Cloudflare: Consumer Privacy is Priority 1.1.1.1
It wasn't an April Fool's joke or the usual cute media stunt tech companies pull every April 1st. Cloudflare's launch of its first consumer product — 1.1.1.1 — is real, and claims to be the "Internet's fastest, privacy-first consumer DNS service". The decision to launch on April 1 was a geeky play on the product's name having four 1's... 4/1, get it?! It's not an unprecedented move: Gmail launched on the same day 14 years ago, and look how that turned out.
DNS and Resolvers in the Blink of an Eye
The Domain Name System (DNS) is the directory of the internet. Think of it as a phonebook, and you're trying to call "John". On your phone you have several people named John: John-AT, John-Ver and John-Com. You choose John-AT, call his number, wait to get connected and then speak to him. When you type a URL into your browser, say example.com, "example" is the domain name (John) and ".com" (AT) is the Top Level Domain (TLD). TLDs (.com, .org, .edu, .gov) make sure you're reaching the right "John" at the right place. Every domain name has at least one corresponding IP address (phone number).
Every device that connects to the internet needs a DNS resolver. Resolvers use the IP address to figure out who to talk to in order to get you to the site you want. The first stop is the root server, to ask where to find the TLD ".com"; then the resolver asks ".com" where to find "example". From there, the domain name is sent to a Domain Name Resolver (DNR), located within individual ISPs or organizations, and once the resolver has the final IP address, it returns the answer and the web page shows up on your device. Think of it as the phone number identifying which network "John" belongs to, an operator looking up and calling "John" directly, and then patching you through. The whole process happens in the blink of an eye, so you don't really notice it unless you get an error while accessing the page.
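The root → TLD → domain-server chain described above, as an added example (not the article's or Cloudflare's code): a toy iterative resolver over constructed referral data. The server names, zone contents and IP addresses are assumptions made up for illustration; the returned `path` also shows which servers were handed the full name.

```python
"""Toy iterative resolver modelling the chain above: root -> TLD -> the domain's own name server.

Added example, not the article's or Cloudflare's code. The server names, referral data and
IP addresses below are constructed for illustration (192.0.2.0/24 is a documentation range).
"""

# Constructed referral data. Each server knows only the next hop ("NS" -> server name)
# or the final answer ("A" -> IP address), just as real servers return NS or A records.
SERVERS = {
    "root":           {"com.": ("NS", "tld-com"), "org.": ("NS", "tld-org")},
    "tld-com":        {"example.com.": ("NS", "ns-example")},
    "tld-org":        {"example.org.": ("NS", "ns-example-org")},
    "ns-example":     {"example.com.": ("A", "192.0.2.1"),
                       "www.example.com.": ("A", "192.0.2.10")},
    "ns-example-org": {"example.org.": ("A", "192.0.2.2")},
}


def suffixes(name):
    """'www.example.com.' -> ['www.example.com.', 'example.com.', 'com.'] (most specific first)."""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))]


def resolve(name, servers=SERVERS, max_hops=8):
    """Return (ip_or_None, path): the answer and the list of servers that were asked.

    Every server on the path is sent the full name, which is why the article's point
    holds: whoever runs the resolver (or watches its traffic) learns what you looked up.
    """
    name = name.lower().rstrip(".") + "."
    path, server = ["root"], "root"
    for _ in range(max_hops):
        zone = servers[server]
        match = next((s for s in suffixes(name) if s in zone), None)
        if match is None:
            return None, path                      # NXDOMAIN: no server knows this name
        rtype, value = zone[match]
        if rtype == "A":
            return (value if match == name else None), path
        server = value                             # NS referral: ask the next server
        path.append(server)
    raise RuntimeError("referral loop")            # a real resolver also caps hops


if __name__ == "__main__":
    print(resolve("www.example.com"))   # ('192.0.2.10', ['root', 'tld-com', 'ns-example'])
    print(resolve("nope.example.org"))  # (None, ['root', 'tld-org', 'ns-example-org'])
```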
Now, when you connect to your ISP, a public wifi or your mobile network, that ISP or network operator dictates which DNS resolver you use. The problem is that these DNS services are often slow and aren't as concerned about keeping your privacy. Even when you're visiting encrypted/secure web pages (https/green lock symbol), the DNS resolver still knows which sites you went to. By default, your ISP and every network you have connected to has a list of every website you visited — the same way a telco has a copy of your phone logs.
In addition to the danger of having your information in DNS resolvers mined for advertising purposes, DNS can also be used as a tool for censorship, like when the Turkish government blocked Twitter in 2014. The country's ISPs' DNS resolvers blocked DNS requests for twitter.com. People literally spray-painted Google's DNS resolver address, 8.8.8.8, on walls to help others get back online.
Is Cloudflare's 1.1.1.1 Really About Privacy First?
Cloudflare isn't the first or only player on the field, so they wanted something people can easily remember and "paint on a wall" — like Google's 8.8.8.8 or Quad9's 9.9.9.9.
Cloudflare's blog post described how they got 1.1.1.1 through a partnership with the Asia-Pacific Network Information Centre (APNIC), the Regional Internet Registry (RIR) for the Asia-Pacific region.
"APNIC's research group held the IP addresses 1.1.1.1 and 1.0.0.1. While the addresses were valid, so many people had entered them into various random systems that they were continuously overwhelmed by a flood of garbage traffic. APNIC wanted to study this garbage traffic but any time they'd tried to announce the IPs, the flood would overwhelm any conventional network."
"We talked to the APNIC team about how we wanted to create a privacy-first, extremely fast DNS system. They thought it was a laudable goal. We offered Cloudflare's network to receive and study the garbage traffic in exchange for being able to offer a DNS resolver on the memorable IPs. And, with that, 1.1.1.1 was born."
So, despite its "privacy-first" policy, Cloudflare will be sharing DNS query data with APNIC Labs for the next 5 years in exchange for the use of the 1.1.1.1 address, along with the chance of permanently acquiring the IP addresses, including 1.0.0.1.
In its blog post, APNIC stated that its deep interest is in understanding the technical infrastructure of the internet, including the intricacies of DNS, in order to mitigate malicious denial of service attacks. They were also quick to reiterate Cloudflare's commitment to data privacy:
"In setting up this joint research program, APNIC is acutely aware of the sensitivity of DNS query data. We are committed to treat all data with due care and attention to personal privacy and wish to minimise the potential problems of data leaks. We will be destroying all "raw" DNS data as soon as we have performed statistical analysis on the data flow. We will not be compiling any form of profiles of activity that could be used to identify individuals, and we will ensure that any retained processed data is sufficiently generic that it will not be susceptible to efforts to reconstruct individual profiles. Furthermore, the access to the primary data feed will be strictly limited to the researchers in APNIC Labs, and we will naturally abide by APNIC's non-disclosure policies."
Will It Really Boost Internet Speed?
Medium.com ran a performance test of the top 8 free DNS providers (including Cloudflare's 1.1.1.1) from 18 locations around the world, running 70 DNS lookups per hour for different popular domains. The result was that all providers had response times under 15 ms across the US, Canada and Europe.
Asia and South America are where there were significant differences in performance, so the answer to that question is yes and no... or rather, it depends on where you live.
It's great to have companies that are passionate about promoting our right to information and that are protecting our freedom of expression, personal information and online privacy - even if 90% of online users don't think twice before clicking "I Agree" and effectively signing away those very rights. As for enjoying "faster" internet, unless you're trying to win an Olympic medal or break a Guinness World Record, a latency of 10ms (a hundredth of a second) won't hurt or kill you.
What is exciting is that having an independent DNS-over-HTTPS service provider might open doors for more browsers, operating systems, routers and apps to experiment with supporting the new protocol, paving the way for a truly secure and better internet.
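To make concrete what the resolver (and anyone on the path) can see in a plain DNS query versus a DNS-over-HTTPS one, here is an added example that is not Cloudflare's or the article's code: it encodes the same lookup as an RFC 1035 wire-format packet and as an RFC 8484 GET request. The endpoint URL is an assumption for illustration (Cloudflare documents https://cloudflare-dns.com/dns-query); nothing is sent over the network.

```python
"""The same lookup as a plaintext DNS packet and as a DNS-over-HTTPS request (RFC 8484).

Added example, not Cloudflare's code; nothing here touches the network. The DoH endpoint
is an assumption for illustration: Cloudflare documents https://cloudflare-dns.com/dns-query.
"""
import base64
import struct


def build_query(qname, qtype=1, txid=0):
    """Encode a DNS query in RFC 1035 wire format (qtype 1 = A record, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: RD=1; 1 question
    question = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    ) + b"\x00"                                                   # root label ends the name
    return header + question + struct.pack("!HH", qtype, 1)


def qname_from_wire(msg):
    """What anyone on the path (ISP, hotspot, mobile carrier) reads off a UDP/53 query."""
    pos, labels = 12, []                                          # question follows the header
    while msg[pos]:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels)


def doh_get_url(msg, endpoint="https://cloudflare-dns.com/dns-query"):
    """RFC 8484 GET form: wire message, base64url without padding, in the ?dns= parameter.

    On the wire this travels inside TLS, so an observer sees only a connection to the
    endpoint host; the resolver operator still decodes the token and sees the name.
    """
    token = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={token}"


if __name__ == "__main__":
    q = build_query("www.example.com")
    print(qname_from_wire(q))   # www.example.com
    print(doh_get_url(q))       # ...?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB
```

With the transaction id fixed at 0 (which RFC 8484 recommends so HTTP caches can reuse answers), the token produced for www.example.com is the one RFC 8484 uses in its own GET example.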