Cloudflare touts privacy-friendly public DNS service. Hmm, let's take a closer look at that

We'll share query data, but only with these really trustworthy researchers

Updated Cloudflare has revealed a deal with regional internet registry APNIC to provide a possibly more privacy-conscious DNS resolver at a prestige network address.

The biz contends DNS – which translates human-friendly domain names into the numeric IP addresses that software actually connects to – lacks privacy protection: queries to a conventional resolver travel in cleartext over UDP port 53, readable by anyone on the path. That largely undisputed claim has become more noteworthy since the US Congress last year dropped rules that prohibited ISPs from selling users' browsing data.

"Your ISP, and anyone else listening in on the internet, can see every site you visit and every app you use – even if their content is encrypted," the company says on its website. "Creepily, some DNS providers sell data about your Internet activity or use it to target you with ads."

Surveilling service providers might prefer the term "thoughtfully" rather than "creepily," based on the self-serving presumption that they're helping people with targeted ads.

What do we want? Privacy! When do we want it...

While not every ISP behaves in this way – San Francisco-based MonkeyBrains, for example, states, "[W]e do not inspect [internet] traffic and believe all users on our network are entitled to a private and anonymous interaction with the Internet" – enough do that Cloudflare's pitch could strike a chord among those looking to reduce dependence on the likes of Facebook and Google.

Cloudflare's new address isn't primarily a website; it's a recursive DNS resolver that, when queried by browsers and other software, walks down from the root servers through the top-level-domain servers to the authoritative name server for a particular domain, and returns the IP address it finds there. That resolver is the one party that necessarily sees every query a device makes, which is why who runs it, and what they do with the logs, matters.

Ironically for a project predicated on privacy, Cloudflare is sharing DNS query data with APNIC Labs, a part of Asian registry APNIC, in exchange for the use of its network address. The regional internet registry insists it wants to better understand the technical intricacies of DNS, in order to mitigate denial-of-service attacks and to optimize server communication.

The research relationship is set to run for at least five years, after which it may be renewed and APNIC will consider permanently allocating the IP address – along with its companion address – to Cloudflare.

Cloudflare also operates its DNS resolver through two IPv6 addresses: 2606:4700:4700::1111 and 2606:4700:4700::1001.

Bleedin' hell

APNIC Labs says it is aware how sensitive DNS query data can be and is committed to minimizing the possibility of data leaks, something Cloudflare had to deal with during last year's Cloudbleed vulnerability.

"We will be destroying all 'raw' DNS data as soon as we have performed statistical analysis on the data flow," APNIC Labs said in a blog post on Sunday.

"We will not be compiling any form of profiles of activity that could be used to identify individuals, and we will ensure that any retained processed data is sufficiently generic that it will not be susceptible to efforts to reconstruct individual profiles."

APNIC Labs says that it will also limit access to the data by its researchers and will abide by its non-disclosure policies.


In this respect Cloudflare's venture is similar to Google's Public DNS, which says it keeps some data for just 24 to 48 hours. Google, however, keeps other non-personally identifiable information for longer periods.

Sure enough, Cloudflare has positioned its DNS service as an alternative to Google's.

"Cloudflare's business has never been built around tracking users or selling advertising," said CEO Matthew Prince in a blog post. "We don't see personal data as an asset; we see it as a toxic asset."

The privacy afforded by Cloudflare's DNS service only blinds ISPs to a small portion of the data travelling to and from a device: the DNS query. The ISP still sees the IP addresses the device then connects to and, for ordinary HTTPS, the server name sent in cleartext in the TLS handshake (SNI), which is usually enough to tell which site is being visited.

Other protective elements have to be added to make a more plausible set of privacy armor.

Two of these, DNS-over-TLS (DoT, RFC 7858) and DNS-over-HTTPS (DoH, at the time still an IETF draft), are evolving protocols that Cloudflare's resolver supports and that have begun showing up in browsers. They encrypt the query between the device and the resolver, so the ISP can neither read nor log it in transit; the resolver itself still sees every query, which is why the data-sharing terms above matter. They complement, rather than replace, DNSSEC, which lets a client verify that a record is authentic but does nothing to hide it.
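To make concrete what an ISP can and cannot read, here is an added example (not code from Cloudflare, the IETF or the article) that builds a DNS query in the RFC 1035 wire format, shows how trivially a passive tap on UDP port 53 recovers the queried name from the raw bytes, and then carries the very same bytes the way DoH (RFC 8484) does: as a base64url token in a GET URL or as an application/dns-message POST body, both of which travel inside TLS. Everything is offline and constructed inline; the resolver hostname is an assumption taken from Cloudflare's DoH documentation, not something the article states, and the sample response bytes are made up for the example.

```python
"""Added example (not code from Cloudflare or the article): what a passive
observer reads from a plain UDP/53 query, and how the identical bytes travel
inside DNS-over-HTTPS (RFC 8484) where only the resolver's hostname is exposed.

Everything is offline: the query, the DoH URL and the response are constructed
here. The endpoint hostname is an assumption (Cloudflare's documented DoH URL),
not something the article states.
"""
import base64
import struct

QTYPE_A = 1
QCLASS_IN = 1
DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"   # assumed endpoint


def encode_name(name: str) -> bytes:
    """'www.example.com' -> length-prefixed labels terminated by a zero byte (RFC 1035 3.1)."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_query(name: str, txn_id: int = 0x1234, qtype: int = QTYPE_A) -> bytes:
    """12-byte header (flags 0x0100 = standard query, recursion desired) + one question."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def observed_qname(udp_payload: bytes) -> str:
    """What an ISP tap on port 53 logs with no effort at all: the name in the question."""
    labels, pos = [], 12                      # question starts right after the header
    while udp_payload[pos] != 0:
        length = udp_payload[pos]
        if length & 0xC0:                     # compression pointers are not legal here
            raise ValueError("compressed name in question section")
        labels.append(udp_payload[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)


def doh_get_url(name: str, resolver: str = DOH_ENDPOINT) -> str:
    """RFC 8484 GET form: wire query, base64url without '=' padding, in ?dns=.
    The ID is 0 so identical questions yield identical, cache-friendly URLs.
    An on-path observer sees only the TLS connection to the resolver host."""
    query = build_query(name, txn_id=0)
    token = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver}?dns={token}"


def doh_post(name: str):
    """RFC 8484 POST form: the raw wire query is the body; returns (headers, body)."""
    headers = {"Content-Type": "application/dns-message",
               "Accept": "application/dns-message"}
    return headers, build_query(name, txn_id=0)


def first_a_record(response: bytes) -> str:
    """Dotted-quad of the first A record in a response (the bytes inside a DoH reply
    or a plain UDP reply are the same), handling the usual 0xC00C name pointer."""
    qdcount, ancount = struct.unpack("!HH", response[4:8])
    pos = 12
    for _ in range(qdcount):                  # step over the echoed question(s)
        while response[pos] != 0:
            pos += 1 + response[pos]
        pos += 1 + 4                          # zero byte + qtype + qclass
    for _ in range(ancount):
        if response[pos] & 0xC0 == 0xC0:      # 2-byte pointer back into the message
            pos += 2
        else:
            while response[pos] != 0:
                pos += 1 + response[pos]
            pos += 1
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", response[pos:pos + 10])
        pos += 10
        rdata, pos = response[pos:pos + rdlen], pos + rdlen
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            return ".".join(str(b) for b in rdata)
    raise ValueError("no A record in the answer section")


# Constructed reply for example.com: QR|RD|RA flags, one question, one A record, TTL 3600.
SAMPLE_RESPONSE = (
    bytes.fromhex("1234" "8180" "0001" "0001" "0000" "0000")
    + encode_name("example.com") + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    + bytes.fromhex("c00c" "0001" "0001" "00000e10" "0004" "5db8d822")
)

if __name__ == "__main__":
    print(observed_qname(build_query("www.example.com")))   # plain DNS leaks the name
    print(doh_get_url("www.example.com"))                   # same bytes, now inside TLS
    print(first_a_record(SAMPLE_RESPONSE))
```

The GET token produced for www.example.com is the one RFC 8484 itself uses in its worked example, which is a handy check that the encoding is right. Note what the example does not hide: the TLS connection to the resolver host is still visible, and the resolver decodes the token and sees the full name, so the transport protects against the ISP, not against the resolver operator.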

Cloudflare's system also supports QNAME minimisation (RFC 7816), which sends each upstream authoritative server only the part of the name it needs to answer, so the root and top-level-domain servers no longer see full hostnames; and aggressive use of the DNSSEC-validated cache (RFC 8198), which uses cached NSEC/NSEC3 proofs to answer queries for non-existent names without asking upstream, cutting latency and the number of queries that leave the resolver. Beyond that, a VPN can shield other data traffic from one's ISP, provided it's trustworthy: it moves the vantage point from the ISP to the VPN operator rather than removing it.
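The two resolver features just named are easier to grasp as code. The following is an added example modelling both offline (it is not Cloudflare's resolver code): it lists which name each authoritative server would see with and without QNAME minimisation, and it implements the canonical-ordering check a resolver uses to decide whether a cached, validated NSEC record already proves a name does not exist. The assumption that there is a zone cut at every label, and the sample NSEC cache, are constructed for the example.

```python
"""Added example (not Cloudflare's resolver code): offline models of the two
resolver behaviours named above.

QNAME minimisation (RFC 7816) sends each authoritative server only the labels
it needs, so the root and TLD servers never see the full hostname. Aggressive
use of the DNSSEC-validated cache (RFC 8198) lets a resolver answer NXDOMAIN
from a cached NSEC proof instead of asking upstream again. Zone cuts here are
assumed to fall at every label, the simple case in the RFC's own walkthrough.
"""


def labels(name: str) -> list:
    """Lower-cased labels of a name, no trailing dot, empty for the root."""
    return [lab for lab in name.lower().rstrip(".").split(".") if lab]


def minimised_queries(name: str, qtype: str = "A"):
    """Return (classic, minimised): the (zone asked, qname sent, qtype) for each step."""
    parts = labels(name)
    fqdn = ".".join(parts) + "."
    classic, minimised = [], []
    zone = "."                                    # start at the root
    for i in range(len(parts), 0, -1):
        next_name = ".".join(parts[i - 1:]) + "."  # one more label than the zone we ask
        classic.append((zone, fqdn, qtype))       # full name to every server on the path
        # RFC 7816 asks NS for the intermediate names and the real type only at the end
        minimised.append((zone, next_name, qtype if i == 1 else "NS"))
        zone = next_name
    return classic, minimised


def canonical_key(name: str) -> tuple:
    """RFC 4034 6.1 canonical order: labels compared right-to-left as octet strings,
    case-insensitively; a parent (fewer labels) sorts before its children."""
    return tuple(lab.encode("ascii") for lab in reversed(labels(name)))


def nsec_covers(owner: str, next_name: str, qname: str) -> bool:
    """True when a validated NSEC record (owner -> next_name) proves qname is absent.
    The zone's last NSEC points back to the apex, so next_name may sort before owner.
    Delegation-point and wildcard subtleties from RFC 8198 are left out."""
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if o < n:
        return o < q < n
    return q > o or q < n                         # wrap-around at the end of the zone


def answer_from_cache(nsec_cache, qname: str):
    """RFC 8198: synthesise NXDOMAIN from any covering cached NSEC, else None (go upstream)."""
    for owner, next_name in nsec_cache:
        if nsec_covers(owner, next_name, qname):
            return "NXDOMAIN"
    return None


if __name__ == "__main__":
    classic, minimised = minimised_queries("www.example.com")
    for step in classic:
        print("classic   ", step)
    for step in minimised:
        print("minimised ", step)
    # Constructed cache: the zone example.com has validated NSECs a -> c and z -> apex.
    cache = [("a.example.com", "c.example.com"), ("z.example.com", "example.com")]
    print(answer_from_cache(cache, "b.example.com"))   # NXDOMAIN without an upstream query
    print(answer_from_cache(cache, "d.example.com"))   # None: not proven, ask upstream
```

The privacy and the performance points are the same mechanism seen from two sides: with minimisation the root only ever learns that somebody asked about com, and with a cached NSEC proof a burst of queries for random non-existent subdomains (a common resolver-flooding pattern) is absorbed by the cache rather than forwarded upstream.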

The primary virtue of Cloudflare's DNS resolver, beyond not being run by Google, may be its speed. The company claims its resolver has the fastest response time, averaging 14ms globally, using DNSPerf measurements. ®

Updated to add

Cloudflare CTO John Graham-Cumming got in touch to clarify that while APNIC will have access to DNS query data, it will not have access to logs of IP addresses of people sending in those queries.

PS: Cloudflare is rather enamored with Arm-compatible systems. Prince tweeted last month "why we're switching [from Intel processors] to Arm-based servers" with a photo showing a Qualcomm Centriq box drawing less power than an Intel x86 machine with, apparently, the same performance and workload.

It also published some initial findings here, and is understood to be considering shifting its production environment over to Arm.

Biting the hand that feeds IT © 1998–2022