The Domain Name System (DNS) is the Internet’s phone book. When people use the web, they don’t type in the IP address of the website that they want to visit. Instead, they use a domain name, like www.google.com.
The job of DNS is to convert that domain name into an IP address that a computer can use, which it does through a series of queries to DNS servers.
DNS servers are organized in a hierarchy, so resolving one name can take several queries to different servers: the root servers refer the resolver to the servers for .com, which refer it to the servers authoritative for google.com, which finally answer. In practice a client sends a single query to a recursive resolver (usually the one supplied by the ISP or the corporate network), and that resolver walks the hierarchy on the client's behalf.
The issue is that traditional DNS sends these queries and responses in plaintext, over UDP or TCP port 53. Anyone who can intercept or eavesdrop on the network traffic (the local network, the ISP, or an attacker on the path) can see which websites a user is trying to visit and, because the answers are unauthenticated, can also alter them.
DNS over HTTPS (DoH) tries to fix the eavesdropping part of this problem. HTTPS is the encrypted protocol behind the lock icon in your browser's address bar. DoH (RFC 8484) carries DNS queries and responses inside HTTPS requests to a DoH-capable resolver, normally on port 443, so the DNS traffic looks like ordinary web traffic and is protected from eavesdroppers.
DoH has been in the news recently because several browsers, including Firefox and Chrome, now offer it as an option.
However, the use of DoH is a very controversial topic.
On its face, DoH looks like a good thing. It is designed to increase the privacy of Internet users by preventing on-path observers from seeing which sites they look up.
However, providing privacy for some people means providing privacy for everyone, and for every purpose. Monitoring DNS requests is a standard method for detecting malware on a computer, and it can also be used to track visits to illegal or unethical websites.
With DoH in place, these legitimate uses of inspecting DNS traffic are no longer available to anyone on the network path; only the operator of the DoH resolver still sees the queries.
DoH is meant to protect users' privacy by encrypting their DNS requests. Since those requests reveal where a user is browsing, encrypting them is useful in principle.
DoH is not the most efficient way to do this (it adds HTTP framing around every query), but it does encrypt DNS requests effectively.
In practice, however, DoH on its own has little effect on a user's privacy, because the information it protects is leaked in several other ways.
Once the lookup completes, the browser connects to the target site. If the site is fetched over plain HTTP, the whole exchange, including the Host header naming the site, is unencrypted and readable by anyone on the path.
If the site is fetched over HTTPS, the TLS handshake still carries the hostname in plaintext in the Server Name Indication (SNI) extension of the ClientHello: the very name DoH just encrypted. A TLS extension that encrypts the SNI (Encrypted Client Hello, formerly ESNI) exists, but it needs support from both the browser and the site's server, and DoH does not provide it.
Finally, the destination IP address is always visible, regardless of encryption. Like a postal address, routers along the way need it to deliver the packets.
Research has found that in roughly 95% of cases the destination IP address alone is enough to determine the site a user is visiting (sites that share an address with many others, for example behind a CDN, are the hard cases).
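As an added example (not from the original article), the following Python shows what an on-path observer can read from the first packet of an HTTPS connection. It constructs a minimal TLS ClientHello for a sample hostname (constructed data, not a capture) and then parses it the way a passive monitor would, pulling the hostname out of the server_name extension. The parser bounds-checks every length so a truncated or hostile record yields None instead of an exception.

```python
import struct


def build_client_hello(hostname: str, include_sni: bool = True) -> bytes:
    """Construct a minimal TLS ClientHello record for the sample (constructed data,
    not a capture). Everything but the SNI is arbitrary but structurally valid."""
    body = b"\x03\x03" + bytes(32)                 # client_version, 32-byte random (zeroed)
    body += b"\x00"                                # empty session_id
    suites = b"\x13\x01\x13\x02\xc0\x2f"           # three cipher suites
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                            # one compression method: null
    exts = b""
    if include_sni:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    exts += struct.pack("!HH", 0x0010, 5) + b"\x00\x03\x02h2"      # ALPN "h2": just another extension
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake


def extract_sni(record: bytes):
    """Return the host_name from a ClientHello's server_name extension, or None.
    Mirrors what a passive monitor on the wire does: no keys, no decryption."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None                            # not a handshake record / not a ClientHello
        hs_len = int.from_bytes(record[6:9], "big")
        body = record[9:9 + hs_len]
        if len(body) != hs_len:
            return None                            # truncated
        off = 2 + 32                               # skip client_version and random
        off += 1 + body[off]                       # session_id
        (cs_len,) = struct.unpack("!H", body[off:off + 2])
        off += 2 + cs_len                          # cipher_suites
        off += 1 + body[off]                       # compression_methods
        (ext_len,) = struct.unpack("!H", body[off:off + 2])
        off += 2
        end = off + ext_len
        if end > len(body):
            return None
        while off + 4 <= end:
            etype, elen = struct.unpack("!HH", body[off:off + 4])
            off += 4
            data = body[off:off + elen]
            off += elen
            if etype != 0x0000 or len(data) != elen:
                continue
            # server_name_list: 2-byte list length, then (name_type, length, name) entries
            (lst_len,) = struct.unpack("!H", data[:2])
            pos = 2
            while pos + 3 <= 2 + lst_len and pos + 3 <= len(data):
                ntype = data[pos]
                (nlen,) = struct.unpack("!H", data[pos + 1:pos + 3])
                name = data[pos + 3:pos + 3 + nlen]
                pos += 3 + nlen
                if ntype == 0 and len(name) == nlen:
                    return name.decode("ascii")
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    print(extract_sni(build_client_hello("www.google.com")))
```

The hostname comes out of the handshake before any key exchange has happened, which is exactly why encrypting the DNS lookup alone changes little for an observer who also sees the connection that follows.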
So while DoH does protect the sensitive information in the DNS traffic itself, it does little for the user when the same information is leaked elsewhere.
DoH only helps against an observer who can see the DNS traffic but not the connection that follows it. Such observers exist, but DoH is mainly marketed as protection against ISP eavesdropping, and an ISP sees every packet the user sends, including the destination addresses and the SNI.
DNS over HTTPS is designed to improve the privacy of end users. However, it has significant consequences for the security of the organizations they work for.
One impact is technical. Most existing DNS servers, including the internal resolvers that organizations run, do not speak DoH, so a DoH-enabled browser sends its queries to a separate, usually external, DoH resolver. An organization's name resolution is then split between two infrastructures (its own DNS and the DoH resolver).
This split model is poor design in itself, and it has a concrete failure mode: lookups for internal-only names (split-horizon DNS) go to a public resolver that cannot answer them, and the internal names are disclosed to that resolver in the process.
The other major impact of DoH on businesses is that it breaks many DNS-based security controls. Many companies monitor DNS traffic to protect their employees: DNS-based filtering logs or blocks lookups of domains associated with phishing, malware and its command-and-control traffic, and content the organization restricts by policy.
With DoH enabled in the browser, those lookups bypass the company resolver and the controls attached to it.
While this may benefit employees by giving them access to restricted content, it also leaves them open to visiting phishing and malware-laden sites, and it removes a signal that companies rely on to identify infected machines on their networks.
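As an added example (not from the original article), the Python below sketches the detection logic an organization can apply to the two problems above: it flags HTTPS flows that look like DoH to a resolver the organization has not sanctioned, using three signals (the SNI of known public DoH resolvers, the RFC 8484 media type application/dns-message, and the GET form with a dns= parameter), while allowing flows to the organization's own DoH endpoint. The log format, the resolver name doh.internal.example and the log lines are constructed for the example; the public resolver hostnames are real but the list is a starter set, not exhaustive.

```python
from urllib.parse import parse_qs, urlsplit

# Hostnames of well-known public DoH resolvers. A starter list, not exhaustive;
# in production this would come from a maintained feed.
KNOWN_DOH_HOSTS = {
    "dns.google", "cloudflare-dns.com", "mozilla.cloudflare-dns.com",
    "dns.quad9.net", "doh.opendns.com",
}
# The organization's own DoH endpoint (hypothetical name): flows to it are
# expected and must not be flagged. This is the "split infrastructure" case.
SANCTIONED_DOH_HOSTS = {"doh.internal.example"}

# Constructed sample log, one flow per line, in a hypothetical key=value format
# such as a TLS-inspecting proxy could emit. Not real traffic.
SAMPLE_LOG = """\
ts=1 src=10.0.0.5 sni=www.example.com method=GET path=/ ctype=-
ts=2 src=10.0.0.5 sni=dns.google method=POST path=/dns-query ctype=application/dns-message
ts=3 src=10.0.0.7 sni=doh.internal.example method=GET path=/dns-query?dns=AAABAAABAAAAAAAAA3d3dwZn ctype=-
ts=4 src=10.0.0.9 sni=mozilla.cloudflare-dns.com method=GET path=/ ctype=-
ts=5 src=10.0.0.7 sni=cdn.example.net method=GET path=/static/app.js ctype=-
"""


def parse_line(line: str) -> dict:
    """Split 'k=v k=v ...' into a dict; the first '=' separates key from value."""
    return dict(kv.split("=", 1) for kv in line.split() if "=" in kv)


def doh_indicators(rec: dict) -> list:
    """Return the DoH signals present in one flow record (empty list if none)."""
    hits = []
    if rec.get("sni") in KNOWN_DOH_HOSTS:
        hits.append("known-doh-resolver")
    if rec.get("ctype") == "application/dns-message":      # RFC 8484 media type
        hits.append("dns-message-content-type")
    url = urlsplit(rec.get("path", ""))
    if url.path.endswith("/dns-query") and "dns" in parse_qs(url.query):
        hits.append("rfc8484-get-query")                    # GET form: ?dns=<base64url>
    return hits


def find_doh_flows(log: str) -> list:
    """Return (src, sni, indicators) for every flow that looks like DoH to a
    resolver the organization has not sanctioned."""
    flagged = []
    for line in log.splitlines():
        rec = parse_line(line)
        hits = doh_indicators(rec)
        if hits and rec.get("sni") not in SANCTIONED_DOH_HOSTS:
            flagged.append((rec.get("src"), rec.get("sni"), hits))
    return flagged


if __name__ == "__main__":
    for src, sni, hits in find_doh_flows(SAMPLE_LOG):
        print(f"{src} -> {sni}: {', '.join(hits)}")
```

Without TLS inspection only the SNI signal is available, and a resolver missing from the list is missed, so treat the list as a floor rather than a ceiling. Firefox also honors a canary domain, use-application-dns.net: if the network's resolver answers NXDOMAIN for it, Firefox's automatic DoH rollout stays off on that network, although a user who enabled DoH explicitly is not affected.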
One of the major selling points of DoH to potential users is the ability to conceal DNS requests from ISPs. An ISP may monitor a user’s DNS traffic for various purposes. Some of these are positive, while others are negative.
The positive benefits of an ISP monitoring DNS traffic are the same as enterprise monitoring. These systems are designed to identify (and possibly block) requests related to malware and illegal material.
For example, the UK intended to use DNS monitoring to ensure that visitors to pages with adult content were over 18 years of age. The protection against malware and the prevention of illegal activities are generally seen as a positive impact of DNS monitoring.
ISPs can also abuse their power over a user’s Internet connection. The ISP can collect and monetize data about a user’s browsing habits. Censorship programs like the Great Firewall of China are also implemented through the cooperation of the ISPs.
The ISP case, however, is where the benefits of DoH are mostly theoretical. Since an ISP carries every packet a user sends, it can recover the data DoH protects from the destination IP addresses and the plaintext SNI instead, so implementing DoH has little or no impact on an ISP's ability to monitor users' traffic.
While DoH has good intentions, it does little to help the user and has significant negative impacts.
The same information that DoH protects is leaked in several other ways, and users are better off with solutions that encrypt the whole connection rather than just the lookup, like a VPN (which moves the trust to the VPN provider) or the Tor network, to protect their privacy.
On the flip side, DoH makes it harder for organizations to implement legitimate uses of DNS monitoring.
The implementation of DoH is also problematic. It concentrates DNS traffic at a handful of public resolvers, so whoever operates or gains access to one of them can collect the lookups of a very large population at once.
It also increases the complexity of organizations' infrastructure, since they must run a split DNS/DoH setup.
While DoH has significant backing from Google and Mozilla, it creates more problems than it solves. DNS over TLS (DoT) encrypts the same traffic on a dedicated port (853), which is easier for network operators to manage and filter; DNSSEC addresses a different problem, authenticating responses so they cannot be forged, and is complementary to either.