Oblivious DNS Deployed by Cloudflare and Apple

Nick Feamster
Noise Lab
Dec 9, 2020


Over the past several years, our research group has been exposing the various privacy risks of Domain Name System (DNS) traffic and developing mechanisms to improve DNS privacy.

Briefly, the DNS is the Internet protocol that maps a domain name such as uchicago.edu to an Internet address such as 34.200.129.209. Over the years the DNS has been used for many purposes beyond simple name lookups. For example, it is the transport for DNS-based blocklists (DNSBLs), which are critical to fighting spam and malware; and monitoring DNS traffic itself has become critical to many aspects of Internet security, since queries for malicious domains are often the first observable indication that a device on a network has been compromised.

Unfortunately, the DNS also carries privacy risks. In 2016, we demonstrated that DNS queries can reveal information about the devices connected in your home. In 2017, we showed how DNS queries could allow an observer to determine which websites a user was visiting, even if the user was using a VPN or Tor. In particular, our research found that 40% of Tor's exit nodes by bandwidth were using Google Public DNS to resolve DNS queries, thus giving Google significant visibility into the traffic on the Tor network, across all users.
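The two faces of DNS traffic described above, the same query log serving as a detection source and as a browsing profile of every client, can be shown with a few lines of code. The following is an added example, not code from the post or from the Noise Lab; the query log, the client addresses, the `malware.example` blocklist entries and the `bl.example` DNSBL zone are all constructed for illustration. It parses a constructed resolver log, suffix-matches each queried name against a local blocklist (the security use), aggregates which names each client resolved (the privacy exposure), and builds the reversed-octet lookup name that DNS-based blocklists use (RFC 5782 style).

```python
import ipaddress
from collections import defaultdict

# Constructed sample resolver log (not from the original post). Each line:
# <unix_time> <client_ip> <query_name> <qtype>
SAMPLE_LOG = """\
1607500001 192.168.1.10 uchicago.edu A
1607500002 192.168.1.10 www.uchicago.edu A
1607500003 192.168.1.11 updates.malware.example A
1607500004 192.168.1.11 cdn.malware.example A
1607500005 192.168.1.12 api.smart-thermostat.example AAAA
1607500006 192.168.1.10 mail.example.org MX
"""

# Hypothetical local blocklist of malicious domains (not a real feed).
BLOCKLIST = {"malware.example", "phish.example"}


def parse_log(text):
    """Parse the constructed log format into (time, client, qname, qtype) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype = line.split()
        # DNS names are case-insensitive and may carry a trailing dot; normalize both.
        records.append((int(ts), client, qname.lower().rstrip("."), qtype))
    return records


def is_blocklisted(qname, blocklist=BLOCKLIST):
    """Suffix match on whole labels: if evil.example is listed, a.evil.example
    and evil.example match, but notevil.example does not."""
    labels = qname.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in blocklist:
            return True
    return False


def find_hits(records, blocklist=BLOCKLIST):
    """Security use of the log: which clients asked for a blocklisted name, and which names."""
    hits = defaultdict(set)
    for _, client, qname, _ in records:
        if is_blocklisted(qname, blocklist):
            hits[client].add(qname)
    return {client: sorted(names) for client, names in hits.items()}


def browsing_profile(records):
    """Privacy exposure of the same log: the resolver operator (or anyone on the
    path to it) learns which names each client resolved, i.e. which sites and
    devices are behind each address."""
    profile = defaultdict(set)
    for _, client, qname, _ in records:
        profile[client].add(qname)
    return {client: sorted(names) for client, names in profile.items()}


def dnsbl_query_name(ip, zone):
    """Build the lookup name for a DNS-based blocklist (RFC 5782 style): the IPv4
    octets reversed and appended to the list's zone. A listing is returned as an
    A record in 127.0.0.0/8; NXDOMAIN means 'not listed'. The zone is an assumption."""
    addr = ipaddress.IPv4Address(ip)
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("blocklist hits:", find_hits(recs))
    print("per-client profile:", browsing_profile(recs))
    print("DNSBL query for 203.0.113.7:", dnsbl_query_name("203.0.113.7", "bl.example"))
```

The point of `browsing_profile` is that it needs nothing the detection code does not already have: whoever can run `find_hits` over a resolver's logs can equally well profile every client behind it, which is exactly the visibility a heavily used public resolver gains over the traffic it serves.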

Neubauer Professor of Computer Science, University of Chicago. The Internet, research, running, & life. https://people.cs.uchicago.edu/~feamster/