Cloudflare’s 1.1.1.1 DNS Does Nothing for Privacy

I didn’t pay much attention to the experimental Cloudflare  Domain Name Service (1.1.1.1) until I saw their co-founder & COO Michele Zatlyn describing it on Bloomberg Technology. There’s nothing novel about DNS, regardless of who supplies it. You ask it for the IP address associated with a domain name, and it gives you one relative to where you are. No big deal.

But it becomes troublesome when the over-hyping sets in. Zatlyn claimed that ISPs are free to sell browsing histories today, which isn’t quite true. She also claimed that 1.1.1.1 would speed up browsing, which is dubious. And she claimed using a DNS from a party other than your ISP would hide your web activity from your ISP, which is blatantly false.

How do I know this and why did she say it? Read on.

Do ISPs Sell Your Browsing Histories?

No. ISPs have information about your browsing histories because they know the IP addresses of the sites with which you communicate. Even if the sites you visit use TLS to encrypt the content of your communication, the ISPs can’t route your packets to the right place without a destination IP address. They also know where the elements of the web pages – pictures, snippets of text, videos, ads – come from because they have to route those as well.

This information flows over TCP, a bi-directional protocol. So every piece of information seen by the ISP is also seen by the other party in this two-way communication. So alternative DNS does not prevent the ISP or the destination site from knowing the IP address – and hence the identity – of the other party. If you want to hide your browsing history from your ISP you need to use a VPN as well as cloaking your DNS queries.

Both ISPs and web trackers know your browsing histories, but neither sells this information. If they did, we would likely see a firestorm of criticism and some lawsuits. How these suits come out is a matter for lawyers to judge, but nobody with the information is currently testing the waters.

Will Cloudflare Speed up Your Web Browsing?

No. They may in fact resolve domain names a few milliseconds faster than your ISP’s DNS, but there’s not going to be enough of a difference for you to notice. The reality of web browsing speed is that it’s determined by the sites as long as your Internet package is faster than 15 Mbps.

We’ve seen steady increases of 30% per year in raw broadband speed over the last eight years, but web page load times have remained stagnant. I presented a paper on this at TPRC last year: You Get What You Measure: Internet Performance Measurement as a Policy Tool.

DNS lookups are not a significant part of web page load time, so eliminating them altogether wouldn’t make any difference. And 1.1.1.1 isn’t the fastest DNS on the market anyway: it depends entirely on where you are. 1.1.1.1 does have nice average speeds, but it’s brand new and has fewer customers. Despite this advantage, there are faster DNSes in Atlanta, New York, Montreal, Frankurt, and other places.

The open, non-profit Quad9 DNS* delivers the quickest absolute lookup times, and it also checks the domain you’re resolving for presence in IBM’s threat database.  Knowing I’m about to visit a malware site is more important to me than shaving 4 or 5 thousands of a second off of the page’s 2 to 3 second load time. That said, Cloudflare is able to resolve its customers’ addresses very, very fast; fast enough to reduce web page load times by a few hundredths of a percent under ideal circumstances.

Will Cloudflare’s 1.1.1.1 DNS Hide Information from Your ISP?

No. As we’ve said, DNS queries are questions that return answers. Since the answers are necessary for all Internet communication, they can’t be hidden. Even though Cloudflare hides the questions you’re asking from the ISPs it can’t hide the answers.

So this is not a meaningful privacy enhancement. It appears to be the sort of product that comes down from the top of the company instead of up from the engineering ranks. Cloudflare’s CEO still feels bad about cutting off his Nazis, and wants to be one of the Internet’s good guys again.

So he’s told his engineers to build this service for image and reputation reasons. It makes sense for CDNs to offer DNS services, of course. But why must Silicon Valley insist on over-hyping every little thing it does? Engineers see things like this as minuscule performance enhancements and nothing more.

If Cloudflare really wanted to improve privacy it would offer a VPN.

*Note: Corrected; initially I said Quad9 was an IBM project.