Re: [Add] meeting hum: should the IETF take up this work?

[Ólafur Guðmundsson <olafur@cloudflare.com>]

Jason,

On Tue, Jul 30, 2019 at 5:49 PM Livingood, Jason <
Jason_Livingood@comcast.com> wrote:

> On 7/25/19, 10:12 AM, "Add on behalf of Adam Roach" <add-bounces@ietf.org
> on behalf of adam@nostrum.com> wrote:
> > You can see, for example, Cloudflare's associated privacy
>     policy at
> https://developers.cloudflare.com/1.1.1.1/commitment-to-privacy/privacy-policy/firefox/
>
> [JL] This speaks to the DNS query/response. But with DoH, this is
> contained inside of an HTTP envelope, so to speak, which has much more rich
> tracking - noted at https://www.cloudflare.com/privacypolicy/ under
> website visitors (which I presume applies to all HTTP transactions). So the
> confluence of DNS and HTTP here seems interesting to better understand and
> document as TRR-style policies evolve. Since there is an HTTP server
> involved in DoH, presumably all the normal HTTP log items are seen &
> processed and can be logged, like user agent, cookies, and so on.
>

Cloudflare modified the HTTPS processing for DoH requests, we did this for
privacy, efficiency and speed reasons.
The overwriting goal was to be compliant with the our public policies and
commitments.
Anything that matches https://tools.ietf.org/html/rfc8484#section-4.1
definition
of DoH request is NOT logged by the HTTPS service, we will only respond to
DoH requests on a defined list of DoH service names/addresses.

Our DoH module only counts connections, no logging of content ( mainly to
verify we do not drop anything internally)
The DNS  resolver system is the only one that writes to the resolver logs,
it is unaware of any user agent and other HTTP things,

There is no setting or reading of cookies from our servers (you can confirm
this by doing a request on you own), like

curl --verbose -H 'accept: application/dns-json' '
https://cloudflare-dns.com/dns-query?name=comcast.com&type=AAAA'


> [JL] In addition, I suspect a concern (for the very high scale centralised
> DoH platforms) is not just the per-user privacy policy but also what
> aggregated business intelligence a global scale platform would be able to
> develop (e.g. of a population of 500M users, how many have queried for *.
> netflix.com in the past N hours, by country, ASN, user agent, etc.),
> relative to competitors or potential competitors. So I suspect these
> concerns may arise, at least for platforms of very high scale /
> penetration.
>
>
This is not unique to DoH in any way or shape!
This is common to all DNS queries and having access to query streams, so
every DNS provider should answer if they share any DNS query data and with
whom and for what purpose.
Anyone that has access to query stream from one of the top ISP's in a few
countries might have better view than large Public DNS Resolver.

Restating Cloudflare 1.1.1.1 data policy: Cloudflare will not share any
query data with anyone!! Per our agreement with Apnic; they have access to
subset Resolver of logs for the last 24 hours only data that arrived on the
1.x.x.1 addresses, they do not a have access to data sent by Firefox users
unless the user modified the URL to *"https://1.1.1.1/dns-query
<https://1.1.1.1/dns-query>".*
Cloudflare will not use the query data for anything other than to improve
the service. Cloudflare keeps traffic aggregations and may share those
publicly from time to time.

Cloudflare is fully compliant the policy that Firefox has published AND
they have NO access to query data
-- 
Ólafur Gudmundsson | Engineering Director
www.cloudflare.com blog.cloudflare.com