Today, the security company and network Cloudflare announced a plan to stop your internet service provider from creeping on your web activity. Co-developed by engineers at Apple and Fastly, the Oblivious DNS-over-HTTPS (ODoH) standard works to decouple your IP address from your queries.
ODoH is billed as an improvement to the domain name system (DNS)—the step in web browsing that’s roughly analogous to looking up a name in the phone book and retrieving that person’s number. When you type “Google.com” into an address bar, DNS is what translates that into Google’s IP address (22.214.171.124).
By default, the DNS resolver is typically owned by your internet service provider, such as Comcast or Verizon or AT&T. The plan with ODoH is to insert one more step between the user and the DNS resolver. If you’re wondering why ODoH is “oblivious,” it’s because this additional step—a proxy—keeps the IP address of the user’s machine hidden from the resolver.
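The proxy step described above, as an added example that is not code from the article or from Cloudflare's ODoH implementations: a hypothetical Go model of the trust split, using the standard library's X25519 and AES-GCM where real ODoH uses HPKE and the ODoH wire format. The client seals its question to the target resolver's public key and sends the opaque blob to the proxy; the proxy sees the client's address but not the question, and the resolver sees the question but only the proxy's address. The proxy and client addresses and the one-record zone are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Hypothetical model of the ODoH trust split (not the ODoH wire format): the
// client seals its question to the target resolver's public key and hands the
// opaque blob to a proxy. The proxy learns who asked but not what; the target
// learns what was asked but only ever sees the proxy's address.

// Each per-query key is used exactly twice, so two fixed distinct nonces are safe.
var queryNonce, answerNonce = make([]byte, 12), append(make([]byte, 11), 1)

// sharedAEAD derives an AES-256-GCM cipher from an X25519 agreement. Real ODoH
// uses HPKE with HKDF; one SHA-256 keeps the demo inside the standard library.
func sharedAEAD(priv *ecdh.PrivateKey, peerPub []byte) (cipher.AEAD, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(append([]byte("odoh-demo-key:"), shared...))
	block, _ := aes.NewCipher(key[:]) // 32-byte key: cannot fail
	return cipher.NewGCM(block)
}

// ObliviousQuery is all the proxy ever sees; nothing in it identifies the client.
type ObliviousQuery struct{ EphemeralPub, Ciphertext []byte }

// Target is the oblivious resolver: a static key plus a log of every peer address.
type Target struct {
	priv      *ecdh.PrivateKey
	SeenAddrs []string
}

func NewTarget() (*Target, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	return &Target{priv: priv}, err
}

func (t *Target) PublicKey() []byte { return t.priv.PublicKey().Bytes() }

// Resolve runs on the target; srcAddr is its transport peer, i.e. the proxy.
func (t *Target) Resolve(srcAddr string, q ObliviousQuery) ([]byte, error) {
	t.SeenAddrs = append(t.SeenAddrs, srcAddr)
	aead, err := sharedAEAD(t.priv, q.EphemeralPub)
	if err != nil {
		return nil, err
	}
	name, err := aead.Open(nil, queryNonce, q.Ciphertext, nil)
	if err != nil {
		return nil, err
	}
	answer := "NXDOMAIN" // a constructed one-record zone stands in for recursion
	if string(name) == "example.com." {
		answer = "192.0.2.10"
	}
	return aead.Seal(nil, answerNonce, []byte(answer), nil), nil
}

// Proxy relays opaque blobs and logs all it can observe: the client's address
// and the bytes on the wire (hex), so a reader can check the question is absent.
type Proxy struct {
	Addr   string
	Target *Target
	Log    []string
}

func (p *Proxy) Forward(clientAddr string, q ObliviousQuery) ([]byte, error) {
	p.Log = append(p.Log, fmt.Sprintf("from=%s wire=%x", clientAddr, q.Ciphertext))
	return p.Target.Resolve(p.Addr, q)
}

// LookupThroughProxy is the client's round trip: fresh X25519 key per question,
// question sealed to the target's key, answer opened with the same key.
func LookupThroughProxy(p *Proxy, clientAddr, name string) (string, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return "", err
	}
	aead, err := sharedAEAD(eph, p.Target.PublicKey())
	if err != nil {
		return "", err
	}
	q := ObliviousQuery{eph.PublicKey().Bytes(), aead.Seal(nil, queryNonce, []byte(name), nil)}
	encAnswer, err := p.Forward(clientAddr, q)
	if err != nil {
		return "", err
	}
	answer, err := aead.Open(nil, answerNonce, encAnswer, nil)
	return string(answer), err
}

func main() {
	t, err := NewTarget()
	if err != nil {
		panic(err)
	}
	p := &Proxy{Addr: "203.0.113.5", Target: t}                        // constructed proxy address
	ans, err := LookupThroughProxy(p, "198.51.100.23", "example.com.") // constructed client address
	fmt.Println("answer:", ans, err, "| proxy log:", p.Log, "| resolver saw:", t.SeenAddrs)
}
```

Running it prints the answer, a proxy log line that carries the client's address and only ciphertext, and a resolver log that contains the proxy's address alone. The important design point the model preserves is that the proxy never holds a key that can open the query, and the resolver never learns a transport address other than the proxy's; it only becomes a privacy gain when the proxy and the resolver are run by parties that do not share logs, which is why the article stresses resolvers other than the ISP's.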
We don’t really know to what extent service providers use query information, but one known application is advertising. (AT&T, for example, says that it may collect information like your age and gender and combine that with your use of their services to deliver ads.) Thanks to a bill Trump signed into law, ISPs don’t need your permission to track and sell that data, either. Although several ISPs have vowed to provide an opt-out option, that’s usually buried under a mountain of jargon. As the Electronic Frontier Foundation has pointed out, some adtech companies admit that they collect data from unnamed telecoms. Perhaps that makes you uncomfortable, in which case you’re among the people who might relish ODoH in the near future.
“The DNS ecosystem is one of the earlier parts of the internet, and it wasn’t designed with encryption or privacy in mind,” Cloudflare’s Head of Research Nick Sullivan told Gizmodo. “It was designed as kind of a control system for the internet.”
Cloudflare seems to view this less as a strike against ISPs and more as part of its larger mission to create a Magna Carta for the internet, like its cornerstone project 126.96.36.199, its own privacy-centric DNS resolver and directory. In its announcement, Cloudflare expresses the hope that this will make people feel more secure about using Cloudflare (similarly, it makes sense that Apple, which has spent all of recent memory branding itself as a privacy defender, would be interested).
Although a few resolvers (188.8.131.52, 184.108.40.206, and 220.127.116.11) currently accept ODoH requests, for now it’s still mostly a dream. Cloudflare freely calls it an “emerging protocol,” and although its announcement today came with some major endorsements, it will need browser- or device-side implementations for adoption to spread beyond those with the technical skill to tinker with it.
That said, if you’re confident in your dev skills, Cloudflare open-sourced implementations in both Go and Rust.