Cloudflare’s Commitment to Privacy: 1.1.1.1 Public DNS Resolver
Nearly everything on the Internet starts with a DNS request. DNS is the Internet’s directory. Click on a link, open an app, send an email, and the first thing your phone or computer does is ask its directory: where can I find this?
Unfortunately, by default, DNS is usually slow and insecure. Your ISP, and anyone else listening in on the Internet, can see every site you visit and every app you use — even if their content is encrypted. Creepily, some DNS providers sell data about your Internet activity or use it to target you with ads.
Given the current state of affairs, Cloudflare created a DNS resolver with your privacy and security in mind. Cloudflare, in partnership with APNIC, runs the 1.1.1.1 public resolver, a recursive DNS service that values user privacy and security. DNS requests sent to our public resolver are sent over a secure channel, significantly decreasing the odds of any unwanted spying or man-in-the-middle attacks.
The 1.1.1.1 public DNS resolver was designed for privacy first, and Cloudflare commits to the following:
Frankly, we don’t want to know what any one person is doing on the Internet — it’s none of our business — and we’ve taken the technical steps to ensure we can’t.
We wanted to put our money where our mouth was, so we retained one of the top four accounting firms to audit our practices and publish a public report confirming we're doing what we said we would. The report is available here.
Cloudflare has partnered with APNIC Labs, the regional Internet registry for the Asia-Pacific region, to make the 1.1.1.1 IP address the home of the Cloudflare Public DNS Resolver. As part of its mission to ensure a global, open and secure Internet, APNIC conducts research about the functioning and governance of the Internet, which it makes available on its website, located at www.apnic.net.
Cloudflare has agreed to provide APNIC with access to some of the anonymized data that Cloudflare collects through the Cloudflare Public DNS Resolver. Specifically, APNIC will be permitted to access query names, query types, resolver location and other metadata via a Cloudflare API that will allow APNIC to study topics like the volume of DDoS attacks launched on the Internet and adoption of IPv6.
APNIC Labs will use such data for non-profit operational research. As part of Cloudflare’s commitment to privacy, Cloudflare will not provide APNIC with any access to the IP address associated with a client.
Aside from APNIC, Cloudflare will not share the Public Resolver Logs with any third party.
The Public Resolver Logs we store consist entirely of the following fields:
Additionally, recursive resolvers perform outgoing queries to various authoritative nameservers in the DNS hierarchy that are logged in subrequest fields. These logs are used for the operation and debugging of our public DNS resolver service.
The following subrequest data is included in the Public Resolver Logs:
Except for the limited aggregated data generated using the Public Resolver Logs described below, all of the Public Resolver Logs are deleted within 25 hours of Cloudflare’s receipt of such information.
Cloudflare will only store the following aggregated data:
Cloudflare may store the aggregated data described above indefinitely in order to assist Cloudflare in enhancing the overall performance of the Cloudflare Resolver and identifying security threats.
Cloudflare does not block or filter any content through the 1.1.1.1 Public DNS Resolver, which is designed for direct, fast DNS resolution, not for blocking or filtering content. Cloudflare does block and filter malware and adult content through 1.1.1.1 for Families, which is designed to help individuals protect their home networks.
In general, Cloudflare views government or civil requests to block content at the DNS level as ineffective, inefficient, and overbroad. Because such a block would apply globally to all users of the resolver, regardless of where they are located, it would affect end users outside of the blocking government’s jurisdiction. A government request to block content through a globally available public recursive resolver like the 1.1.1.1 Public DNS Resolver and 1.1.1.1 for Families therefore should be evaluated as a request to block content globally.
Given the broad extraterritorial effect, if Cloudflare were to receive written requests from law enforcement and government agencies to block access to domains or content through the 1.1.1.1 Public DNS Resolver or to block access to domains or content through 1.1.1.1 for Families that is outside the scope of the filtering in that product, Cloudflare would pursue its legal remedies before complying with such a request. We also commit to documenting any government request to block access in our semi-annual transparency report, unless legally prohibited from doing so.