DNS over HTTPS is coming whether ISPs and governments like it or not

April 24, 2019

DNS over HTTPS (DoH), backed by Google, Mozilla, and Cloudflare, is about to make web surveillance a lot more difficult.

Today an ISP can see every domain its customers look up because DNS requests travel in the clear. DNS over HTTPS (and its close relative DNS over TLS, or DoT) makes that kind of surveillance impossible because it encrypts those requests, hence the panic reported in a recent Sunday Times article (paywall).

For more detail on how DoH/DoT works, read our previous coverage on the topic. The takeaway, however, is that Britain’s National Cyber Security Centre (NCSC), and probably the US Government think its unexpectedly rapid evolution imperils the monitoring of terrorism and other illegal content.

Big ISPs also worry it will interfere with complex Content Delivery Network (CDN) traffic caching, make customer management through support and captive portals difficult, and leave them fielding calls from unhappy customers when the third-party DNS servers offering DoH fall over.

DoH’s sudden rise

Filter the hysteria and what you’re left with is a technological conflict between ISPs which have traditionally controlled the first leg of every internet connection and companies that control the software that sits on devices – this is primarily Google but also companies such as Cloudflare and partner Mozilla which promote privacy.

Today, users connect to the internet by paying an ISP for a connection. In effect, under DNS over HTTPS, they will then establish a second DNS connection to servers run by companies such as Google and Cloudflare to make web browsing private.

It’s come to a head now because Google is in the process of implementing DoH as part of its public DNS system (8.8.8.8/8.8.4.4), which will be supported at some point in the world’s most popular browser, Chrome, and is already supported in Android 9 (this has been possible for some time on older Android versions by using Google’s Intra app).

Mozilla, meanwhile, has identical plans for Firefox implemented via Cloudflare’s 1.1.1.1 service, which the company is still testing, while Cloudflare released a dedicated Android/iOS app last year.

Currently, if a government agency wants to know which sites you’ve been visiting they can ask an ISP. In theory, under DoH they could do the same by asking Google, Cloudflare or Mozilla.

Unfortunately, the problem isn’t simply whether those companies would agree to comply, but whether they could even if they wanted to.

For example, Cloudflare has previously said it only logs DNS requests for 24 hours and plans to prove that with a public audit of its behavior run by KPMG. Compare that to ISPs which in many countries now collect domain data for up to a year.

Here to stay?

It should have been obvious that something like DoH was coming since a slew of proposed technologies for encrypting DNS requests started gathering momentum in 2017. Last October, the IETF formally adopted DoH (aka RFC 8484) as the simplest route for this to happen quickly.

Not everyone was happy with this for architectural reasons, not least because it places a lot of trust in the resolver, principally Google, Cloudflare and anyone else who adopts it.

Hitherto, the internet has been built as a compromise between what the user could do and what the service provider would let them do. DoH, some claim, upsets this balance.

The counter-argument is that too many ISPs and governments have lazily used DNS as a quick surveillance fix, for legal, political but also commercial reasons.
