The power of Tor has been combined with the privacy-preserving features of 1.1.1.1
Following the launch of its DNS resolver service in April, Cloudflare has rolled out new functionality for “exceptionally privacy-conscious folks” who might not want to reveal their IP address to the DNS resolver at all.
Cloudflare cryptography engineer Mahrud Sayrafi yesterday announced the launch of the company’s Tor hidden service for its DNS resolver.
The service, which forwards all communication on DNS ports to the corresponding ports on 1.1.1.1, is available at https://dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion and accessible via tor.cloudflare-dns.com.
The 56-character string contains a full Ed25519 public key, which is used to secure communication with the hidden service.
“Resolving DNS queries through the Tor network… guarantees a significantly higher level of anonymity than making the requests directly,” Sayrafi explained.
“Not only does doing so prevent the resolver from ever seeing your IP address, even your ISP won’t know that you’ve attempted to resolve a domain name.”
The new Tor hidden service follows the recent launch of Cloudflare’s DNS resolver, 1.1.1.1, which is available publicly for everyone to use.
While the San Francisco-based company said it wants 1.1.1.1 to be the “fastest public resolver on the planet”, the service suffered a 17-minute global outage on May 31, due to a coding oversight in its Gatebot DDoS mitigation system.
The launch of Cloudflare’s Tor hidden service comes just a month after Google and Amazon moved to end the practice of domain fronting, which allowed individuals to conceal their browsing patterns.
While both companies said the move would help improve security for legitimate domain owners, digital rights activists took the announcement as a direct hit on anti-censorship efforts.
The new Cloudflare service might just be the alternative that privacy-conscious users are seeking, although it should be noted that the company said the hidden resolver is still an “experimental service” and should not be used in production or for other critical operations.