Cloudflare is proposing a new DNS standard it developed with Apple that’s designed to help close a blind spot in my (and I’m sure many others’) internet privacy measures (via TechCrunch). The protocol is called Oblivious DNS over HTTPS (ODoH), and it’s meant to help anonymize the information that’s sent before you even make it onto a website. Whether that will help you with your overall net privacy is something we’ll tackle in a second, but first, we need to understand how regular DNS works and what Cloudflare has added.
Basically, DNS lets us use the web without having to remember the IP address of every site we want to visit. While we humans can easily understand names like “theverge.com” or “archive.org,” computers use IP addresses (like 184.108.40.206) to route their requests across the internet instead. This is where DNS comes in: when you type in a website’s name, your computer asks a DNS server (usually run by your ISP) to translate a name like “theverge.com” to the site’s actual IP. The DNS server will send it back, and your computer can load the site. (There are WAY more steps in this process, but this basic flow is all we’ll need to know to understand ODoH.)
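To make the name-to-IP step concrete, here is an added example (not code from the article, Cloudflare or Apple) that builds a real DNS query for “theverge.com” in wire format and decodes a constructed response carrying the article’s example address. The response bytes are assembled locally to look like what a resolver would send back; no network traffic is involved.

```python
"""Build a DNS query and decode a DNS response, byte for byte (RFC 1035 wire format).

Added illustration: the response is constructed here, not fetched from a resolver.
"""
import struct


def encode_name(name):
    """'theverge.com' -> b'\x08theverge\x03com\x00' (length-prefixed labels, zero terminator)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, txn_id=0x1234):
    """12-byte header with RD=1 and one question for an A (IPv4) record in class IN."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def decode_name(msg, offset):
    """Read a name at offset, following compression pointers; return (name, next_offset)."""
    labels = []
    end = None  # set when we follow a pointer, so the caller resumes after the pointer
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # top two bits set: 14-bit pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_response(msg):
    """Return (transaction id, flags, [(name, ipv4, ttl), ...]) from a DNS reply."""
    txn_id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = decode_name(msg, offset)
        offset += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:  # A record: four raw address bytes
            answers.append((name, ".".join(str(b) for b in rdata), ttl))
    return txn_id, flags, answers


def build_response(query, ip, ttl=300):
    """Constructed reply: same id, flags QR|RD|RA with RCODE 0, the question echoed,
    then one A record whose owner name is a pointer (0xC00C) back to offset 12."""
    txn_id = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txn_id, 0x8180, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(x) for x in ip.split("."))
    return header + query[12:] + rr


if __name__ == "__main__":
    q = build_query("theverge.com")
    r = build_response(q, "184.108.40.206")  # constructed; 184.108.40.206 is the article's example
    print("query :", q.hex())
    print("answer:", parse_response(r))
```

Every field the resolver sees is in the clear in plain DNS: the hostname sits in the question section as readable ASCII labels, which is exactly what the rest of the article is about.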
If you’re concerned about privacy, you may have noticed that this system lets whoever runs the DNS server know about (and keep track of) every website you’re visiting. Usually, it’s your ISP running that server, and there’s nothing stopping them from selling that data to advertisers. This is the problem Cloudflare and co. are looking to solve with ODoH.
The protocol works by introducing a proxy server between you and the DNS server. The proxy acts as a go-between, sending your requests to the DNS server, and delivering its responses back without ever letting it know who requested the data.
Just introducing a proxy server, though, is only moving the problem up one level: if it has the request, and also knows you sent it, what keeps it from making its own log of sites you visited? That’s where the “DNS over HTTPS” (DoH) part of ODoH comes in. DoH is a standard that’s been around for a couple of years, though it isn’t very widespread. It uses encryption to ensure that…
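The proxy-plus-encryption split described above is easiest to see by watching what each party can log. The following is an added simulation, not code from Cloudflare, Apple or the article: a client, a proxy and a target resolver exchange a query for “theverge.com,” and afterwards the proxy’s log holds the client’s address but only opaque bytes, while the target’s log holds the hostname but only the proxy’s address. The real protocol (RFC 9230) encrypts the query to the target’s HPKE public key; as a stand-in so the example runs on the Python standard library alone, a constructed pre-shared key with an HMAC-SHA256 keystream and an HMAC tag (encrypt-then-MAC) is used instead. All addresses and zone data are constructed.

```python
"""Three-party ODoH-style exchange: client -> proxy -> target resolver.

Added illustration of the information split only. The pre-shared key and the
HMAC-based cipher are stand-ins for the HPKE encryption the real protocol uses.
"""
import hashlib
import hmac
import secrets

TARGET_KEY = bytes(range(32))  # constructed stand-in for the HPKE-derived key (assumption)


def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode, used as a stream cipher keystream."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def seal(key, plaintext):
    """Return nonce || ciphertext || tag; only a holder of `key` can read or alter it."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("ciphertext rejected: bad tag")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class Target:
    """The resolver: it decrypts, so it learns the name, but its peer is always the proxy."""
    def __init__(self, key, zone):
        self.key, self.zone, self.log = key, zone, []

    def handle(self, peer_addr, sealed_query):
        name = unseal(self.key, sealed_query).decode("ascii")
        self.log.append({"peer": peer_addr, "name": name})
        return seal(self.key, self.zone.get(name, "NXDOMAIN").encode("ascii"))


class Proxy:
    """Forwards opaque blobs: it sees who connected and nothing about the query."""
    ADDR = "203.0.113.10"  # constructed proxy address

    def __init__(self, target):
        self.target, self.log = target, []

    def handle(self, client_addr, sealed_query):
        self.log.append({"peer": client_addr, "body": sealed_query})
        return self.target.handle(self.ADDR, sealed_query)


class Client:
    ADDR = "198.51.100.7"  # constructed client address

    def __init__(self, key, proxy):
        self.key, self.proxy = key, proxy

    def lookup(self, name):
        sealed_answer = self.proxy.handle(self.ADDR, seal(self.key, name.encode("ascii")))
        return unseal(self.key, sealed_answer).decode("ascii")


def run_demo(name="theverge.com"):
    """Run one lookup; return (answer, proxy log, target log) for inspection."""
    target = Target(TARGET_KEY, {"theverge.com": "184.108.40.206"})  # constructed zone
    proxy = Proxy(target)
    answer = Client(TARGET_KEY, proxy).lookup(name)
    return answer, proxy.log, target.log


def tampered_query_is_rejected():
    """A proxy that edits the blob in transit is caught by the tag check."""
    tampered = bytearray(seal(TARGET_KEY, b"theverge.com"))
    tampered[20] ^= 0xFF  # flip a ciphertext byte
    try:
        unseal(TARGET_KEY, bytes(tampered))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    answer, proxy_log, target_log = run_demo()
    print("answer   :", answer)
    print("proxy saw:", proxy_log[0]["peer"], proxy_log[0]["body"][:8].hex() + "...")
    print("target saw:", target_log)
```

The guarantee rests entirely on the proxy and the target being run by different, non-colluding operators: if one party held both logs it could join the client address to the hostname again, which is why Cloudflare’s design separates the two roles.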