Improving DNS Privacy with Oblivious DoH in 1.1.1.1
Cloudflare, Apple, and Fastly have co-authored a new proposed DNS standard called Oblivious DNS over HTTPS (ODoH), which separates IP addresses from queries to prevent any single entity from seeing both at the same time. The protocol adds a layer of public key encryption and a network proxy between clients and DoH servers, ensuring that only the user has access to both the DNS messages and their own IP address simultaneously. ODoH is an emerging protocol being developed at the IETF and provides three main privacy guarantees: the target sees only the query and the proxy's IP address; the proxy has no visibility into the DNS messages, with no ability to identify, read, or modify either the query being sent by the client or the answer being returned by the target; and only the intended target can read the content of the query and produce a response. Cloudflare has made source code available for ODoH, allowing anyone to try out the protocol or run their own service.
Company: Cloudflare
Date published: Dec. 8, 2020
Author(s): Tanya Verma, Sudheesh Singanamalla
Word count: 2691
Hacker News points: 541
Language: English