How Cloudflare DNS Helps Solve 4 Big DNS Privacy Risks

In April 2018, Cloudflare released a new security tool. Called, it’s a consumer DNS address that anyone can use for free. It can help increase DNS security, improve users’ privacy, and potentially even speed up your network connection.

But how does it work? How do you use it? And which DNS privacy risks can it help improve? Let’s take a closer look.

The Problem With DNS and Privacy

The Domain Name System (DNS) is often called “the internet’s phonebook.” It’s the technology responsible for linking the domains we all use every day (e.g. with the IP address of that site’s web server.

Of course, you could enter a site’s IP address and you would still end up at its homepage, but text-based URLs are much easier to remember, hence why we use them.

Unfortunately, DNS technology comes with many privacy issues. The issues can undermine your online safety, even if you take all the usual precautions elsewhere on your system. Here are some the worst privacy issues associated with DNS.

1. Your ISP Is Watching

Because of the way DNS works, it acts as a log of the websites you visit. It doesn’t matter whether the site you’re visiting uses HTTPS—your ISP, mobile carrier, and public Wi-Fi providers will still all know exactly which domains you have visited.

Worryingly, since mid-2017, ISPs in the United States are allowed to sell their customers’ browsing data for financial gain. Indeed, the practice is common around the world.

Ultimately, your browsing history is helping vast corporations make money. It’s why you should always use a third-party DNS provider.

2. The Government Is Watching

Like ISPs, authorities can also use your DNS log to see what sites you’ve been visiting.

If you live in a country which takes a less-than-tolerant approach to political opponents, LGBTQ activists, alternative religions, and so on, visiting sites of that nature could land you in trouble.

Sadly, your DNS lookup history could reveal your private beliefs to entities who will potentially clampdown on you as a result.

3. Snooping and Tampering

You are also at risk from DNS’s lack of “last mile” encryption. Let’s explain.

There are two sides to DNS: Authoritative (on the content side) and a recursive resolver (on your ISP’s side). In broad terms, you can think of DNS resolvers asking the questions (i.e., “where can I find this site?”), and authoritative DNS nameservers providing the answers.

Data moving between the resolver and the authoritative server is (theoretically) protected by DNSSEC. However, the “last mile” —the part between your machine (called the stub resolver) and the recursive resolver—is not secure.

Sadly, the last mile provides plenty of opportunities for snoopers and tamperers.

4. Man-in-the-Middle Attacks

When you browse the web, your computer will frequently use DNS data that’s cached somewhere on the network. Doing so can help to reduce page loading times.

However, the caches themselves can fall victim to “cache poisoning.” It’s a form of man-in-the-middle attack.

In simple terms, hackers can take advantage of vulnerabilities and poor configurations to add fraudulent data to the cache. Then, the next time you try and visit the “poisoned” site, you’ll be sent to a server controlled by the criminal.

The responsible parties can even replicate your target site; you might never know you’ve been redirected and accidentally enter usernames, passwords, and other sensitive information.

This process is how many phishing attacks take place.

How Does Help?

The new service from Cloudflare can remedy many of the privacy issues related to DNS technology.

The company spent a long time talking to browser developers before the service went public and developed its tool in accordance with their recommendations.

1. No Tracking, No Data Storage

Firstly, Cloudflare has made a commitment never to track its DNS users or sell advertising based on their viewing habits. To strengthen consumer confidence in its statement, the company has vowed to never save IP address queries to disk and promised to delete all DNS logs within 24 hours.

In practice, it means your DNS history will stay out of the hands of ISPs and governments. There won’t even be a record with Cloudflare for them to request access to.

2. Cutting-Edge Technology

When you type a URL and hit Enter, almost all DNS resolvers will send the entire domain name (the “www,” the “makeuseof,” and the “com”) to the root servers, the .com servers, and any intermediary services.

All that information is unnecessary. The root servers only need to direct the resolver to .com. Further lookup queries can be initiated at that point.

To combat the issue, Cloudflare has implanted a wide range of both agreed-upon and proposed DNS privacy-protection mechanisms for connecting the stub resolver and the recursive resolver. The result is that will only send the bare amount of information necessary.

3. Anti-Snooping

The service offers a feature which helps combat snooping on the last mile: DNS over TLS.

DNS over TLS will encrypt the last mile. It works by letting the stub resolver establish a TCP connection with Cloudflare on port 853. The stub then initiates a TCP handshake and Cloudflare provides its TLS certificate.

As soon as the connection is established, all communications between the stub resolver and the recursive resolver will become encrypted. The result is that eavesdropping and tampering become impossible.

4. Fighting Man-in-the-Middle Attacks

According to Cloudflare’s figures, less than 10 percent of domains use DNSSEC to secure the connection between a recursive resolver and an authoritative server.

DNS over HTTPS is an emerging technology that aims to help to secure HTTPS domains that do not use DNSSEC.

Without encryption, hackers can listen to your data packets and know which site you’re visiting. The lack of encryption also leaves you vulnerable to man-in-the-middle attacks such as those we detailed earlier.

How Can You Start Using

Using the new service is easy. We’ll explain the process for both Windows and Mac machines.

How to Change DNS on Windows

To change your DNS provider on Windows, follow the steps below:

  1. Open the Control Panel
  2. Go to Network and Sharing Center > Change Adaptor Settings
  3. Right-click on your connection and select Properties
  4. Scroll down, highlight internet Protocol Version 4 (TCP/IPv4), and click on Properties
  5. Click on Use the following DNS server addresses
  6. Enter in the first row and in the second row
  7. Hit OK

How to Change DNS on Mac

If you have a Mac, follow these instructions to change your DNS instead:

  1. Go to Apple > System Preferences > Network
  2. Click on your connection in the panel on the left-hand side of the window
  3. Click on Advanced
  4. Highlight DNS and press +
  5. Enter and in the space provided
  6. Click OK

And Remember to Always Use a VPN

More important than a good DNS, you should always use a strong VPN in the battle for online privacy.

All reputable VPN providers will also supply their own DNS addresses. However, sometimes you’ll need to manually update your DNS using the methods we detailed above. Failure to do so will result in a DNS leak.

But just because your VPN provider provides its own DNS addresses, you can still use Cloudflare’s addresses instead. In fact, it’s recommended; it’s very unlikely your VPN’s DNS will be as sophisticated or as robust as the new service.

If you’re looking for a solid and reputable VPN provider, we recommend ExpressVPN, CyberGhost, or Private Internet Access.