Cloudflare's 1.1.1.1 DNS Passes Privacy Audit, Some Issues Found

Tiamati

Thread author
Despite the issues, I'm glad with Cloudflare's results. It was better than I expected... It had some flaws, but they weren't critical and they seem committed to being clear about them.

For example, Cloudflare originally stated that no querying IP addresses are ever written to disk. The KPMG audit, though, discovered that Cloudflare's Netflow/Sflow network-wide monitoring implementation would retain ".05% of all packets" passing through their network, including the IP addresses of DNS queries.

"We want to be fully transparent that during the examination we uncovered that our routers randomly capture up to 0.05% of all requests that pass through them, including the querying IP address of resolver users. We do this separately from the 1.1.1.1 service for all traffic passing into our network and we retain such data for a limited period of time for use in connection with network troubleshooting and mitigating denial of service attacks," John Graham-Cumming, CTO of Cloudflare, stated in a blog post.

Cloudflare had also stated that all logs were wiped within 24 hours, but the audit revealed that the logs are wiped within 25 hours and some anonymized data is kept indefinitely.

According to KPMG's audit, while there were some issues found, Cloudflare was found to be configured in a way that supports their public commitments to privacy.
 

Stopspying

> Despite the issues, I'm glad with Cloudflare's results. It was better than I expected... It had some flaws, but they weren't critical and they seem committed to being clear about them.
Interesting, thanks. I didn't think Firefox using Cloudflare for their DNS was a good idea and made sure that I used an alternative DNS service. This audit only shows a small amount of data being retained, but that is enough for me to be convinced it was good to take alternative steps. I don't have much to hide from anyone, but my personal data is mine.
 

TairikuOkami

Logging is not the problem, since it is mostly done to deal with DDoS and such, but the problem is whether the company admits it properly.
> We will never log your IP address (the way other companies identify you).
> We will never sell your data or use it to target ads. Period.

At first they say they do not log, then they admit that they somewhat do, but they will never sell that data (but use it themselves?).
Let's be honest, DNS servers are costly; they would not do it for free (look at OpenDNS). Cloudflare is making a profit from its CDN network.
 

TairikuOkami

"If a specific IP address is flowing through one of our data centers a large number of times, then it is often associated with malicious requests or a botnet," said Graham-Cumming. "We need to keep that information to mitigate attacks against our network and to prevent our network from being used as an attack vector itself."
But in order to know that the IP made requests before, it has to be logged. So it clearly contradicts the claim that all IP requests are anonymized.
 

Stopspying

> But in order to know that the IP made requests before, it has to be logged. So it clearly contradicts the claim that all IP requests are anonymized.
Well spotted!

The more I've read about this, the more contradictions and twists and turns the story seems to take. If they had a consistent story, I'd believe them more; as it is, I suspect more has yet to come out on this audit and how true the initial result presented to us turns out to be.
 

silversurfer

> It's not as your ISP still gets the data. Also, Cloudflare is an external DNS service. One more endpoint for your data. That's not how privacy works.
Just claiming without proving any facts; please share details of how our ISP will be able to get our data as long as we are using a different DNS.
 

plat

Using Cloudflare, it's the fastest resolver I've tried. Had to look up "SNI"--luckily it's discoverable in a search.

I've long understood my user data's being manipulated and monetized via a "free" service. It's more a matter of at least partial disclosure. I found the audit results very surprising. I expected worse.

Since I can't see my data and how it's processed, it's like being blind in this context. Like anyone, I'd rather pay for my "free" DNS service with the equivalent of a twenty dollar bill, versus a hundred dollar one.

Good article. (y)
 

upnorth

Just one note I think is important to know about Cloudflare and SNI. Cloudflare already introduced something called ESNI (encrypted server name indication) in 2018. But that's still not enough, and ISPs can, if they want and need to, intercept anyway.
> it might still be possible to determine which websites users are visiting by simply looking at the destination IP addresses on the traffic originating from users’ devices. Some of our customers are protected by this to a certain degree thanks to the fact that many Cloudflare domains share the same sets of addresses, but this is not enough and more work is required to protect end users to a larger degree.
ESNI test tool :
Personally, I'm happy enough with my ISP's DNS, but I'm also on a VPN 24/7.

The audit itself. Well, great that it was done IMO, but I'm not overly impressed with the fact that they obviously lied and then downplayed it as not too serious anyway, as the numbers were so extremely low. Don't lie in the first place, as otherwise it will, whether they like it or not, hurt their brand, and that brand is worth a lot.
 

Arequire

Here are two diagrams about how ESNI works, for anyone interested.
The first shows an HTTPS connection without the use of ESNI:
[Image: https_0.png]

And the second shows an HTTPS connection using ESNI:
[Image: httpsesni_1.png]
 

Tiamati

Thread author
I agree with all concerns here. Cloudflare lied about some things, and the audit shows some issues... This can't be good. Period. But what are the alternatives? Google, OpenDNS, Quad9? As far as I know, none of them are even trying to commit themselves to privacy (especially Google). If you have an ISP you can trust, great, stick with it... but if not, Cloudflare is probably the closest to ideal you will find (in terms of privacy and speed). For example, my ISP used Google as alternative DNS.

One more thing that I'm not sure about, but I'd love your opinion. If Cloudflare is using those .05% of packages for making profit (which they deny), this would probably be enough to make their service viable, without completely compromising users' privacy... (OK, I know this statement is controversial, but I'll let you reflect about it)
 
