
Commit 3aebd71

Fill in defined outline for a first complete version
1 parent 6b35cad commit 3aebd71

File tree

1 file changed

+16
-5
lines changed

src/content/docs/1.1.1.1/encryption/oblivious-dns-over-https.mdx

Lines changed: 16 additions & 5 deletions
Original file line number | Diff line number | Diff line change
@@ -9,20 +9,31 @@ sidebar:
99

1010
As announced on [our blog](https://blog.cloudflare.com/oblivious-dns/), since late 2020, Cloudflare 1.1.1.1 supports Oblivious DNS over HTTPS (ODoH) ([RFC 9230](https://www.rfc-editor.org/rfc/rfc9230.html)).
1111

12-
ODoH is a protocol for performing remote Domain Name System (DNS) resolution via the OHTTPS protocol ([RFC 9230](https://www.rfc-editor.org/rfc/rfc9230.html)), which improves privacy by separating the contents of an HTTP request (and response) from its requester IP address.
12+
ODoH is a protocol for performing remote Domain Name System (DNS) resolution based on the Oblivious HTTP protocol (OHTTP) ([RFC 9458](https://www.rfc-editor.org/rfc/rfc9458.html)).
1313

1414
## How ODoH works
1515

16-
Clients
16+
OHTTP improves privacy by separating the contents of an HTTP request (and response) from its requester IP address. To achieve this in DNS resolution, a proxy and a target are introduced between the client and the upstream DNS resolver:
1717

18-
Proxy
18+
- The target only has access to the encrypted query and the proxy's IP address.
1919

20-
Target
20+
- The proxy has no visibility into the DNS messages, with no ability to identify, read, or modify either the query being sent by the client or the answer being returned by the target.
21+
22+
- Only the intended target can read the content of the query and produce a response, which is also encrypted.
23+
24+
This means that, as long as the proxy and the target do not collude, no single entity can have access to both the DNS messages and the client IP address at the same time. Also, clients are in complete control of proxy and target selection.
25+
26+
Additionally, clients encrypt their query for the target using Hybrid Public Key Encryption. A target's public key is obtained via DNS, where it is bundled into a HTTPS resource record and protected by DNSSEC.
2127

2228
## Cloudflare and third-party products
2329

30+
Cloudflare 1.1.1.1 supports ODoH by acting as a target that can be reached at `odoh.cloudflare-dns.com`.
31+
32+
At launch, a few proxy partners included [PCCW](https://www.pccw.com/), [SURF](https://www.surf.nl/), and [Equinix](https://www.equinix.com/).
2433

34+
Finally, open source test clients are available in [Rust](https://github.com/cloudflare/odoh-client-rs) or [Go](https://github.com/cloudflare/odoh-client-go).
2535

2636
## Related resources
2737

28-
-
38+
- [Proving Oblivious HTTP privacy properties](https://blog.cloudflare.com/stronger-than-a-promise-proving-oblivious-http-privacy-properties/) blog post
39+
- [Privacy Gateway](/privacy-gateway/)
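Review bot: the first and third bullets under "How ODoH works" contradict each other as written: `- The target only has access to the encrypted query and the proxy's IP address.` says the target sees only ciphertext, while `- Only the intended target can read the content of the query and produce a response, which is also encrypted.` says it decrypts the query. Reword the first bullet so it states what the target does not learn, namely that it receives the query through the proxy and sees the proxy's IP address rather than the client's, and it then agrees with the "no single entity can have access to both the DNS messages and the client IP address" sentence that follows. Two smaller points in the same hunk: the three bullets are separated by blank `+` lines, which MDX renders as three separate one-item lists instead of one list, so drop the blank lines between them; and in the DNSSEC paragraph `bundled into a HTTPS resource record` should read `an HTTPS resource record`. Since Hybrid Public Key Encryption is now named explicitly, linking it to its RFC the way RFC 9230 and RFC 9458 are linked would keep the page consistent.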
