Cloudflare has announced an improvement to the existing DNS-over-HTTPS protocol called Oblivious DoH (ODoH) which sounds very promising.
The big problem with the traditional DNS protocol is that it lacks security and privacy by design. All DNS queries are transmitted in clear text, so a 3rd party like an ISP can intercept them and gain a lot of info on your activity (visited websites, applications used and more). Not only that, but it can also be hijacked and easily blocked for censorship purposes.
DoH solves the traditional DNS vulnerabilities to a reasonable extent by encrypting the DNS traffic between the client and DNS server. But you still have to trust the DNS service provider since the actual real source of traffic is visible on the DNS server side.
What the new ODoH does is fix the DoH single point of trust by eliminating the visibility of your source IP address on the DNS server side by introducing an encrypted proxy in-between.
Notably, the ODoH proxy and the DNS resolvers are operated by different parties, not just Cloudflare.
The concept is similar to the Tor network, where the traffic is routed through bridges before reaching the exit point so that the exit node won’t see the real source IP and the bridges don’t know what is the actual traffic destination (websites you access).
Last but not least, an interesting aspect to this announcement is that the new protocol is the result of a collaboration with engineers from Apple, suggesting that Apple may finally add native support for secure DNS on Mac and iOS.
To find out more, follow these links: