Part One and Part Two; DNS and DOH


Part One: DNS Encryption – Evolution or revolution

A short primer on how we got to here

Rob Williamson, Tuesday, November 19, 2019

Part 1 of a series of pieces on DNS encryption. Read part 2: DNS over HTTPs (DoH) – Who do you love? ( Right after this Part One)

“Centralized DoH is currently a privacy net negative since anyone that could see your metadata can still see your metadata when DNS is moved to a third party.”

– Bert Hubert (published on APNIC)

If this is true then how did we get here?

First, a quick primer on the domain name system (DNS). When a user or application uses the DNS to visit a website or web service, it first asks where that service is located using a recursive DNS resolver. For most Canadian Internet users this resolver sits on the internet service provider’s network, and it is not something a user thinks about. If the recursive resolver doesn’t know the answer, or if it “decides” that the information it has is too old, it starts the process of looking up the data. This begins by querying “the root,” then traverses the DNS hierarchy down to the top-level domain manager, and finally to the domain holder (here is a video for those visual learners).

In this process the recursive resolver asks what are called authoritative DNS resolvers what they know about each element of the domain name. A good metaphor is that the recursive resolver holds the Internet’s map, and for anything it doesn’t have, it knows how to look it up. Fundamentally, the DNS is made up of two things: recursive and authoritative resolvers.

This system is based on Internet Engineering Task Force (IETF) RFC 1034 and RFC 1035, which were originally proposed in 1987 and are standards.

(As a side note, an RFC, or “Request for Comments,” is a technical document submitted to the Internet Engineering Task Force (IETF). The entire global technical community can then contribute to it. Some RFCs go on to become “internet standards.” If you want to know how that sausage is made, then go here.)

What is important is that DNS queries are sent in clear text over the wire. This is at the root (no pun intended) of what many think is the problem. The DNS is based on the concept of a free and open Internet, and that concept is under threat because bad actors (i.e. hackers) can take advantage of the clear-text traffic, while commercial entities and governments can also use the data in ways the end user may not want.

In traditional DNS the queries and responses can be monitored pervasively.

The privacy revolution

While history is more nuanced, suffice it to say that back in 2013 Edward Snowden asked the IETF to build “an internet for users, not spies.” In July of 2013 the IETF Internet Architecture Board (IAB) formally recognized the privacy consideration. The timeline looks like this:

  • July 2013 – Privacy considerations for internet protocols RFC6973
  • May 2014 – Pervasive monitoring is an attack RFC7258
  • August 2015 – Confidentiality in the face of pervasive surveillance: A threat model and problem statement RFC7624
  • March 2016 – DNS query name minimization to improve privacy RFC7816
  • May 2016 – Specification for DNS over transport layer security (TLS)  RFC7858
  • December 2018 – DNS Queries over HTTPS (DoH) Internet Draft NWG (draft-ietf-doh-dns-over-https-12)

Today, we have DoT, DoH and DNS query name minimization with architectures that look like these diagrams:

DoT was designed to enable privacy in the “riskiest” hop while giving organizations the ability to manage cybersecurity risk on their networks.
DoH is designed to encrypt the entire path from the user to the recursive resolver.
Query name minimization limits what is sent to each step in the authoritative resolver chain.

DNS query name minimization involves asking each authoritative server only the part of the question it needs to answer (e.g. asking the root, “where does .CA live?” and not, “where does love.CA live?”). The result is that the minimum amount of data is requested. This sounds obvious, but in the DNS as traditionally implemented the full name is (and often is) sent to every layer. With query name minimization, as the query travels from server to server, anyone intercepting the packets along the way will not learn the full name being looked up nor the original querier. It is arguably the smaller part of privacy – but still useful.
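As an added illustration of the two lookup styles described above (example code, not from the CIRA post), the following simulation walks a cold-cache recursive resolver down a constructed delegation tree (root, .ca, love.ca) and records which name each authoritative server is asked, with classic recursion and with RFC 7816 query name minimization. It also covers the case the RFC has to handle where a label is not a delegation, so the resolver keeps adding labels at the same server. The zone list and the domain names are assumptions made for the example.

```python
"""Simulate, for a cold-cache recursive resolver, the question each authoritative
server receives with classic recursion versus RFC 7816 query name minimization.
Added example, not code from the CIRA post; the delegation data is constructed."""

# Constructed zone cuts: names that are served by their own authoritative servers.
ZONE_CUTS = {".", "ca.", "love.ca."}

def _fqdn(name):
    return name if name.endswith(".") else name + "."

def delegation_chain(name):
    """Zones the resolver must visit, root first, following referrals down the tree."""
    labs = _fqdn(name).rstrip(".").split(".")
    chain = ["."]
    for i in range(len(labs) - 1, -1, -1):
        cand = ".".join(labs[i:]) + "."
        if cand in ZONE_CUTS:
            chain.append(cand)
    return chain

def traditional_queries(name, qtype="A"):
    """Classic recursion: every server on the chain is sent the full name and type."""
    full = _fqdn(name)
    return [(zone, full, qtype) for zone in delegation_chain(full)]

def minimized_queries(name, qtype="A"):
    """Query name minimization: ask each server only for the next label (QTYPE NS).
    A label that is not a delegation is retried with one more label at the same server."""
    labs = _fqdn(name).rstrip(".").split(".")
    out, zone = [], "."
    for i in range(len(labs) - 1, -1, -1):
        qname = ".".join(labs[i:]) + "."
        last = i == 0
        out.append((zone, qname, qtype if last else "NS"))
        if qname in ZONE_CUTS and qname != zone:  # referral: move down to the child zone
            zone = qname
            if last:  # the name is a zone apex: re-ask the child with the real type
                out.append((zone, qname, qtype))
    return out

def names_seen(queries):
    """What each authoritative server learned about the lookup: the privacy-relevant view."""
    seen = {}
    for zone, qname, _ in queries:
        seen.setdefault(zone, set()).add(qname)
    return seen
```

Compare `names_seen(traditional_queries("www.love.ca"))` with `names_seen(minimized_queries("www.love.ca"))`: in the first the root and .ca servers both see the full name, in the second they see only `ca.` and `love.ca.` respectively.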

Where things get more interesting is the difference between DoT and DoH. This includes which is better and even whether these standards relegate other standards like DNSSEC to the dustbin of history (hint – they probably don’t). There is much to unpack here, but we aren’t going to…yet.

This little historical primer is part one of a multi-part series on DNS encryption. We’ll cover the players, the standards, the security risks, and the commercial adoption. It is moving very quickly, so we will know exactly what we cover when we do. For instance, when I woke up this morning I didn’t expect Microsoft (using a blog, of all things) to announce their intentions for Windows to support DoH. Things are happening fast in a world where standards usually move slowly. What we know for sure is that for the first time ever, what is common knowledge at CIRA is now a global fact – the DNS is one sexy beast.

We started with a quote from APNIC, so we will end with one from Geoff Huston to give you an idea of what is to come, where we might stand, and what we are doing about it.

“It’s easier to sustain a case that DoH has the potential to change the parties whom you bring into your trust circle…and not necessarily in a good way.”

Part Two

DNS over HTTPs (DoH) – Who do you love?

Who are you letting into your trust circle?

Rob Williamson, Monday, January 6, 2020

Co-authored by Alyssa Moore

Part 2 of a series of pieces on DNS encryption. Read part 1: DNS Encryption – Evolution or revolution

In the circles of internet governance, many organizations are genuinely concerned about DNS over HTTPs (DoH) and the concentration of DNS data in the hands of corporations (specifically American ones, who already hold so much of our data). Are these concerns well founded? At the end of the day, someone has to see your traffic in order to ensure it gets to the right place. So the question is: who do you love (with your data)?

Before we go any further, we’re not going to jump straight to examples like child exploitation and terrorist content to make this argument. Of course, everyone is against those things and we need to figure out ways to stop them. That said, what we need is a nuanced, rational argument about a subject that has many different perspectives. Also, as we’ve said previously, blocking malware and phishing is not censorship.

If you’re not familiar with DNS encryption, check out the previous blog on the subject. Short version: DNS traffic travels from the user’s browser through to the recursive and authoritative resolvers that make the internet work. For most users this starts with their ISP, and the information passes in clear text for all (who have the technology to sniff the network) to see. With DNS encryption that information is hidden–but it requires a special kind of resolver. Google, for instance, is making this possible through a browser setting that sends traffic to their own DoH resolvers—which is perhaps not what the founders of the internet had in mind. We’ll cover what the various vendors out there are proposing in the next blog in the series.

Simplified view – DNS over HTTPs secures DNS information on the home network and, more importantly, the internet

The “Canadian” DNS and you

In the Canadian context, most users let their ISP’s recursive resolver do their lookups on the internet (i.e. browse the web). In Canada, ISPs are prohibited by regulation from using that recursive information to target you for advertising and are prohibited from selling that information—this is not the case in other countries. In the U.S., ISPs are fighting Google over DoH implementation, arguing that the concentration of information is potentially harmful. However, many feel that American ISPs aren’t exactly being altruistic in their defense, as deregulation in their industry has given them the power to use that data for their own interests.

So, we have established that, unless you take specific steps to prevent it, Canadian ISPs know where you go online but they can’t use that data for any other purpose. Additionally, I think most will agree that browsing the internet in Canada is a generally consequence-free endeavor, as our government doesn’t engage in the kind of mass surveillance or mass blocking that some countries do. So we have ISPs that can only use our data for its intended purpose—to connect us to the websites we request—and a government that generally leaves us alone to browse as we please.

However, the regulatory knife cuts both ways because freedom and privacy go hand-in-hand. Recently, a federal court ordered Canada’s ISPs to block access to a pirate streaming service.

If that sounds reasonable, since streaming pirated content is illegal, then consider that Quebec ISPs were also ordered to block access to online gambling sites that are not licensed in the province and compete with Lotto Quebec. While you may not personally like gambling, it is legal and actively encouraged by most governments in Canada through the lotteries and casinos they operate. What right does the government have to enforce its monopoly via court-mandated content blocking? Some consumer advocates argue that this limits consumer choice while privacy advocates question where to draw the line on censorship. Moreover, it was deemed unconstitutional.

We have spent a fair bit of time on institutional access to your private DNS data, but don’t forget that, from both a privacy and a security standpoint, traditional DNS data travels in clear text over the internet. It is open for use and abuse by bad actors. DNSSEC is the solution, but in this context, encrypting DNS traffic can help hide this information and perhaps make it harder to find, modify or redirect. Make no mistake, used properly DNS encryption is a great addition to the overall privacy landscape (with a nod to those who will inevitably bring up the value of a VPN or TOR if I don’t call those technologies out).

If DoH is so great, then why are people concerned?

Fundamentally, DoH is all about who you bring into your circle of trust. You have to trust someone in order to get your DNS data to the right location; all DoH does is provide users with more options. This empowers consumers to make a choice where before they may not have known they had one—or even understood it was a problem.

However, when you look at who is leading the charge in implementing DoH services, it gives Canadians reason to pause. While sharing your personal DNS data with highly regulated Canadian ISPs is currently a relatively safe proposition, how does that change when your data is going to a for-profit cloud-service provider outside of Canada like Cloudflare or Google? Shocked? Well, I hate to tell you, it is nothing new for many people who already do this by choice!

Many Canadians have a love-hate relationship with their ISP, and among technical Canadians the use of third-party DNS providers is common for reasons of privacy, performance and security. That said, I asked several of my technical friends why they use third-party DNS providers, and the overwhelming response was, “because technology.” In other words, they just liked the idea that they could.

More scientifically, I analyzed the source of a bunch of queries to our DNS servers and found that Google’s 8.8.8.8 service (non-DoH) handles about 16 per cent of all DNS lookups in Canada and has about a 90 per cent market share among third-party DNS services. Earlier this year, we surveyed our .CA registrants and found that among those who consider themselves moderately technical, 13 per cent used a third-party DNS, while among those who considered themselves highly technical that number jumped to 40 per cent. In other words, they trust American companies like Google more than their Canadian ISP. While these are open resolvers, organizations like Google likely know enough about you to correlate IP-based associations to you, as an individual or a household.

In the case of DoH, the implications are even more dangerous. When enabled in the browser, a DoH resolver can identify a specific user and exactly where they are visiting on the internet.

To illustrate the implications, let’s consider a hypothetical law firm. Under traditional DNS, the resolver would know that this hypothetical law firm made a bunch of visits to the website of a marijuana producer. Law is a stressful profession, so it might make sense that lawyers like to unwind in the evenings. However, in the case of browser-based DoH, it is possible for someone with access to DNS data to know that Jane McCreech, head of Mergers and Acquisitions at that same law firm was also visiting the same website. What can the resolver do with that information both personally and professionally? What can a foreign government do? This is why the circle of trust is so important, and is precisely why many global privacy and internet governance advocates are worried. Transitioning to DoH has both short and long-term implications, and the impacts vary depending on what country you live in. The circle of trust might look a lot different in Canada as opposed to China.

These are only the privacy implications of DNS over HTTPS. DoH also has real implications for cybersecurity because it opens back doors to protected networks. More on that in a future blog on this topic – we expect to be producing four or five more of these, so make sure to click that social link (below) to be the first to know.

Rob Williamson

Rob brings over 20 years of experience in the technology industry writing, presenting and blogging on subjects as varied as software development tools, silicon reverse engineering, cyber-security and the DNS. An avid product marketer who takes the time to speak to IT professionals with the information and details they need for their jobs.