←back to thread

1.1.1.1: Fast, privacy-first consumer DNS service

(blog.cloudflare.com)
1895 points _l4jh | 6 comments | 01 Apr 18 12:14 UTC | HN request time: 0s | source | bottom
Show context
ocdtrekkie ◴[01 Apr 18 17:28 UTC] No.16729397[source]
So, one thing I'd love to see clarified: APNIC was interested in studying the junk traffic to 1.1.1.1. Cloudflare's DNS will not log or track. So what is logged and tracked for APNIC's research purposes? Everything but DNS? Everything but DNS and HTTPS requests directly to 1.1.1.1 (presumably people looking for details on Cloudflare DNS?).

What's being studied?

Fun fact: CCNA classes regularly use 1.1.1.1 as a router-id. Really good reason now not to configure it via a loopback address.

replies(2): >>16730372 #>>16732522 #
1. ENOTTY ◴[01 Apr 18 20:52 UTC] No.16730372[source]
Really hoping this question gets answered. It seemed contradictory to me.
replies(1): >>16730435 #
2. ocdtrekkie ◴[01 Apr 18 21:07 UTC] No.16730435[source]
My strong impression is that they wouldn't give APNIC any data that can be used to identify users of their DNS service, but I'd definitely love a more detailed answer than what the site currently provides.
replies(2): >>16731033 #>>16731487 #
3. xuande ◴[01 Apr 18 23:01 UTC] No.16731033[source]
Found this: https://labs.apnic.net/?p=1127
replies(1): >>16732279 #
4. ◴[02 Apr 18 00:57 UTC] No.16731487[source]
5. ENOTTY ◴[02 Apr 18 04:15 UTC] No.16732279{3}[source]
An excellent find!

> We will be destroying all “raw” DNS data as soon as we have performed statistical analysis on the data flow. We will not be compiling any form of profiles of activity that could be used to identify individuals, and we will ensure that any retained processed data is sufficiently generic that it will not be susceptible to efforts to reconstruct individual profiles. Furthermore, the access to the primary data feed will be strictly limited to the researchers in APNIC Labs, and we will naturally abide by APNIC’s non-disclosure policies.

So it's a 5 year research program, with options to extend it as a research program. To me, that means they intend to keep DNS data for up to 5 years (or longer) before performing statistical analysis and processing on it. Here is APNIC Labs's privacy policy http://labs.apnic.net/privacy.shtml and APNIC's privacy policy https://www.apnic.net/about-apnic/corporate-documents/docume...

So much for "privacy-first".

replies(1): >>16732417 #
6. ocdtrekkie ◴[02 Apr 18 04:48 UTC] No.16732417{4}[source]
Most of those terms relate to APNIC "ad" placement, and it specifies as such. They likely do not apply here, as it seems Cloudflare is not tracking the IP address, and things like browser fingerprinting wouldn't even show up in a DNS request.

The highlight point to me is that they not only say that won't collect data that could be used to identify individuals, but seem to realize even seemingly anonymized data can be traced back to individuals too, hence the further claim.

I'm inclined to give APNIC the benefit of the doubt, they're a nonprofit, and a fundamental part of the Internet's addressing structure, but it'd be nice to get a bit more detail from them on what they :do: collect.