DNS over HTTPS (DoH)
The Domain Name System (DNS) is a critical protocol for the functioning of the Internet. The computers that make up the Internet are addressed using IP addresses; however, the people that use the Internet generally don’t want to memorize these IP addresses and use them to direct their traffic (with the notable exception of DNS servers). Instead, people use domain names to direct their traffic, which makes things easier for the user to remember and easier for advertisers to get people to actually visit their websites. By using DNS servers, a client computer can find the IP address associated with the domain requested by the user.
One of the main issues with DNS is that it has significant impacts on the privacy of the user. While many Internet protocols were not made secure and private by design, the use of SSL (and later TLS) enabled traffic to and from a server to be encrypted. As a result, it’s possible to determine that two computers are communicating with one another but not see the data being transmitted if, for example, they’re using HTTPS. The only issue with this is that finding the IP address to communicate with requires the client to perform a DNS lookup if they don’t already know the domain.
Since these DNS lookups are not encrypted, this allows anyone monitoring these requests to know the websites that a user is attempting to visit. As a result, monitoring DNS requests is a common way that governments and organizations invade the privacy of Internet users.
What is DoH?
DNS over HTTPS (DoH) is defined in RFC 8484 and designed to fix this privacy problem. The concept is straightforward: Instead of sending DNS requests and responses out in cleartext, they’ll be sent wrapped in an HTTPS GET or POST request. Since HTTPS is encrypted and authenticated using TLS, this decreases an attacker’s ability to view or modify them.
While DoH may not be widespread and is still considered “in development”, that doesn’t mean that it’s not already available. Firefox’s Nightly build already includes DoH functionality, using Cloudflare’s 18.104.22.168 DNS server as its default server. This provides individuals and organizations the opportunity to test out the technology before it goes mainstream. However, there are likely some bugs that will need working out.
Moving from traditional DNS to DoH is a major step. The Internet has been using unencrypted DNS traffic for decades now, and many DNS servers may not have the ability to generate and transmit encrypted responses without a significant upgrade. As a result, it may not be possible to access certain sites when using DoH.
Assuming that DoH is implemented well and completely functional, there are still significant pros and cons associated with it.
Pros of DoH
The primary pro is that DNS provides additional privacy and security to the Internet user. Since DNS is traditionally sent in cleartext, it can be both viewed and modified by someone performing a Man-in-the-Middle attack. This gives the attacker the ability to spy upon and potentially redirect the user’s Internet traffic. While the use of TLS limits the potential impact, this can still cause significant impacts on privacy, and DoH can prevent that.
Cons of DoH
The main downsides of DoH are that it’s both effective and potentially not effective enough. The main issue with an effective DNS encryption scheme is the fact that it breaks the surveillance laws in several countries. For example, the UK plans to use DNS monitoring to ensure that users are over 18 before viewing adult-rated content. With DNS encapsulated in HTTP and encrypted by TLS, this monitoring may not be possible. As a result, the use of DoH may be technically illegal in some countries.
DoH also may not be “good enough” at protecting privacy, due to the fact that it still uses the traditional recursive DNS scheme for lookups. For example, visiting www.example.com will require queries to both the .com and the example.com DNS servers in order to resolve the request. Some browsers will take a “greedy” approach to this, requesting the entire domain name at each level in hope of skipping a few steps. As a result, every DNS server knows the eventual destination of the traffic. However, this can be mitigated using DNS minimization.
Even with DNS minimization, there may be some leakage of information about DNS requests. With a recursive DNS lookup, the client will send a request to the .com DNS server, followed almost immediately by one to the example.com server. Correlating these two requests gives an eavesdropper the IP address of the next DNS server down the chain, which may be unique to the example.com domain. While this does not show the exact page that the user is visiting, it still leaks some information.
The road ahead for DoH
DoH is the latest of several attempts to add encryption to DNS requests. However, it is the one that seems most likely to succeed, since Google and Mozilla have decided to run with it in their Web browsers. Since Chrome and Firefox are some of the most widely used Internet browsers, this is probably enough to force widespread adoption.
The simple result of implementing DoH is an improvement in Internet user privacy. This is in line with the recent trend toward increased user privacy, as demonstrated by new regulations like the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) among others. However, this functionality also directly violates regulations in several different countries, meaning that ISPs may be obligated to disallow it or find an alternative means of surveilling Internet activity.
If the regulations win out over the new technology, the end result may be that nothing really changes unless the workaround employed by the ISPs is limited to them and not available to malicious parties (which seems extremely unlikely). Either that or DoH will be like the passcode on your smartphone, which protects you in general but can be defeated by law enforcement if given a reason to try.