
Oblivious DNS over HTTPS

With standard DNS over HTTPS (DoH), your DNS queries are encrypted in transit, but the resolver still sees both your IP address and the names you look up, and can link the two. Oblivious DNS over HTTPS (ODoH, RFC 9230) adds a privacy layer so that no single party sees both pieces of information at the same time.

How ODoH works

ODoH introduces two roles between your device and the DNS resolver:

  • Proxy — Forwards your encrypted DNS query to the target. The proxy can see your IP address but cannot read the query because it is encrypted.
  • Target — Receives and decrypts the DNS query, then sends it to the upstream resolver. The target can read the query but only sees the proxy's IP address, not yours.

Because the query is encrypted before it reaches the proxy, and the target never learns your IP address:

  • The proxy has no visibility into the DNS messages, with no ability to identify, read, or modify either the query being sent by the client or the answer being returned by the target.
  • The target receives the encrypted query from the proxy and is the only party able to decrypt it, but it sees the proxy's IP address rather than the client's.
  • Only the intended target can read the content of the query and produce a response, which is also encrypted.

This means that, as long as the proxy and the target do not collude, no single entity has access to both the DNS messages and the client IP address at the same time. Clients are in complete control of proxy and target selection, so you can choose a proxy and target operated by different organizations to reduce collusion risk. Two limits are worth keeping in mind: the proxy necessarily learns which target you use, since it has to forward the query there, and the target (and any upstream resolver it uses) still sees the full query in plaintext. ODoH separates who sees what; it does not hide the query from the party that answers it.

Clients encrypt their query for the target using Hybrid Public Key Encryption (HPKE, RFC 9180), a standard for encrypting messages to a recipient using their public key. A target's public key configuration is obtained via DNS: it is published in the HTTPS resource record for the target's name (the odohconfig parameter) and protected by DNSSEC, so a client that validates the record can be sure it is encrypting to the genuine target and not to a key substituted on the path. The response is encrypted with key material derived from the same HPKE exchange, so only the client that sent the query can read it.
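To make the split of knowledge concrete, here is an added Go example that models the three roles in one process. It is not code from this page, from Cloudflare, or from any ODoH implementation: it substitutes X25519 agreement, a minimal HKDF-SHA256 and AES-128-GCM for a full HPKE implementation, omits the ODoH wire format and HTTP transport, and uses constructed documentation addresses (192.0.2.1 for the proxy, 198.51.100.7 for the client) and a stub resolver map in place of a real upstream. Each role records what it was able to observe, which is the property the text above describes.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

var zone = map[string]string{"example.com.": "203.0.113.10"} // constructed stub resolver

func mustKey(k *ecdh.PrivateKey, err error) *ecdh.PrivateKey {
	if err != nil {
		panic(err) // no entropy for key generation: unrecoverable
	}
	return k
}

// keyFor: minimal HKDF-SHA256 (Extract with enc as salt, one Expand block) giving an AES-128-GCM AEAD and nonce; a stand-in for HPKE's key schedule.
func keyFor(shared, enc []byte, label string) (cipher.AEAD, []byte) {
	extract := hmac.New(sha256.New, enc)
	extract.Write(shared)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write(append([]byte(label), 1))
	okm := expand.Sum(nil)
	block, _ := aes.NewCipher(okm[:16]) // 16-byte key: cannot fail
	aead, _ := cipher.NewGCM(block)
	return aead, okm[16:28]
}

// Target decrypts and resolves queries; Seen logs everything it was able to observe. NewTarget makes the key pair whose public half real ODoH publishes in an HTTPS record.
type Target struct {
	priv *ecdh.PrivateKey
	Seen string
}

func NewTarget() *Target { return &Target{priv: mustKey(ecdh.X25519().GenerateKey(rand.Reader))} }

// Handle decrypts enc (32-byte ephemeral X25519 key) || ciphertext; bad input returns an error, never panics.
func (t *Target) Handle(peerIP string, msg []byte) ([]byte, error) {
	if len(msg) < 32 {
		return nil, fmt.Errorf("message too short")
	}
	ephPub, _ := ecdh.X25519().NewPublicKey(msg[:32]) // only fails on wrong length, checked above
	shared, err := t.priv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	aead, nonce := keyFor(shared, msg[:32], "odoh query")
	query, err := aead.Open(nil, nonce, msg[32:], msg[:32])
	if err != nil {
		return nil, err
	}
	t.Seen += fmt.Sprintf("peer=%s query=%s;", peerIP, query)
	aead, nonce = keyFor(shared, msg[:32], "odoh response") // bound to this query's secret
	return aead.Seal(nil, nonce, []byte(zone[string(query)]), msg[:32]), nil
}

// Proxy relays opaque bytes: it learns the client's IP and the target, nothing else.
type Proxy struct {
	IP     string
	Target *Target
	Seen   string
}

func (p *Proxy) Forward(clientIP string, msg []byte) ([]byte, error) {
	p.Seen += fmt.Sprintf("client=%s bytes=%d;", clientIP, len(msg))
	return p.Target.Handle(p.IP, msg) // the target sees the proxy's IP, not the client's
}

// Resolve is the client: seal name to the target key under a fresh ephemeral key, send it via the proxy, open the reply.
func Resolve(clientIP, name string, p *Proxy, targetPub *ecdh.PublicKey) (string, error) {
	eph := mustKey(ecdh.X25519().GenerateKey(rand.Reader))
	shared, err := eph.ECDH(targetPub)
	if err != nil {
		return "", err
	}
	enc := eph.PublicKey().Bytes()
	aead, nonce := keyFor(shared, enc, "odoh query")
	msg := append(enc, aead.Seal(nil, nonce, []byte(name), enc)...)
	encResp, err := p.Forward(clientIP, msg)
	if err != nil {
		return "", err
	}
	aead, nonce = keyFor(shared, enc, "odoh response")
	answer, err := aead.Open(nil, nonce, encResp, enc)
	return string(answer), err
}

func main() {
	target := NewTarget()
	proxy := &Proxy{IP: "192.0.2.1", Target: target} // constructed documentation addresses
	answer, err := Resolve("198.51.100.7", "example.com.", proxy, target.priv.PublicKey())
	fmt.Printf("answer=%s err=%v\nproxy saw: %s\ntarget saw: %s\n", answer, err, proxy.Seen, target.Seen)
}
```

Run it with `go run` and compare the two logs: the proxy's line carries the client address and a byte count only, the target's line carries the query name and the proxy's address only. Because the response key is derived from the secret of the query it answers, a proxy that swapped or replayed ciphertexts would only produce a response the client rejects, and a truncated or forged message is rejected by the target with an error rather than a crash.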

Cloudflare and third-party products

Cloudflare 1.1.1.1 supports ODoH by acting as a target that can be reached at odoh.cloudflare-dns.com.

To make ODoH queries, you can use open-source clients such as dnscrypt-proxy.

iCloud Private Relay uses similar privacy-separation principles and uses Cloudflare as one of its partners.