The Domain Name System (DNS) is the phone book of the Internet. When people use the web, they don’t type in the IP address of the website that they want to visit. Instead, they use a domain name, like www.google.com.
The job of DNS is to convert this domain name into an IP address that a computer can use. This is accomplished by a series of queries to DNS servers.
DNS servers are organized in a hierarchy, so a computer may make several different requests to different servers. Each request will contain a little bit more information about the site that the user wants to visit.
The issue is that DNS sends these requests out in plaintext. Anyone who can intercept or eavesdrop on the network traffic can see the websites that someone is trying to visit.
DNS over HTTPS (DoH) tries to fix this issue. HTTPS uses encrypted web traffic and is what is going on when you see the lock icon in the address bar of your browser. By sticking DNS requests and responses inside HTTPS packets, DoH protects the DNS traffic from eavesdroppers.
DoH is in the news recently because several browsers, including Firefox and Chrome, are now making it an option in their browsers.
However, the use of DoH is a very controversial topic.
Logically, it seems like DoH would be a good thing. It is designed to increase the privacy of Internet users by ensuring that no-one can spy on where they’re going on the Internet.
However, providing privacy for some people means providing privacy for everyone. Monitoring DNS requests is a common method for detecting malware on a computer. It also can be used to track visits to illegal or unethical websites.
With the introduction of DoH, these positive applications of eavesdropping on DNS traffic will no longer be possible.
The intent of DoH is to protect the privacy of users by encrypting their DNS requests. Since these requests can tell an eavesdropper where the user is browsing, this is helpful for security.
While DoH is not the most efficient approach to this, it does effectively encrypt DNS requests.
However, the impact of DoH has a negligible impact on a user’s security. The information that DoH protects is also leaked in a variety of different ways.
Once the DNS request is completed, the user will visit the target site using a web browser. If the request is made using HTTP, the entire communication will be unencrypted and anyone can read it.
If the request is made using HTTPS, a field called Server Name Indication (SNI) is left unencrypted in the traffic. This field contains the domain name of the target site, the same information that DoH encrypts in DoH traffic.
Finally, regardless of implementation, the traffic must have the target IP address left unencrypted. Like a postal address, routers along the way need this information to get the traffic to its destination.
Research has found that, in 95% of cases, the IP address is sufficient to determine the site that a user is visiting.
In the end, while DoH does help to protect sensitive information contained in DNS traffic, it really doesn’t help the user. The same information is leaked in a variety of ways.
The only positive impact would be if the eavesdropper could only see the user’s DNS traffic. While this is possible, DoH is mainly billed as protection against ISP eavesdropping, and an ISP sees everything.
DNS over HTTPS is designed to improve the privacy of end users. However, it has significant impact on the cybersecurity of where they work.
One of these impacts is more technology-focused. The majority of DNS servers do not support DoH, so DoH traffic goes to specialized “resolvers”. This means that an organization’s DNS traffic may be split between two different infrastructures (pure DNS vs. DoH).
This split model is not the best practice for software design.
The other major impact of DoH to businesses is that it breaks most cybersecurity tools. Many companies monitor DNS traffic in order to protect their employees. DNS-based traffic filtering looks for:
Using DoH, employees can bypass these protections.
While this may benefit them by allowing access to restricted content, it also leaves them open to visiting phishing and malware-laden sites. As a result, companies will have more difficulty identifying and protecting against malware on their networks.
One of the major selling points of DoH to potential users is the ability to conceal DNS requests from ISPs. An ISP may monitor a user’s DNS traffic for a variety of different purposes. Some of these are positive, while others are negative.
The positive benefits of an ISP monitoring DNS traffic are the same as enterprise monitoring. These systems are designed to identify (and possibly block) requests related to malware and illegal material.
For example, the UK intended to use DNS monitoring to ensure that visitors to pages with adult content were over 18 years of age. The protection against malware and the prevention of illegal activities are generally seen as a positive impact of DNS monitoring.
ISPs can also abuse their power over a user’s Internet connection. Data about a user’s browsing habits can be collected and monetized by the ISP. Censorship programs like the Great Firewall of China are also implemented through the cooperation of the ISPs.
However, the impacts of DoH on ISPs are purely theoretical. Since an ISP has full access to a user’s Internet connection, they can collect the data protected by DoH in other ways. Implementing DoH will have little or no impact on an ISP’s ability to monitor users’ traffic.
While DoH has good intentions, it does little to help the user and has significant negative impacts as well.
The same information that DoH protects is leaked in a number of other ways, and users are better off using other solutions, like VPNs or the Tor network, to protect their privacy.
On the flip side, DoH makes it harder for organizations to implement legitimate uses of DNS monitoring.
The implementation of DoH is also problematic. It centralizes the DNS infrastructure to a few “resolvers”, making it easier for an eavesdropper with access to a resolver to collect data.
This also increases the complexity of organizations’ infrastructure since they must implement a split DNS/infrastructure.
While DNS has significant support from Google and Firefox, it creates more problems than it solves. Other solutions, like DNSSEC and DNS over TLS (DoT) solve the same problem in a more efficient and effective way.