Oblivious DNS-over-HTTPS offers privacy enhancements to secure lookup protocol
ODoH is said to improve user privacy without compromising performance
Security engineers have come up with an experimental protocol that promises greater privacy in the operation of DNS, the internet's equivalent of a phone book.
Oblivious DNS-over-HTTPS (ODoH) is a protocol that allows clients to hide their IP addresses from DNS resolvers by routing encrypted DNS-over-HTTPS (DoH) messages through proxies.
The result is a configuration in which no single server learns both a client’s IP address and the content of its DNS queries and responses, a significant privacy advantage.
The experimental protocol was developed outside of the Internet Engineering Task Force (IETF), but with input from engineers from Apple, Cloudflare, and Fastly.
A detailed technical overview of the experimental protocol, which its developers hope will attract large-scale experimentation and interoperability, was released last week.
In response to a question from The Daily Swig on use cases for the technology, one of the authors of the ODoH technical paper highlighted current deployments in Apple’s iCloud Private Relay (PDF) and at Cloudflare.
According to Cloudflare, ODoH improves user privacy and aims to “improve the overall adoption of encrypted DNS protocols” without compromising performance or the user experience on the internet.
How does Oblivious DNS over HTTPS work?
Oblivious DNS-over-HTTPS works by adding a layer of public-key encryption, plus a network proxy, between DNS-over-HTTPS clients and servers: the client encrypts its query to the target resolver’s public key, the proxy forwards the opaque message and sees only the client’s address, and the target decrypts the query but sees only the proxy’s address.
The IETF Oblivious HTTP Application Intermediation (OHAI) Working Group, where the technology is being developed as a standard, offers insight into how engineers would like to develop and refine Oblivious DNS-over-HTTPS.
Cricket Liu, chief DNS architect at Infoblox, acknowledged the privacy advantage that ODoH offers consumers while warning that the technology could thwart the functioning of security controls found in many enterprise environments.
Liu told The Daily Swig: “I think the basic idea behind Oblivious DNS makes sense from a consumer privacy perspective: you launder the request and source IP address through a series of proxies, the first of which sees the IP address of the requester and the second sees the request itself.
“From a business perspective, however, this poses the same challenges as DoH and perhaps more, because using an external Oblivious DNS proxy would leave IT organizations blind to what employees are doing.”
The protocol source code is publicly available, so anyone can try ODoH or run their own ODoH service.