Cloudflare Launches Tor Hidden Service for DNS

Cloudflare has launched a Tor hidden service for its DNS resolver, providing users with an additional layer of privacy. The company has published a guide on configuring the cloudflared daemon to use this hidden DNS resolver.

Why a Tor Hidden Service for DNS?

According to Cloudflare, while the company erases logs and does not write client IP addresses to disk, “users who are especially concerned about their privacy may not want to reveal their IP addresses to the DNS resolver at all.”

The resolver's onion address, dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion, is accessible via the website tor.cloudflare-dns.com. This complex address is actually a public key used to encrypt communications with the hidden service. Users don’t need to memorize this string, as browsers use the HTTP Alt-Svc header to learn how and where to access the resource. This feature is supported by Mozilla Firefox Nightly, which offers onion addresses as alternative services.

How to Use Cloudflare’s Hidden DNS Resolver

In reality, the DNS server address is very simple: 1.1.1.1. The new Cloudflare service is completely free and can be used by changing settings in your web browsers or operating systems. The service works on computers, routers, and smartphones. Just enter 1.1.1.1 in your browser’s address bar to access the main page, where you’ll find setup instructions.

How Does Cloudflare’s Hidden Resolver Work?

Essentially, this is a Tor hidden service that forwards all messages to the appropriate ports on 1.1.1.1, hiding the user’s real IP address. The main difference from using 1.1.1.1 directly is that the .onion address consists of “dns4tor” plus 49 seemingly random letters and numbers. This 56-character string is actually a full public key used to establish a secure connection with the hidden service.
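The following Python sketch is an added example, not code from Cloudflare or the Tor Project: it decodes the address quoted above into its parts and verifies it. It assumes the Tor v3 onion address layout, in which the 56 base32 characters encode the 32-byte public key followed by a 2-byte checksum and a version byte; the function names are illustrative.

```python
import base64
import hashlib
from typing import NamedTuple

# Onion address quoted in the article.
PAGE_ADDRESS = "dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion"
VERSION = 3  # version byte of the v3 onion address format


class OnionV3(NamedTuple):
    pubkey: bytes      # 32-byte Ed25519 public key of the service
    checksum: bytes    # 2 checksum bytes carried in the address
    version: int       # last byte of the decoded address
    checksum_ok: bool  # True if version and checksum both verify


def onion_checksum(pubkey: bytes, version: int) -> bytes:
    # Tor rend-spec-v3: SHA3-256(".onion checksum" || pubkey || version)[:2]
    data = b".onion checksum" + pubkey + bytes([version])
    return hashlib.sha3_256(data).digest()[:2]


def encode_onion_v3(pubkey: bytes) -> str:
    """Build the address for a 32-byte key (used here for constructed samples)."""
    if len(pubkey) != 32:
        raise ValueError("public key must be 32 bytes")
    raw = pubkey + onion_checksum(pubkey, VERSION) + bytes([VERSION])
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def decode_onion_v3(address: str) -> OnionV3:
    """Split an address into key, checksum and version, and verify it."""
    label = address.strip().lower()
    if label.endswith(".onion"):
        label = label[: -len(".onion")]
    if len(label) != 56:
        raise ValueError("a v3 onion label is exactly 56 base32 characters")
    raw = base64.b32decode(label.upper())  # ValueError on non-base32 input
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34]
    ok = version == VERSION and checksum == onion_checksum(pubkey, version)
    return OnionV3(pubkey, checksum, version, ok)


if __name__ == "__main__":
    parsed = decode_onion_v3(PAGE_ADDRESS)
    print("public key :", parsed.pubkey.hex())
    print("version    :", parsed.version)
    print("checksum ok:", parsed.checksum_ok)
```

Because the checksum covers the key and the version, a mistyped character in a configured address shows up as `checksum_ok == False` before any connection is attempted.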

Cloudflare wrote in its blog: “We simply purchased tor.cloudflare-dns.com as the main subject name for the certificate, and the .onion address as an additional subject. So, if you access it correctly, you should see the following.”

Security and Limitations

Cloudflare experts note that the hidden service protects users from malicious exit nodes and attacks aimed at deanonymization. The company has published a guide for configuring the cloudflared daemon to use the service. However, the project is experimental and should not be used in commercial products.

Sources

  1. Anti-Malware.ru
