Recently, the US Congress put an end to an FCC regulation meant to strengthen privacy for Internet users. By doing so, they gave the green light to Internet service providers to collect their customers’ data without their consent.
Some states in the US are working on the enactment of their own ISP privacy. At the same time, private companies, nonprofits, and academics are developing technical workarounds that would make it increasingly difficult for ISPs to eavesdrop on their users.
As a result of the above efforts, two projects have recently emerged with the aim of improving the privacy of Internet users by upgrading the DNS—the address book of the Internet—to make it difficult for ISPs to pinpoint the web pages visited by their customers. In addition to that, the projects are also geared toward increasing Internet users’ security from hackers who attempt to hijack their web traffic.
Recently, Mozilla and Cloudflare launched a privacy solution that relies on a new version of DNS which is encrypted. In the meantime, Princeton researchers have put forward another adjustment to the DNS, intended to further conceal users’ online activity.
Plugging the Leak in the Internet’s Plumbing
The domain name system (DNS) translates easily memorized website addresses, such as VPNBase.com, to their numerical formats (IP addresses such as 172.267.5.196) that are understood by computers. When your phone connects to the Internet, or your computer connects to a public hotspot or your home router, you are automatically connected to the DNS server owned by your ISP. As a result, your ISP obtains a log of all the websites that you visit, a fact that many Internet users rightly find disturbing.
The good news is that you can connect the IP address of a different DNS server to the operating system of your phone or computer. For example, Google offers a free DNS service with the IP address 18.104.22.168. Many Internet users have found this service useful, especially when tyrannical regimes attempt to block connectivity by disrupting other DNS servers.
Other approaches currently used to try and circumvent the privacy vulnerability resulting from DNS include DNS Query Name Minimization and DNS over TLS. Unfortunately, these approaches are not fully effective in preventing ISPs and other parties from determining which IP addresses are requesting the addresses for certain websites. In other words, they do not solve the core privacy problem of DNS.
DNS Query Name Minimization works by preventing certain DNS servers from obtaining all the information about a DNS query. For instance, the authoritative DNS server for the entire *.com category would not obtain all the information about a request for, say, contacts.google.com, even though it would know that some google.com subdomain needs to be resolved by the client. The weakness of this approach is that certain DNS servers can still access data from an ISP’s customer.
The DNS over TLS approach involves encryption of DNS queries. The problem is that certain DNS servers must decrypt the initial query for them to resolve the client’s query. That leaves users vulnerable to privacy invasion.
For these reasons, Cloudflare has now launched a free DNS at IP address 22.214.171.124, specifically aimed at promoting online privacy. It has partnered with Mozilla to use the Firefox web browser to operate an encrypted connection. Cloudflare is among the most established delivery networks positioned between the open Internet and websites, ensuring that its clients’ website content is delivered faster and that the websites are safe from cyber attacks. It is important to note that the 126.96.36.199 IP address is not limited to Cloudflare users, it is available to other websites and users, as well.
Setting Up the Service
The first step is setting up your device to use DNS servers owned by Cloudflare. Instructional videos can be viewed on the company’s landing page for iOS, Android, MacOS, and Windows operating systems. This step alone will noticeably improve your online privacy. By not using DNS servers owned by your ISP, you are preventing it from automatically collecting data on the web pages that your device requests.
For improved online security, it will be necessary for you to set up an encrypted connection between your web app or browser and Cloudflare by using an innovative technology standard referred to as DNS over HTTPS. This new technology obfuscates the identity of the website you visit in a manner similar to the encrypted connection that shields your data exchange with the website of your bank. Among the major web browsers, Firefox is the first to offer this technology. It is, however, offered in the beta versions for Firefox, and not for the standard download version.
Crucially, the routing system operated by your ISP does need to know what websites you visit using your computer or phone. Therefore, it can still determine the IP addresses of the pages it delivers to your device, check which websites own those addresses and use the data to create your web-surfing profile. However, doing so would require more work than a cursory look at the logs from its DNS servers.
ISP and Governments Versus VPNs and Online Privacy Advocates like Cloudflare — Who Do You Trust?
The above technology, and others in the pipeline create new options for Internet users. On their part, Internet users need to decide where they would rather place their trust: in their ISPs, or other parties such as Cloudflare and VPN service providers who exist solely to ensure the protection of users’ data.
Critics of Cloudflare and VPN service providers accuse these enterprises of promoting free-speech absolutism that enables people with ill motives to use their services. However, VPN service providers and companies like Cloudflare continue to enjoy a positive image in the public for combating censorship and fighting for net neutrality. These companies play an indispensable role in protecting websites which feature politically dissenting and humanitarian content from the cyberattacks of vigilantes and overzealous government agencies.
Data security experts and online privacy advocates all agree that ISPs need to adopt privacy policies which guarantee that they will not collect, sell, or give away the data of their customers. To back up these policies, private companies should hire independent third-party auditors to confirm that they, in fact, do not keep records of their customers’ online activity that is facilitated by their servers. Granted, hiring third-party auditors is far from the perfect solution. Still, it adds to the credibility of the ISPs.
“So, what’s in it for Cloudflare?” you may wonder. According to Cloudflare CEO Matthew Prince, the company’s business model is not built around monetizing data collected from customers. Rather, Cloudflare’s reason for partnering with Mozilla on the project was to make the websites of its customers faster for Internet users who use Cloudflare’s DNS service. Analytics from DNSPerf show that the DNS servers operated by Cloudflare is the fastest globally.
It is certainly an advantage for content delivery networks to also operate the DNS. In addition to improving their service delivery, the fact that they do not benefit from collecting user data makes them the perfect intermediary to offer DNS services.
Nonetheless, if data security experts, online privacy advocates, and Internet users had their way, no one would even have the ability to decide which websites Internet users are visiting. Nick Feamster, a computer science professor at Princeton who specializes in networking technology, recently proposed a fix he christened “Oblivious DNS” which would keep everyone in the dark.
The workings of the technology are quite complex, but the short of it is that it employs an additional layer of encryption which separates the IP address of a user requesting a web page from the address of the page being requested by the user. It would be almost impossible for anyone to sniff out the connection between the two bits of information. Oblivious DNS is driven by the same philosophy behind the Cloudflare and Mozilla project.
It is important to note that the DNS-over-HTTPS technology used for the Cloudflare/Mozilla DNS service is not exclusive to them. It is a fast-evolving technological standard that can be adopted by anyone interested in improving the privacy of users on the vast Internet.
Interestingly, data security was not the driving force behind DNS technology, which is a few decades old. By default, all your DNS requests are sent through a connection that is not encrypted. This means that your ISP, the coffee shop you are browsing from, the hotel you’re staying in, and anyone sharing your connection can know all the websites you are visiting. So, hackers eavesdropping on the network can intercept your DNS queries and modify the results to redirect to a website you had no plans of visiting, such as a site that hosts malware.
DNS is one of the biggest Internet security leaks which data security experts, VPN service providers, and online privacy advocates have been trying to plug for the last two or three decades. DNS over HTTPS technology might just be what they need to finally achieve this noble goal. However, it is on you, the individual user, to keep yourself informed of the threats to your online privacy and emerging technologies that ensure no unauthorized parties can snoop in on your online activity.