diff --git a/src/content/docs/1.1.1.1/encryption/dns-over-https/index.mdx b/src/content/docs/1.1.1.1/encryption/dns-over-https/index.mdx index 3d29acdca746c76..3a35238ab5c4b85 100644 --- a/src/content/docs/1.1.1.1/encryption/dns-over-https/index.mdx +++ b/src/content/docs/1.1.1.1/encryption/dns-over-https/index.mdx @@ -4,6 +4,7 @@ title: DNS over HTTPS slug: 1.1.1.1/encryption/dns-over-https sidebar: label: About DoH + order: 5 --- import { DirectoryListing } from "~/components" diff --git a/src/content/docs/1.1.1.1/encryption/dns-over-tls.mdx b/src/content/docs/1.1.1.1/encryption/dns-over-tls.mdx index 0dc6f682c4f6963..326f251df111dfc 100644 --- a/src/content/docs/1.1.1.1/encryption/dns-over-tls.mdx +++ b/src/content/docs/1.1.1.1/encryption/dns-over-tls.mdx @@ -2,6 +2,8 @@ pcx_content_type: concept title: DNS over TLS slug: 1.1.1.1/encryption/dns-over-tls +sidebar: + order: 4 --- By default, DNS is sent over a plaintext connection. DNS over TLS (DoT) is one way to send DNS queries over an encrypted connection. Cloudflare supports DNS over TLS on standard port 853 and is compliant with [RFC 7858](https://tools.ietf.org/html/rfc7858). With DoT, the encryption happens at the transport layer, where it adds TLS encryption on top of a TCP connection. diff --git a/src/content/docs/1.1.1.1/encryption/dnskey.mdx b/src/content/docs/1.1.1.1/encryption/dnskey.mdx index 9b0fba091df0bca..dc1ec6bd87f55d0 100644 --- a/src/content/docs/1.1.1.1/encryption/dnskey.mdx +++ b/src/content/docs/1.1.1.1/encryption/dnskey.mdx 
@@ -5,7 +5,8 @@ head: - tag: title content: Supported DNSKEY signature algorithms slug: 1.1.1.1/encryption/dnskey - +sidebar: + order: 7 --- [DNSSEC is a protocol](https://www.cloudflare.com/learning/dns/dns-records/dnskey-ds-records/) that adds a layer of security to the domain name system (DNS). DNSSEC does this by providing authentication through public signing keys using two DNS records: DNSKEY and DS. They can be used to verify DNSSEC signatures in [RRSIG records](https://www.cloudflare.com/dns/dnssec/how-dnssec-works/). diff --git a/src/content/docs/1.1.1.1/encryption/index.mdx b/src/content/docs/1.1.1.1/encryption/index.mdx index 8e1595464057243..fa297bd214666b2 100644 --- a/src/content/docs/1.1.1.1/encryption/index.mdx +++ b/src/content/docs/1.1.1.1/encryption/index.mdx 
@@ -12,8 +12,12 @@ slug: 1.1.1.1/encryption Traditionally, DNS queries and replies are performed over plaintext. They are sent over the Internet without any kind of encryption or protection, even when you are accessing a secured website. This has a great impact on security and privacy, as these queries might be subject to surveillance, spoofing and tracking by malicious actors, advertisers, ISPs, and others. -To prevent this and secure your connections, 1.1.1.1 supports [DNS over TLS (DoT)](/1.1.1.1/encryption/dns-over-tls/) and [DNS over HTTPS (DoH)](/1.1.1.1/encryption/dns-over-https/), two standards developed for encrypting plaintext DNS traffic. This prevents untrustworthy entities from interpreting and manipulating your queries. +To prevent untrustworthy entities from interpreting and manipulating your queries, 1.1.1.1 supports different standards to encrypt plaintext DNS traffic and improve DNS privacy: + +- [DNS over TLS (DoT)](/1.1.1.1/encryption/dns-over-tls/) +- [DNS over HTTPS (DoH)](/1.1.1.1/encryption/dns-over-https/) +- [Oblivious DNS over HTTPS (ODoH)](/1.1.1.1/encryption/oblivious-dns-over-https/) You can also [configure your browser](/1.1.1.1/encryption/dns-over-https/encrypted-dns-browsers/) to secure your DNS queries. -If you need to secure connections in your smartphone, refer to 1.1.1.1's [iOS](/1.1.1.1/setup/ios/) or [Android](/1.1.1.1/setup/android/) apps. +If you need to secure connections in your smartphone, refer to 1.1.1.1 [iOS](/1.1.1.1/setup/ios/) or [Android](/1.1.1.1/setup/android/) apps. diff --git a/src/content/docs/1.1.1.1/encryption/oblivious-dns-over-https.mdx b/src/content/docs/1.1.1.1/encryption/oblivious-dns-over-https.mdx new file mode 100644 index 000000000000000..71c8e6f8c6efbbd --- /dev/null +++ b/src/content/docs/1.1.1.1/encryption/oblivious-dns-over-https.mdx 
@@ -0,0 +1,41 @@ +--- +pcx_content_type: concept +title: Oblivious DNS over HTTPS +slug: 1.1.1.1/encryption/oblivious-dns-over-https +sidebar: + order: 6 + label: Oblivious DoH +--- + +As announced on [our blog](https://blog.cloudflare.com/oblivious-dns/), since late 2020, Cloudflare 1.1.1.1 supports Oblivious DNS over HTTPS (ODoH). + +:::caution +ODoH is defined in [RFC 9230](https://www.rfc-editor.org/rfc/rfc9230.html). This RFC is experimental and is not endorsed by the IETF. +::: + +## How ODoH works + +ODoH improves privacy by separating the contents of an HTTP request (and response) from its requester IP address. To achieve this, a proxy and a target are introduced between the client and the upstream DNS resolver: + +- The proxy has no visibility into the DNS messages, with no ability to identify, read, or modify either the query being sent by the client or the answer being returned by the target. + +- The target only has access to the encrypted query and the proxy's IP address, while not having visibility over the client's IP address. + +- Only the intended target can read the content of the query and produce a response, which is also encrypted. + +This means that, as long as the proxy and the target do not collude, no single entity can have access to both the DNS messages and the client IP address at the same time. Also, clients are in complete control of proxy and target selection. + +Additionally, clients encrypt their query for the target using Hybrid Public Key Encryption (HPKE). A target's public key is obtained via DNS, where it is bundled into an HTTPS resource record and protected by DNSSEC. + +## Cloudflare and third-party products + +Cloudflare 1.1.1.1 supports ODoH by acting as a target that can be reached at `odoh.cloudflare-dns.com`. + +To make ODoH queries you can use open source clients such as [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy). 
+ +Also, [iCloud Private Relay](https://support.apple.com/102602) is based on ODoH and uses [Cloudflare as one of their partners](https://blog.cloudflare.com/icloud-private-relay/). + +## Related resources + +- [HPKE: Standardizing public-key encryption](https://blog.cloudflare.com/hybrid-public-key-encryption/) blog post +- [Privacy Gateway](/privacy-gateway/) \ No newline at end of file
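Review bot: in the `src/content/docs/1.1.1.1/encryption/index.mdx` hunk, the rewritten closing line `If you need to secure connections in your smartphone, refer to 1.1.1.1 [iOS](/1.1.1.1/setup/ios/) or [Android](/1.1.1.1/setup/android/) apps.` drops the possessive from `1.1.1.1's` without adding an article, so the sentence no longer reads correctly; use `refer to the 1.1.1.1 [iOS](/1.1.1.1/setup/ios/) or [Android](/1.1.1.1/setup/android/) apps` (and `on your smartphone` rather than `in your smartphone`). The new three-item list is an improvement over the old run-on sentence, but the lead-in `supports different standards to encrypt plaintext DNS traffic and improve DNS privacy` presents ODoH as just a third transport; one clause noting that ODoH additionally hides the client IP address from the resolver (the property the new ODoH page is built around) would tell the reader why it is listed separately from DoT and DoH.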
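Review bot: in the new `oblivious-dns-over-https.mdx`, the `## Cloudflare and third-party products` section names only the target (`odoh.cloudflare-dns.com`) while the `## How ODoH works` section makes the whole privacy property conditional on `as long as the proxy and the target do not collude`; the section should state explicitly that Cloudflare operates the target only and that the client must configure a proxy run by a different operator (the recommended dnscrypt-proxy client needs that relay configured separately), otherwise a reader may put both hops under the same party and get none of the IP separation the page promises. Two smaller points: the caution's `This RFC is experimental and is not endorsed by the IETF` reads as if the IETF rejected the document; `RFC 9230 is an Experimental RFC published on the Independent Submission stream and is not an IETF consensus document` states the actual status without the loaded wording. And the file ends with `\ No newline at end of file`; add the trailing newline so it matches the other pages in the directory.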