The goal of this page is to provide a high-level overview of the current operations and privacy policies and practices of some of the larger DNS Privacy service offerings.
NOTE: An analysis of privacy statements by operators will clearly only provide a snapshot at the time of writing. The page content was last reviewed on 14th Dec 2018. Please email any corrections to sara@sinodun.com
Operators
Quad9
UDP/TCP and TLS (port 853) service provided on two addresses:
- 'Secure': 9.9.9.9, 149.112.112.112, 2620:fe::fe, 2620:fe::9
- 'Unsecured': 9.9.9.10, 149.112.112.10, 2620:fe::10, 2620:fe::fe:10
Policy:
Cloudflare
UDP/TCP and TLS (port 853) service provided on 1.1.1.1, 1.0.0.1, 2606:4700:4700::1111 and 2606:4700:4700::1001.
Policy:
- https://developers.cloudflare.com/1.1.1.1/commitment-to-privacy/privacy-policy/privacy-policy/
DoH provided on: https://cloudflare-dns.com/dns-query
Policy:
- https://developers.cloudflare.com/1.1.1.1/commitment-to-privacy/privacy-policy/firefox/
Tor endpoint: https://dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion
Google
UDP/TCP and TLS (port 853) service provided on 8.8.8.8, 8.8.4.4, 2001:4860:4860::8888 and 2001:4860:4860::8844.
Policy: https://developers.google.com/speed/public-dns/privacy
OpenDNS
UDP/TCP service provided on 208.67.222.222 and 208.67.220.220 (no IPv6).
We could find no specific privacy policy for the DNS resolution, only a general one from Cisco that seems focussed on websites.
Policy: https://www.cisco.com/c/en/us/about/legal/privacy-full.html
Comparison
The following tables provide a high-level comparison of the policy and practice statements above and also some observations of practice measured at dnsprivacy.org.
The data is not exhaustive and has not been reviewed or confirmed by the operators.
The List Items in the title are those from version -01 of the BCP for DNS privacy operators.
A question mark indicates no clear statement or data could be located on the issue. A dash indicates the category is not applicable to the service.
Policy
List Item | 1 | 2 | 3 | 4 | 5 | 6 | 7 | |||||
Redirect NXDOMAIN | Block domains | IP address logging | Clear list of what data stored and for how long | Share anonymized data with partners | Share identifiable data with partners | Share or sell data to third parties | Exceptions to collection for attack analysis | non-profit | Partners | Combine DNS data with other data sources | Redirect NXDOMAIN | Block domains |
---|---|---|---|---|---|---|---|---|---|---|---|---|
Quad9 Secure | Y | N | Y | Y | N | N | Y | Y | IBM | N | N | Y |
Quad9 Unsecured | Y | N | Y | Y | N | N | Y | Y | N | N | N | |
Cloudflare | Y | N | Y | Y | N | N | N | N | APNIC | N | N | ? |
Cloudflare DoH | Y | N | Y | Y | N | N | N | N | Mozilla/ Firefox | N | N | ? |
Google | N | Y(1) | Y | ? | ? | ? | N | N | ? | N | N | N(1) |
OpenDNS | Y | Y | N | ? | Y | Y | ? | N | ? | Y | N | ? |
(1) Only in temporary logs
Practice
List Item | 2 | 3 | 4 | |||||||
Operator | DNSSEC | EDNS(0) Padding | OOOR | EDNS(0) | Query | Send ECS | Respect client ECS | Local root zone | Auth Domain Name | SPKI pinset |
---|---|---|---|---|---|---|---|---|---|---|
Quad9 Secure | Y | N | N | N | N | N | ? | N | Y | N |
Quad9 Unsecured | N | N | N | N | N | N | ? | N | Y | N |
Cloudflare | Y | Y | Y | N | Y | N | - | Y | Y | N |
Cloudflare DoH | Y | Y | Y | N | Y | N | - | Y | - | - |
Google | Y | N | Y | N | N | Y | Y | N | Y | N |
OpenDNS | N | - | - | - | ? | ? | ? | ? | - | - |
(1) Only in exceptional circumstances