Oblivious DNS over HTTPS (ODoH)

One of the oldest corner stones of the internet has been the domain name service (DNS). Those three little letters have saved us all from having to remember IP addresses and replaced them with fun host names (much easier to remember Google.com then Being one of the oldest protocols on the net it’s also one that has seen less change especially in the area of privacy and security. 

For those that don’t know, many DNS queries still travel the highways and byways of the internet in cleartext. Not only can someone see what host you are trying to look up but also that YOU are looking it up and like every other bit of data that can be collected about you on the internet your DNS queries have become one more piece of data that’s collected and monetized.

More recently the IETF has introduced some standards (DoH and DoT) that help protect your DNS queries from being intercepted, redirected, or modified. Which is great news for protecting your DNS queries on their way to the DNS resolver but don’t prevent your resolver (Usually run by your ISP) from mining your DNS queries and monetizing them.

To address this problem the good engineers at Cloudflare, Apple, and Fastly introduced a new DNS standard called Oblivious DNS over HTTPS (ODoH). At its core, the standard introduces a proxy into the DNS equation that helps separate the hostname from the querying IP address. The end result is that the DNS resolver only knows that someone is asking to resolve a hostname and the proxy only knows that you are asking to resolve some hostname but neither has the full picture. Privacy restored. Mind you, I’ve boiled things down substantially here so if you’re interested in the fine-grain details check out the Cloudflare blog post (link)

As with any other proposed standard, ODoH will take some time to make its way out into the world but I, for one, look forward to seeing it fully implemented and widely adopted.