Cloudflare claims its new DNS resolver will provide enhanced privacy for users, but it is unclear how much different...
the service will be from competing resolvers.
Cloudflare introduced its 126.96.36.199 DNS resolver service and immediately went on the attack against data collection practices by internet service providers (ISPs).
"By default, your ISP, every Wi-Fi network you've connected to, and your mobile network provider have a list of every site you've visited while using them," Matthew Prince, CEO and co-founder of Cloudflare, wrote in a blog post. He added that laws banning ISPs from selling that data have been revoked. "With all the concern over the data that companies like Facebook and Google are collecting on you, it worries us to now add ISPs like Comcast, Time Warner, and AT&T to the list. And, make no mistake, this isn't a U.S.-only problem -- ISPs around the world see the same privacy-invading opportunity."
But ISPs weren't Cloudflare's only target. On the official 188.8.131.52 DNS landing page, Cloudflare noted: "Creepily, some DNS providers sell data about your internet activity or use it [to] target you with ads."
Cloudflare did not directly mention which DNS providers engage in these "creepy" practices but promised it would be better.
"We committed to never writing the querying IP addresses to disk and wiping all logs within 24 hours," Prince wrote. "Cloudflare's business has never been built around tracking users or selling advertising. We don't see personal data as an asset; we see it as a toxic asset."
"Usually, the ISP supplies the resolver and then sells the traffic data to advertisers. Instead of routing through your ISP resolver, the 184.108.40.206 DNS resolver is running on every Cloudflare metal," Sullivan said. "Because Cloudflare provides DNS service for a DNS root server and for 7 million domains, DNS will be instant to resolve for most sites on the internet because the answers are sitting on the same service as the resolver."
However, Sullivan did not say how the Cloudflare resolver alone could meaningfully hide traffic from ISPs.
Comparing Cloudflare's 220.127.116.11 DNS to the competition
Despite Cloudflare's language against tracking practices of ISPs, it is also unclear if the 18.104.22.168 DNS resolver can completely mitigate that issue. Prince's blog post mentioned DNS-over-TLS and DNS-over-HTTPS, both of which are supported by the 22.214.171.124 DNS resolver, but did not directly connect those features to ISP privacy. Prince acknowledged that Google's DNS service was the only major resolver supporting DNS-over-HTTPS, but noted that "non-Chrome browsers and non-Android operating systems have been reluctant to build a service that sends data to a competitor."
"DNS inherently is unencrypted so it leaks data to anyone who's monitoring your network connection. While that's harder to monitor for someone like your ISP than if they run the DNS resolver themselves, it's still not secure," Prince wrote. "What's needed is a move to a new, modern protocol. There are a couple of different approaches. One is DNS-over-TLS. That takes the existing DNS protocol and adds transport layer encryption. Another is DNS-over-HTTPS. It includes security but also all the modern enhancements like supporting other transport layers and new technologies like server HTTP/2 Server Push."
However, experts have pointed out that "supporting" these transport security protocols is not the same as implementing, because both require implementation by the DNS client talking to the DNS resolver.
Shawn Webb, co-founder of HardenedBSD, security-enhanced fork of the FreeBSD operating system, noted that "if you don't use their DNS-over-TLS service, then you're still sending DNS queries and getting the responses back over plaintext," and some ISPs have been known to hijack those requests.
By using CloudFlare's DNS service, not only are you giving both your ISP and CloudFlare your DNS data, but any hop in between now.— Shawn Webb (@lattera) April 2, 2018
Additionally, Cloudflare's claim that its 126.96.36.199 DNS resolver does not permanently log IP addresses seems to be intended to differentiate its policies from competing DNS offerings, but when comparing it to the privacy claims in the Google's Public DNS FAQ, the language appears very similar.
"The temporary logs store the full IP address of the machine you're using. We have to do this so that we can spot potentially bad things like DDoS attacks and so we can fix problems, such as particular domains not showing up for specific users. We delete these temporary logs within 24 to 48 hours," Google wrote in its privacy FAQ. "In the permanent logs, we don't keep personally identifiable information or IP information. We do keep some location information (at the city/metro level) so that we can conduct debugging, analyze abuse phenomena. After keeping this data for two weeks, we randomly sample a small subset for permanent storage."
Google also promises it will not use its Public DNS to serve ads.
The APNIC in the room
Another piece of the data storage puzzle with 188.8.131.52 DNS is the research partnership between Cloudflare and the Asia Pacific Network Information Centre (APNIC) -- the regional internet registry that hands out IP addresses in the Asia-Pacific region and owns the 184.108.40.206 IP address.
The partnership is scheduled to last for five years at which point the two organizations will renew the partnership or APNIC may choose to "permanently allocate" the 220.127.116.11 address to Cloudflare.
However, while Cloudflare has been explicit about not storing traffic data for longer than 24 hours, APNIC was vaguer in its data storage timetable.
"We are committed to treat all data with due care and attention to personal privacy and wish to minimize the potential problems of data leaks. We will be destroying all 'raw' DNS data as soon as we have performed statistical analysis on the data flow," Geoff Huston, chief scientist at APNIC, wrote in its announcement. "We will not be compiling any form of profiles of activity that could be used to identify individuals, and we will ensure that any retained processed data is sufficiently generic that it will not be susceptible to efforts to reconstruct individual profiles. Furthermore, the access to the primary data feed will be strictly limited to the researchers in APNIC Labs, and we will naturally abide by APNIC's non-disclosure policies."