Zit Seng's Blog

A Singaporean's technology and lifestyle blog

Yet Another DNS Doesn’t Make The Web Private

On 1 April, Cloudflare announced a new DNS service, one which they have described as the fastest, privacy-first consumer DNS service. That day is April Fool’s Day, but Cloudflare’s announcement assured us it is real, and to be sure, I tested and found a legit DNS service does exist at 1.1.1.1.

As I read Cloudflare’s announcement, I couldn’t help but question their motives, and how they fail to paint a fair, complete, picture for the general public to understand the issues they bring up.

First of all, they talk about their new DNS service as being the fastest. Is it really that fast? I can see that they based their data on testing by DNSPerf. I have no issue with DNSPerf per se, but it is important to understand what exactly is being tested. I don’t know how they do their tests, but I came up with my own, based on resolving a bunch of fresh domain names (i.e. randomly generated), against Cloudflare’s new DNS servers as well as against Google’s. I tested from five different Internet locations. I found that Cloudflare’s DNS performed well, but Google’s was faster.

In fact, averaging out the query times in my tests, Cloudflare was about 80% slower than Google. My tests may not be very comprehensive, and definitely a far cry from DNSPerf’s work, but my results are enough evidence that Cloudflare’s DNS isn’t quite as fast as it’s been made out to be.

Unless, of course, Cloudflare meant the “fastest” to be read in conjunction with “privacy-first”. That brings me to the next point on privacy.

Cloudflare professes to be very concerned about privacy. Instead of Internet users depending on their many respective service providers, Cloudflare thinks it’s better for everyone to use their DNS service. At the individual level, perhaps you wouldn’t care that much between your ISP DNS or Cloudflare’s DNS, unless of course you are suspicious of your ISP’s privacy practices.

However, when I look at the global level, having Internet users all over the world use DNS servers controlled by one single organisation seems to be more of a concern to me. Cloudflare tells us not to worry because they aren’t in the business of selling advertising or tracking users. Why should we believe them? What benefit is it to Cloudflare to provide DNS service to all Internet users for free?

If something is free, you’re probably not the customer. If you’re not paying for it, you’re probably the product.

Cloudflare tells you that your ISP can monitor your DNS activity and figure out, for example, every website that you’ve visited. That’s correct. They suggest that you switch to Cloudflare’s DNS to avoid monitoring and censorship by your ISP. That’s so wrong.

In the general case, your ISP can still monitor your DNS activity even if you switch to some other DNS server outside their control. It’s easy. All your traffic, including your DNS queries, still passes through their network. Plain DNS queries are not encrypted, so it’s trivial for them to either reroute your DNS traffic or passively monitor it.

I appreciate that there’s more to DNS monitoring that requires a lengthier discussion, but one thing is very certain: if you thought simply that switching your DNS from your ISP to something else will prevent your ISP from monitoring your web-surfing activities, you are so completely wrong.

A part of Cloudflare’s announcement is about additional features they are offering with their new DNS service: DNS-over-TLS and DNS-over-HTTPS, open standards which, used together with DNSSEC, will keep your DNS activities safe, private, and secure. These are cool new features. If you are a casual Internet user, did you for one moment think that you’ll be safer using Cloudflare because they’ve implemented these new features?

I’m sorry to tell you that your operating system and your web browser, at this time, probably don’t support either of these new standards. DNS-over-TLS and DNS-over-HTTPS are really cool, but they don’t work for you right now. You could download and use the latest Firefox beta to use and enjoy the benefit of DNS-over-HTTPS, but strangely enough, Cloudflare did not even offer that bit of information.
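To make the two points above concrete, here is an added example (my own illustration, not code from the post or from Cloudflare): it builds a plain DNS query for a constructed name in RFC 1035 wire format, shows that the queried name can be read straight off those unencrypted bytes by anyone on the path, and then shows how the very same query would be packaged for DNS-over-HTTPS (RFC 8484 GET form), where the bytes travel inside a TLS session instead. The name `example.com` and the transaction IDs are sample values.

```python
import base64
import struct

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Encode a standard recursive DNS query (RFC 1035 wire format).

    This is exactly what leaves your machine on UDP port 53 when DoT/DoH
    are not in use: no encryption, so every byte is readable in transit.
    """
    # Header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.strip(".").split(".")
    ) + b"\x00"                        # root label terminates the name
    question = qname + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    return header + question

def queried_name(packet: bytes) -> str:
    """Recover the queried name from a cleartext query packet.

    This mirrors what an on-path observer (for example, the ISP the post
    discusses) can trivially read from unencrypted port-53 traffic.
    """
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers are not valid in a question name")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)

def doh_get_path(packet: bytes) -> str:
    """RFC 8484 GET form: same wire query, base64url without '=' padding.

    Only the HTTPS endpoint sees this; an on-path observer sees TLS bytes.
    """
    b64 = base64.urlsafe_b64encode(packet).rstrip(b"=").decode("ascii")
    return "/dns-query?dns=" + b64

if __name__ == "__main__":
    pkt = build_query("example.com")        # constructed sample query
    print("cleartext bytes on port 53 :", pkt.hex())
    print("name readable by any hop   :", queried_name(pkt))
    print("same query as DoH GET path :", doh_get_path(build_query("example.com", txid=0)))
```

RFC 8484 recommends a transaction ID of 0 in the GET form so that identical queries produce cacheable URLs, which is why the DoH line rebuilds the packet with `txid=0`.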

They also fail to mention that this new DNS service, one that supposedly lets you escape from your ISP’s invasive monitoring, is also offered by numerous other providers, including a really big and well-known one, Google. Google’s public DNS service, at IP addresses 8.8.8.8 and 8.8.4.4, was announced in December 2009. Google also offers DNS-over-HTTPS to address concerns about security of DNS traffic.

Hence I’m left wondering, what is Cloudflare’s motivation here?

I like the idea of having more choices. Cloudflare is giving more choices, so that’s good. But they’re not solving a new problem that no one else has tackled. They’ve just merely launched yet another DNS service, like numerous others out there.
