The impact of DNS encryption on the internet ecosystem and its users

11 Jun 2020 11:30h - 13:00h

Event report

The workshop discussed the impact of Domain Name System (DNS) encryption standards (mainly the DNS-over-HTTPS (DoH) protocol) on the privacy and security of end users, as well as some of the challenges that Internet service providers (ISPs) and the browser community (community of companies who provide and produce browsers) have to face when deploying different implementation models of DoH.

Mr Ondrej Filip (CZ.NIC) started with a brief introduction of DoH’s technical features. He explained that DoH is a method used to increase security and privacy. It enables bypassing several participants in the DNS traffic chain and makes the DNS resolution (translation) take place outside of the user’s network. This can be problematic for corporate firewalls, parental control filters, as well as law enforcement agencies in certain states. In addition, there are operational difficulties when it comes to connectivity between different ISP and DNS providers.

Moreover, there is a problem with the centralisation of DNS queries. Currently, DNS resolving involves a large number of actors. But with the application of DoH, especially in browsers, we may see a great shift of power to a small number of actors.

Mr Nicolai Leymann (Deutsche Telekom) noted that currently, more than 90% of DNS queries are resolved using the ISP’s resources, and only a small fraction of DNS traffic goes to external DNS servers. He added that user experience is greatly affected by DNS performance, yet  most users have no clue how it works. Meanwhile, ISPs are doing a lot of optimisation for DNS traffic so that users could have better and faster access to popular services, but the encryption of the queries makes that impossible. In addition,  Leymann mentioned some possible operational problems that users could face when switching to external DNS providers: the auto upgrades of browsers, difficulty in troubleshooting, and no knowledge on whether DNS traffic is really encrypted.

Looking at the issue from a policy angle, Mr Vittorio Bertola (Open-Xchange) said that the implementation of DoH causes three problems. First, it breaks the balance of power between the various Internet platforms, browser-makers, and ISPs – now the browsers are starting to control where the DNS traffic goes and who can be a DNS provider. Second, he pointed to a fragmentation problem: that the DNS operator may become too ‘big’ to follow ICANN rules and policies, instead creating his own. The third problem is the effectiveness of traffic filtering based on DNS that is used by ISPs for security reasons (avoiding malware, complying with law enforcement agencies, and providing parental controls).

As an example, Bertola highlighted DoH deployment models that already exist: the Mozilla model (DoH by default for US users), and the Microsoft and Google models (that do not change the DNS operator, but upgrade the connection to one that is encrypted). However, none of these models addresses a serious concern: that it is the browser that is in charge of making the decision of who gets the DNS queries. For example, browsers could discriminate against smaller DNS providers or open source projects.

During further discussion, participants touched upon the problem of user awareness about DoH use and where the user data goes in this case; software upgrades of old devices to use new protocols; the use of third party DNS providers under privacy laws; the possibility of having centralised European public resolvers; personal resolvers in home networks for greater privacy; the cost of deploying DoH for ISPs; and the compatibility of DoH and domain name system security extensions (DNSSEC).

By Ilona Stadnik