Back in 2014 Cloudflare announced they would offer Universal SSL to all of their customers websites, even the freebie customers, essentially doubling the size of the encrypted web overnight. This also prompted other large platforms to follow suit, resulting in even deeper encryption penetration. Today they have gone one step further in enhancing online privacy by creating Privacy-First DNS.
Essentially they will offer to resolve DNS queries, supporting both https or TLS to ensure security, and commit not to write any transaction logs to disk, purging them from memory with 24 hours.
Google offers the popular 8.8.8.8 DNS resolver, they do allow DNS-over-https for security, but do not make the same commitments around transaction logs, and can obviously use the DNS query information for targeting adverts, their main source of income. Cloudflare have specifically said they will not use DNS query information for advert targeting, insisting they keep the logs for 24 hours to help with troubleshooting and monitoring abuse only.
Performance wise the Cloudflare DNS resolver has jumped straight to number one on dnsperf.com, returning results in around half the time of Google at circa 14ms.
Why do we care? Well most ISP’s point your router to their internal DNS resolver, this allows them to track your activity and if they are that way inclined cut off your access to certain sites, by not resolving a web address or pointing you towards a sinkhole. Improbable yes, but this was exactly what happened in Turkey 2014 when the government required all ISP’s to not resolve Twitter.com, in an attempt to rising quell dissent.
At the time protesters went around the city spray painting walls with the 8.8.8.8 DNS settings so that users could get back online. DNS manipulation is becoming a depressingly common tool for censorship on the internet.
Why release the new 1.1.1.1 DNS resolver service on April fools day, four ones, 4/1/2018, geeky rather than pranky.
Good job boys. More details here.