DNS over HTTPS makes the internet safer, but at what price?
Interview by the Tweakers editorial team
The encryption of DNS traffic is useful, but also controversial. Mozilla's decision to enable DNS over HTTPS (DoH) by default in the Firefox browser was certainly not universally welcomed. We take a critical look at the trend and invite everyone to experiment with DoH themselves.
In principle, DoH makes going online a little safer and helps to protect the privacy of internet users. However, the implications for the Domain Name System (DNS) are potentially far-reaching. Various major tech companies have announced that DoH is on their roadmap, and several are already moving ahead with implementation, including Google, Apple and Microsoft. The player taking the most aggressive approach, however, is Mozilla, with its Firefox rollout. Mozilla is enabling DoH by default in the browser, meaning that Firefox sends its DNS queries to resolvers run by Mozilla's trusted service providers in the US rather than to the resolver configured on the local network. Although the company has been persuaded to row back a little (DoH is now enabled by default only for users in the US), many people in the wider internet community remain concerned about the implications.
So, what's the issue with DoH? What makes it so controversial? The DNS has served as 'the internet's phone book' since 1983. When you ask your browser to take you to the website linked to a domain name, the browser uses the DNS to look up the site's IP address. The browser hands the query to a simple stub resolver on your computer or phone, which forwards it to a recursive resolver on your network and passes the reply back. The recursive resolver is normally operated by your internet access provider or your employer. Ordinary DNS traffic isn't encrypted, however, and that can be problematic, especially on a public Wi-Fi network, because unencrypted traffic can be intercepted, blocked or manipulated by anyone on the path. DoH resolves that problem by encrypting DNS queries and sending them to a trusted resolver over a secure connection (HTTP over TLS, so the queries look like any other HTTPS traffic). However, the implementation of DoH in Firefox was prompted mainly by another issue, namely that it's common for US internet service providers (ISPs) to sell their customers' DNS data. "Mozilla felt that that just wasn't on," explains Moritz Müller, Research Engineer at SIDN Labs. "So they decided that it was better, and more secure for US users, if Firefox didn't send DNS traffic to the local ISP's resolver, but to a resolver operated by Cloudflare. Clear privacy arrangements were made with Cloudflare, which Mozilla thought offered more protection than the standard contracts that internet users have with their ISPs. From the privacy viewpoint, there are advantages to using Cloudflare in the US."
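To make the exchange concrete, here is an added example in Python (not code from the original article or from SIDN Labs) of what a DoH client actually sends and receives: the same RFC 1035 wire-format query a stub resolver would put in a UDP packet to port 53, wrapped in the two HTTP forms RFC 8484 defines (GET with a base64url `dns` parameter, or POST with an `application/dns-message` body), plus a decoder for the answer. The resolver URL `dns.example.net` is a placeholder, and `SAMPLE_RESPONSE` is a constructed reply for `sidn.nl` pointing at a documentation address, so the script runs offline; `send()` is the only function that touches the network and is not called.

```python
"""DNS over HTTPS (RFC 8484) client pieces: build a wire-format query,
wrap it in the GET and POST forms, and decode the answer.

Added example; not code from the original article or from SIDN Labs.
DOH_URL is a placeholder and SAMPLE_RESPONSE is a constructed message."""
import base64
import ipaddress
import struct
import urllib.request

DOH_URL = "https://dns.example.net/dns-query"   # hypothetical resolver endpoint

QTYPE_A, QTYPE_AAAA = 1, 28


def build_query(name, qtype=QTYPE_A, txid=0):
    """Wire-format DNS query (RFC 1035): header, QNAME, QTYPE, QCLASS IN.
    RFC 8484 suggests ID 0 so that identical queries are cache-friendly."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def doh_get_url(base_url, query):
    """GET form: the message goes base64url-encoded, without '=' padding, in ?dns=."""
    dns = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return base_url + "?dns=" + dns


def doh_post_request(base_url, query):
    """POST form: the raw message is the body, typed application/dns-message."""
    return urllib.request.Request(
        base_url, data=query, method="POST",
        headers={"Content-Type": "application/dns-message",
                 "Accept": "application/dns-message"})


def send(request, timeout=5):
    """Send a prepared request over HTTPS (port 443) and return the raw answer.
    Not called below, so the example runs offline."""
    with urllib.request.urlopen(request, timeout=timeout) as resp:
        ctype = resp.headers.get("Content-Type", "")
        if not ctype.startswith("application/dns-message"):
            raise ValueError("unexpected content type: " + ctype)
        return resp.read()


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_answers(msg):
    """Return [(name, ttl, address)] for the A and AAAA records in the answer section."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError("resolver returned RCODE %d" % (flags & 0xF))
    off = 12
    for _ in range(qd):                                  # skip the echoed question
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append((name, ttl, str(ipaddress.IPv4Address(rdata))))
        elif rtype == QTYPE_AAAA and rdlen == 16:
            answers.append((name, ttl, str(ipaddress.IPv6Address(rdata))))
    return answers


# Constructed answer as a DoH resolver would return it for sidn.nl/A:
# flags 0x8180 (QR, RD, RA), one question, one A record (TTL 300) in TEST-NET-1.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + b"\x04sidn\x02nl\x00" + struct.pack("!HH", QTYPE_A, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, 1, 300, 4) + bytes([192, 0, 2, 10])
)

if __name__ == "__main__":
    query = build_query("sidn.nl")
    print(doh_get_url(DOH_URL, query))
    print(parse_answers(SAMPLE_RESPONSE))   # [('sidn.nl', 300, '192.0.2.10')]
```

Two details matter for the security discussion that follows. Because the whole message is carried inside TLS on port 443, an observer on the path sees only a TLS session to the resolver's hostname, not the names being looked up; and because the client chooses the resolver URL, any filtering done by the network's own resolver on port 53 is simply not consulted.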
In Europe, however, privacy is much better protected by law, particularly by the GDPR. So, for example, European ISPs aren't free to use DNS data as they please for marketing purposes. And some European service providers even block DoH, Müller pointed out in a recent blog post. "In Europe, if you use your ISP's resolver, your DNS data is pretty secure." It is nevertheless the case that, even in Europe, the encryption of DNS traffic by means of HTTPS has the benefit of addressing the security issues associated with public networks. Your queries travel to the DoH resolver in encrypted form, the resolver looks up the answers and returns them over the same encrypted connection. All in milliseconds, without any discernible impact on your internet experience, even if your hardware is relatively old and slow. The controversy surrounding Mozilla's decision initially focused largely on traffic being forwarded to an actor with whom the user has no formal relationship (Cloudflare). That was seen as contributing to the centralisation of the internet. Many people regard centralisation as undesirable, although the objections are mostly hypothetical so far: what if a centralised provider's service goes down? And what if a centralised service provider begins to abuse its power? It's also been suggested that sending European DNS traffic to a US actor for processing could lead to latency problems, but that seems unlikely. "Cloudflare's resolvers aren't all in the US; the company has a globally distributed anycast server infrastructure. So a DNS query from a user in the Netherlands will probably be processed at a data centre in Amsterdam." It's also worth noting that, while continuing to roll out the default implementation of DoH for US users, Mozilla has responded to the critical feedback by designating other trusted DoH resolvers, in addition to Cloudflare's. They include resolvers operated by NextDNS and - ironically - US ISP Comcast, with whom specific privacy agreements have been made.
Although a user can edit Firefox's settings so that a different resolver is used, the default is always one of the trusted resolvers mentioned above. As Müller explains, "The default resolver can be changed by opening the Firefox menu, selecting 'Options', then scrolling down to 'Network settings' on the 'General' tab and ticking 'Enable DNS over HTTPS'. You can then select a provider from the pull-down list or manually enter the IP address or URL of your preferred DoH resolver. So, for example, you could tell Firefox to use our experimental SIDN Labs DoH service." You might want to do that if, for instance, you're accessing the internet via a public network. Or if you're a network administrator who uses blacklists of malicious domain names to filter 'bad' network traffic heading for your DNS resolver. "Someone like that can use our DoH resolver to test the effectiveness of their security arrangements in the event of a network user enabling DoH in their browser," says Müller. "If you use the Wireshark tool to monitor your network traffic, you'll see that when DoH is enabled in your browser, the flow of DNS traffic through port 53 almost dries up." (DoH traffic goes via port 443, which is used for all HTTPS traffic, ed.) So while DoH makes the interception of DNS queries much harder, the user is still giving away information in other ways; it's not a perfect solution. "Outsiders can still see the name of any server you connect to, although moves are afoot to prevent that through ESNI. If you really don't want anyone else to know what you're doing on the internet, you need to use a VPN and send all your traffic to a server that you trust, preferably one that you control yourself."
As mentioned earlier, Mozilla isn't the only company embracing DoH. The technology can also be enabled in Google Chrome, which keeps a list of resolvers known to support DoH: if the resolver configured in the operating system is on that list, Chrome automatically upgrades its plain-text DNS queries to DoH with that same provider. Microsoft too is experimenting with automatically upgrading Windows to DoH when the resolver configured in the operating system supports it. Apple, which in recent years has been positioning itself as a champion of privacy, has adopted a distinctive approach with iOS, iPadOS and macOS, according to Müller. "At their recent Developer Conference, they announced plans to support DoH. So, for example, app developers can configure DoH resolvers, and in due course it'll be possible to select a DoH resolver for the whole system."
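Müller's Wireshark observation can be turned into a simple detection for an administrator whose filtering relies on the network's own resolver. The added example below (Python; not from the original article or from SIDN Labs) runs over constructed flow records of the kind a packet capture or NetFlow export would give you and classifies each source host: a host whose TLS sessions carry the server name of a known DoH resolver is using DoH for certain, and a host that has stopped talking to port 53 yet keeps opening many TLS sessions is worth a look even when no known name appears, which is what you get with a self-hosted resolver or once ESNI hides the server name. The hostnames in `KNOWN_DOH_SNI` are public resolver names used only as an illustrative starting list; `SAMPLE_FLOWS`, the addresses and the `min_tls` threshold are constructed and should be tuned to the network.

```python
"""Flag hosts that appear to have switched from plain DNS to DoH, from flow records.

Added example, not code from the original article or from SIDN Labs.
Flow records, addresses and thresholds are constructed for illustration."""
from collections import defaultdict

# Server names seen in the TLS handshake to public DoH resolvers. Illustrative
# starting list; an operator would maintain their own and add their resolver.
KNOWN_DOH_SNI = {"mozilla.cloudflare-dns.com", "dns.google", "dns.nextdns.io"}


def classify_hosts(flows, doh_sni=KNOWN_DOH_SNI, min_tls=10):
    """Return {src: (verdict, port53_flows, tls_flows, matched_sni)} for each host.

    A flow is a dict with at least 'src', 'dport' and, for TLS, the 'sni' seen
    in the ClientHello (None when absent, e.g. ESNI/ECH or non-TLS traffic)."""
    stats = defaultdict(lambda: {"dns53": 0, "tls": 0, "doh_sni": set()})
    for flow in flows:
        host = stats[flow["src"]]
        if flow["dport"] == 53:
            host["dns53"] += 1
        elif flow["dport"] == 443:
            host["tls"] += 1
            if flow.get("sni") in doh_sni:
                host["doh_sni"].add(flow["sni"])

    verdicts = {}
    for src, host in stats.items():
        if host["doh_sni"]:
            verdict = "doh-known-resolver"      # resolver name visible in SNI
        elif host["dns53"] == 0 and host["tls"] >= min_tls:
            verdict = "doh-suspected"           # port 53 dried up, resolver hidden
        else:
            verdict = "plain-dns"               # still using the network resolver
        verdicts[src] = (verdict, host["dns53"], host["tls"], sorted(host["doh_sni"]))
    return verdicts


def _tls(src, sni, n):
    """Constructed TLS flows from src to an arbitrary web server (TEST-NET-3)."""
    return [{"src": src, "dst": "203.0.113.1", "dport": 443, "sni": sni} for _ in range(n)]


def _dns(src, n):
    """Constructed plain DNS flows from src to the network's resolver."""
    return [{"src": src, "dst": "10.0.0.1", "dport": 53, "sni": None} for _ in range(n)]


# Constructed sample: one ordinary host, one Firefox-style DoH host, and one
# host whose DNS has vanished with no recognisable resolver name in its TLS.
SAMPLE_FLOWS = (
    _dns("10.0.0.5", 12) + _tls("10.0.0.5", "www.sidn.nl", 20)
    + _tls("10.0.0.7", "mozilla.cloudflare-dns.com", 8) + _tls("10.0.0.7", "www.sidn.nl", 6)
    + _tls("10.0.0.9", None, 15)
)

if __name__ == "__main__":
    for src, (verdict, n53, ntls, names) in sorted(classify_hosts(SAMPLE_FLOWS).items()):
        print(f"{src:<10} {verdict:<20} port53={n53:<3} tls={ntls:<3} {names}")
```

The second rule is deliberately loose: a laptop that only ever talks to a handful of long-lived connections can also show zero port 53 traffic, so treat `doh-suspected` as a prompt to look at the host, not as proof. And as Müller notes, once ESNI removes the server name from the handshake, the first rule stops working and only the volume heuristic is left.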
The saga surrounding introduction of DoH raises a fundamental question: who decides where our internet traffic should go? How much control does the Netherlands, or Europe as a whole, have over 'our' part of the internet? "There is a degree of local control," says Müller, "but it mainly takes the form of political control. The DoH question is ultimately too technical for the average user. Consequently, action is required at a higher level. Europe needs to exert more influence over big tech companies." Against a background of increasing calls for browser regulation, SIDN is monitoring the development of DoH closely, performing internet measurements and making information available to internet users. SIDN is also encouraging users to try things out for themselves and form their own opinions. As Müller explains, "We want to give the Dutch public an objective view of DoH. Few other market players are trying to do that. DNS is an important protocol, but people tend to take it for granted. And not many players pay much attention to security and privacy. We attach a lot of importance to privacy and see DoH as a useful aid to privacy, but with caveats. It can enhance security in certain situations, such as when you're connected to an untrustworthy network. However, it can mean that a carefully defined company security policy is by-passed and therefore undermined. We understand where DoH is coming from and we applaud market players for embracing it. Nevertheless, we see an important role for (neutral) actors such as SIDN, who can oversee the process and ensure that all interests are weighed up objectively and taken into account."

This knowledge article was originally published on tweakers.nl on 16 July 2020.