Cloudflare DoH!

This is a follow up to my previous article “Some problems with DoH!“. Given that Cloudflare are the preferred partner of Mozilla who are threatening to impose DNS-over-HTTPS on the majority of people I thought it worth while to have a look at what they have to say for themselves. All of this information is taken from https://developers.cloudflare.com/1.1.1.1/ as it was on 14th August 2018 ( archive.org link ). Some of my commentary may verge on the pedantic*, but given the nature of what is being proposed I think a little** pedantry and cynicism is called for. I may be mainly asking cycnical and paranoid questions, given the weasel words and behaviour we’ve all seen from other companies I think this is justified for someone selling themselves on privacy.

The opening section of their segment on “DNS over HTTPS” correctly identifies that DNS isn’t encrypted
Even if you are visiting a site using HTTPS, your DNS query is sent over an unencrypted connection.
and that DNSSec to prevent man in the middle has not been widely deployed:
but only a single-digit percentage of domains use DNSSEC.
They then pull a bit of a bait and switch and say:
To combat this problem, Cloudflare offers DNS resolution over an HTTPS endpoint. If you build a mobile application, browser, operating system, IoT device or router, you can choose for your users to use the DNS over HTTPS endpoint instead of sending DNS queries over plaintext for increased security and privacy of your users.”
The observant amongst you will have noticed that this solves the first problem they identify but makes no difference at all to the problem of man in the middle attacks and the wide spread lack of DNSSEC. Now as discussed previously if you’re on a hostile network worrying about your DNS traffic being snooped is a sensible concern. Solving that problem would be a good thing, solving the uptake of DNSSEC, which cloudflare don’t do would be even more useful. That Cloudlfare have listed two problems and then presented the solution to just one of them as if it solves both, seems disingenuous and doesn’t fill me with the warm and fuzzies.

The net far more interesting section is their section on privacy. After a very innocuous first paragraph things go down hill quickly.
Unfortunately, by default, DNS is usually slow and insecure. Your ISP, and anyone else listening in on the Internet, can see every site you visit and every app you use — even if their content is encrypted.
That DNS is insecure I don’t think anyone will argue with, that it’s also usually slow I’m far less convinced about, especially once results are cached at your local DNS server ( which for popular sites most of the time they will be). The second sentence is verging on the down right dishonest. The only people that can snoop on your DNS data are people on the network between you and your DNS resolver, which by default is normally fairly local. So saying “anyone else listening in on the Internet” is one hell of a stretch. Also they can’t see what app you use or what website you visit they can see what DNS records you’ve looked up, which with many browsers doing link pre-fetching are far from the same things.

Cloudlfare then warn us that some DNS providers will sell our data or use it to target ads at us. To which I say this is probably true, but probably not your ISP and also read the terms and conditions and choose a reputable DNS service provider. Now my next problem is I admit born out of cynicism from havign heard this line before ( I’m looking at you Google and Facebook ):
Cloudflare will never sell your data or use it to target ads. Period.
Based on previous free services, one has to ask what counts as “your data”, will they sell “anonymized” data? As they’ll be getting requests made by browsers and apps which can be fingerprinted they’ll have access to a much richer set of data than the dodgy DNS providers they warn us about. Also will they sell aggregated/anonymized data and use that to target ads? e.g. They pass on that there are a lot of requests from some town for product X, which would be of value too advertisers even though it’s not selling your data as such, at what level do they consider it to not be your data?

All debug logs, which we keep just long enough to ensure no one is using the service to cause harm, of are purged within 24 hours.
Now the obvious question here is what exactly is logged in that rolling 24 hour debug log, is it full query logging with your browser finger print? Which again is far more data than most DNS providers would keep and if it’s logged it’s subject to legal discovery, and Cloudlfare being a US company once that data is logged it’s also much easier for the US government and agencies to request it.

Cloudflare will not retain any personal data / personally identifiable information, including information about the client IP and client port.
This leaves the door wide open for them keeping “anonymised” data as many other highly invasive free services have done in the past. If I was cynical I’d say it also hints at how much they are initially logging.

Cloudflare will retain only limited transaction data for legitimate operational and research purposes, but in no case will such transaction data be retained by Cloudflare for more than 24 hours.
This may be broadly true, but as many previous cases will attest in the event of a legal discovery request, if it’s being logged it can be forced to be kept. This is why most privacy focussed services log as little as possible as if it’s not logged it cant be asked for.

The final sentence in their privacy statement is the one that makes me laugh though:
Frankly, we don’t want to know what you do on the Internet — it’s none of our business — and we’ve taken the technical steps to ensure we can’t.
Clouflare are a content delivery company, knowing what people want to access and from where and using which browser or application is blatantly something of great interest to a CDN. They may not care about you as an individual but in aggregate knowing what people want to access and from where and how is hugely useful commercially. Further given they’ve said they have debug logs they do have the ability to access this data, after all they can snoop on it if they choose. They may well have taken procedural steps to make it difficult especially on an individual basis but the idea that they “can’t” is laughable. The cynic in me says the idea that they won’t be making any use of the data we’re giving them is absurd especially as they say that “APNIC will have limited access to query the transaction data” so aggregate data at least must be being kept, and if there’s one thing we should have all learnt by now the details of just what is being kept matter. Finally if you consider that Cloudlfare claims to handle 10% of the internet traffic handing them our DNS data may not be a sound privacy move depending on to what level they aggregate it.

In the “Cloudflare 1.1.1.1” FAQ they repeat the same line about slow and insecure and how the entire internet can snoop your DNS. They then go on to say:
“Given the current state of affairs, Cloudflare decided that it was time to create a DNS resolver with your privacy and security in mind. What this means is that whenever you click on or type a web address in your internet browser your DNS lookup request will be sent over a secure channel to the Cloudflare Resolver rather than to an unknown DNS resolver, significantly decreasing the odds of any unwanted spying or man in the middle attacks.”

Now that implies that either your browser has set your DNS for you in which case it’s still unknown, or you’ve chosen to set your own DNS in which case it’s a known provider no matter who you use. Also unless your on a dodgy roaming network or WiFi hotspot most man in the middle attacks are not between you and the recursor but between your recursor and the authoritative server.

Cloudflare will not retain or sell or transfer to any third party (except as described in the section below and as may be required by law) any personal information, IP addresses or other user identifiers from the DNS queries sent to the Cloudflare Resolver;
Shame they didn’t mention that in the main privacy section when they said “but in no case will such transaction data be retained by Cloudflare for more than 24 hours“.

Cloudflare will not combine the data that it collects from DNS queries, with any other Cloudflare or third party data in any way that can be used to identify individual end users;
Families, people in the same building etc. though they’re far game. They won’t narrow it down to just you, but it could be either you or your boy friend.

In fairness to them the anonymized data they say they’ll collect is pretty reasonable and doesn’t cause concern from what I can see, though that’s what they collect in an anonymized fashion not what they log. But in the list of data htey say they’ll keep indefinitely they mention:
Number of unique users, queries over IPv4, queries over IPv6, queries with the RD bit set, queries asking for DNSSEC, number of bogus, valid, and invalid DNSSEC answers, queries by type, number of answers with each response code, response time quantiles (e.g. 50 percentile), and number of cached answers per minute, per day, per protocol (HTTPS/UDP/TCP/TLS), per Cloudflare data center, and per Autonomous System Number.
The first item on that list interests me “Number of unique users”, as to count the number of unique users you’ve got to be recording something that uniquely identifies a user, if you want to track how many “unique users” you have in a week you’ve got to keep record of some sort of fingerprint for each user during that week period. Again I’m sure they’ll do a very good job of making sure that unique user identifier can’t be tied to anything else, but well we’ve heard that before.

The big problem with everything they claim ( and it is mainly good ), is that we’re giving them a lot of data, far more than a normal DNS resolver and we have to trust them on how well they anonymize it and at what level they consider it to no longer be “personally identifiable”. Many companies offering free services in the past have sung from the same page only for us latter to discover that it wasn’t that anonmyised and wasn’t that aggregated. Having been bitten before I’m not sure how much I trust such claims, especially when it’s being sold by misleading scaremongering and looks likely to be foisted upon the majority of users “for their own good”. On which subject it’s worth drawign attention to this little bit in the “Cloudflare resolver for firefox” section:
Therefore, the data Cloudflare collects and processes pursuant to its agreement with Firefox is not covered by the Cloudflare Privacy Policy.
(Emphasis mine), so all of the privacy they’ve mentioned before doesn’t apply if you’re using Firefox, if you’re using Firefox what’s collected is dependent on the agreement between them and not on what you may agree to. Both companies seem to be saying “just trust us” on this, as the agreement between them isn’t a matter of public record, and again past experience suggests that if they change it they’ll not announce it well. The amount of data they’ll collect for Firefox is a different list than what they collect for themselves. Of particular note is they’ll now collect:

  • Resolver IP address + Port the Query Originated From
  • EDNS Payload

Which I believe is more identifiable than what Cloudflare would collect for themselves. The final sentence is also worth making note of:
Cloudflare will not sell, license, sublicense, or grant any rights to your data to any other person or entity without Mozilla’s explicit written permission.
So not your consent but Mozilla’s where as if you just use Cloudflare not via Firefox they promise:
Cloudflare will not sell, license, sublicense, or grant any rights to your data that we collect from DNS queries to any other person or entity without your consent.
So by using Firefox with Cloudflare you are ceding control of your data to Mozilla and what they agree with Cloudflare, I struggle to see how this improves the safe guards on my data.

Ultimately it’s the normal privacy promise that we’ve heard from other firms before it turns out they were using supposedly anonymised data to do highly targeted tracking and advertising. So as ever it comes down to do you trust Cloudflare to behave better than other people have? Or the question for net time do you trust the private agreement between Mozilla and Cloudlfare, and do you think centralising the internet to a single provider in this way is a good thing™?

* This is a lie it will be very pedantic
** Also a lie I mean lots

Bookmark the permalink.

Leave a Reply