Hello, welcome to the Thursday, December 10th, 2020 edition of the Sandtonet Storm Center's Stormcast.

My name is Johannes Ulrich.

And I'm recording from Jacksonville, Florida.

Well, to start out with, we do have an interesting proposal put forward by Cloudflare, Apple, and Fastly to make DNS over

HDPS even more anonymous.

As far as privacy goes, the weak point of DNS over HTTP was that the recursive resolver,

for example, Cloudflare, the company that you pick to terminate your DNS

over HTTP requests, was still able, theoretically, to log all of these requests and

associated with a particular user via the user's IP address. This new protocol, which goes by the acronym ODOH or oblivious DNS over H-DPS, does solve the problem

by routing the requests via a proxy.

Now, the trick here is that only the endpoint, so your recursive resolver, is actually able to decrypt the message.

So in addition to TLS, we actually have an encrypted payload.

The proxy is only forwarding it.

So the purpose of the proxy here is to lose information about the origin of the DNS request.

To make this all work, the client will first request a public key from the DNS Resolver,

then use that public key to encrypt the request, also include the client's public key with that

encrypted request. The proxy will just forward this encrypted message. The Resolver now is able

to decrypt the message using the private key that only the Resolver has, creates the response, encrypts it again,

using the public key that the client sent along with the request and pass the message back.

There is only sort of experimental implementations of this at this point. Interestingly, Apple

is cooperating with Cloudflare on this proposal,

so very likely we'll see this show up in Apple's operating systems in the future. Apple has been

...