In recent years, a lot of time and effort has been devoted to increasing the security of the DNS protocol. For example, DNSSEC makes it almost impossible to falsify DNS responses. More than half of the 5.8 million-plus .nl domain names now have DNSSEC protection. However, DNSSEC doesn't prevent the interception of internet traffic. And monitoring an internet user's DNS traffic can reveal a lot about that user's internet behaviour, even if the rest of the traffic is encrypted. In other words, DNS traffic interception has major privacy implications.
The renewed focus on privacy has led to a series of DNS innovations referred to collectively as 'DNS privacy'. Their purpose is essentially to prevent DNS traffic from being read by third parties. Various techniques have been devised for achieving that aim; they are described in a separate background article.
DNS privacy is therefore mainly about protecting DNS traffic. Usually, that comes down to encrypting the communication – using TLS, for example. However, it's now also possible to send DNS traffic over an HTTPS connection in a standardised way.
Controversy surrounding DNS over HTTPS (DoH)
Known as DNS over HTTPS (DoH), the technology is certainly a departure from the norm, and has raised some eyebrows. The reasons are explained below.
DoH was devised with certain scenarios in mind. One is a state agency prying into users' activities and possibly injecting false DNS information. Another is an ISP gathering users' DNS data for sale to a third party.
DoH is intended to prevent that kind of thing. Basically, DNS queries and responses are carried inside an encrypted HTTPS connection, on the same port as ordinary web traffic, to a trusted (external) resolver (the 'trusted recursive resolver' or TRR). In other words, no separate protocol or port number is involved. Consequently, DNS traffic can't be distinguished from normal HTTPS traffic, and interception (filtering) becomes much harder.
The problem is that DNS filtering is not always done for reasons such as those outlined above. There are also legitimate reasons for filtering. For example, some DNS filters prevent users from unintentionally landing on malicious websites. The operators of some networks have gone to a lot of trouble to build such DNS firewalls for the protection of users. When DoH is enabled, those firewalls can easily be bypassed, without the user necessarily being aware of it. Many network operators view that possibility with dismay, because of the implications for network security.
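To make the "no separate protocol or port" point concrete, the following Python is an added example, not code from the SIDN Labs article: it builds the wire-format DNS query a DoH client sends, shows the two HTTP encodings defined by RFC 8484 (GET with a base64url-encoded `dns` parameter, and POST with an `application/dns-message` body), and parses a constructed response. The resolver URL `https://doh.example.net/dns-query` is a placeholder, and nothing is sent over the network; on the wire, the request would be indistinguishable from any other HTTPS request to port 443.

```python
import base64
import struct

# Placeholder DoH endpoint (an assumption for this example, not a real service).
DOH_URL = "https://doh.example.net/dns-query"
QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name):
    """Encode a domain name as DNS labels: length byte + label, terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def build_dns_query(name, qtype=QTYPE_A, qid=0):
    """Build a minimal RFC 1035 query. RFC 8484 recommends ID 0 so that the same question
    always yields the same bytes and HTTP caches can serve it."""
    flags = 0x0100  # standard query, recursion desired
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def doh_get_url(name, base_url=DOH_URL):
    """GET form: the wire message goes in the 'dns' parameter, base64url without '=' padding."""
    token = base64.urlsafe_b64encode(build_dns_query(name)).rstrip(b"=").decode("ascii")
    return base_url + "?dns=" + token


def doh_post_request(name, base_url=DOH_URL):
    """POST form: the raw wire message is the body, media type application/dns-message."""
    body = build_dns_query(name)
    headers = {
        "Content-Type": "application/dns-message",
        "Accept": "application/dns-message",
        "Content-Length": str(len(body)),
    }
    return "POST", base_url, headers, body


def _read_name(wire, offset):
    """Read a possibly compressed name; return (name, offset just after it in this record)."""
    labels, end, jumps = [], None, 0
    while True:
        length = wire[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier copy of the name
            jumps += 1
            if jumps > 16:
                raise ValueError("compression pointer loop")
            pointer = struct.unpack("!H", wire[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = pointer
            continue
        if length == 0:
            offset += 1
            break
        labels.append(wire[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels) + ".", end if end is not None else offset


def parse_a_records(wire):
    """Return the IPv4 addresses found in the answer section of a DNS response."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", wire[:12])
    offset = 12
    for _ in range(qdcount):          # skip the echoed question(s)
        _, offset = _read_name(wire, offset)
        offset += 4                   # QTYPE + QCLASS
    addresses = []
    for _ in range(ancount):
        _, offset = _read_name(wire, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", wire[offset:offset + 10])
        offset += 10
        rdata = wire[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            addresses.append(".".join(str(b) for b in rdata))
    return addresses


def build_sample_response(name, ipv4, qid=0):
    """Construct the response a resolver would send back (stands in for a live query here)."""
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)  # response, RD+RA, 1 question, 1 answer
    question = encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4)  # name = pointer to offset 12
    answer += bytes(int(octet) for octet in ipv4.split("."))
    return header + question + answer


if __name__ == "__main__":
    print(doh_get_url("example.com"))
    method, url, headers, body = doh_post_request("example.com")
    print(method, url, headers, body.hex())
    print(parse_a_records(build_sample_response("example.com", "192.0.2.1")))
```

The GET form is what makes DoH cache-friendly (identical question, identical URL), which is also why the message ID is fixed at zero; the POST form is preferred by some clients because the query does not end up in proxy or server URL logs.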
The value of DNS
Various recent developments, including developments in the field of DoH, reflect the importance of DNS. First, the protocol is of course essential for the smooth and reliable working of the internet. Second, as outlined above, it forms the basis for many security measures.
Third, it lends itself to effective user profiling. And user profiles have commercial value. Although it isn't general practice in the Netherlands, ISPs in some countries habitually monitor their users' surfing by logging DNS traffic. The information generated is then sold to advertisers.
DNS resolving (as a service) is therefore a lucrative potential means of generating income, or, at least, a way of gathering very useful information. That is probably why Google, Cloudflare, Quad9 and others are so keen to offer such services.
Browser-based DNS service
DNS performance also influences the user experience. An under-performing DNS translates into slow-loading web pages. That fact isn't lost on web browser developers. In their constant efforts to optimise the user experience, developers have therefore turned their attention to the DNS.
The people behind Chrome, Firefox and even Android want to offer users the best possible security, privacy and all-round experience. Getting to grips with DNS, they have incorporated encrypted 'privacy-enabled' DNS into their products. In most cases, that implies opting for DNS over HTTPS. After all, HTTPS is home ground for them; they know its capabilities inside out. The enthusiasm of the browser developers has consequently been the driving force behind the rapid development and adoption of the DoH protocol.
Google has set up its own large-scale public DNS service, which its products will doubtless utilise. Meanwhile Mozilla has chosen Cloudflare to provide trusted recursive resolver (TRR) support. For the moment, the feature is a hidden experimental option, disabled by default. However, general activation is being seriously considered.
Of course, Cloudflare has an interest in its public DNS resolver service being linked to a popular browser such as Firefox. Cloudflare also promotes its service through various other mobile apps for Android and iOS.
If the likes of Google and Mozilla do in fact take control of the DNS traffic within their products and route it to their own services or preferred service providers, bypassing the traditional channels, that will have significant implications, including further centralisation of the internet.
The developments outlined above have elicited a mixed response. Both security experts and privacy experts have voiced opposition. Some commentators have expressed dismay at the link-up between Mozilla and Cloudflare, since they have little faith in the avowed good intentions, particularly those of the commercial player Cloudflare. The argument is that using Cloudflare's trusted recursive resolver at best merely shifts the privacy problem, rather than resolving it.
Others have pointed to operational risks, such as scalability and network security. Many network operators don't want their users accessing a third-party DNS resolver, whether intentionally or otherwise.
Meanwhile, lawyers have questioned whether such arrangements are consistent with the GDPR or net neutrality rules.
The critics want to see more user choice at the very least. Otherwise, they fear that users will fall prey to commercial organisations that monetise their insight into users' internet behaviour while supposedly protecting them. They also point out that DoH actually facilitates user 'fingerprinting', because additional information is made available. In their desire for privacy, users may therefore be jumping out of the frying pan and into the fire.
Consider the consequences if Firefox does roll out DNS over HTTPS as the unsolicited default setting in collaboration with Cloudflare (1.1.1.1). Cloudflare is, after all, a commercial organisation, beholden to its shareholders and governed by US law. Over time, how secure will DNS data be with them? And what regulatory framework will safeguard it? In the Netherlands, ISPs are bound by the GDPR. Can the same or similar be said of those elsewhere?
Loss of control
As indicated above, much DNS traffic filtering is done for legitimate network protection purposes. DNS firewalls can prevent users from landing on malicious websites, or on sites that don't conform to the network's security policy. They also allow for intervention when an IoT device has been recruited into a botnet and is receiving instructions or leaking data via the DNS. That approach is the basis of our own SPIN project, for example. The uncontrolled proliferation of DNS over HTTPS would undermine and frustrate such security initiatives.
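To show what such a DNS firewall actually does, for both the filtering described earlier in the article and the IoT-botnet case here, the following Python is an added example, not SIDN Labs code and not part of the SPIN project. It applies a small constructed blocklist to constructed resolver query-log lines the way a policy-based resolver (an RPZ-style DNS firewall) would, matching label-wise so that subdomains of a blocked zone are caught but look-alike names are not, and then summarises which clients repeatedly hit policy. Zone names and client addresses are placeholders from reserved example ranges, and the log format is a loose imitation of a BIND query log. A client that has switched to DoH sends its queries inside HTTPS to an external resolver, so none of its lines would ever reach this filter; that is the loss of control the article describes.

```python
import re
from collections import defaultdict

# Constructed policy: zones the network's DNS firewall refuses to resolve.
# These are placeholders in reserved example domains, not real indicators.
BLOCKED_ZONES = {"c2.example", "tracker.example.net"}

# Constructed resolver query log (shape loosely modelled on a BIND query log).
SAMPLE_QUERY_LOG = """\
client 192.0.2.10#51234: query: www.example.com IN A
client 192.0.2.23#40001: query: update.c2.example IN TXT
client 192.0.2.23#40002: query: tracker.example.net IN A
client 192.0.2.10#51235: query: sidnlabs.nl IN AAAA
client 192.0.2.23#40003: query: c2.example. IN A
client 192.0.2.23#40004: query: notc2.example IN A
this line is not a query and is ignored
"""

LOG_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_query_log(text):
    """Turn log lines into (client, qname, qtype) tuples; non-matching lines are skipped.
    Names are lower-cased and the trailing dot removed so 'c2.example.' == 'c2.example'."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            qname = m.group("qname").rstrip(".").lower()
            entries.append((m.group("client"), qname, m.group("qtype")))
    return entries


def blocked_zone_for(qname, zones=BLOCKED_ZONES):
    """Return the blocked zone that qname is, or sits under, else None.
    Matching is per label, so 'notc2.example' does not match 'c2.example'."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def apply_dns_firewall(entries, zones=BLOCKED_ZONES):
    """Split queries into those answered normally and those the firewall would refuse.
    Refused entries carry the zone that triggered the policy, for logging."""
    allowed, refused = [], []
    for client, qname, qtype in entries:
        zone = blocked_zone_for(qname, zones)
        if zone is None:
            allowed.append((client, qname, qtype))
        else:
            refused.append((client, qname, qtype, zone))
    return allowed, refused


def clients_to_review(refused):
    """Count refused queries per client, so an operator can spot a host (for instance an
    IoT device) that keeps trying to reach a blocked zone and deserves a closer look."""
    counts = defaultdict(int)
    for client, _qname, _qtype, _zone in refused:
        counts[client] += 1
    return dict(counts)


if __name__ == "__main__":
    allowed, refused = apply_dns_firewall(parse_query_log(SAMPLE_QUERY_LOG))
    for client, qname, qtype, zone in refused:
        print(f"REFUSED {client} {qname} {qtype} (policy zone {zone})")
    for client, qname, qtype in allowed:
        print(f"ok      {client} {qname} {qtype}")
    print("clients to review:", clients_to_review(refused))
```

Running it refuses the three queries under the two policy zones, lets the look-alike `notc2.example` through, and reports `192.0.2.23` as the one client worth reviewing; a real deployment would answer the refused queries with NXDOMAIN or a walled-garden address rather than simply dropping them.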
The prospect of a browser or other application independently communicating with an external resolver service instead of using a central, uniform method is equally worrying from an operational viewpoint. It would complicate the picture and make fault localisation more difficult. While such problems are not exclusive to DoH, they do arise with DoH in practice.
Developments warrant close monitoring
Clearly, DNS over HTTPS is a controversial technology. Although it is simple, effective and easy to adopt, its use and the rapid developments associated with it give rise to a variety of misgivings.
Firm conclusions are premature, since it remains unclear which way the industry is heading. What we can say with confidence is that DoH will change the landscape profoundly. It is therefore important to continue monitoring developments closely, flagging up potential issues and seeking to influence events where appropriate. That is certainly the policy we at SIDN Labs will be backing in the period ahead.
Note: Yandex has opted for DNSCrypt.