Cloudflare's 1.1.1.1: an encrypted, privacy-protecting DNS service

Cloudflare, a company with a history of resisting surveillance and censorship orders (albeit imperfectly and sometimes with undesirable consequences) has announced a new DNS service, hosted at the easy-to-remember address of 1.1.1.1, which accepts connections under the still-novel DNS-over-HTTPS protocol, and which has privacy designed in, with all logs written only to RAM (never to disk) and flushed every 24 hours.

Not only does this prevent the kinds of routine surveillance practiced by your ISP (a surveillance that the GOP supercharged when they voted to rescind an order banning the sale of your data by your ISP); it also prevents minor annoyances like 404-jacking by ISPs that redirect your dead web links to their own money-making search services.

The anti-surveillance DNS service joins a host of free-speech-oriented services Cloudflare provides, including free DDoS mitigation for news organizations targeted by state actors and free SSL for all customers.

Cloudflare has thrown a lot of hardware and engineering at 1.1.1.1 and promises extremely high-speed, high-reliability service. I definitely trust Cloudflare more than I trust Spectrum, my ISP, who literally spam my physical mailbox daily with "upgrade" offers for cable TV with my internet service, and hijack all my 404s. I'll be switching my routers and my systems over to 1.1.1.1 this week.

But there's more. DNS itself is a 35-year-old protocol and it's showing its age. It was never designed with privacy or security in mind. In our conversations with browser, operating system, app, and router manufacturers nearly everyone lamented that, even with a privacy-first service like 1.1.1.1, DNS inherently is unencrypted so it leaks data to anyone who's monitoring your network connection. While that's harder to monitor for someone like your ISP than if they run the DNS resolver themselves, it's still not secure.

What's needed is a move to a new, modern protocol. There are a couple of different approaches. One is DNS-over-TLS. That takes the existing DNS protocol and adds transport layer encryption. Another is DNS-over-HTTPS. It includes security but also all the modern enhancements like supporting other transport layers (e.g., QUIC) and new technologies like server HTTP/2 Server Push. Both DNS-over-TLS and DNS-over-HTTPS are open standards. And, at launch, we've ensured 1.1.1.1 supports both.

We think DNS-over-HTTPS is particularly promising — fast, easier to parse, and encrypted. To date, Google was the only scale provider supporting DNS-over-HTTPS. For obvious reasons, however, non-Chrome browsers and non-Android operating systems have been reluctant to build a service that sends data to a competitor. We're hoping that with an independent DNS-over-HTTPS service now available, we'll see more experiments from browsers, operating systems, routers, and apps to support the protocol.

Announcing 1.1.1.1: the fastest, privacy-first consumer DNS service [Matthew Prince/Cloudflare]

Loading...