No, CloudFlare doesn’t respect your privacy: CloudFlare issues & truly anonymous DNS

CloudFlare DNS (1.1.1.1) is presented as a public DNS resolver, and CloudFlare makes the following claim on their website:

“We will never log your IP address (the way other companies identify you). And we’re not just saying that. We’ve retained a big 4 accounting firm to audit our assertions about our systems annually to ensure that we’re doing what we say. Frankly, we don’t want to know what you do on the Internet—it’s none of our business—and we’ve taken the technical steps to ensure we can’t.”

https://1.1.1.1/dns/

Interestingly enough, CloudFlare entered into a research agreement with APNIC, the organization which owns the 1.1.1.1 IP range. According to APNIC, the statements regarding CloudFlare DNS, its privacy, and anonymity on CloudFlare’s official website are simply false.

“We will be destroying all “raw” DNS data as soon as we have performed statistical analysis on the data flow. We will not be compiling any form of profiles of activity that could be used to identify individuals,”

https://labs.apnic.net/?p=1127

The fact that they hold “raw” DNS data containing personally identifiable information such as IP addresses (IPs being, after all, the focus of the research) doesn’t merely imply that they collect it; it is a direct statement that they DO in fact collect said information. Otherwise the data wouldn’t be in their possession to perform “statistical analysis” on.

But that’s not even the worst of what CloudFlare has done:

According to a source which I’ve had the good fortune to stumble upon, CloudFlare has protected websites owned by ISIS, the Taliban, and likely other terrorist groups as well. CloudFlare has not only proxied terrorist content but, according to an excerpt pulled from the New York Times, has even provided its services to websites containing child pornography.

I’ll end this section with this peachy little quote from the CEO of CloudFlare:

“Back in 2003, Lee Holloway and I started Project Honey Pot as an open-source project to track online fraud and abuse. The Project allowed anyone with a website to install a piece of code and track hackers and spammers. We ran it as a hobby and didn’t think much about it until, in 2008, the Department of Homeland Security called and said, ‘Do you have any idea how valuable the data you have is?’ That started us thinking about how we could effectively deploy the data from Project Honey Pot, as well as other sources, in order to protect websites online. That turned into the initial impetus for CloudFlare.” – Matthew Prince

https://web.archive.org/web/20170217121944/http://www.law.uchicago.edu/alumni/accoladesandachievements/matthew-prince-00-discusses-cloudflare-cloud-computing-journal

More fun little things regarding CloudFlare’s shady operations and past can be found here; that website was put together rather well and includes citations.

You can’t trust most public DNS servers.

DNS servers collect identifiable information with each query, so it’s difficult to find a public DNS server which truly doesn’t collect or retain this data. For our purposes here, I’m going to simply say that there is no perfect solution with any third-party DNS provider. The only person you can really trust with your own privacy is yourself, which brings me to the solution.

Unbound: A DNS server that runs on your local machine.

That’s right: a separate machine for a DNS server isn’t even necessary! You can run Unbound directly on your workstation or laptop. According to Unbound’s website, it is compatible with Microsoft Windows and Linux-based operating systems, as well as macOS and BSD derivatives, among others.

The documentation made available here, under the Manual Pages section, will help you install Unbound and get started with it. It’s extremely simple to install on Windows using the executable installer, or through your Linux distribution’s package manager.

It’s very easily installed on Windows

Once you have run the executable installer on Windows, only one change needs to be made to your network settings for Unbound to essentially work out of the box!

Just go to Network and Internet Settings > Adapter Options, right-click on your network interface, select Properties, then double-click on “IPv4”.

Set your preferred DNS server to 127.0.0.1 (your machine/localhost, where Unbound is running). Personally, I set my alternate DNS to NixNet DNS, as I know the owner of the service and trust that he dumps his logs to /dev/null or purges them as needed to ensure user privacy; he shares much the same, if not stricter, privacy standards as CYGO. Technically, the alternate DNS probably won’t even be used as long as Unbound is functional.
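The same adapter change, done from an elevated PowerShell prompt instead of the Control Panel dialog, as an added example that is not part of the original post. It first checks that Unbound is actually answering on 127.0.0.1 (so the machine is never left without a working resolver), points every connected physical adapter at loopback, and then audits all IPv4 interfaces for any non-loopback DNS server that could still carry queries to a third party. Assumptions: the Windows installer registered a service named “unbound” (verify with Get-Service if your installation differs), and example.com is used purely as a resolvable probe name.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): switch Windows to the local Unbound
# resolver and verify the change. Assumes the Unbound Windows installer registered a
# service named "unbound"; the probe name example.com is only used to test resolution.

$Resolver  = '127.0.0.1'
$ProbeName = 'example.com'

# 1. Confirm the local resolver is running before touching adapter settings,
#    otherwise the machine would be left with no working DNS at all.
$svc = Get-Service -Name 'unbound' -ErrorAction SilentlyContinue
if (-not $svc -or $svc.Status -ne 'Running') {
    throw "Unbound service is not running; start it before switching DNS to $Resolver"
}

# 2. Prove Unbound answers on loopback with a direct query that bypasses the OS cache.
try {
    $answer = Resolve-DnsName -Name $ProbeName -Server $Resolver -Type A -DnsOnly -ErrorAction Stop
} catch {
    throw "No answer from $Resolver for $ProbeName : $($_.Exception.Message)"
}
$addrs = ($answer | Where-Object Type -eq 'A').IPAddress -join ', '
"Unbound resolved $ProbeName -> $addrs"

# 3. Set the preferred DNS server on each connected physical adapter to the local
#    resolver. Only one address is given, so there is no alternate server to fall
#    back to; nothing leaves the machine unless Unbound itself resolves it.
$adapters = Get-NetAdapter -Physical | Where-Object Status -eq 'Up'
foreach ($nic in $adapters) {
    Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses @($Resolver)
    "Set DNS on '$($nic.Name)' to $Resolver"
}

# 4. Audit every IPv4 interface (including virtual ones the loop above skipped, such
#    as VPN or Hyper-V adapters): any non-loopback server listed here can still
#    receive queries directly and is worth fixing or removing.
$leaks = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object {
        $_.ServerAddresses -and ($_.ServerAddresses | Where-Object { $_ -notlike '127.*' })
    }
if ($leaks) {
    "WARNING: non-loopback DNS servers are still configured:"
    $leaks | Format-Table InterfaceAlias, ServerAddresses -AutoSize
} else {
    "All IPv4 interfaces use the local resolver only."
}

# 5. Drop answers cached from the previous (third-party) resolver.
Clear-DnsClientCache
```

Unlike the author’s setup, this deliberately configures no alternate DNS server: with a single loopback entry, a stopped or misconfigured Unbound shows up immediately as failed lookups rather than silently handing every query to another provider, which is the failure mode the post is trying to avoid. Step 4 is the part worth rerunning after connecting a VPN or adding a virtual switch, since those adapters usually arrive with their own DHCP-assigned resolvers.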

I hope this post was helpful! Be on the lookout for more posts like this, and check out previous posts in the CYGO contributor blog series.
