Free APNIC, CloudFlare tool prevents ISPs from selling your internet history

APNIC and CloudFlare announced the free 1.1.1.1 DNS resolver service, which is intended as a drop-in replacement to protect your privacy from providers.

Building a slide deck, pitch, or presentation? Here are the big takeaways:
  • CloudFlare and APNIC are working together to run a free DNS routing service, as well as study DNS traffic to develop new mitigations for DNS-based attacks.
  • CloudFlare is touting the security aspects of the DNS resolver, noting that the company will not write querying IPs to disk, and will delete logs within 24 hours.

The cloud-based website acceleration service CloudFlare, in cooperation with APNIC (Asia-Pacific Network Information Centre), has announced a new free DNS routing service, 1.1.1.1. The service is intended to be used as an alternative to the DNS routing services provided by ISPs, or by free Wi-Fi hotspot providers, which could log your access history for advertising purposes, or to sell to third parties.

Because this service runs on top of CloudFlare's content delivery network—used by millions of websites to speed up loading times by caching content in multiple geographically discrete locations—it is also substantially faster than competing DNS services. CloudFlare's blog post points to benchmarks performed by Prospect One's DNSPerf, which (at the time of publication) ranks the query speed of 1.1.1.1 as 14.01ms, whereas OpenDNS, the next fastest option, ranks at 20.64ms. Google ranked 4th at 34.51ms.

CloudFlare is heavily touting the security aspect of the newly-launched DNS routing service. While the post states that some logging is needed to prevent abuse and for debug purposes, the service will not write querying IP addresses to disk, and will wipe all logs within 24 hours. The company has also retained the auditing firm KPMG to verify that they are upholding their commitment to not logging users.

That said, APNIC's involvement with the project extends beyond loaning the 1.1.1.1 and 1.0.0.1 addresses to CloudFlare. APNIC, which manages allocation and registration of IP addresses for the Asia-Pacific region, will conduct a study of the DNS traffic in order to measure the efficacy of caching systems, and to study potential new mitigations against DNS-powered denial of service (DoS) attacks. However, the organization is also sensitive to the security needs of users.

From APNIC's announcement:

APNIC is acutely aware of the sensitivity of DNS query data. We are committed to treat all data with due care and attention to personal privacy and wish to minimise the potential problems of data leaks. We will be destroying all "raw" DNS data as soon as we have performed statistical analysis on the data flow. We will not be compiling any form of profiles of activity that could be used to identify individuals, and we will ensure that any retained processed data is sufficiently generic that it will not be susceptible to efforts to reconstruct individual profiles. Furthermore, the access to the primary data feed will be strictly limited to the researchers in APNIC Labs, and we will naturally abide by APNIC's non-disclosure policies.

Interested users can change their DNS settings from their router, or on individual devices running Windows, OS X, Linux, or iOS. Manual DNS configuration on Android requires a static IP.

This is not an April Fools' joke

Tech companies have a long tradition of introducing products on April Fools' Day, and this announcement is somewhat peculiar in nature, particularly as CloudFlare stands to lose money operating a free DNS resolver. The decision to announce the service on April Fools' Day, though, was at least in part numerical. The IP address used is intended to be memorable, like Google's 8.8.8.8 DNS resolver. The choice of 1.1.1.1, or four ones, made April 1st an obvious launch date.

About James Sanders

James Sanders is a Java programmer specializing in software as a service and thin client design, and virtualizing legacy programs for modern hardware.
