Cloudflare and Apple are working on the ODoH protocol with the IETF

Engineers from Cloudflare, Apple and the content delivery network Fastly have created the ODoH protocol (Oblivious DoH), a major change to the Domain Name System, the system that translates user-friendly domain names into the IP addresses computers need in order to find other computers.

The companies are working with the Internet Engineering Task Force (IETF, the organization that develops and promotes Internet standards) in the hope that it will become a global standard.

About ODoH

Oblivious DoH builds on a separate DNS enhancement called DNS-over-HTTPS (DoH for short), which is still in the early stages of adoption.

First, some context. DNS is a database that maps a descriptive name, such as www.domain.com, to a numeric address called an IP address.

By performing a "lookup" in this database, the web browser can find websites on your behalf. Because of how DNS was designed decades ago, browsers that performed DNS lookups for websites (including HTTPS ones) had to do so without encryption.

Because there is no encryption, other devices along the path can also collect (or even block or modify) this data. DNS lookups are sent to servers that can spy on your browsing history without notifying you or publishing any policy on what they do with that information.

When the Internet was created, this type of threat to people's privacy and security was known but not yet exploited. Today we know that unencrypted DNS is not only vulnerable to spying but is actually being exploited, and industry players have stepped in so the Internet can move to safer alternatives.

To do this, browsers have chosen to perform DNS lookups over an encrypted HTTPS connection. This hides your browsing history from attackers on the network and prevents data collection by third parties on the network path between your computer and the websites you visit.

Thus the DNS-over-HTTPS protocol was born. It lets web browsers hide DNS queries and responses inside normal-looking HTTPS traffic, making a user's DNS traffic invisible on the wire. At the same time, it limits the ability of third-party network observers (such as ISPs) to inspect and filter their customers' traffic.
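To make the "hidden inside HTTPS" idea concrete, here is an added Go example (not code from the original article, from Cloudflare or from the IETF drafts) that builds a minimal DNS wire-format A query and frames it the way an RFC 8484 DoH GET request does. The resolver host `dns.example` and the `/dns-query` path are assumptions for illustration. Note that the base64url encoding is only transport framing: the confidentiality the article describes comes from the TLS connection that carries this request, not from the encoding.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// BuildQuery encodes a minimal DNS wire-format query (RFC 1035): a 12-byte
// header followed by one question for an A record of name, class IN. The
// message ID is left at 0, which RFC 8484 recommends for DoH GET requests so
// that HTTP caches see identical bytes for identical questions.
func BuildQuery(name string) ([]byte, error) {
	msg := make([]byte, 12)
	binary.BigEndian.PutUint16(msg[2:], 0x0100) // flags: standard query, recursion desired
	binary.BigEndian.PutUint16(msg[4:], 1)      // QDCOUNT = 1
	for _, label := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		if len(label) == 0 || len(label) > 63 {
			return nil, errors.New("invalid DNS label in " + name)
		}
		msg = append(msg, byte(len(label)))
		msg = append(msg, label...)
	}
	msg = append(msg, 0)          // empty root label terminates the name
	msg = append(msg, 0, 1, 0, 1) // QTYPE = A (1), QCLASS = IN (1)
	return msg, nil
}

// DoHGetURL frames the wire-format query as an RFC 8484 GET: base64url without
// padding in the dns= parameter of the resolver's /dns-query endpoint
// (assumption: the resolver uses the conventional /dns-query path).
func DoHGetURL(resolver, name string) (string, error) {
	q, err := BuildQuery(name)
	if err != nil {
		return "", err
	}
	return "https://" + resolver + "/dns-query?dns=" + base64.RawURLEncoding.EncodeToString(q), nil
}

func main() { fmt.Println(DoHGetURL("dns.example", "example.com")) }
```

The resulting URL is what the browser sends over TLS; a DoH server decodes the `dns=` parameter back into the same 29-byte wire message a classic UDP resolver would have received in the clear.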

How does Oblivious DoH work?

ODoH is an emerging protocol under development at the IETF. It works by adding a layer of public-key encryption, as well as a network of proxies, between DoH clients and servers such as 1.1.1.1.

According to Cloudflare, the combination of these two additional elements ensures that only the user has access to both the DNS messages and their own IP address at the same time.

The target decrypts the requests encrypted by the client, which reach it through a proxy. The target also encrypts the responses and sends them back to the proxy. The standard says that the target may or may not be the resolver itself.

The proxy does what a proxy is supposed to do: it passes messages between the client and the target.

The client behaves as it does in DNS and DoH, but differs in that it encrypts the queries for the target and decrypts the responses from the target. Any client that chooses to do so can specify a proxy and a target of its choice.

Together, the added encryption and proxy provide the following safeguards:

  • The target sees only the query and the proxy's IP address.
  • The proxy has no visibility into the DNS messages: it cannot identify, read or modify the request sent by the client or the response returned by the target.
  • Only the intended target can read the content of the request and produce a response.

These three guarantees enhance user privacy while maintaining the security and integrity of DNS queries.
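As an added Go example (not part of the original article and not Cloudflare's or the IETF's implementation), the following simulates one ODoH exchange and records what each party can observe, which is exactly the three guarantees listed above. It assumes the target's public key was fetched out of band, uses the RFC 5737 documentation addresses 203.0.113.7 (client) and 198.51.100.9 (proxy) as constructed values, replaces HPKE with a simplified X25519 + HMAC-SHA256 + AES-GCM construction, and answers from a constructed one-entry zone; real ODoH uses HPKE (RFC 9180) and carries real DNS wire messages.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// must panics on setup failures (key generation, cipher construction); errors an
// attacker could trigger (bad peer key, failed authentication) are returned instead.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// deriveKey stands in for HPKE's key schedule (assumption: real ODoH uses HPKE,
// RFC 9180; this HMAC-SHA256 derivation only illustrates the message flow).
func deriveKey(shared []byte, label string) []byte {
	m := hmac.New(sha256.New, shared)
	m.Write([]byte(label))
	return m.Sum(nil) // 32 bytes, used as an AES-256-GCM key
}

func newGCM(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// seal encrypts with AES-GCM and prefixes the random nonce to the ciphertext.
func seal(key, plaintext []byte) []byte {
	gcm := newGCM(key)
	nonce := make([]byte, gcm.NonceSize())
	must(rand.Read(nonce))
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// open splits off the nonce and decrypts; a wrong key or a modified byte fails here.
func open(key, sealed []byte) ([]byte, error) {
	gcm := newGCM(key)
	if ns := gcm.NonceSize(); len(sealed) >= ns {
		return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
	}
	return nil, errors.New("sealed message too short")
}

// Target owns the long-term X25519 key whose public half the client obtained out
// of band (assumption: published by the target, as the article describes).
type Target struct {
	priv         *ecdh.PrivateKey
	SeenSourceIP string
}

func (t *Target) Handle(sourceIP string, clientPub, sealedQuery []byte) ([]byte, error) {
	t.SeenSourceIP = sourceIP
	pub, err := ecdh.X25519().NewPublicKey(clientPub)
	if err != nil {
		return nil, err
	}
	shared, err := t.priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	query, err := open(deriveKey(shared, "odoh query"), sealedQuery)
	if err != nil {
		return nil, err
	}
	// Constructed zone data stands in for the resolver behind the target.
	answer, ok := map[string]string{"example.com": "192.0.2.10"}[string(query)]
	if !ok {
		answer = "NXDOMAIN"
	}
	// Same shared secret, different label: only the querying client can read the answer.
	return seal(deriveKey(shared, "odoh response"), []byte(answer)), nil
}

// Proxy learns the client's address and relays opaque bytes to the target.
type Proxy struct {
	IP, SeenSourceIP string
	SeenBytes        []byte
}

func (p *Proxy) Relay(clientIP string, clientPub, sealedQuery []byte, t *Target) ([]byte, error) {
	p.SeenSourceIP = clientIP
	p.SeenBytes = append(append([]byte{}, clientPub...), sealedQuery...)
	return t.Handle(p.IP, clientPub, sealedQuery) // the target sees the proxy's address, not the client's
}

// RunExchange runs one client -> proxy -> target -> proxy -> client round trip and
// returns the decrypted answer plus both parties so their observations can be inspected.
func RunExchange(name string) (string, *Proxy, *Target, error) {
	target := &Target{priv: must(ecdh.X25519().GenerateKey(rand.Reader))}
	proxy := &Proxy{IP: "198.51.100.9"} // constructed RFC 5737 documentation addresses
	// Client: ephemeral key, shared secret with the target's public key, sealed query.
	eph := must(ecdh.X25519().GenerateKey(rand.Reader))
	shared := must(eph.ECDH(target.priv.PublicKey()))
	sealedQuery := seal(deriveKey(shared, "odoh query"), []byte(name))
	sealedResp, err := proxy.Relay("203.0.113.7", eph.PublicKey().Bytes(), sealedQuery, target)
	if err != nil {
		return "", proxy, target, err
	}
	answer, err := open(deriveKey(shared, "odoh response"), sealedResp)
	return string(answer), proxy, target, err
}

func main() { fmt.Println(RunExchange("example.com")) }
```

After a run, the proxy has recorded the client's address but only ciphertext, and the target has recorded the proxy's address alongside the decrypted query name; the two views are never held by the same party. Flipping any byte of a sealed message makes `open` fail, which is the integrity property the article refers to, and an unknown name comes back as NXDOMAIN through the same encrypted path.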

Source: https://blog.cloudflare.com
