VPN vs Cloudflare DNS: Which is best for privacy?

Cloudflare has launched a new DNS service, 1.1.1.1, which it claims is the internet’s fastest, privacy-first consumer DNS service. This couldn’t have come any sooner – with news of Facebook misusing user data and the repeal of net neutrality, Cloudflare argues that 1.1.1.1 provides a faster and safer connection to the internet.

But how good is it really? And how does it compare to a VPN? We dig through the details to find out which one is better for your privacy, and why.

What is DNS?

The Domain Name System (DNS) is often likened to a phonebook for the internet. Computers recognize each other by their IP addresses, not by the site names associated with them, so whenever you type in a website like Google.com, the DNS service locates the IP address linked to Google and connects you to it.

The DNS service that connects you to the internet is provided by your ISP, which logs all the websites you visit. If your ISP can do this, your government certainly can, and this can land you in hot water if you’re living in a country that isn’t so open to opposing social and political views.

Add in snoopers, hackers, and Man-in-the-Middle attacks, and your DNS could expose you to a host of online vulnerabilities and attacks that can extract your personal information.

Cloudflare’s 1.1.1.1 promise is to fix these DNS-related problems, while also providing super-fast connection speeds.

Security

What is 1.1.1.1?

Cloudflare’s 1.1.1.1 is a DNS resolver. When configured properly on your device, all your connection requests will route through it. Released on April 1 (playing on the pun of ‘four ones’), 1.1.1.1 takes your requests and resolves them at crazy fast speeds (up to 28% faster, according to the official website), while also pledging to delete all DNS logs after 24 hours. The system doesn’t save your IP address queries either.

By channeling all your queries to 1.1.1.1 instead of your ISP’s DNS service, you’re entrusting your IP address queries with Cloudflare and APNIC, the regional internet registry the company partnered with to get the resolver.

Cloudflare DNS also minimizes the query names sent to authoritative DNS servers – instead of sending “www.one.example.com”, it just discloses the “example.com” part of your request to authoritative DNS servers, reducing any privacy leakages that could occur when making a request.

More importantly, 1.1.1.1 provides an alternative to Google’s DNS-over-HTTPS support, which is the biggest provider of such support, from Google’s Public DNS and Android operating system. With Cloudflare throwing its hat into the ring and providing its own DNS-over-HTTPS support, there’s a hope that more providers will take a step in creating privacy-oriented DNS protocols like 1.1.1.1.  

How private is 1.1.1.1?

By changing your DNS server to 1.1.1.1, you’re channeling your traffic to 1.1.1.1, and not your ISP. Cloudflare says it won’t log your IP address with 1.1.1.1, and the firm seems committed to that promise.

While it doesn’t log your IP address, the outfit does log anonymized DNS query data. According to its Commitment to Privacy, Cloudflare states that the only information it will collect are “anonymized DNS query data sent to the Cloudflare Resolver”. Some of that information is logged permanently, including the number of queries, unique users, and an aggregated list of all domain names requested.

While the firm won’t give this information to third-party advertisers, Cloudflare’s partner, APNIC, will be using the information for non-profit operational research, including being able to better understand DNS and to reduce DDoS attacks.

One thing to keep in mind when using 1.1.1.1 is that while your ISP can’t see your DNS traffic when you visit sites that use HTTPS, it can still view the contents on any unencrypted website i.e. sites that are HTTP rather than HTTPS. There’s also the obvious issue of having to trust Cloudflare and APNIC not to record your information.

VPN

How is 1.1.1.1 different to a VPN?

Both 1.1.1.1 and Virtual Private Networks (VPNs) route your DNS traffic through their servers, bypassing your ISP and preventing anyone from seeing your traffic. Good VPNs also don’t log your personal and identifiable data.

A VPN is different in a couple of ways, however. A VPN is a network that encrypts all the traffic that flows through it, including both HTTP and HTTPS. The VPN server you connect to acts as an intermediary server in a location of your choosing, which not only encrypts your traffic through its server, but also masks your real location so you can browse the internet as if you were in a different country. 1.1.1.1 doesn’t do this.

When it comes to speed, the additional encryption used, and the connection distance to a remote server which is further away, can make VPN connections slower than Cloudflare’s 1.1.1.1. With a good VPN that offers fast speeds, however, the difference narrows.

Which one is better at protecting your privacy?

1.1.1.1 may give you faster connection speeds and protect you from most snoops, but if you want to hide all your traffic, and are willing to pay for it, then go for a good VPN that doesn’t keep logs that can identify you. As with Cloudflare and APNIC’s 1.1.1.1, trust plays a part in selecting a VPN you want to use.

There are also other benefits to having a VPN such as being able to mask your real location with another location. This helps in particular if a site you want to access is geo-blocked, like Netflix or Google, and you’re in a country where those sites are blocked.

The best VPNs don’t keep logs, and offer server locations from all over the world. ExpressVPN does a good job with this, and offers apps for a variety of systems and devices, so no matter what device you’re using, you are protected.

We've highlighted the best VPN services of 2018

Leave a Reply