Comparison of policy and privacy statements 2019

The goal of this page is to provide a high-level overview of the operations and privacy policies and practices (as published in 2019) of some of the larger DNS Privacy service offerings.

NOTE: An analysis of privacy statements by operators will clearly only provide a snapshot at the time of writing. The page content was last reviewed on 18th Dec 2019. Please email any corrections to sara@sinodun.com

Operators

Quad9

UDP/TCP and TLS (port 853) service provided on two sets of addresses:

  • ‘Secure’: 9.9.9.9, 149.112.112.112, 2620:fe::fe, 2620:fe::9
  • ‘Unsecured’: 9.9.9.10, 149.112.112.10, 2620:fe::10, 2620:fe::fe:10

Policy:

Cloudflare

UDP/TCP and TLS (port 853) service provided on 1.1.1.1, 1.0.0.1, 2606:4700:4700::1111 and 2606:4700:4700::1001.

Policy:

DoH provided on: https://cloudflare-dns.com/dns-query

Policy:

Tor endpoint: https://dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion

Google

UDP/TCP and TLS (port 853) service provided on 8.8.8.8, 8.8.4.4, 2001:4860:4860::8888 and 2001:4860:4860::8844.

Policy: https://developers.google.com/speed/public-dns/privacy

OpenDNS

UDP/TCP service provided on 208.67.222.222 and 208.67.220.220 (no IPv6).

We could find no specific privacy policy for the DNS resolution, only a general one from Cisco that seems focussed on websites.

Policy: https://www.cisco.com/c/en/us/about/legal/privacy-full.html

Comparison

The following tables provide a high-level comparison of the policy and practice statements above and also some observations of practice measured at dnsprivacy.org.

The data is not exhaustive and has not been reviewed or confirmed by the operators.

The List Items in the title are those from version -01 of the BCP for DNS privacy operators.

A question mark indicates no clear statement or data could be located on the issue. A dash indicates the category is not applicable to the service.

Policy

List Item 1 2 3 4 5 6 7
|  | IP addresses are PII | IP address logging | Clear list of what data stored and for how long | Share anonymized data with partners | Share identifiable data with partners | Share or sell data to third parties | Exceptions to collection for attack analysis | non-profit | Partners | Combine DNS data with other data sources | Redirect NXDOMAIN | Block domains |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Quad9 Secure | Y | N | Y | Y | N | N | Y | Y | IBM, PCH, GCA | N | N | Y |
| Quad9 Unsecured | Y | N | Y | Y | N | N | Y | Y |  | N | N | N |
| Cloudflare | Y | N | Y | Y | N | N | N | N | APNIC | N | N | ? |
| Cloudflare DoH | Y | N | Y | Y | N | N | N | N | Mozilla/Firefox | N | N | ? |
| Google | N | Y(1) | Y | ? | ? | ? | N | N | ? | N | N | N(1) |
| OpenDNS | Y | Y | N | ? | Y | Y | ? | N | ? | Y | N | ? |

(1) Only in temporary logs

Practice

List Item 2 3 4 5 6

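|  | DNSSEC | EDNS(0) Padding | OOOR | EDNS(0) Keepalive | Query Name Minimization | Send ECS | Respect client ECS | Local root zone | Auth Domain Name | SPKI pinset | Jurisdiction (TBD) | Obtaining consent (TBD) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Quad9 Secure | Y | N | N | N | N | N | ? | N | Y | N |  |  |
| Quad9 Unsecured | N | N | N | N | N | N | ? | N | Y | N |  |  |
| Cloudflare | Y | Y | Y | N | Y | N | - | Y | Y | N |  |  |
| Cloudflare DoH | Y | Y | Y | N | Y | N | - | Y | - | - |  |  |
| Google | Y | N | Y | N | N | Y | Y | N | Y | N |  |  |
| OpenDNS | N | - | - | - | ? | ? | ? | ? | - | - |  |  |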

(1) Only in exceptional circumstances