DNS over HTTPS – What is it, and why should you care?

Event report

[Read more session reports and live updates from the EuroDig 2019]

The moderator of the session, Mr Vittorio Bertola (Head of Policy and Innovation, Open Xchange) provided an overview about the DNS-over-HTTPS (DoH) protocol and its meaning for policy debates.

Firstly, he introduced three existing ways to resolve DNS queries (requests for converting domain names to Internet Protocol addresses (IP)): (a) resolution on a user’s device by the operating system (OS); (b) local resolution at the Internet service provider’s (ISP) network; and (c) remote DNS resolution by a third party, often in another country which can be free for public resolvers and paid premiums such as Cisco Umbrella or Open DNS. Bertola mentioned 40% of remote resolutions, mostly in developing countries where local infrastructure is poor, is done by Google, and this number continues to rise.

The idea of the DoH protocol is to transmit DNS queries over encrypted HTTPS connection bypassing device’s OS or ISP’s name server, so any application that is able to send and receive HTTPS requests can send DNS queries to wherever the resolvers are. This protocol was released a year ago by the web community and it requires a certain upgrade for DNS or web servers, so the industry needs to deploy it first. There are other encryption solutions for DNS such as DNSSEC, DNS-over-TLS, DNScrypt, but the last two are not widely used.

Bertola explained current challenges for DNS with DoH:

• Device-to-resolver connections are encrypted and hidden in web traffic, so no one in the middle can access DNS queries anymore.

• DNS is becoming an application level service that depends on the configuration of a particular app to send DNS queries.

• App creators are gaining control over the choice of the DNS resolvers and can hardwire a remote resolver list leaving no choice for the user.

Then he moved to the consequences of DoH deployment. The protocol can protect users that are already using remote resolution by encrypting the queries so nobody can track their activity on the Internet and sniff the DNS traffic. The good or bad meaning of DoH depends on the use case; if you trust your device OS, or your ISP, they can protect you from malware, filter unwanted resources, and provide parental control and this is not possible with DoH since your DNS traffic is hidden. But if you want to have a choice of DNS resolvers, this may not work if the app creator limits the options, or even redirect your traffic somewhere else to collect data about you. Another problem is that each app can use its own name server, as well as point to different IP addresses for the same name, depending on the local policies of blocking resources. In addition, content delivery network (CDN) optimisations can send you to different places for the same name. Active debates about DoH started after Mozilla announced last year that they wanted to enable this new protocol in the Firefox browser by default, using Cloud as a DNS server provider. Now Mozilla is working on the resolver policy – more DNS providers can be added to the list, if they go through the accreditation process by meeting strong requirements in terms of security and privacy. Moreover, Bertola pointed to another serious concern – future concentration of DNS traffic. Currently four browsers control over 90% of the world’s web traffic, and they are placed in a single country and therefore a single jurisdiction. With the deployment of DoH they will define their resolver policy.

Summarising the main policy implications of DoH, Bertola emphasised six areas:

1. Privacy: While your DNS queries cannot be sniffed, your DNS data will be subject to the resolvers’ rules of privacy, law enforcement, and net neutrality. Also, DNS providers can potentially store and use your data (cookies, digital fingerprints) for monetisation.
2. Censorship: You will get DNS-based content filters mandated by the law of the remote resolver’s country. In addition, your home country may start impose ISPs more invasive methods of filtering (by IP address, for example, or stricter firewall rules) to keep control since filtering by DNS is relatively easy to bypass.
3. Net neutrality: Application makers or resolver providers may break network neutrality, depending on the laws of the host country.
4. Performance: Your remote resolver may be located very far, but still perform better. However it cannot get topologically better results for CDNs unless it violates your privacy.
5. Security: The remote resolver may not get real-time threat feeds for your country to protect you. Local names for addresses will not work, though there is still some ongoing research.
6. User empowerment: Currently users can choose a DNS server for resolving, though it requires some technical skills. With DoH, not every app will let you have a choice, your DNS queries will go wherever the apps want. Outside the technical community, ordinary users do not understand what changes are coming.

Bertola pointed out that DoH technology potentially creates more freedom for a user, especially for the heavily-censored part of the world, but it just puts other companies in charge of controlling traffic and the DNS resolution. A user can only hope having more freedom, ‘but it’s not a freedom-making technology’.

Bertola asked to focus on three questions: Who has to control the resolver choice? Who should be entitled to apply resolution policies? Where to have this discussion? At the Internet Engineering Task Force (IETF) or a more multistakeholder platform?

Mr Simon Hicks (Head of ICT and Digital Technical Standards Policy, Department for Digital, Culture, Media and Sport, UK) said that the UK is seeking to use DNS filtering of undesirable content and attempting to put that responsibility on the ISPs. Now they want industry engagement in planning how DoH will be used from the legal perspective. For example, to see a default option for DoH resolution within the country the user is in. The problem is that what can be useful for the UK may not work for the rest of the world, so there is a need for a bigger discussion.

Ms Collin Kurre (Digital Programme Officer, Article 19) drew the audience’s attention to how DNS filtering and DoH compatibility with legal frameworks are not the right way to address social problems arising from content. She gave an example from Sweden where they have started a new initiative to reduce the dependence on DNS blocking and filtering by encouraging parents to educate their children for secure web surfing so that they would have less dependence on parental filters.

Mr Adam Kingsley (Director of Policy, Sky) said there is a demand in the British society for a voluntary, simple-to-use parental control by ISPs on a local level. The newly published white paper on online harms just proves this demand, but in case of DoH, the responsibility over the content filtering will be moved for another country, the USA namely, and may cause problems. He suggested two ways to solve them: (a) to implement a standard that is compatible across all OS and app providers, which is a great challenge, or (b) To call for a duty in the country of destination.

Mr Peter Koch (Senior Policy Advisor, DENIC) noted that much of the discussion about DNS is poisoned by the long-standing discussion of whether the DNS is the appropriate place for content control, and he argued that it is not, since there are many ways to get around the blocks and filters for a user. He claimed the protocol is innocent itself, his main aim is to encrypt DNS traffic to avoid sniffing; for example, from nation states for intelligence purposes. He also tried to move the debate towards the powers and duties of resolution providers.

Mr Peter Van Roste (General Manager, Council of European National Top-Level Domain Registries [CENTR]) emphasised the importance of participation of the top level domain (TLD) community in improving the situation with Mozilla and choice of alternative DNS resolvers provided by ccTLDs like .LU and .CZ.

Kurre added that it is important to have an option instead of either accepting or being unable to connect to the Internet. People should exercise full agency in terms of choices. Also, there should be informed consent to use any particular resolution and we need to help people be aware of the choices. Finally, she noted that there should be an option to revoke consent, or to have redress mechanisms if there are breaches of data or violations of privacy policy by a DNS provider.
 

By Stadnik Ilona