Engineers from Apple and Cloudflare say they have closed one of the biggest remaining gaps in internet privacy, thanks to a new protocol called Oblivious DNS-over-HTTPS.
According to a new report from TechCrunch, regular DNS over HTTPS (DoH) is a relatively recent protocol that encrypts DNS lookups so that third parties on the network path, such as an ISP, cannot see which sites a user visits. DNS over TLS (DoT) has the same goal: it protects queries from interception between a user's device and the DNS resolver. Recent versions of Firefox, iOS and other software support those protocols, but DoH and DoT have not been without controversy.
“Until there is wider deployment among Internet service providers, Cloudflare is one of only a few providers to offer a public DoH/DoT service. This has raised two main concerns,” Cloudflare wrote. “One concern is that the centralization of DNS introduces single points of failure (although, with data centers in more than 100 countries, Cloudflare is designed to always be reachable). The other concern is that the resolver can still link all queries to client IP addresses.”
The new protocol, dubbed Oblivious DNS-over-HTTPS (ODoH), works by wrapping an extra layer of encryption around the DNS query and routing it through a proxy server that sits between the user and the DNS resolver. TechCrunch breaks it down:
Here’s how it works: ODoH wraps a layer of encryption around the DNS query and passes it through a proxy server, which acts as a go-between for the internet user and the website they want to visit. Because the DNS query is encrypted, the proxy can’t see what’s inside, but it acts as a shield to prevent the DNS resolver from seeing who sent the query to begin with.
“What ODoH is meant to do is separate the information about who is making the query and what the query is,” said Nick Sullivan, Cloudflare’s head of research.
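To make the separation Sullivan describes concrete, here is an added toy model of one ODoH exchange written for this page. It is not Cloudflare's or Apple's code and does not implement RFC 9230's wire format. The client encrypts its query, plus a fresh response key, to the target's public key; the proxy forwards opaque bytes and sees only the client's address; the target decrypts, answers, and sees only the proxy's address. A finite-field Diffie-Hellman exchange and an HMAC-SHA256 keystream with a MAC stand in for the HPKE encryption real ODoH uses, the DH parameters are illustrative rather than secure, and the hostnames, IP addresses and zone table are constructed.

```python
"""Toy model of the ODoH split: proxy learns who asked, target learns what.
Added example (not Cloudflare's or Apple's code), stdlib only: finite-field
DH and an HMAC-SHA256 keystream stand in for real ODoH's HPKE (RFC 9230);
parameters are illustrative, NOT secure. Names/addresses are constructed."""
import hashlib
import hmac
import secrets

P = (1 << 255) - 19  # prime modulus for the toy DH; not a vetted DH group
G = 2


def derive_key(shared: bytes) -> bytes:
    """Turn the DH shared secret into a 32-byte request key."""
    return hmac.new(b"odoh request", shared, hashlib.sha256).digest()


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a toy stream cipher."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy AEAD producing nonce || ciphertext || tag (stand-in for AES-GCM)."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Check the tag, then strip the keystream. Raises on a wrong key or tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ODoH message failed authentication")
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))


class Target:
    """The oblivious target (resolver): long-term key pair plus a zone to answer from."""
    def __init__(self, zone: dict):
        self.sk = secrets.randbelow(P - 2) + 1
        self.pk = pow(G, self.sk, P)  # the published config; real ODoH serves it in DNS HTTPS records
        self.zone = zone
        self.log = []  # (source address, plaintext name): all the target could ever record

    def handle(self, src_ip: str, eph_pk: int, blob: bytes) -> bytes:
        shared = pow(eph_pk, self.sk, P).to_bytes(32, "big")
        body = unseal(derive_key(shared), blob)
        resp_key, qname = body[:32], body[32:].decode()  # client's response key rides inside
        self.log.append((src_ip, qname))
        answer = self.zone.get(qname, "NXDOMAIN")
        return seal(resp_key, answer.encode())  # only the client holds resp_key


class Proxy:
    """The oblivious proxy: forwards opaque bytes and never holds a decryption key."""
    def __init__(self, target: Target, ip: str):
        self.target, self.ip, self.log = target, ip, []

    def relay(self, client_ip: str, eph_pk: int, blob: bytes) -> bytes:
        self.log.append((client_ip, blob))  # the proxy sees who, but only ciphertext
        return self.target.handle(self.ip, eph_pk, blob)  # the target sees the proxy's address


class Client:
    def __init__(self, ip: str, target_pk: int):
        self.ip, self.target_pk = ip, target_pk

    def resolve(self, proxy: Proxy, qname: str) -> str:
        x = secrets.randbelow(P - 2) + 1  # fresh ephemeral key per query
        shared = pow(self.target_pk, x, P).to_bytes(32, "big")
        resp_key = secrets.token_bytes(32)  # fresh too, so answers cannot be linked to each other
        blob = seal(derive_key(shared), resp_key + qname.encode())
        return unseal(resp_key, proxy.relay(self.ip, pow(G, x, P), blob)).decode()


def run_demo(qname: str = "mail.example.test") -> dict:
    """Run one ODoH exchange and return every party's view so the split can be checked."""
    zone = {"mail.example.test": "192.0.2.10", "www.example.test": "192.0.2.20"}  # constructed
    target = Target(zone)
    proxy = Proxy(target, ip="198.51.100.7")
    client = Client(ip="203.0.113.42", target_pk=target.pk)
    answer = client.resolve(proxy, qname)
    return {"answer": answer, "proxy_log": proxy.log, "target_log": target.log,
            "client_ip": client.ip, "proxy_ip": proxy.ip}


if __name__ == "__main__":
    view = run_demo()
    print("client got:", view["answer"])
    print("proxy saw:", [(ip, blob[:8].hex() + "...") for ip, blob in view["proxy_log"]])
    print("target saw:", view["target_log"])
```

Running it prints the client's answer next to what each intermediary could have logged: the proxy's log pairs the client's address with ciphertext, and the target's log pairs the plaintext name with the proxy's address. The split only holds while the proxy and the target are operated by parties that do not pool their logs; a single operator running both ends learns exactly what a plain DoH resolver does.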
The new protocol also does not appear to add noticeable latency to page loads. It is a significant step, but it may be a while before the technology reaches the mainstream: TechCrunch notes it could take months or even years before the protocol is built into browsers and operating systems.