From 564bb4ec6158f757fd9c7aeb8dfc5bbad519a14f Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Thu, 31 Oct 2024 18:20:55 +0000 Subject: [PATCH 1/8] Create placeholder page, reorder, and adjust Encryption index --- .../docs/1.1.1.1/encryption/dns-over-https/index.mdx | 1 + src/content/docs/1.1.1.1/encryption/dns-over-tls.mdx | 2 ++ src/content/docs/1.1.1.1/encryption/dnskey.mdx | 3 ++- src/content/docs/1.1.1.1/encryption/index.mdx | 8 ++++++-- .../1.1.1.1/encryption/oblivious-dns-over-https.mdx | 10 ++++++++++ 5 files changed, 21 insertions(+), 3 deletions(-) create mode 100644 src/content/docs/1.1.1.1/encryption/oblivious-dns-over-https.mdx diff --git a/src/content/docs/1.1.1.1/encryption/dns-over-https/index.mdx b/src/content/docs/1.1.1.1/encryption/dns-over-https/index.mdx index 3d29acdca746c76..3a35238ab5c4b85 100644 --- a/src/content/docs/1.1.1.1/encryption/dns-over-https/index.mdx +++ b/src/content/docs/1.1.1.1/encryption/dns-over-https/index.mdx @@ -4,6 +4,7 @@ title: DNS over HTTPS slug: 1.1.1.1/encryption/dns-over-https sidebar: label: About DoH + order: 5 --- import { DirectoryListing } from "~/components" diff --git a/src/content/docs/1.1.1.1/encryption/dns-over-tls.mdx b/src/content/docs/1.1.1.1/encryption/dns-over-tls.mdx index 0dc6f682c4f6963..326f251df111dfc 100644 --- a/src/content/docs/1.1.1.1/encryption/dns-over-tls.mdx +++ b/src/content/docs/1.1.1.1/encryption/dns-over-tls.mdx @@ -2,6 +2,8 @@ pcx_content_type: concept title: DNS over TLS slug: 1.1.1.1/encryption/dns-over-tls +sidebar: + order: 4 --- By default, DNS is sent over a plaintext connection. DNS over TLS (DoT) is one way to send DNS queries over an encrypted connection. Cloudflare supports DNS over TLS on standard port 853 and is compliant with [RFC 7858](https://tools.ietf.org/html/rfc7858). With DoT, the encryption happens at the transport layer, where it adds TLS encryption on top of a TCP connection. 
diff --git a/src/content/docs/1.1.1.1/encryption/dnskey.mdx b/src/content/docs/1.1.1.1/encryption/dnskey.mdx index 9b0fba091df0bca..dc1ec6bd87f55d0 100644 --- a/src/content/docs/1.1.1.1/encryption/dnskey.mdx +++ b/src/content/docs/1.1.1.1/encryption/dnskey.mdx @@ -5,7 +5,8 @@ head: - tag: title content: Supported DNSKEY signature algorithms slug: 1.1.1.1/encryption/dnskey - +sidebar: + order: 7 --- [DNSSEC is a protocol](https://www.cloudflare.com/learning/dns/dns-records/dnskey-ds-records/) that adds a layer of security to the domain name system (DNS). DNSSEC does this by providing authentication through public signing keys using two DNS records: DNSKEY and DS. They can be used to verify DNSSEC signatures in [RRSIG records](https://www.cloudflare.com/dns/dnssec/how-dnssec-works/). diff --git a/src/content/docs/1.1.1.1/encryption/index.mdx b/src/content/docs/1.1.1.1/encryption/index.mdx index 8e1595464057243..fa297bd214666b2 100644 --- a/src/content/docs/1.1.1.1/encryption/index.mdx +++ b/src/content/docs/1.1.1.1/encryption/index.mdx 
@@ -12,8 +12,12 @@ slug: 1.1.1.1/encryption Traditionally, DNS queries and replies are performed over plaintext. They are sent over the Internet without any kind of encryption or protection, even when you are accessing a secured website. This has a great impact on security and privacy, as these queries might be subject to surveillance, spoofing and tracking by malicious actors, advertisers, ISPs, and others. -To prevent this and secure your connections, 1.1.1.1 supports [DNS over TLS (DoT)](/1.1.1.1/encryption/dns-over-tls/) and [DNS over HTTPS (DoH)](/1.1.1.1/encryption/dns-over-https/), two standards developed for encrypting plaintext DNS traffic. This prevents untrustworthy entities from interpreting and manipulating your queries. +To prevent untrustworthy entities from interpreting and manipulating your queries, 1.1.1.1 supports different standards to encrypt plaintext DNS traffic and improve DNS privacy: + +- [DNS over TLS (DoT)](/1.1.1.1/encryption/dns-over-tls/) +- [DNS over HTTPS (DoH)](/1.1.1.1/encryption/dns-over-https/) +- [Oblivious DNS over HTTPS (ODoH)](/1.1.1.1/encryption/oblivious-dns-over-https/) You can also [configure your browser](/1.1.1.1/encryption/dns-over-https/encrypted-dns-browsers/) to secure your DNS queries. -If you need to secure connections in your smartphone, refer to 1.1.1.1's [iOS](/1.1.1.1/setup/ios/) or [Android](/1.1.1.1/setup/android/) apps. +If you need to secure connections in your smartphone, refer to 1.1.1.1 [iOS](/1.1.1.1/setup/ios/) or [Android](/1.1.1.1/setup/android/) apps. diff --git a/src/content/docs/1.1.1.1/encryption/oblivious-dns-over-https.mdx b/src/content/docs/1.1.1.1/encryption/oblivious-dns-over-https.mdx new file mode 100644 index 000000000000000..160e517a3022bf3 --- /dev/null +++ b/src/content/docs/1.1.1.1/encryption/oblivious-dns-over-https.mdx 
@@ -0,0 +1,10 @@ +--- +pcx_content_type: concept +title: Oblivious DNS over HTTPS +slug: 1.1.1.1/encryption/oblivious-dns-over-https +sidebar: + order: 6 + label: Oblivious DoH +--- + +As announced on [our blog](https://blog.cloudflare.com/oblivious-dns/), since late 2020, Cloudflare supports Oblivious DNS over HTTPS (ODoH). \ No newline at end of file From 6b35cad45707641befbac9ab281930fc55d750a6 Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Tue, 5 Nov 2024 10:30:47 +0000 Subject: [PATCH 2/8] Initial outline and fill in intro --- .../encryption/oblivious-dns-over-https.mdx | 20 ++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/src/content/docs/1.1.1.1/encryption/oblivious-dns-over-https.mdx b/src/content/docs/1.1.1.1/encryption/oblivious-dns-over-https.mdx index 160e517a3022bf3..a1f7f47d326a0cc 100644 --- a/src/content/docs/1.1.1.1/encryption/oblivious-dns-over-https.mdx +++ b/src/content/docs/1.1.1.1/encryption/oblivious-dns-over-https.mdx @@ -7,4 +7,22 @@ sidebar: label: Oblivious DoH --- -As announced on [our blog](https://blog.cloudflare.com/oblivious-dns/), since late 2020, Cloudflare supports Oblivious DNS over HTTPS (ODoH). \ No newline at end of file +As announced on [our blog](https://blog.cloudflare.com/oblivious-dns/), since late 2020, Cloudflare 1.1.1.1 supports Oblivious DNS over HTTPS (ODoH) ([RFC 9230](https://www.rfc-editor.org/rfc/rfc9230.html)). + +ODoH is a protocol for performing remote Domain Name System (DNS) resolution via the OHTTPS protocol ([RFC 9230](https://www.rfc-editor.org/rfc/rfc9230.html)), which improves privacy by separating the contents of an HTTP request (and response) from its requester IP address. + +## How ODoH works + +Clients + +Proxy + +Target + +## Cloudflare and third-party products + + + +## Related resources + +- \ No newline at end of file From 3aebd71e3a7c684e82c0941e4fd377096a372b6b Mon Sep 17 00:00:00 2001 
From: Rebecca Tamachiro Date: Tue, 5 Nov 2024 13:24:22 +0000 Subject: [PATCH 3/8] Fill in defined outline for a first complete version --- .../encryption/oblivious-dns-over-https.mdx | 21 ++++++++++++++----- 1 file changed, 16 insertions(+), 5 deletions(-) diff --git a/src/content/docs/1.1.1.1/encryption/oblivious-dns-over-https.mdx b/src/content/docs/1.1.1.1/encryption/oblivious-dns-over-https.mdx index a1f7f47d326a0cc..d527906757fe86b 100644 --- a/src/content/docs/1.1.1.1/encryption/oblivious-dns-over-https.mdx +++ b/src/content/docs/1.1.1.1/encryption/oblivious-dns-over-https.mdx 
@@ -9,20 +9,31 @@ sidebar: As announced on [our blog](https://blog.cloudflare.com/oblivious-dns/), since late 2020, Cloudflare 1.1.1.1 supports Oblivious DNS over HTTPS (ODoH) ([RFC 9230](https://www.rfc-editor.org/rfc/rfc9230.html)). -ODoH is a protocol for performing remote Domain Name System (DNS) resolution via the OHTTPS protocol ([RFC 9230](https://www.rfc-editor.org/rfc/rfc9230.html)), which improves privacy by separating the contents of an HTTP request (and response) from its requester IP address. +ODoH is a protocol for performing remote Domain Name System (DNS) resolution based on the Oblivious HTTP protocol (OHTTP) ([RFC 9458](https://www.rfc-editor.org/rfc/rfc9458.html)). ## How ODoH works -Clients +OHTTP improves privacy by separating the contents of an HTTP request (and response) from its requester IP address. To achieve this in DNS resolution, a proxy and a target are introduced between the client and the upstream DNS resolver: -Proxy +- The target only has access to the encrypted query and the proxy's IP address. -Target +- The proxy has no visibility into the DNS messages, with no ability to identify, read, or modify either the query being sent by the client or the answer being returned by the target. + +- Only the intended target can read the content of the query and produce a response, which is also encrypted. + +This means that, as long as the proxy and the target do not collude, no single entity can have access to both the DNS messages and the client IP address at the same time. Also, clients are in complete control of proxy and target selection. + +Additionally, clients encrypt their query for the target using Hybrid Public Key Encryption. A target's public key is obtained via DNS, where it is bundled into a HTTPS resource record and protected by DNSSEC. ## Cloudflare and third-party products +Cloudflare 1.1.1.1 supports ODoH by acting as a target that can be reached at `odoh.cloudflare-dns.com`. 
+ +At launch, a few proxy partners included [PCCW](https://www.pccw.com/), [SURF](https://www.surf.nl/), and [Equinix](https://www.equinix.com/). +Finally, open source test clients are available in [Rust](https://github.com/cloudflare/odoh-client-rs) or [Go](https://github.com/cloudflare/odoh-client-go). ## Related resources -- \ No newline at end of file +- [Proving Oblivious HTTP privacy properties](https://blog.cloudflare.com/stronger-than-a-promise-proving-oblivious-http-privacy-properties/) blog post +- [Privacy Gateway](/privacy-gateway/) \ No newline at end of file From d1a5e575b17b1764eba008afe048d3e3def4a9c8 Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Tue, 12 Nov 2024 10:22:13 +0000 Subject: [PATCH 4/8] Initial review: experimental status, remove OHTTP ref, and replace Rust client --- .../docs/1.1.1.1/encryption/oblivious-dns-over-https.mdx | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/src/content/docs/1.1.1.1/encryption/oblivious-dns-over-https.mdx b/src/content/docs/1.1.1.1/encryption/oblivious-dns-over-https.mdx index d527906757fe86b..7367a03553f11ad 100644 --- a/src/content/docs/1.1.1.1/encryption/oblivious-dns-over-https.mdx +++ b/src/content/docs/1.1.1.1/encryption/oblivious-dns-over-https.mdx 
@@ -7,9 +7,11 @@ sidebar: label: Oblivious DoH --- -As announced on [our blog](https://blog.cloudflare.com/oblivious-dns/), since late 2020, Cloudflare 1.1.1.1 supports Oblivious DNS over HTTPS (ODoH) ([RFC 9230](https://www.rfc-editor.org/rfc/rfc9230.html)). +As announced on [our blog](https://blog.cloudflare.com/oblivious-dns/), since late 2020, Cloudflare 1.1.1.1 supports Oblivious DNS over HTTPS (ODoH). -ODoH is a protocol for performing remote Domain Name System (DNS) resolution based on the Oblivious HTTP protocol (OHTTP) ([RFC 9458](https://www.rfc-editor.org/rfc/rfc9458.html)). +:::caution +Although ODoH is defined in [RFC 9230](https://www.rfc-editor.org/rfc/rfc9230.html), it is experimental. 1.1.1.1 supports ODoH as [described bellow](#cloudflare-and-third-party-products), but this protocol is not endorsed by IETF nor by Cloudflare. +::: ## How ODoH works @@ -31,7 +33,7 @@ Cloudflare 1.1.1.1 supports ODoH by acting as a target that can be reached at `o At launch, a few proxy partners included [PCCW](https://www.pccw.com/), [SURF](https://www.surf.nl/), and [Equinix](https://www.equinix.com/). -Finally, open source test clients are available in [Rust](https://github.com/cloudflare/odoh-client-rs) or [Go](https://github.com/cloudflare/odoh-client-go). +Finally, open source test clients are available in [Rust](https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/odoh-relays.md) or [Go](https://github.com/cloudflare/odoh-client-go). ## Related resources From 1b892a53b8c4514c1ce7e78cd759045810ea673e Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Wed, 13 Nov 2024 17:01:14 +0000 Subject: [PATCH 5/8] Edit RFC callout, improve how it works section, and fix client link --- .../1.1.1.1/encryption/oblivious-dns-over-https.mdx | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) 
diff --git a/src/content/docs/1.1.1.1/encryption/oblivious-dns-over-https.mdx b/src/content/docs/1.1.1.1/encryption/oblivious-dns-over-https.mdx index 7367a03553f11ad..112c192dd8a7e6f 100644 --- a/src/content/docs/1.1.1.1/encryption/oblivious-dns-over-https.mdx +++ b/src/content/docs/1.1.1.1/encryption/oblivious-dns-over-https.mdx 
@@ -10,22 +10,22 @@ sidebar: As announced on [our blog](https://blog.cloudflare.com/oblivious-dns/), since late 2020, Cloudflare 1.1.1.1 supports Oblivious DNS over HTTPS (ODoH). :::caution -Although ODoH is defined in [RFC 9230](https://www.rfc-editor.org/rfc/rfc9230.html), it is experimental. 1.1.1.1 supports ODoH as [described bellow](#cloudflare-and-third-party-products), but this protocol is not endorsed by IETF nor by Cloudflare. +ODoH is defined in [RFC 9230](https://www.rfc-editor.org/rfc/rfc9230.html). This RFC is experimental and is not endorsed by the IETF. ::: ## How ODoH works -OHTTP improves privacy by separating the contents of an HTTP request (and response) from its requester IP address. To achieve this in DNS resolution, a proxy and a target are introduced between the client and the upstream DNS resolver: - -- The target only has access to the encrypted query and the proxy's IP address. +ODoH improves privacy by separating the contents of an HTTP request (and response) from its requester IP address. To achieve this, a proxy and a target are introduced between the client and the upstream DNS resolver: - The proxy has no visibility into the DNS messages, with no ability to identify, read, or modify either the query being sent by the client or the answer being returned by the target. +- The target only has access to the encrypted query and the proxy's IP address, while not having visibility over the client's IP address. + - Only the intended target can read the content of the query and produce a response, which is also encrypted. This means that, as long as the proxy and the target do not collude, no single entity can have access to both the DNS messages and the client IP address at the same time. Also, clients are in complete control of proxy and target selection. -Additionally, clients encrypt their query for the target using Hybrid Public Key Encryption. 
A target's public key is obtained via DNS, where it is bundled into a HTTPS resource record and protected by DNSSEC. +Additionally, clients encrypt their query for the target using Hybrid Public Key Encryption. A target's public key is obtained via DNS, where it is bundled into an HTTPS resource record and protected by DNSSEC. ## Cloudflare and third-party products @@ -33,7 +33,7 @@ Cloudflare 1.1.1.1 supports ODoH by acting as a target that can be reached at `o At launch, a few proxy partners included [PCCW](https://www.pccw.com/), [SURF](https://www.surf.nl/), and [Equinix](https://www.equinix.com/). -Finally, open source test clients are available in [Rust](https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/odoh-relays.md) or [Go](https://github.com/cloudflare/odoh-client-go). +Finally, open source clients such as [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy) can be used to make ODoH queries. ## Related resources From 8a4973edae9f8972e3314e9d1e04d370482f47eb Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Thu, 14 Nov 2024 17:31:55 +0000 Subject: [PATCH 6/8] Replace OHTTP blog with HPKE blog --- .../docs/1.1.1.1/encryption/oblivious-dns-over-https.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/content/docs/1.1.1.1/encryption/oblivious-dns-over-https.mdx b/src/content/docs/1.1.1.1/encryption/oblivious-dns-over-https.mdx index 112c192dd8a7e6f..04c910b914771bc 100644 --- a/src/content/docs/1.1.1.1/encryption/oblivious-dns-over-https.mdx +++ b/src/content/docs/1.1.1.1/encryption/oblivious-dns-over-https.mdx 
@@ -25,7 +25,7 @@ ODoH improves privacy by separating the contents of an HTTP request (and respons This means that, as long as the proxy and the target do not collude, no single entity can have access to both the DNS messages and the client IP address at the same time. Also, clients are in complete control of proxy and target selection. -Additionally, clients encrypt their query for the target using Hybrid Public Key Encryption. A target's public key is obtained via DNS, where it is bundled into an HTTPS resource record and protected by DNSSEC. +Additionally, clients encrypt their query for the target using Hybrid Public Key Encryption (HPKE). A target's public key is obtained via DNS, where it is bundled into an HTTPS resource record and protected by DNSSEC. ## Cloudflare and third-party products @@ -37,5 +37,5 @@ Finally, open source clients such as [dnscrypt-proxy](https://github.com/DNSCryp ## Related resources -- [Proving Oblivious HTTP privacy properties](https://blog.cloudflare.com/stronger-than-a-promise-proving-oblivious-http-privacy-properties/) blog post +- [HPKE: Standardizing public-key encryption](https://blog.cloudflare.com/hybrid-public-key-encryption/) blog post - [Privacy Gateway](/privacy-gateway/) \ No newline at end of file From d2f34aab68527c72bfaac954fb6e733f6f79fc97 Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Mon, 18 Nov 2024 15:44:04 +0000 Subject: [PATCH 7/8] Remove information already covered in the blog post --- .../docs/1.1.1.1/encryption/oblivious-dns-over-https.mdx | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/src/content/docs/1.1.1.1/encryption/oblivious-dns-over-https.mdx b/src/content/docs/1.1.1.1/encryption/oblivious-dns-over-https.mdx index 04c910b914771bc..120d8266408afc9 100644 --- a/src/content/docs/1.1.1.1/encryption/oblivious-dns-over-https.mdx +++ b/src/content/docs/1.1.1.1/encryption/oblivious-dns-over-https.mdx 
@@ -31,9 +31,7 @@ Additionally, clients encrypt their query for the target using Hybrid Public Key Cloudflare 1.1.1.1 supports ODoH by acting as a target that can be reached at `odoh.cloudflare-dns.com`. -At launch, a few proxy partners included [PCCW](https://www.pccw.com/), [SURF](https://www.surf.nl/), and [Equinix](https://www.equinix.com/). - -Finally, open source clients such as [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy) can be used to make ODoH queries. +To make ODoH queries you can use open source clients such as [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy). ## Related resources From e8520082eb135df5969a613d0a8690b2bf43f832 Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Mon, 18 Nov 2024 17:17:14 +0000 Subject: [PATCH 8/8] Add mention to iCloud Private Relay --- .../docs/1.1.1.1/encryption/oblivious-dns-over-https.mdx | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/content/docs/1.1.1.1/encryption/oblivious-dns-over-https.mdx b/src/content/docs/1.1.1.1/encryption/oblivious-dns-over-https.mdx index 120d8266408afc9..71c8e6f8c6efbbd 100644 --- a/src/content/docs/1.1.1.1/encryption/oblivious-dns-over-https.mdx +++ b/src/content/docs/1.1.1.1/encryption/oblivious-dns-over-https.mdx @@ -33,6 +33,8 @@ Cloudflare 1.1.1.1 supports ODoH by acting as a target that can be reached at `o To make ODoH queries you can use open source clients such as [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy). +Also, [iCloud Private Relay](https://support.apple.com/102602) is based on ODoH and uses [Cloudflare as one of their partners](https://blog.cloudflare.com/icloud-private-relay/). + ## Related resources - [HPKE: Standardizing public-key encryption](https://blog.cloudflare.com/hybrid-public-key-encryption/) blog post
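Review bot: In PATCH 1/8, the `index.mdx` hunk, dropping the possessive leaves `refer to 1.1.1.1 [iOS](...) or [Android](...) apps`, which no longer reads as a sentence; suggest `refer to the 1.1.1.1 [iOS](/1.1.1.1/setup/ios/) or [Android](/1.1.1.1/setup/android/) apps`, and `on your smartphone` rather than `in your smartphone` while the line is being touched.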
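Review bot: In PATCH 2/8, the intro line `ODoH is a protocol for performing remote Domain Name System (DNS) resolution via the OHTTPS protocol ([RFC 9230](...))` cites the ODoH RFC as if it defined OHTTP, and `OHTTPS` should read `OHTTP`; PATCH 3/8 in this series corrects the reference to RFC 9458, so the two should be squashed or the first commit amended so that no intermediate revision publishes the wrong citation. The placeholder bullet `- ` under `## Related resources` and the empty `## Cloudflare and third-party products` section are fine for a draft but should not merge as-is.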
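Review bot: In PATCH 3/8, `bundled into a HTTPS resource record` should be `an HTTPS resource record` (PATCH 5/8 fixes it, so squash the fix back). `Finally, open source test clients are available ...` opens with `Finally` although nothing in the section is a sequence; a plain `Open source test clients are available ...` reads better. The blank lines between the three bullets in the `How ODoH works` list make it a loose list in MDX, which renders each item as its own paragraph; remove them unless that spacing is intended.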
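Review bot: In PATCH 4/8, first hunk, `[described bellow]` is a typo for `below`, and `this protocol is not endorsed by IETF nor by Cloudflare` contradicts `1.1.1.1 supports ODoH` earlier in the same sentence; if the point is only the RFC's status, say that (`the RFC is experimental and is not endorsed by the IETF`) and drop the Cloudflare clause, which PATCH 5/8 in this series eventually does. Also `by IETF` should be `by the IETF`.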
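Review bot: In PATCH 4/8, second hunk, the link text still says `Rust` but the new target `https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/odoh-relays.md` is a relay list, not a client, so text and destination disagree; PATCH 5/8 replaces the whole sentence with the `dnscrypt-proxy` link, which resolves it, so this intermediate state should not stand on its own.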
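Review bot: In PATCH 5/8, first hunk, the reworded bullet `The target only has access to the encrypted query and the proxy's IP address, while not having visibility over the client's IP address.` is clunky; `The target only sees the encrypted query and the proxy's IP address, and never sees the client's IP address.` says the same thing. The opening line now attributes the property to ODoH but still speaks of `the contents of an HTTP request (and response)`; since the OHTTP framing was removed in this hunk, `the contents of a DNS query (and response)` is the more precise subject for this page.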
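Review bot: In PATCH 6/8, first hunk, the first mention of `Hybrid Public Key Encryption (HPKE)` is a good place to link the specification, as the page already does for ODoH (RFC 9230) and earlier for OHTTP (RFC 9458); HPKE is RFC 9180, so `Hybrid Public Key Encryption (HPKE) ([RFC 9180](https://www.rfc-editor.org/rfc/rfc9180.html))` would match the existing style.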
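Review bot: In PATCH 6/8, second hunk, swapping out `[Proving Oblivious HTTP privacy properties](...)` for the HPKE post removes the one resource that backs the non-collusion argument the `How ODoH works` section rests on (`as long as the proxy and the target do not collude, no single entity can have access to both ...`); consider keeping both entries rather than replacing one with the other.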
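Review bot: In PATCH 7/8, `To make ODoH queries you can use open source clients such as ...` needs a comma after the introductory phrase: `To make ODoH queries, you can use open source clients such as [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy).`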
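Review bot: In PATCH 8/8, `uses [Cloudflare as one of their partners]` has a pronoun mismatch with the singular subject `iCloud Private Relay`; suggest `one of its partners`. The `Also,` opener is also unnecessary given the sentence starts a new paragraph: `[iCloud Private Relay](https://support.apple.com/102602) is based on ODoH and uses [Cloudflare as one of its partners](https://blog.cloudflare.com/icloud-private-relay/).`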