Improving DNS Privacy with Oblivious DoH

541 points by websirnik, over 4 years ago

54 comments

dang, over 4 years ago
All: We changed the URL from https://techcrunch.com/2020/12/08/cloudflare-and-apple-design-a-new-privacy-friendly-internet-protocol/ to the more detailed source, but you might want to read both.

TrueDuality, over 4 years ago
The biggest and most consistent downside I see with these DNS enhancements is that it prevents filtering at the network level. Querying nameservers is being pushed into applications themselves to support these new features (such as Chrome and Firefox), which bypasses any system resolvers configured on the host. In most cases there is no way to signal from the network that it is not desirable to do this (Firefox being the sole exception). There also is no good way for enterprises to centrally manage these settings. DNS is a major source of information when doing threat hunting on a network and having that go dark is a big problem.

Enterprises aside, there has been a rise of people using solutions like pi-hole in their home networks to filter out traffic not just for ads, but known malicious domains, and telemetry trackers (which Apple does get filtered by, only calling them out specifically because they have an active interest in not being filtered like this).

Yes I think it's also a problem that ISPs are snooping and selling this information, but I think that is a less severe problem than rampant malware infections and the excessive collection of online usage data in the telemetry systems present in every webapp, OS, mobile, or IoT device. This increases privacy in one place, while making it much harder to actively protect yourself from the more aggressive and invasive sources of data collection.

Lammy, over 4 years ago
It bothers me how "privacy" has been redefined in recent years to mean "encrypted" and not "surveillance-resistant". We keep building things that make more requests I can't terminate locally, e.g. to a PiHole.

Never forget the lesson in "Using Metadata to find Paul Revere": https://kieranhealy.org/blog/archives/2013/06/09/using-metadata-to-find-paul-revere/

crumbshot, over 4 years ago
This is a neat design, but, does this not just shift the issue of trust as to whether the proxy and the target are colluding:

> However, each of these guarantees relies on one fundamental property — that the proxy and the target servers do not collude. So long as there is no collusion, an attacker succeeds only if both the proxy and target are compromised.

I'm not sure how an end user would be expected to assess this any more than they could ascertain whether any particular DoH/DoT provider is as trustworthy as they claim.

eh78ssxv2f, over 4 years ago
What a stark difference between Google and Apple/Cloudflare.

Apple/Cloudflare are working on privacy-friendly protocols that reduce the amount of information exposed to them.

At exactly the same time, Google is working on proxying browser traffic through them without any consent [1].

[1]: https://news.ycombinator.com/item?id=25337995

landerwust, over 4 years ago
Opened this post expecting to be hating on another power grab dressed up as protocol engineering, but this one seems to actively /reduce/ the centralization of user data collection in DoH. Props to Cloudflare, I'm impressed.

ignoramous, over 4 years ago
Key bits from the Cloudflare blog https://blog.cloudflare.com/oblivious-dns/

> The target [resolver] sees only the [DNS] query and the proxy’s IP address. The proxy has no visibility into the DNS messages, with no ability to identify, read, or modify either the query being sent by the client or the answer being returned by the target. Only the intended target [resolver] can read the content of the [DNS] query and produce a [DNS] response.

> The whole process begins with clients that encrypt their query for the target using HPKE. Clients obtain the target’s public key via DNS, where it is bundled into a [SVCB/HTTPS] HTTPS resource record and protected by DNSSEC.

> Clients transmit these encrypted queries to a proxy over an HTTPS connection. Upon receipt, the proxy forwards the query to the designated target. The target then decrypts the query, produces a response by sending the query to a recursive resolver such as 1.1.1.1, and then encrypts the response to the client. The encrypted query from the client contains encapsulated keying material from which targets derive the response encryption symmetric key.

> ...50% of the time ODoH queries are resolved in fewer than 228ms.

BTW, DNSCrypt supports "oblivious" encrypted DNS queries via what it calls Anonymized Relays https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS
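
Added example (not part of the comment above, the Cloudflare post or the ODoH draft): the quoted exchange reduced to a runnable Go sketch that records what each party gets to observe. X25519 with SHA-256 and AES-128-GCM stands in for HPKE, the query is a bare name rather than a DNS message, the target's key is handed to the client directly instead of being fetched from an HTTPS record, and all type names, addresses and the fixed answer are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// keys splits SHA-256(X25519 secret) into one-shot AES-128-GCM query and response keys.
func keys(ss []byte) (q, r cipher.AEAD, nonce []byte) {
	okm := sha256.Sum256(ss)         // simplified stand-in for HPKE's key schedule
	qb, _ := aes.NewCipher(okm[:16]) // 16-byte keys cannot fail
	rb, _ := aes.NewCipher(okm[16:])
	q, _ = cipher.NewGCM(qb)
	r, _ = cipher.NewGCM(rb)
	return q, r, make([]byte, 12) // fixed nonce is safe: each key seals one message
}

// Target owns the long-term key pair.
type Target struct {
	Key         *ecdh.PrivateKey
	Peer, Query string // everything the target gets to observe
}
func (t *Target) Handle(peer string, epk *ecdh.PublicKey, ct []byte) ([]byte, error) {
	ss, err := t.Key.ECDH(epk)
	if err != nil {
		return nil, err
	}
	qk, rk, n := keys(ss)
	q, err := qk.Open(nil, n, ct, nil)
	if err != nil {
		return nil, fmt.Errorf("target: query rejected: %w", err) // altered or wrong key
	}
	t.Peer, t.Query = peer, string(q)
	return rk.Seal(nil, n, []byte("192.0.2.10"), nil), nil // constructed answer
}

// Proxy relays between clients and the target.
type Proxy struct {
	Addr, Peer string
	CT         []byte // Peer, CT (and the passing epk): all the proxy observes
	Target     *Target
}
func (p *Proxy) Forward(client string, epk *ecdh.PublicKey, ct []byte) ([]byte, error) {
	p.Peer, p.CT = client, ct
	return p.Target.Handle(p.Addr, epk, ct)
}

// Query is the client: a fresh ephemeral key per query, encrypted to the target only.
func Query(client, name string, target *ecdh.PublicKey, p *Proxy) (string, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return "", err
	}
	ss, err := eph.ECDH(target)
	if err != nil {
		return "", err
	}
	qk, rk, n := keys(ss)
	resp, err := p.Forward(client, eph.PublicKey(), qk.Seal(nil, n, []byte(name), nil))
	if err != nil {
		return "", err
	}
	ans, err := rk.Open(nil, n, resp, nil)
	return string(ans), err
}

func main() {
	key, _ := ecdh.X25519().GenerateKey(rand.Reader)
	p := &Proxy{Addr: "203.0.113.5", Target: &Target{Key: key}}
	fmt.Println(Query("198.51.100.7", "example.com", key.PublicKey(), p))
}
```

After a query, `Proxy.Peer` holds the client address and `Proxy.CT` only ciphertext, while `Target.Peer` holds the proxy address and `Target.Query` the name; a ciphertext altered in transit is rejected by the target.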

darkwater, over 4 years ago
Until we get rid of SNI[1] in HTTPS for good there will still be providers (like my ISP) that do deep packet inspection on SNI and kill the connection right away if you happen to visit a forbidden site (and this was western Europe, yesterday, on a site behind CloudFlare)

[1] https://en.m.wikipedia.org/wiki/Server_Name_Indication

jamescun, over 4 years ago
Preventing the target resolver from seeing client's IP address breaks GeoDNS. This is already a problem with 1.1.1.1 which doesn't honour the EDNS client subnet extension.

Given generally DNS is just the start of an interaction, usually followed by the connection directly between the client and intended destination, I don't see what kind of snooping these privacy measures are there to prevent.

ksm1717, over 4 years ago
Interesting that Apple is increasing its stake in privacy. On all their billboards and advertisements of course they like to present it as a boon to the customer. More importantly, I think it’s a negative for personal data hungry competitors while being relatively unrelated to Apple's business.

londons_explore, over 4 years ago
When you need a log-log plot to make the performance degradation not look so severe, you have issues...

akvadrako, over 4 years ago
If anyone wants the draft RFC:

https://tools.ietf.org/html/draft-pauly-dprive-oblivious-doh-03

g42gregory, over 4 years ago
Do I understand this correctly that if DoH is implemented, none of the firewalls will be able to block the web sites? Including the pi-hole firewalls, as an example. If that's the case, this situation can't stand for long. Does this mean that the DoH would need to be extended to allow firewalls to decrypt it?

If not, here is a PaloAlto Networks blog advertising capability to block all DoH traffic, presumably at work [0]. It looks like you might not be able to use DoH at work, the way it currently stands. I wonder what would be the right solution?

[0] https://live.paloaltonetworks.com/t5/blogs/protecting-organizations-in-a-world-of-doh-and-dot/ba-p/313171

joshspankit, over 4 years ago
I understand why Cloudflare wants this (marketing, as well as being able to serve their customer’s content through restrictions, thus making them more valuable to those customers),

but why does Apple want this?

My knee-jerk is that they want to further hide/make unstoppable things like the Gatekeeper network checks, but there has to be more right?

benlivengood, over 4 years ago
Metadata privacy is very hard to solve and traffic analysis of non-Tor traffic is pretty accurate, which is also applicable to CDN traffic regardless of how well DNS is protected.

http://ceur-ws.org/Vol-1158/paper2.pdf

anonypla, over 4 years ago
One should also note that, even if you use ODoH, eSNI and even Tor (or any VPN service), your ISP could still reliably fingerprint your web access activity at the source using deep learning with over 96% accuracy as shown in this study (https://distrinet.cs.kuleuven.be/software/tor-wf-dl/).

So while ODoH is a good thing (and also recommended in this study which has shown the weaknesses of DoH/DoT https://www.esat.kuleuven.be/cosic/publications/article-3153.pdf) and is very similar to DNS over Tor with a DNS hidden service resolver (which Cloudflare also provides), it won't prevent a skilled and motivated adversary from determining your activity and possibly applying censorship.

I would guess that a solution to mitigate these would be to use a hybrid solution of VPN over Tor (or Tor over VPN) while also using DNS over Tor or ODoH and eSNI.

jlgaddis, over 4 years ago
Even better, IMO, would be if all targets were also proxies and a client could choose -- at "query time" -- any combination of (proxy, target) that they prefer.

If you wanted to go a step further, you can even allow "chaining" of proxies, such that the path a query takes might be, in an extreme example, similar to how Tor operates:

    Client -> Proxy 1 -> Proxy 2 -> Proxy 3 -> Target -> Resolver

--

Anyways, this is kinda sorta interesting, I guess, but honestly I'm more excited by and looking forward to the (hopefully!) eventual adoption and roll-out of "DNS SVCB and HTTPS RRs" [0] -- one of the other I-Ds (linked in the OP) on which ODoH is built -- and I suspect many other HN'ers will be as well (although I'd happily settle for SRV RR support in browsers).

--

[0]: https://tools.ietf.org/html/draft-ietf-dnsop-svcb-https-02

geogriffin, over 4 years ago
Why encrypt the first hop? Why isn't this just plain DoH with a simple CONNECT forward proxy to 1.1.1.1, like Signal's Giphy proxy [1]?

[1] https://signal.org/blog/signal-and-giphy-update/

clashmeifyoucan, over 4 years ago
I'm wondering how they still get good performance with a proxy server in between, the plots seem quite close to each other (maybe because logarithmic?).

Also, not sure how useful the Tor comparison is, since Tor does 3 hops as opposed to their 1 so it would be a shame if it doesn't beat that.

pcwrt, over 4 years ago
Serious question, why do we need ODoH at all? Isn't a plain proxy good enough to achieve this? https://www.pcwrt.com/2020/12/oblivious-dns-over-https-vs-doh-through-http-proxy/

izacus, over 4 years ago
So Google got sued by ISPs which lobbied an investigation by DOJ for trying to encrypt DNS: https://www.engadget.com/2019-09-29-congress-doj-scrutinze-google-encrypted-dns.html

Will ISPs be too scared to sue Apple and Cloudflare for this? Or are they giving them an out?

mlegner, over 4 years ago
The basic idea makes sense to me and it's great to see efforts to improve DNS privacy. However, I'm not really convinced by Cloudflare's analysis of the processing overhead:

The blog post only discusses how the proxying and encryption affect latency but not the processing at the server. In contrast to plain DoH (or DoT), where only symmetric cryptography is used after the first set-up, ODoH requires asymmetric cryptography (which is several orders of magnitude slower) for each individual request. The "less than 1ms" that they claim for the 99th percentile is no problem for the client but it is a problem for the resolver. Asymmetric cryptography is also used for verifying DNSSEC responses, but this is only necessary for records that are not cached.

On the other hand, an ODoH resolver may require to set up and keep track of a lower number of TLS connections as the number of proxies is likely smaller than the number of clients.

gwbas1c, over 4 years ago
I suspect that practical matters will interfere with widespread adoption of encrypted DNS.

In my state, Comcast is going to start charging heavy bandwidth users extra. After a few people get surprise bills, I suspect that lawmakers will require that internet providers break down a bill by application.

thrwaway2020aug, over 4 years ago
I'm surprised to see Cloudflare and Apple collaborating on privacy.

What does Cloudflare think of Safari's new CNAME-cloaking detection to block cookies? https://webkit.org/blog/11338/cname-cloaking-and-bounce-tracking-defense/

The reason I ask is because Cloudflare's "orange cloud" DNS mitigates that protection because it prevents Safari from detecting the cloak. On the other hand, I haven't run into many engineers who think CNAME-cloaking actually hurts privacy in light of Safari's other efforts to partition local storage.

Does Cloudflare think it would help privacy for Apple to know the final IPs behind orange cloud DNS?

John_Westra, over 4 years ago
I would love to see Firefox be an early adopter of this, regain market share and save us all from Chrome!

TimWolla, over 4 years ago
So, having read the blog post from Cloudflare I don't understand why the proxy (needs to terminate|terminates) TLS.

I thought HTTPS proxying (or rather: Any TCP protocol) was a solved problem by the HTTP CONNECT verb or SOCKS proxies.

What am I missing?

karmakaze, over 4 years ago
In a nutshell: client encrypts to proxy, which decrypts & removes client info, then asks resolver.

> “What ODoH is meant to do is separate the information about who is making the query and what the query is,” said Nick Sullivan, Cloudflare’s head of research.

> In other words, ODoH ensures that only the proxy knows the identity of the internet user and that the DNS resolver only knows the website being requested. Sullivan said that page loading times on ODoH are “practically indistinguishable” from DoH and shouldn’t cause any significant changes to browsing speed.

CyberRabbi, over 4 years ago
All security theatre while SNI is still universally deployed. Even then most IP blocks are static and easily correlated to source site.

A tor-like solution is the only real solution for this threat model.

MrStonedOne, over 4 years ago
So I do wonder how such systems can be designed or implemented such that geoip systems can still work.

While I'm sure aws route53 and cloudflare's own routing systems can handle this properly, Cloud isn't quite the answer. Not every workload fits on the cloud (see: Discord, which runs on leased servers), and a system that breaks down if your rented datacenters aren't in alignment with Cloud operating regions doesn't make a great solution.

ajnin, over 4 years ago
At what point should we just throw IP out of the window and figure out something new? OK maybe not IP since all hardware infrastructure is based on it, but the whole idea of associating services to publicly open ports on the target machine. I'm thinking connections should be encrypted at the operating system level and then services would plug in at some higher level in a way that cannot be detected by outside observers.

OJFord, over 4 years ago
What's the advantage of this over specifying a DoH provider (as we do today with plain DNS)?

Unfortunately I suppose the only way to really do that is with a resolv file (adlist/blocklist) of DoH hosts (which exist) but instead of pointing to 0.0.0.0, point to <preferred DoH>.

Edit - d'oh! I see it now - that would mean DoH provider knows query and IP, whereas here the ODoH proxy knows your IP but not the query. Nice.

nuker, over 4 years ago
Why not DoT? And DoH is mum on http cookies: "Determining whether or not a DoH implementation requires HTTP cookie support is particularly important because HTTP cookies are the primary state tracking mechanism in HTTP." https://tools.ietf.org/html/rfc8484

dj_mc_merlin, over 4 years ago
Is it not still possible to do a pi-hole kind of setup for DoH or ODoH? All you have to do is set up the server as a proxy for all http(s) connections on top of DNS connections and trust its cert on the client. If we can reliably block all ad networks with uBlock origin, picking out DNS requests from other http requests should be even simpler, right?

hkt, over 4 years ago
DNS privacy for DoH effectively means we all lose the ability to control what our devices are connecting to. In particular, we can't block ads and trackers at the network level. The lack of fallback to regular DNS in the spec means we will choose between devices that track us while they work, or devices that are broken.

tie_, over 4 years ago
No discussion of DNS privacy should go without a link to Bert Hubert's awesome talk on the subject: https://www.youtube.com/watch?v=pjin3nv8jAo

new23d, over 4 years ago
> ODoH ensures that only the proxy knows the identity of the internet user and that the DNS resolver only knows the website being requested

Who is the proxy here, and who the DNS resolver?

phlhar, over 4 years ago
The title of the article is really misleading. I thought of a successor to IPv6 and not DNS. It shouldn't say "internet protocol", that's technically not correct.

elliottinvent, over 4 years ago
> Cloudflare is committed to end-user privacy.

Pretty crucial hyphen

dylz, over 4 years ago
Are ODOH resolvers by any disjoint partner available yet? The only one I see is the CF-owned and run one.

cblconfederate, over 4 years ago
> Sullivan said a few partner organizations are already running proxies, allowing for early adopters to begin using the technology through Cloudflare’s existing 1.1.1.1 DNS resolver.

In other words, in order to thwart efforts to make the internet anonymous, US companies are planning to take over DNS for the vast majority of people.

seek3r, over 4 years ago
I’m good with Apple’s privacy-oriented stance. But I can’t stop to think what will happen when advertisers knock on Apple’s door trying to get their hands on the users’ data that one else can access. Is Apple going to sell it out for more profits?

exabrial, over 4 years ago
Hilariously I see privacy invading advertisers loving this. No more DNS blocking ad traffic! And since it's only a matter of time before Apple removes root access on their PCs, it puts them in complete control of what you see.

aftbit, over 4 years ago
Can the proxies be (ab)used to proxy arbitrary HTTPS traffic?

theamk, over 4 years ago
This seems to require DNSSEC as a key function. @tptacek ?

ittan, over 4 years ago
This should be called DOHW, DNS over http made worse.

nalekberov, over 4 years ago
The more these big corporations get involved in this process, the more we are gonna lose our privacy.

Centralization and too much power in certain amount of hands are the source of all evil.

cannabis_sam, over 4 years ago
Has Google produced any similar initiatives?

TimWolla, over 4 years ago
Probably better source, the blog post at Cloudflare: https://blog.cloudflare.com/oblivious-dns/

See also: https://news.ycombinator.com/item?id=25344220

throwaway54235, over 4 years ago
REMINDER: Research proves that it's easy to correlate IP addresses in HTTP[S] connections with the domain you are connecting to with a very high success rate.

You can resolve the websites from the Alexa top 100k list and create a ipaddr -> website map that will successfully apply to 90% of Internet traffic without ambiguity.

A lot of research papers also show how easy it is to fingerprint and detect a TLS handshake.

Assuming the SNI problem is going to be solved, the other problems are still here.

TL;DR: use Tor.

teddyh, over 4 years ago
Sounds promising. Get back to me when it’s gotten to the RFC stage. A ready-made solution thrown over the wall like this is rarely what is ultimately adopted.

jaimex2, over 4 years ago
What's the point?

Governments subpoena the information or just block the protocol outright. (or in China, get it delivered to their door by Apple)

Commercial parties have a bag full of tricks from fingerprinting to embeds on the page itself to track you.

Privacy seeking users are already tunneling their traffic.

That leaves script kiddies at Internet cafes. TLS kind of fixed that already so... Good work?

freebuju, over 4 years ago
Misleading title. Apple devices are not anywhere near ready to utilize this dns protocol. Apart from that, yeah let's shift our dns trust to one of the biggest data resolvers! The irony...

Encrypted dns might be already in use by government or military agencies, but they know too well the effects of cascading this tech down to the masses. They will never let this reach the public.

zero_deg_kevin, over 4 years ago
No hubris here at all.

But seriously, fuck this protocol and fuck every other BigCorp-sponsored protocol to remake the Internet. We the People Who Implement Protocols are too busy keeping the lights on to chase incremental, nice-to-have improvements.

techelite, over 4 years ago
I urge people to stop repeating Apple Advertising. Claims of privacy and security are debunked weekly. You put yourself at risk if you believe it.