How Cloudflare DNS Helps Solve 4 Big DNS Privacy Risks

In April 2018, Cloudflare released a new security tool. Called 1.1.1.1, it’s a consumer DNS address that anyone can use for free. It can help increase DNS security, improve users’ privacy, and potentially even speed up your network connection.

But how does it work? How do you use it? And which DNS privacy risks can it help mitigate? Let’s take a closer look.

The Problem With DNS and Privacy

The Domain Name System (DNS) is often called “the internet’s phonebook.” It’s the technology responsible for linking the domains we all use every day (e.g. makeuseof.com) with the IP address of that site’s web server.

Of course, you could enter a site’s IP address and still end up at its homepage, but text-based URLs are much easier to remember, which is why we use them.

Unfortunately, DNS comes with many privacy issues. They can undermine your online safety even if you take all the usual precautions elsewhere on your system. Here are some of the worst privacy issues associated with DNS.

1. Your ISP Is Watching

Because of the way DNS works, it acts as a log of the websites you visit. It doesn’t matter whether the site you’re visiting uses HTTPS—your ISP, mobile carrier, and public Wi-Fi providers will still all know exactly which domains you have visited.

Worryingly, since mid-2017, ISPs in the United States are allowed to sell their customers’ browsing data for financial gain. Indeed, the practice is common around the world.

Ultimately, your browsing history is helping vast corporations make money. It’s why you should always use a third-party DNS provider.

2. The Government Is Watching

Like ISPs, authorities can also use your DNS log to see what sites you’ve been visiting.

If you live in a country which takes a less-than-tolerant approach to political opponents, LGBTQ activists, alternative religions, and so on, visiting sites of that nature could land you in trouble.

Sadly, your DNS lookup history could reveal your private beliefs to entities who will potentially clampdown on you as a result.

3. Snooping and Tampering

You are also at risk from DNS’s lack of “last mile” encryption. Let’s explain.

There are two sides to DNS: authoritative nameservers (on the content side) and recursive resolvers (on your ISP’s side). In broad terms, you can think of resolvers as asking the questions (i.e., “where can I find this site?”) and authoritative nameservers as providing the answers.

Data moving between the resolver and the authoritative server is (theoretically) protected by DNSSEC. However, the “last mile”—the part between your machine (called the stub resolver) and the recursive resolver—is not secure.

Sadly, the last mile provides plenty of opportunities for snoopers and tamperers.

4. Man-in-the-Middle Attacks

When you browse the web, your computer will frequently use DNS data that’s cached somewhere on the network. Doing so can help to reduce page loading times.

However, the caches themselves can fall victim to “cache poisoning.” It’s a form of man-in-the-middle attack.

In simple terms, hackers can take advantage of vulnerabilities and poor configurations to add fraudulent data to the cache. Then, the next time you try to visit the “poisoned” site, you’ll be sent to a server controlled by the criminal.

The attackers can even replicate your target site; you might never know you’ve been redirected, and you could unwittingly enter usernames, passwords, and other sensitive information.

This process is how many phishing attacks take place.
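Poisoning works only if a forged reply is accepted into the cache, so it helps to see what a recursive resolver checks before caching anything. The following is an added illustration, not code from the article or from Cloudflare: it models the acceptance checks a resolver applies (source address, destination port, transaction id, question match) and the “bailiwick” rule that discards records outside the zone of the server that answered. The resolver structures, addresses, ids and ports are constructed for the example.

```python
# Added illustration (not from the article): the checks a recursive resolver
# applies before a reply may enter its cache. A forged reply must match every
# check, and records outside the answering server's zone are never cached.
from dataclasses import dataclass


@dataclass
class PendingQuery:
    txid: int        # random 16-bit transaction id chosen by the resolver
    src_port: int    # random ephemeral UDP port the query was sent from
    server: str      # address of the authoritative server that was asked
    zone: str        # zone that server is authoritative for (its bailiwick)
    qname: str
    qtype: str


@dataclass
class Reply:
    txid: int
    dst_port: int
    from_addr: str
    qname: str
    qtype: str
    records: list[tuple[str, str, str]]   # (owner name, record type, rdata)


def _norm(name: str) -> str:
    """Lower-case a name and give it a single trailing dot."""
    return name.lower().rstrip(".") + "."


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if owner is the zone itself or lies below it."""
    owner, zone = _norm(owner), _norm(zone)
    return zone == "." or owner == zone or owner.endswith("." + zone)


def accept_reply(q: PendingQuery, r: Reply) -> tuple[bool, str, list[tuple[str, str, str]]]:
    """Return (accepted, reason, records that are safe to cache)."""
    if r.from_addr != q.server:
        return False, "source address is not the server we asked", []
    if r.dst_port != q.src_port:
        return False, "destination port does not match our query port", []
    if r.txid != q.txid:
        return False, "transaction id mismatch", []
    if (_norm(r.qname), r.qtype.upper()) != (_norm(q.qname), q.qtype.upper()):
        return False, "question section does not match our query", []
    # Even a genuine reply may carry records for names the server has no
    # authority over; those are dropped rather than cached.
    cacheable = [rec for rec in r.records if in_bailiwick(rec[0], q.zone)]
    dropped = len(r.records) - len(cacheable)
    return True, f"accepted; {dropped} out-of-bailiwick record(s) discarded", cacheable


# Constructed sample: the resolver asked example.com's server for www.example.com.
QUERY = PendingQuery(txid=0x4F2A, src_port=51873, server="192.0.2.53",
                     zone="example.com.", qname="www.example.com", qtype="A")

# Constructed genuine reply that also carries a record outside the bailiwick.
GENUINE = Reply(txid=0x4F2A, dst_port=51873, from_addr="192.0.2.53",
                qname="www.example.com", qtype="A",
                records=[("www.example.com.", "A", "192.0.2.10"),
                         ("ns1.example.com.", "A", "192.0.2.53"),
                         ("login.bank.example.", "A", "198.51.100.7")])

# Constructed forged reply: right question, but the id and port were guessed.
FORGED = Reply(txid=0x0001, dst_port=53, from_addr="192.0.2.53",
               qname="www.example.com", qtype="A",
               records=[("www.example.com.", "A", "198.51.100.7")])

if __name__ == "__main__":
    for label, reply in (("genuine", GENUINE), ("forged", FORGED)):
        ok, reason, recs = accept_reply(QUERY, reply)
        print(f"{label}: accepted={ok} ({reason}); cached={recs}")
```

The transaction id and the randomised source port together are what a forger has to guess; a resolver that reuses a fixed port, or caches out-of-bailiwick “glue” records, is exactly the kind of poor configuration the text refers to.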

How Does 1.1.1.1 Help?

The new 1.1.1.1 service from Cloudflare can remedy many of the privacy issues related to DNS technology.

The company spent a long time talking to browser developers before the service went public and developed its tool in accordance with their recommendations.

1. No Tracking, No Data Storage

Firstly, Cloudflare has made a commitment never to track its DNS users or sell advertising based on their viewing habits. To strengthen consumer confidence in its statement, the company has vowed to never save IP address queries to disk and promised to delete all DNS logs within 24 hours.

In practice, it means your DNS history will stay out of the hands of ISPs and governments. There won’t even be a record with Cloudflare for them to request access to.

2. Cutting-Edge Technology

When you type a URL and hit Enter, almost all DNS resolvers send the entire domain name (the “www,” the “makeuseof,” and the “com”) to the root servers, the .com servers, and any intermediate servers.

All that information is unnecessary. The root servers only need to direct the resolver to .com; further lookup queries can be initiated at that point.

To combat the issue, Cloudflare has implemented a wide range of both agreed-upon and proposed DNS privacy-protection mechanisms for the connection between the stub resolver and the recursive resolver. The result is that 1.1.1.1 only sends the minimum amount of information necessary.
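The mechanism the text describes is query-name minimisation. As an added example (not Cloudflare’s code, and a simplified model of the RFC 7816 scheme rather than any particular resolver’s exact sequence), the following contrasts what each level of the hierarchy sees for one lookup of www.makeuseof.com with and without minimisation.

```python
# Added illustration (not Cloudflare's code): what each level of the DNS
# hierarchy learns about one lookup, with and without query-name minimisation.
# Simplified model of RFC 7816; a real resolver's exact sequence varies.


def labels(name: str) -> list[str]:
    """'www.makeuseof.com.' -> ['www', 'makeuseof', 'com'] (root label dropped)."""
    return [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]


def zone_chain(parts: list[str]) -> list[str]:
    """Zones consulted from the root downwards: ['.', 'com.', 'makeuseof.com.']."""
    return ["."] + [".".join(parts[i:]) + "." for i in range(len(parts) - 1, 0, -1)]


def classic_queries(name: str, qtype: str = "A") -> list[tuple[str, str, str]]:
    """Traditional resolution: the full name and type go to every zone's servers.
    Each tuple is (zone asked, qname sent, qtype sent)."""
    parts = labels(name)
    full = ".".join(parts) + "."
    return [(zone, full, qtype) for zone in zone_chain(parts)]


def minimised_queries(name: str, qtype: str = "A") -> list[tuple[str, str, str]]:
    """Minimised resolution: each zone is asked only for the next label below it
    (as an NS query); the full name and real type reach only the final zone."""
    parts = labels(name)
    zones = zone_chain(parts)
    out = []
    for depth, zone in enumerate(zones[:-1]):
        next_name = ".".join(parts[len(parts) - 1 - depth:]) + "."
        out.append((zone, next_name, "NS"))
    out.append((zones[-1], ".".join(parts) + ".", qtype))
    return out


def exposure(queries: list[tuple[str, str, str]]) -> dict[str, set[str]]:
    """Which names each zone's operator sees, i.e. what a log at that level holds."""
    seen: dict[str, set[str]] = {}
    for zone, qname, _ in queries:
        seen.setdefault(zone, set()).add(qname)
    return seen


if __name__ == "__main__":
    for title, fn in (("classic", classic_queries), ("minimised", minimised_queries)):
        print(title)
        for zone, qname, qtype in fn("www.makeuseof.com"):
            print(f"  ask {zone:<16} for {qname:<22} {qtype}")
```

With minimisation the root operator sees only “com.” and the .com operator only “makeuseof.com.”; only the zone that actually hosts the name learns the full host being looked up.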

3. Anti-Snooping

The 1.1.1.1 service offers a feature which helps combat snooping on the last mile: DNS over TLS.

DNS over TLS encrypts the last mile. It works by letting the stub resolver open a TCP connection to Cloudflare on port 853. The stub then performs a TLS handshake, during which Cloudflare presents its TLS certificate.

As soon as the connection is established, all communications between the stub resolver and the recursive resolver are encrypted. The result is that eavesdropping on and tampering with that hop is no longer possible (the recursive resolver itself still sees your queries, which is why the no-logging commitment above matters).

4. Fighting Man-in-the-Middle Attacks

According to Cloudflare’s figures, less than 10 percent of domains use DNSSEC to secure the connection between a recursive resolver and an authoritative server.

DNS over HTTPS is an emerging technology that aims to help secure HTTPS domains that do not use DNSSEC.

Without encryption, hackers can listen to your data packets and know which site you’re visiting. The lack of encryption also leaves you vulnerable to man-in-the-middle attacks such as those we detailed earlier.

How Can You Start Using 1.1.1.1?

Using the new 1.1.1.1 service is easy. We’ll explain the process for both Windows and Mac machines.

How to Change DNS on Windows

To change your DNS provider on Windows, follow the steps below:

  1. Open the Control Panel
  2. Go to Network and Sharing Center > Change Adapter Settings
  3. Right-click on your connection and select Properties
  4. Scroll down, highlight Internet Protocol Version 4 (TCP/IPv4), and click on Properties
  5. Click on Use the following DNS server addresses
  6. Enter 1.1.1.1 in the first row and 1.0.0.1 in the second row
  7. Hit OK

How to Change DNS on Mac

If you have a Mac, follow these instructions to change your DNS instead:

  1. Go to Apple > System Preferences > Network
  2. Click on your connection in the panel on the left-hand side of the window
  3. Click on Advanced
  4. Highlight DNS and press +
  5. Enter 1.1.1.1 and 1.0.0.1 in the space provided
  6. Click OK

And Remember to Always Use a VPN

More important than a good DNS, you should always use a strong VPN in the battle for online privacy.

All reputable VPN providers will also supply their own DNS addresses. However, sometimes you’ll need to manually update your DNS using the methods we detailed above. Failure to do so will result in a DNS leak.

Even if your VPN provider supplies its own DNS addresses, you can still use Cloudflare’s addresses instead. In fact, it’s recommended; it’s very unlikely your VPN’s DNS will be as sophisticated or as robust as the new 1.1.1.1 service.

If you’re looking for a solid and reputable VPN provider, we recommend ExpressVPN, CyberGhost, or Private Internet Access.


  1. Warren
    April 28, 2018 at 7:14 am

    You forgot to list the IPv6 servers: 2606:4700:4700::1111 and 2606:4700:4700::1001

    • Paul
      May 26, 2018 at 2:26 pm

      Thanks. That was my first thought after reading the article.

  2. Blasse
    April 16, 2018 at 8:04 pm

    You do realise it will not work the way you described due to lack of DNS-over-TLS implementation in Windows/OSX?

  3. dragonmouth
    April 16, 2018 at 7:17 pm

    I run NameBench regularly. Cloudflare has not shown up as one of the three fastest on any of the runs so far.

    I also use a HOSTS file to block undesirable sites. I am currently reviewing the latest (4/15/2018) hosts.txt downloaded from winhelp2002.mvps.org/hosts.htm . Cloudflare figures prominently as one of the companies to block.

    People who are using dynamic IP addresses on their routers have been blocked by Cloudflare from accessing sites. Cloudflare is working on the premise that since malware and attacks come from dynamic IP addresses, anyone with a dynamic IP address must be a hacker.

    • Baltazar
      April 22, 2018 at 5:05 pm

      Sorry, but where did you get the idea that "Cloudflare blocks dynamic IP addresses"? I'm writing this using 1.1.1.1 on Windows and just to test your comment, I set my router to the default, ISP - provided dynamic IP address. No problems whatsoever. I also run a small web server on a Linux box - same network - no problems having its domain name resolved via Cloudflare.
      I also use the mvps hosts list (as it comes with uBlock origin) and can't really see the connection - tracking and adware sites marked as "Cloudflare" are blocked, whether I use 1.1.1.1, 8.8.8.8, OpenDNS or my ISP's DNS servers.
      I'm posting this as an actual question, not some kind of attack - I couldn't care less whose DNS servers I use, as long as they work (and my ISP's are much slower than CF, Google or some Level 3 that I have been using).

    • hal
      May 26, 2018 at 6:53 pm

      Ever tried using cloudflare via TOR? Captchas sometimes don't appear, and usually when they do you can't read them, or see them. Then the famous "checking your browser" page that says it will redirect in 5 seconds, quite right, it does, back to same page, and keeps doing so. The worst thing about this is that these people have known this for years. They have stated they would do something about it. They haven't. This sometimes happens on the clear web. I should not have to alter my browser settings to suit them. Terrible company, I would never use them. Perhaps if someone from cloudflare reads this they could tell us when they will finally sort this problem out.