Three Internet giants, Mozilla, Google, and Cloudflare, are taking steps towards securing the DNS protocol for browser users. However, the DoH (DNS over HTTPS) standard will make it difficult to supervise the domains that users connect to. This is causing increasing controversy, especially in the United Kingdom. While it is an excellent move towards user privacy, it also raises several security concerns.

What Is DNS over HTTPS

The DNS protocol is one of the oldest protocols of the Internet. DNS queries are sent in plain text and the responses are not authenticated, so anyone on the path can read or forge them. For 14 years, there have been attempts to secure the protocol with DNSSEC (RFC 4033 from 2005), which signs DNS data so that forged answers can be detected. DNSSEC does not, however, encrypt queries, and its deployment keeps stalling because the infrastructure is too big to change easily.

DNS over HTTPS (DoH) was proposed by P. Hoffman (ICANN) and P. McManus (Mozilla) and defined in RFC 8484 in October 2018, so it is quite a recent standard. It follows a slightly older and similar standard, DNS over TLS (DoT), defined in RFC 7858 from 2016. Neither standard attempts to replace the current DNS infrastructure. Instead, they carry ordinary DNS messages inside an encrypted tunnel built from existing protocols: DoT uses a TLS connection on port 853, and DoH sends the same wire-format DNS message as an HTTPS request to a resolver URL. This requires minimal changes and allows the user to hide DNS queries from all parties except the tunnel endpoint, that is, the resolver itself.
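To make the "same message, different transport" point concrete, here is an added example (written for this article, not code from the RFC authors or from any browser) that builds an RFC 1035 wire-format query, wraps it in the two RFC 8484 request forms (GET with a base64url `dns` parameter, or POST with the raw message as body), and parses a constructed response. The resolver URL and the response bytes are assumptions for illustration; nothing is sent over the network.

```python
import base64
import struct

# Added example: RFC 8484 carries unmodified DNS wire-format messages (RFC 1035)
# inside HTTPS. The resolver URL below is an assumption for illustration.
DOH_URL = "https://cloudflare-dns.com/dns-query"
CONTENT_TYPE = "application/dns-message"   # media type used by both GET and POST

TYPE_A = 1
CLASS_IN = 1


def encode_name(name):
    """Encode a dotted hostname as DNS labels: 3www7example3com0."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=TYPE_A, msg_id=0):
    """Build a DNS query. RFC 8484 recommends ID 0 so that identical queries
    produce identical URLs and can be served from HTTP caches."""
    flags = 0x0100  # RD (recursion desired)
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def doh_get_url(base_url, query):
    """GET form: base64url-encoded message, padding stripped, in the 'dns' parameter."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return "%s?dns=%s" % (base_url, encoded)


def doh_post_request(base_url, query):
    """POST form: the raw message is the request body."""
    headers = {"Content-Type": CONTENT_TYPE, "Accept": CONTENT_TYPE}
    return base_url, headers, query


def _read_name(data, offset):
    """Read a possibly compressed name; return (name, offset after the name)."""
    labels, end, jumps = [], None, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            jumps += 1
            if jumps > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = offset + 2
            offset = ((length & 0x3F) << 8) | data[offset + 1]
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_response(data):
    """Parse the header, question and answer sections of a DNS response."""
    msg_id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        name, offset = _read_name(data, offset)
        qtype, _qclass = struct.unpack("!HH", data[offset:offset + 4])
        offset += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, offset = _read_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == TYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": msg_id, "rcode": flags & 0x0F, "questions": questions, "answers": answers}


# Constructed response to the www.example.com A query: QR+RD+RA, NOERROR,
# one answer whose name is a pointer (0xC00C) back to the question name.
SAMPLE_RESPONSE = (
    bytes.fromhex("0000 8180 0001 0001 0000 0000")
    + encode_name("www.example.com") + struct.pack("!HH", TYPE_A, CLASS_IN)
    + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4) + bytes([93, 184, 216, 34])
)

if __name__ == "__main__":
    q = build_query("www.example.com")
    print(doh_get_url(DOH_URL, q))
    print(doh_post_request(DOH_URL, q)[1])
    print(parse_response(SAMPLE_RESPONSE))
```

The GET URL produced for `www.example.com` with message ID 0 is exactly the example given in RFC 8484, which is a handy sanity check for any DoH client. Note what an on-path observer gets from this exchange: a TLS connection to the resolver's address and, in a standard handshake, its server name, but not the query itself.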

Before the introduction of DoH and DoT, there have been other proposals such as DNSCurve designed by Daniel J. Bernstein (djb) in 2009. However, none of them ever caught on, partially because of lack of support from the big players.

Pros and Cons of DoH

Currently, when a user visits a website, their computer queries either the local ISP's DNS resolver or any other resolver they choose, for example, Google Public DNS. In both cases, every node on the path between the user and the resolver can see exactly what the query is and may filter it. A parent may filter queries that are inappropriate for a child. An employer may filter queries that are not related to work. An ISP may filter illegal content. A totalitarian government may filter everything that undermines it.

When you use DNS over HTTPS, you direct the DNS query to a selected third party that you trust. The request is sent over an ordinary HTTPS connection and looks like any other HTTPS traffic on the wire. Child protection software, employers, ISPs, and totalitarian governments cannot see the content of the query; the only entity that knows what you asked is the selected resolver. Note that DoH hides the query, not the resolver: an observer still sees the encrypted connection to the resolver's IP address and, in a standard TLS handshake, its server name (SNI), so the use of a well-known DoH resolver is itself visible, and the sites you visit afterwards still reveal their names in their own TLS handshakes.

While this approach helps guarantee privacy, there are several major concerns:

  • A lot of child protection software simply filters out improper DNS queries. With DoH, makers of such software will have to use more advanced methods, for example, inspecting the TLS server name of each connection or blocking known DoH resolvers. Similar DNS filters are used by malware-protection software, for example, to block domains used for phishing.
  • In several countries, ISPs are required by law to monitor and log all connections. In some cases, they are obliged to filter out traffic to, for example, adult sites. This is no longer possible at the DNS level with DoH. ISPs may try to get around it by asking customers to install additional software on their computers.
  • There is already malware that uses DoH to hide its command-and-control lookups: Godlua (a Linux DDoS bot). You can expect a lot more to come soon. Because these lookups blend into HTTPS traffic, DNS-based detection of malware becomes more difficult.
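The concerns above boil down to one question for defenders: how do you notice encrypted DNS at all once port 53 goes quiet? The following added example (written for this article, not a vendor's or the author's code) runs two heuristics over constructed connection records: an indicator match on resolver names, addresses and the DoT port, and a weaker behavioural check for hosts that open HTTPS connections without any plaintext DNS being observed. The resolver list and the sample flows are assumptions; a real deployment needs a maintained list, and a DoH server co-hosted with other HTTPS services, or malware running its own DoH endpoint, will not be in it.

```python
from collections import defaultdict

# Added example: indicator list is an illustrative assumption, not a complete
# inventory of public DoH resolvers.
KNOWN_DOH_NAMES = {"cloudflare-dns.com", "mozilla.cloudflare-dns.com", "dns.google"}
KNOWN_DOH_IPS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4"}

# Constructed flow records: (src, dst, dport, sni); sni is "" when there is no TLS.
SAMPLE_FLOWS = [
    ("10.0.0.5", "10.0.0.1", 53, ""),                        # plain DNS to the local resolver
    ("10.0.0.5", "93.184.216.34", 443, "www.example.com"),
    ("10.0.0.7", "1.1.1.1", 443, "cloudflare-dns.com"),      # DoH to a known resolver
    ("10.0.0.7", "93.184.216.34", 443, "www.example.com"),
    ("10.0.0.9", "8.8.8.8", 853, ""),                        # DoT on its dedicated port
    ("10.0.0.11", "203.0.113.10", 443, "cdn.example.net"),   # HTTPS with no DNS seen at all
]


def classify_flow(src, dst, dport, sni):
    """Return a reason string if the flow looks like encrypted DNS, else None."""
    if dport == 853:
        return "DoT: TCP/853 to %s" % dst
    if dport == 443 and sni in KNOWN_DOH_NAMES:
        return "DoH: TLS to known resolver name %s" % sni
    if dport == 443 and dst in KNOWN_DOH_IPS:
        return "DoH: TLS to known resolver address %s" % dst
    return None


def find_encrypted_dns(flows):
    """Flag indicator matches first, then hosts that use HTTPS without any
    port-53 DNS on the wire. The second signal is weak on its own: it also
    fires for hardcoded IPs, a local cache, or a DoH resolver not on the list."""
    findings = []
    plain_dns_hosts = {src for src, _dst, dport, _sni in flows if dport == 53}
    https_destinations = defaultdict(set)
    for src, dst, dport, sni in flows:
        reason = classify_flow(src, dst, dport, sni)
        if reason:
            findings.append((src, reason))
        if dport == 443:
            https_destinations[src].add(dst)
    already_flagged = {src for src, _reason in findings}
    for src, dsts in sorted(https_destinations.items()):
        if src not in plain_dns_hosts and src not in already_flagged:
            findings.append((src, "HTTPS to %d destination(s) with no port-53 DNS observed" % len(dsts)))
    return findings


if __name__ == "__main__":
    for host, reason in find_encrypted_dns(SAMPLE_FLOWS):
        print(host, "-", reason)
```

On the sample data the indicator check catches the Cloudflare DoH client and the DoT client, while 10.0.0.11 is surfaced only by the behavioural check. That is the practical shape of the problem the article describes: filters that keyed on DNS content must move to connection metadata, and metadata-based detection degrades to a list of known resolvers plus statistical hints.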

Mozilla, Cloudflare, and Google

Despite the controversies surrounding DoH, the giants of the Internet are convinced that this is the way forward. The first to introduce DoH support for the masses (in the browser) is Mozilla. In the current version of Firefox, you can turn on DNS over HTTPS manually in the network settings. While we can expect future versions of Firefox to make configuration easier, it is still not known whether Firefox will enable it by default.

To protect user privacy, DNS over HTTPS requires a trusted resolver provider: one that retains as little user data as possible and will not budge when pushed by governments that are keen to spy on their citizens. For this purpose, Mozilla selected Cloudflare. Cloudflare has declared that it keeps query data for only 24 hours and will not easily succumb to government pressure.

Google has also taken its first steps toward embracing DoH. In late June 2019, it announced the availability of RFC 8484 DoH endpoints for the Google Public DNS service. This means that developers can now use these endpoints to implement DoH in their applications.

While there are only hints and mentions of Google Chrome supporting DoH, we can expect it to happen soon. Some sources even state that the application code already contains support for it and that Google merely needs to turn it on. Android 9 already supports DNS over TLS (DoT) through its Private DNS setting, so DoH is expected to follow there as well. Therefore, in the future, we can expect a lot of DNS queries to be directed to Google Public DNS by default via DoH.

Unhappy Reactions

As expected, not everyone is too happy about DNS over HTTPS. The UK Internet Services Providers’ Association (ISPA) nominated Mozilla as the Internet Villain of the Year for “their proposed approach to introduce DNS over HTTPS in such a way as to bypass UK filtering obligations and parental controls, undermining internet safety standards in the UK.”

As soon as DoH was introduced, it sparked debate about whether it makes sense at all. For example, Paul Vixie, author of BIND and of many of the DNS standards, described DoH as “a cluster duck for Internet security.” The biggest concern is that the Internet was meant to be decentralized and DoH is a strong move towards centralization: a handful of resolver operators would end up seeing most of the world's DNS queries.

Update: On July 9th, the ISPA backed down on their villain-of-the-year nomination mentioned above.

What are your thoughts and feelings about DNS over HTTPS? Are you going to use it?

Tomasz Andrzej Nidecki
Principal Cybersecurity Writer
Tomasz Andrzej Nidecki (also known as tonid) is a Principal Cybersecurity Writer at Invicti, focusing on Acunetix. A journalist, translator, and technical writer with 25 years of IT experience, Tomasz was the Managing Editor of the hakin9 IT Security magazine in its early years and used to run a major technical blog dedicated to email security.