
Cloudflare has released the results of a privacy audit of its 1.1.1.1 DNS service that backs up the company's statements about how DNS query data is collected and stored on its servers.

After the 1.1.1.1 DNS service launched in 2018, people became concerned that Cloudflare was treating the data received through its DNS resolvers as a currency that could be sold to third parties or otherwise used to enrich the company.

There is no doubt that having huge amounts of data about the sites people visit would be valuable, but Cloudflare has always stated that it put privacy first when designing the 1.1.1.1 service, wiping logs within 24 hours and never writing users' full IP addresses to logs.

"We began talking with browser manufacturers about what they would want from a DNS resolver. One word kept coming up: privacy. Beyond just a commitment not to use browsing data to help target ads, they wanted to make sure we would wipe all transaction logs within a week. That was an easy request. In fact, we knew we could go much further. We committed to never writing the querying IP addresses to disk and wiping all logs within 24 hours." - Cloudflare

Even with these promises, and with huge portions of the Internet already using its services, users remained concerned about the tremendous amount of data being fed into Cloudflare.

This was further exacerbated when Cloudflare became the default DNS resolver in Firefox for the browser's DNS-over-HTTPS implementation.

To ease users' concerns, Cloudflare hired an independent auditing firm, KPMG, to perform a privacy audit of the 1.1.1.1 DNS service.

Privacy audit for Cloudflare's 1.1.1.1 service released

Today Cloudflare published the results of the KPMG audit. While the audit showed that Cloudflare is keeping its word about how it handles user data, it also uncovered some issues that required changes to Cloudflare's privacy disclosures.

For example, Cloudflare originally stated that querying IP addresses are never written to disk. The KPMG audit, though, found that Cloudflare's Netflow/Sflow network-wide monitoring retains ".05% of all packets" passing through its network, including the IP addresses of DNS queries.

"We want to be fully transparent that during the examination we uncovered that our routers randomly capture up to 0.05% of all requests that pass through them, including the querying IP address of resolver users. We do this separately from the 1.1.1.1 service for all traffic passing into our network and we retain such data for a limited period of time for use in connection with network troubleshooting and mitigating denial of service attacks," John Graham-Cumming, CTO of Cloudflare, stated in a blog post.

Cloudflare had also stated that all logs were wiped within 24 hours, but the audit revealed that logs are wiped within 25 hours and that some anonymized data is kept indefinitely.

According to KPMG's audit, while some issues were found, Cloudflare's systems were configured in a way that supports its public privacy commitments.

"In our opinion, management’s assertion that the 1.1.1.1 Public DNS Resolver was effectively configured to support the achievement of Cloudflare’s Public Resolver commitments for the period from February 1, 2019 to October 31, 2019, based on the criteria above, is fairly stated, in all material respects," KPMG stated in its audit.

The main points shared by the KPMG audit are:

  • Public Resolver data is anonymized via truncation of the source IP (truncation of the last octet for IPv4 and the last 80 bits for IPv6).
  • Public Resolver data (including anonymized source IPs) is deleted from the stream processing platform within 25 hours.
  • Public Resolver Logs are deleted from Cloudflare’s data warehouse within 25 hours via retention configurations on the database table storing the Public Resolver Logs.
  • Edge routers implemented at colocation data centers are configured to log a sample of Netflow / Sflow logging data at a sample rate of no more than .05% of all packets.
  • Edge routers implemented at colocation data centers are configured to only route traffic from ports 80, 443, 853 and 53 to the Public Resolver.
  • Syslog is not enabled on edge routers implemented at colocation data centers for accepted Public Resolver requests.
  • System configurations supporting the Public Resolver were consistently applied for the period from February 1, 2019 to October 31, 2019.
  • DNS payload information is dropped from the sampled Netflow / Sflow logging data before it is stored in Cloudflare's data warehouse.
  • Netflow / Sflow sampled logging data is deleted from Cloudflare's data warehouse within 60 days.
  • External access to the anonymized Public Resolver Logs in Cloudflare's data warehouse is restricted to APNIC via a unique, authorized API access key.
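The first audit point describes source-IP truncation: the last octet is dropped for IPv4 and the last 80 bits for IPv6, so what reaches storage is a /24 or /48 prefix rather than a host address. The following is an added example of that truncation written for this article; it is not Cloudflare's code, and the only details taken from the audit are the two truncation widths. The log record layout (src_ip, qname, qtype) and the sample addresses are constructed for illustration.

```python
"""Source-IP truncation as described in the KPMG audit summary.

Added example, not Cloudflare's implementation. Only the truncation widths
(last 8 bits for IPv4, last 80 bits for IPv6) come from the article; the
record layout and sample data below are constructed.
"""
import ipaddress

# Bits kept after truncation: 32 - 8 = 24 for IPv4, 128 - 80 = 48 for IPv6.
IPV4_PREFIX_BITS = 24
IPV6_PREFIX_BITS = 48


def anonymize_ip(addr: str) -> str:
    """Zero the low-order bits of addr, keeping a /24 (IPv4) or /48 (IPv6) prefix."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on malformed input
    keep = IPV4_PREFIX_BITS if ip.version == 4 else IPV6_PREFIX_BITS
    # Mask with `keep` high bits set, e.g. 0xFFFFFF00 for IPv4.
    mask = ((1 << keep) - 1) << (ip.max_prefixlen - keep)
    return str(ipaddress.ip_address(int(ip) & mask))


def anonymize_record(record: dict) -> dict:
    """Return a copy of a resolver log record with its source IP truncated.

    The src_ip / qname / qtype layout is a constructed stand-in. The point the
    audit makes is ordering: truncation happens before the record is stored.
    """
    out = dict(record)
    out["src_ip"] = anonymize_ip(record["src_ip"])
    return out


def hosts_indistinguishable(a: str, b: str) -> bool:
    """True when two client addresses collapse to the same truncated value."""
    return anonymize_ip(a) == anonymize_ip(b)


# Constructed sample records, not real resolver traffic.
SAMPLE_LOG = [
    {"src_ip": "203.0.113.77", "qname": "example.com.", "qtype": "A"},
    {"src_ip": "203.0.113.200", "qname": "example.net.", "qtype": "AAAA"},
    {"src_ip": "2001:db8:abcd:1234:5678:9abc:def0:1", "qname": "example.org.", "qtype": "A"},
]

if __name__ == "__main__":
    for rec in SAMPLE_LOG:
        print(anonymize_record(rec))
```

Two hosts in the same /24 (or /48) become indistinguishable after truncation, which is the privacy property the audit checks; the prefix itself is still kept, so the stored records identify the client's network rather than the client, which is why the audit separately covers the 25-hour deletion of these records.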

For the issues that were discovered, Cloudflare has updated its privacy commitments to reflect the audit's results and to include language explaining how some data may be retained as a result of network monitoring.

The full Cloudflare KPMG privacy audit can be read here.
