The goal of this page is to provide a high-level overview of the current operations and privacy policies and practices of some of the larger DNS Privacy service offerings.


NOTE: An analysis of privacy statements by operators will clearly only provide a snapshot at the time of writing. The page content was last reviewed on 14th Dec 2018. Please email any corrections to sara@sinodun.com

Operators


Quad9

UDP/TCP and TLS (port 853) service provided on two addresses:

  • 'Secure': 9.9.9.9, 149.112.112.112, 2620:fe::fe, 2620:fe::9
  • 'Unsecured': 9.9.9.10, 149.112.112.10, 2620:fe::10, 2620:fe::fe:10

Policy:

Cloudflare

UDP/TCP and TLS (port 853) service provided on 1.1.1.1, 1.0.0.1, 2606:4700:4700::1111 and 2606:4700:4700::1001.

Policy:

DoH provided on: https://cloudflare-dns.com/dns-query

Policy:

Tor endpoint: https://dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion

Google

UDP/TCP and TLS (port 853) service provided on 8.8.8.8, 8.8.4.4, 2001:4860:4860::8888 and 2001:4860:4860::8844.

Policy: https://developers.google.com/speed/public-dns/privacy

OpenDNS

UDP/TCP service provided on 208.67.222.222 and 208.67.220.220 (no IPv6).

We could find no specific privacy policy for the DNS resolution, only a general one from Cisco that seems focussed on websites.

Policy: https://www.cisco.com/c/en/us/about/legal/privacy-full.html

Comparison

The following tables provide a high-level comparison of the policy and practice statements above, and also some observations of practice measured at dnsprivacy.org.

The data is not exhaustive and has not been reviewed or confirmed by the operators.

The List Items in the title are those from version -01 of the BCP for DNS privacy operators.

A question mark indicates no clear statement or data could be located on the issue. A dash indicates the category is not applicable to the service.

Policy

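List Item: 1 2 3 4 5 6 7

| | IP addresses are PII | IP address logging | Clear list of what data stored and for how long | Share anonymized data with partners | Share identifiable data with partners | Share or sell data to third parties | Exceptions to collection for attack analysis | non-profit | Partners | Combine DNS data with other data sources | Redirect NXDOMAIN | Block domains |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Quad9 Secure | Y | N | Y | Y | N | N | Y | Y | IBM, PCH, GCA | N | N | Y |
| Quad9 Unsecured | Y | N | Y | Y | N | N | Y | Y | | N | N | N |
| Cloudflare | Y | N | Y | Y | N | N | N | N | APNIC | N | N | ? |
| Cloudflare DoH | Y | N | Y | Y | N | N | N | N | Mozilla/Firefox | N | N | ? |
| Google | N | Y(1) | Y | ? | ? | ? | N | N | ? | N | N | N(1) |
| OpenDNS | Y | Y | N | ? | Y | Y | ? | N | ? | Y | N | ? |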

(1) Only in temporary logs

Practice

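List Item: 2 3 4 5 6

| | DNSSEC | EDNS(0) Padding | OOOR | EDNS(0) Keepalive | Query Name Minimization | Send ECS | Respect client ECS | Local root zone | Auth Domain Name | SPKI pinset | Jurisdiction (TBD) | Obtaining consent (TBD) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Quad9 Secure | Y | N | N | N | N | N | ? | N | Y | N | | |
| Quad9 Unsecured | N | N | N | N | N | N | ? | N | Y | N | | |
| Cloudflare | Y | Y | Y | N | Y | N | - | Y | Y | N | | |
| Cloudflare DoH | Y | Y | Y | N | Y | N | - | Y | - | - | | |
| Google | Y | N | Y | N | N | Y | Y | N | Y | N | | |
| OpenDNS | N | - | - | - | ? | ? | ? | ? | - | - | | |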

(1) Only in exceptional circumstances
