholders have met several times since, and the IETF’s steering group could approve a standard in around four to eight weeks or ask for changes, according to those familiar with the process.
The current DNS over HTTPS draft, “draft-04”, is expected to leave the working group and be submitted to the IESG (the Internet Engineering Steering Group, which reviews all IETF standards) in April.
While many cheer the upside of using the encrypted HTTPS channel to secure DNS traffic, some caution that doing so trades one privacy and security problem for another. They argue that routing DNS through a content delivery network operator such as Cloudflare creates a new central repository of DNS queries that could be hacked or mined for personally identifiable information (PII).
In an interview with Threatpost last month, Cloudflare’s Prince said, “We are committed to not storing any DNS logs for the service for longer than 24 hours. We don’t write the source IP addresses to disk – which is the only data that could identify a customer. We have no interest in being a centralized repository for PII. Our business model is not advertising and it’s not about saving data.”