For more than three decades, one of the Internet’s most fundamental underpinnings has posed privacy and security threats to the billion-plus people who use it every day. Now, Cloudflare, Apple, and content-delivery network Fastly have introduced a novel way to fix that, using a technique that prevents service providers and network snoops from seeing the addresses end users visit or send email to.
Engineers from all three companies have devised Oblivious DNS, a major change to the current domain name system, which translates human-friendly domain names into the IP addresses computers need to find other computers over the Internet. The companies are working with the Internet Engineering Task Force in hopes it will become an industry-wide standard. Abbreviated as ODoH, Oblivious DNS builds on a separate DNS improvement called DNS over HTTPS, which remains in the very early stages of adoption.
The way DNS works now
When someone visits arstechnica.com—or any other website, for that matter—their browser must first obtain the IP address used by the hosting server (which at the moment is 22.214.171.124 or 126.96.36.199). To do this, the browser contacts a DNS resolver that is typically operated by either the ISP or a service such as Google’s 8.8.8.8 or Cloudflare’s 1.1.1.1. Since the beginning, however, DNS has suffered from two key weaknesses.
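To make the lookup concrete, here is an added example (not code from the article or from any of the companies named) that builds a classic UDP DNS query for arstechnica.com in wire format, constructs a resolver reply for it, and parses the answer. The 203.0.113.10 address in the reply is a constructed placeholder, not the site's real address; the point is that the queried name sits in cleartext right after the 12-byte header, where anyone on the path can read it.

```python
import struct

def build_query(name: str, txid: int = 0x1234) -> bytes:
    # Header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def read_name(pkt: bytes, off: int) -> tuple:
    # Decode a name, following RFC 1035 compression pointers; return (name, offset after it)
    labels, jumped, end = [], False, off
    while True:
        ln = pkt[off]
        if (ln & 0xC0) == 0xC0:  # two-byte pointer into an earlier part of the packet
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(pkt[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if jumped else off)

def queried_name(pkt: bytes) -> str:
    # What an on-path observer sees: the question name is unencrypted at offset 12
    return read_name(pkt, 12)[0]

def build_response(query: bytes, ip: str, ttl: int = 300) -> bytes:
    # Constructed resolver reply: same ID, QR=1/RD/RA set, question echoed, one A answer
    _, qend = read_name(query, 12)
    question = query[12:qend + 4]
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata  # name = pointer to 12
    return header + question + answer

def first_a_record(pkt: bytes) -> str:
    # Skip the header and question section, then return the first answer's IPv4 address
    qdcount = struct.unpack("!H", pkt[4:6])[0]
    off = 12
    for _ in range(qdcount):
        off = read_name(pkt, off)[1] + 4
    _, off = read_name(pkt, off)
    rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
    off += 10
    if rtype != 1 or rdlen != 4:
        raise ValueError("first answer is not an A record")
    return ".".join(str(b) for b in pkt[off:off + 4])
```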