What is DNS?

The Domain Name System (DNS) is the backbone of the Internet. It makes the clock tick (not literally) and is often described as the phonebook of the Internet: it translates domain names to IP addresses, just like a phonebook translates a business name to a physical address.

How does DNS work?

Almost all devices connected to the Internet have a unique IP address, which is used to communicate with other devices. IP addresses are hard for humans to remember because they are made up of seemingly random numbers, such as 192.168.20.243 (an IPv4 address). The Domain Name System lets us use domain names, such as nytimes.com, and still reach the right server instead of a blank page. When you type nytimes.com into your browser and hit enter, DNS translates that hostname into the computer-friendly IP address needed to retrieve the NY Times homepage.

DNS Resolution

The big privacy issue with DNS

The big issue with DNS is the massive impact on privacy. Imagine walking on a street and telling everybody on that street what store you are about to visit, feels weird, right? Well, with our current DNS system, this is reality.

Every time you visit a website, the hostname (like nytimes.com) is sent to a DNS resolver to perform the translation; this is often a server owned by your Internet Service Provider (ISP). Because the request is made in plain, unencrypted text, everybody on the path, including the server responsible for the translation, can see what request you made.

https://www.cloudflare.com/learning/dns/dns-over-tls/

DNS-over-HTTPS (DoH), and what it’s meant to solve

The DNS-over-HTTPS protocol is a recent invention. It was created a few years back and was proposed as an Internet standard last October (IETF RFC 8484). DoH encrypts DNS requests to provide privacy and integrity: the HTTPS protocol is used to encrypt the data between the client and the DoH resolver. Because of these privacy advantages, Firefox switched to DNS over HTTPS (DoH) by default for users in the United States in February 2020.
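To make the RFC 8484 mechanism concrete, here is an added example (not code from the original post) that builds the same wire-format DNS query a stub resolver would send in plain text and packs it into the DoH GET form, base64url-encoded in the `dns` parameter; the resolver URL `https://doh.example.com/dns-query` is a placeholder. Everything after the `?` travels inside TLS, so an observer on the wire sees only a connection to the resolver, while the resolver (or a proxy that terminates TLS) can decode the name again.

```python
import base64
import struct
from urllib.parse import parse_qs, urlparse


def build_dns_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Minimal DNS query message (RFC 1035 wire format): header, one question.

    RFC 8484 recommends a zero transaction ID so identical queries are cacheable.
    """
    # flags 0x0100 = recursion desired; QDCOUNT=1, AN/NS/AR counts = 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_url(resolver: str, name: str) -> str:
    """RFC 8484 GET form: base64url of the wire query, padding removed, in ?dns=."""
    wire = build_dns_query(name)
    token = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{resolver}?dns={token}"


def decode_doh_get_url(url: str) -> str:
    """Inverse of doh_get_url: recover the queried name from the dns parameter.

    Only a party inside the TLS session (the DoH resolver, or an enterprise
    proxy that terminates TLS) sees this URL; the network path does not.
    """
    token = parse_qs(urlparse(url).query)["dns"][0]
    wire = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    pos, labels = 12, []  # question section starts right after the 12-byte header
    while wire[pos]:
        n = wire[pos]
        labels.append(wire[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels)


if __name__ == "__main__":
    url = doh_get_url("https://doh.example.com/dns-query", "nytimes.com")
    print(url)
    print("decoded name:", decode_doh_get_url(url))
```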


DoH Issues

Although DoH seems promising, it has some limitations. Since its introduction, researchers have identified two main issues: privacy, despite being improved, still cannot be guaranteed, and DoH bypasses DNS monitoring and protections.

Privacy issues

DoH encrypts the DNS request and so hides the requested domain name (nytimes.com). But ISPs and other intermediaries can still look at the parts of an HTTPS connection that are not encrypted, such as IP addresses and OCSP connections. Furthermore, sites often include content that is loaded over plain HTTP (unencrypted), allowing an intermediary to piece together which site was visited.

Enterprise issues

While DoH can help protect the privacy of users, it can break some existing security controls. Many enterprises have a solution in place that blocks DNS requests to domains associated with malware or other dangerous categories. The following excerpt from an NSA article explains the threats covered by these DNS-based controls.

These essential protective DNS controls can prevent numerous threat techniques used for initial access, command and control, and exfiltration, such as phishing links to malicious domains, connections using dynamic name resolution, and commands hidden in DNS traffic [1]

To mitigate these issues, enterprises should implement their own DoH-enabled DNS resolver and block all other DNS traffic. This ensures that all DNS requests are sent to a resolver controlled by the enterprise. Standard applications such as Chrome or Firefox should be configured to use only the company’s resolver.

Is it that bad?

To finish off, it can be said that DoH provides extra privacy to users but prevents enterprises from achieving governance and DNS monitoring. Enterprises that consider these limitations and implement well-thought-out policies and procedures can use DoH without the downsides. So DoH might be a welcome improvement!


[1] NSA - Adopting Encrypted DNS in Enterprise Environments - https://media.defense.gov/2021/Jan/14/2002564889/-1/-1/0/CSI_ADOPTING_ENCRYPTED_DNS_U_OO_102904_21.PDF

[2] Cloudflare - DNS - https://www.cloudflare.com/learning/dns/dns-over-tls/