Cloudflare launches privacy-protecting DNS service

If you were offline over the weekend, you might have missed Cloudflare’s announcement of a new privacy-oriented consumer DNS service, reachable at the IP addresses 1.1.1.1 and 1.0.0.1.


With this launch the US-based Internet services giant has joined the likes of Google and IBM Security, who also offer free DNS resolution services as an alternative to using ISPs’ DNS resolvers or locally installed DNS servers.

The Cloudflare DNS Resolver

Cloudflare says that its DNS service is the fastest one available to users (a claim that has been confirmed by multiple parties), but the most important thing about it is that it accepts connections over the DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) protocols, meaning that queries between the client and the resolver are encrypted. Conventional DNS over UDP port 53 is sent in the clear, so anyone on the path (ISP, wifi operator, mobile carrier) can read every name a client looks up.
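To make concrete what a DoH client actually sends, the following added example (not Cloudflare's code and not from the article) builds a DNS wire-format query, encodes it as the `dns=` parameter of a DoH GET request (RFC 8484, base64url without padding), and parses a response the way a DoH or DoT client would. The endpoint URL `https://cloudflare-dns.com/dns-query` is Cloudflare's published DoH address but is not given on this page; the response bytes are constructed inline so the code runs offline.

```python
"""Added example: DNS message construction and parsing for a DoH client.
Not from the article or from Cloudflare; the response below is constructed."""
import base64
import struct

# Cloudflare's published DoH endpoint (assumed here; the article does not list it).
DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"


def build_query(name, qtype=1, txid=0):
    """Return a DNS query (RFC 1035) for `name`; qtype 1 = A record.
    txid 0 is customary for DoH GET so identical queries produce identical URLs."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(
        struct.pack("B", len(label)) + label.encode()
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_url(name):
    """URL a DoH client would fetch (with 'accept: application/dns-message')."""
    query = build_query(name)
    return DOH_ENDPOINT + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode()


def _read_name(msg, off):
    """Decode a possibly compressed name at `off`; return (name, next offset)."""
    labels = []
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            rest, _ = _read_name(msg, ptr)
            labels.append(rest)
            return ".".join(labels), off + 2
        off += 1
        if length == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + length].decode())
        off += length


def parse_response(msg):
    """Return (rcode, [(name, type, ttl, rdata), ...]) from a DNS response."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0xF
    off = 12
    for _ in range(qd):            # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4                   # qtype + qclass
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, "A", ttl, ".".join(str(b) for b in rdata)))
        else:
            answers.append((name, rtype, ttl, rdata.hex()))
    return rcode, answers


def constructed_response():
    """A constructed (not captured) answer for example.com: one A record, TTL 300."""
    question = build_query("example.com")[12:]
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34])
    return header + question + answer


if __name__ == "__main__":
    print(doh_get_url("www.example.com"))
    print(parse_response(constructed_response()))
```

The base64url string produced for `www.example.com` matches the example GET in RFC 8484, which is a useful check that the encoding is right. A real client would fetch that URL over HTTPS (or send the same bytes, length-prefixed, over a TLS connection to port 853 for DoT); the point of both transports is that the query name is inside the TLS session rather than in a plaintext UDP datagram.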

“What many Internet users don’t realize is that even if you’re visiting a website that is encrypted — has the little green lock in your browser — that doesn’t keep your DNS resolver from knowing the identity of all the sites you visit. That means, by default, your ISP, every wifi network you’ve connected to, and your mobile network provider have a list of every site you’ve visited while using them,” Cloudflare CEO Matthew Prince explained.

This information can then be sold on and monetized through ad targeting. ISPs’ DNS resolvers can also be used to perpetrate online censorship: two years ago the Turkish government blocked Twitter by having the country’s ISPs’ DNS resolvers refuse DNS requests for the domain in question.

“The insecurity of the DNS infrastructure struck the team at Cloudflare as a bug at the core of the Internet, so we set out to do something about it,” Prince shared.

“We began talking with browser manufacturers about what they would want from a DNS resolver. One word kept coming up: privacy. Beyond just a commitment not to use browsing data to help target ads, they wanted to make sure we would wipe all transaction logs within a week. That was an easy request. In fact, we knew we could go much further. We committed to never writing the querying IP addresses to disk and wiping all logs within 24 hours.”

For those who aren’t ready to trust these claims without independent confirmation, Cloudflare has retained an outside auditing firm that will audit their code and practices annually and publish a public report.

Those who, even after that, still don’t want to trust a third party with their private data will have to wait for the Oblivious DNS project to offer an alternative.

The goal of the project, run by a team of researchers from Princeton University, is to ensure that no single party observes both the DNS query and the IP address or subnet that issued it.

Additional information and reassurances

In the meantime, those who trust Cloudflare can easily set up this new DNS service – the instructions (for various computers, mobile devices, and other devices) are provided here.

Cloudflare has also published a privacy policy explaining what it will and will not do with the data collected by the Cloudflare Resolver, as well as a separate Cloudflare / Firefox privacy policy covering the data collected via the Cloudflare Resolver for Firefox. (Mozilla has added support for the DNS-over-HTTPS protocol in a beta version of Firefox, but the Cloudflare service is not enabled by default.)

For more technical information about setting up Cloudflare’s DNS Resolver, check out this blog post.