Just a few days ago Cloudflare announced that, in partnership with APNIC, it is rolling out a new "privacy-first" DNS resolver: 1.1.1.1. Positioned as an alternative to Google's public DNS (the famous 8.8.8.8 and 8.8.4.4), Cloudflare boasts speed and privacy as the main pillars of its offer.¹ In short, "we're faster and we're not Google" is the selling point, and they are not the first to run on the "because we're not Google" slogan.
I tested out 1.1.1.1 on my router and machines and I honestly cannot comment on the speed factor – I did not run any tests and I'm not here to question the speed claims. However, the nature of DNS is what got me interested. In particular, its inherent insecurity.
Whether you use your ISP's default, Google's, or now Cloudflare's resolver, the security and privacy problem of DNS as a service persists.
Let’s dig in.
First, since DNS resolvers are responsible for translating a human-readable domain name (the host part of a URL) into an IP address, they are always a central point that sees both who is asking (the client's IP address) and what is being asked for (the name). A resolver does not see the full URL or the page content, but the name alone, tied to a client and a timestamp, makes it an excellent behavior-tracking tool even without any additional information.
While Google and several other providers claim that they delete their DNS logs within 24 hours, nowhere do we have proof of that.² Moreover, Google's public DNS has been operating for years without any independent audit. Only Cloudflare has announced that it will let KPMG audit its DNS operations, a first, in 2018.
If you are using the default ISP-provided modem or router, chances are that you are using your ISP's DNS servers to resolve your queries. Keep in mind that your ISP most likely has no legal or contractual obligation to delete, anonymize or obfuscate the DNS query log or the behavioral data gathered on you. In fact, many ISPs are happy to sell your data to the highest bidder at any time.³
You may think: I'll just switch to an open-source or smaller DNS provider! While that is a logical choice privacy-wise, it is not necessarily a secure one.
With smaller or community-run resolvers, you often don't know who is providing the service, for what reason, and what their security guarantees are.
As I mentioned above, a DNS resolver's basic function is to turn a domain name into an IP address. For example, my website waluszko.net resolves to 188.8.131.52. So when I type that address (or click a link somewhere on the web), I am trusting a specific resolver to translate "waluszko.net" into the right IP address.
However, what's preventing someone from putting a copy of my website at another IP address and pointing all your requests for waluszko.net there? In plain DNS, nothing. Answers are neither signed nor authenticated, so whoever controls your resolver (or can spoof its answers) controls where you end up. The only checks that exist are DNSSEC validation on the resolver side, which most resolvers and clients do not require, and TLS at the application layer: a copy served from the wrong IP cannot present a valid certificate for waluszko.net unless the attacker also obtains one.
And this is precisely how the DNS-based variant of phishing (often called pharming) works. The operation is simple:
a) make a copy of your bank's website,
b) get you to log in to the fake website,
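To make the point above concrete, here is a small Python example, added here and not part of the original post, that builds a DNS query and a DNS answer in RFC 1035 wire format. The hostname is the page's own; the IP addresses are constructed sample values from the documentation ranges (203.0.113.0/24 and 198.51.100.0/24). It shows three things: the queried name travels in cleartext, so the resolver and anyone on the path sees exactly what you look up; a DNS answer carries nothing that proves the IP belongs to the domain owner, so whoever replies first with the matching transaction id wins; and a cheap cross-check, comparing the same name across several resolvers, which assumes that most of them are honest.

```python
"""Minimal DNS wire-format helpers (RFC 1035) to show what a resolver sees and
why a plain DNS answer cannot be trusted on its own.

Added example, not code from the original post. IPs below are constructed
sample data (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges)."""
import random
import struct
from collections import Counter
from typing import Dict, List, Optional, Set, Tuple


def build_query(name: str, qtype: int = 1, txid: Optional[int] = None) -> bytes:
    """Encode a DNS query for `name` (qtype 1 = A record). The name travels in
    cleartext: the resolver, and anyone on the path, can read it."""
    txid = random.randrange(0, 0x10000) if txid is None else txid
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)  # class IN


def build_response(query: bytes, ip: str, ttl: int = 300, ad: bool = False) -> bytes:
    """Answer `query` with a single A record. This is all it takes to act as
    "the resolver": copy the 16-bit transaction id and the question, attach any
    IP you like. Nothing in the message proves the IP belongs to the zone owner;
    only a DNSSEC-validating resolver sets the AD bit, after checking signatures."""
    (txid,) = struct.unpack(">H", query[:2])
    question = query[12:]                        # qname + qtype + qclass, verbatim
    flags = 0x8180 | (0x0020 if ad else 0)       # QR=1 RD=1 RA=1, optional AD
    header = struct.pack(">HHHHHH", txid, flags, 1, 1, 0, 0)
    rdata = bytes(int(octet) for octet in ip.split("."))
    # answer name is a compression pointer (0xC00C) back to the question at offset 12
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def _read_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels: List[str] = []
    end = offset
    jumped = False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                # compression pointer
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack(">H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_response(msg: bytes, expected_txid: int) -> Dict:
    """Parse a response, rejecting it if the transaction id does not match. That
    id (plus the UDP source port) is the only anti-spoofing check in plain DNS."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch: spoofed or stale response")
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        qname, offset = _read_name(msg, offset)
        offset += 4                               # skip qtype, qclass
        questions.append(qname)
    for _ in range(an):
        rname, offset = _read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", msg[offset:offset + 10])
        offset += 10
        rdata, offset = msg[offset:offset + rdlen], offset + rdlen
        if rtype == 1 and rdlen == 4:             # A record
            answers.append((rname, ".".join(str(b) for b in rdata), ttl))
    return {"txid": txid, "rcode": flags & 0xF, "ad": bool(flags & 0x0020),
            "questions": questions, "answers": answers}


def answers_diverge(results: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Given the A records each resolver returned for the same name, report the
    resolvers that disagree with the most common answer set. A cheap sanity check
    for a resolver you don't fully trust; it assumes most resolvers are honest."""
    counts = Counter(frozenset(ips) for ips in results.values())
    majority = counts.most_common(1)[0][0]
    return {r: ips for r, ips in results.items() if frozenset(ips) != majority}


if __name__ == "__main__":
    q = build_query("waluszko.net", txid=0x1234)
    honest = parse_response(build_response(q, "203.0.113.10"), 0x1234)
    rogue = parse_response(build_response(q, "198.51.100.7"), 0x1234)
    print("name readable in the packet:", b"waluszko" in q)
    print("honest:", honest["answers"], "rogue:", rogue["answers"])
    print("disagreeing resolvers:", answers_diverge({
        "isp": {"203.0.113.10"}, "1.1.1.1": {"203.0.113.10"}, "rogue": {"198.51.100.7"}}))
```

Both the honest and the rogue response parse identically; the only difference is the IP inside. A client cannot tell them apart without DNSSEC (or, later, a TLS certificate check for the site). Real resolvers also randomize the UDP source port, which is what makes blind off-path spoofing hard in practice; an on-path or resolver-operator attacker does not need to guess anything.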
All in all, it is difficult to say which is better: trusting 1.1.1.1 or any other provider not to sell your data (keep in mind that Facebook's CEO claimed in 2009 that "Facebook will never sell your information without your consent").⁴
At least Cloudflare is opting in to a yearly audit by KPMG, so that's good. In addition, there is some comfort in the fact that Cloudflare's main business model is not based on advertising or mining personal data (in contrast to Google, for example).
At the same time, using a less well-known DNS provider is risky unless we know who provides the service, why they are doing it, how it is funded and how secure it is. After all, "if it's free, you are the product".
Last, but not least, is awareness of potential data breaches. I would imagine that someone hacking Cloudflare's DNS would cause a huge media sensation, so you would likely hear about the leak or the resulting phishing attacks if they happened. A small, unknown DNS provider getting hacked? That will probably not be in your morning news. And perhaps that is yet another reason to look into using 1.1.1.1.
Option #3 is running your own DNS resolver, if you're up to the challenge. A validating recursive resolver on your own network means you trust the root, TLD and authoritative servers (and the DNSSEC chain where it exists) rather than any single provider with your full query log.
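As an added example, not from the original post, here is a minimal unbound.conf for the kind of local validating recursive resolver option #3 implies. The listen address and the trust-anchor path are assumptions for a single-machine setup; adjust them for your system.

```conf
# unbound.conf (added example, not from the original post)
server:
    # listen only on loopback; the address is an assumption for a one-machine setup
    interface: 127.0.0.1
    port: 53
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse

    # DNSSEC validation: the trust-anchor path is an assumption
    # (unbound-anchor creates and maintains this file)
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    val-permissive-mode: no

    # privacy: send each upstream server only the labels it needs (RFC 7816)
    qname-minimisation: yes

    # don't advertise the resolver's identity or version to anyone who asks
    hide-identity: yes
    hide-version: yes
```

With no forward-zone configured, Unbound resolves iteratively from the root servers, so no third-party resolver sees your complete query history; validation failures return SERVFAIL instead of a possibly forged answer. If you would rather forward to 1.1.1.1 after all but at least keep the transport private, Unbound's forward-zone section with forward-tls-upstream: yes sends those queries over TLS rather than plaintext UDP.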
- https://www.cnbc.com/2018/03/21/facebook-ceo-mark-zuckerbergs-statements-on-privacy-2003-2018.html, http://dailycaller.com/2018/03/27/zuckerberg-in-2009-facebook-will-never-sell-your-information/