The DoH dilemmaImpacts of DNS-over-HTTPS on how the Internet works

Vittorio Bertola, DNS Symposium 2019

2

1.What does DoH do?

33

What is DoH?

DNS-over-HTTPS (RFC 8484)New IETF standard by Web people (thatalso operate public resolvers)Transmits DNS queries to the resolverover an HTTPS connection (encrypted)Can be used by any HTTPS-speakingapp, bypassing the OS and its settingsRequires upgraded DNS / Web servers

44

Three main changes to resolution

1. The device-to-resolver connection isencrypted and hidden inside Web traffic

2. Each application can use a differentresolver (DNS becomes an applicationlevel service, not a network one)

3. Each application maker gains control of resolver choice and can hardwire a remote resolver list

Protocoldesign choices

Deployment and policy

choices

Only one in common

with DNS-over-TLS

5

2.A note on terminology

66

A debate on words

Debate over which defining feature isthe root of (most) issues, and how do wename it□ Unencrypted vs encrypted?□ Business model – ISP vs OTT?□ Concentrated vs distributed?□ «DNS-over-cloud»?My choice is «local» vs «remote»

7

Local DNS resolution

Home LAN ISP The Internet

AuthoritativeDNS server(s)

Applications

OSStub

resolver

Resolver(«name server»)

88

Why «local»?

The ISP’s network is the first that youtraverse to get to the Internet, no matter where you goThe ISP is normally in the same country, usually in the same city□ Same jurisdiction□ Same language□ Maybe they suck, but you know how to

reach them

9

Remote DNS resolution

Home LAN ISP The Internet

AuthoritativeDNS server(s)

Applications

OSStub

resolverResolver

(«name server»)

1010

Why «remote»?

It is topologically distant from you□ Often in another countryIt is run by a third party□ For free («public resolver»)

E.g. 8.8.8.8, 9.9.9.9, 1.1.1.1□ Or as a paid premium service

E.g. Cisco Umbrella/OpenDNS

11

3.Consequences of DoH’sdeployment

1212

#1The device-to-resolver connection

is encrypted and hiddeninside Web traffic

13

Remote DNS resolution, intercepted

Home LAN ISP The Internet

AuthoritativeDNS server(s)

Applications

OSStub

resolverResolver

(«name server»)

14

Local DNS resolution, not intercepted unless the ISP is hacked

Home LAN ISP The Internet

AuthoritativeDNS server(s)

Applications

OSStub

resolver

Resolver(«name server»)

15

Remote DNS resolution, proxied by the ISP

Home LAN ISP The Internet

AuthoritativeDNS server(s)

Applications

OSStub

resolverResolver

(«name server»)

TransparentDNS proxy

1616

Is this good or bad?

GoodIf you use remote resolution and are attacked or trackedIf you don’t trust your ISP / itdoes bad thingsto you

IndifferentIf you use localresolution and are attacked or tracked, unlessthe attacker ison the ISP’snetwork

BadIf you trust yourISP / it doesgood things for you

17

It depends.But mostly good.

1818

#2Each application can use a different

resolver (DNS becomesan application level service,

not a network one)

1919

Is this good or bad?

GoodIf the applicationmaker is smarterthan the user, and is honestIf you don’t trust your OSIf the OS’s DNS implementationis not goodenough

IndifferentIf all DoHapplicationsused the OS settings

BadIf the applicationmaker issmarter thanthe user, and isdishonestIf the user issmarter thanthe applicationmaker

2020

Is this good or bad?

BadIf eachapplication startspointing you to different IPs for the same nameIf eachapplication startsusing its own(augmented) namespace

BadIf the applicationdoesn’t let youconfigure the DoH serverIf the remote DoH server provided by the applicationmaker fails

BadIf the applicationmaker’sinterests and the user’sinterests are opposite

21

Bad.«Crossing the streams» bad!

2222

#3Each application maker gains

control of resolver choice and can hardwire a remote resolver list

23

A consequence of deployment policies

Mozilla’s announcement from May 2018

24

Mozilla’s resolver accreditation policyBromite’s

configurationscreen

2525

The real change

Now (and for the last 20 years)

Local resolution is the defaultYou get the nearestresolver when youconnectYou can set your resolveronce for all in your OS

In the DoH futureRemote resolution with multiple servers is the defaultYou get the applicationmaker’s resolver whenyou install the appYou have to set yourresolver for every new application

2626

What does this mean?

2727

New gatekeepers + Concentration

NowDNS traffic is spread across hundreds of thousands of serversAnd they are everywhereacross the worldAnd you can easily pickthe server you want

In the DoH futureFour browser makersthat have 90% of the market control 90% of the world’s Web trafficresolutionsAnd they are all in the same country and jurisdictionHow easily can youchoose?

2828

Privacy ?

NowYour queries can be sniffedYou are covered by yourown country’s privacy, law enforcement and neutrality rulesYour DNS is normallysupplied by a company that does not live off targeted advertising

In the DoH futureYour queries cannot be sniffedYour DNS data will be subject to the resolver’sprivacy, law enforcementand neutrality rulesMany of the likely DNS providers live off data monetization (and use cookies / fingerprinting)

2929

Freedom from censorship ?

NowYou get the DNS-basedcontent filters mandatedby the law of yourcountry

In the DoH futureYou get the DNS-basedcontent filters mandatedby the law of the remote resolver’s countryAnd your country maystart mandating IP address filters as a response

3030

Network neutrality ?

NowYour ISP may break network neutrality, unlessthere are laws to preventthis

In the DoH futureYour application maker or resolver operator maybreak network neutrality, unless there are laws to prevent this

3131

Performance ?

NowThe application has to wait for the OSYour local resolver isnear, though it can be slow and unreliableYour local resolver getsthe topologically betterresult from CDNs

In the DoH futureThe application doesn’thave to wait for the OSYour remote resolver isfar, but it could stillperform betterYour remote resolvercannot get the topologically betterresult from CDNs unlessit violates your privacy

3232

Security ?

NowYour ISP can blockbotnets and malwarewith localized DNS filtersYour ISP can detectnetwork problems and infections via the DNSYour ISP can use split horizon, local names…

In the DoH futureWill your remote resolverget real-time threatfeeds for your country?Your ISP will be blindLocal names won’t work any moreDoH can be used for data exfiltration

3333

User empowerment ?

NowYou can easily pick a different serverYou can get DNS-basedservices (parental control…) from whomever you wantYou can easily know whereall your queries goSmarter users expectthings to work this way

In the DoH futureYou have to change the server in each app, and not all apps may let youAll other DNS-basedservices stop workingYour queries go whereverthe app wantsNo one expects or understands the change

3434

Privacy in transport != Privacy

Concentration + Less user control = Surveillance point

Changing the entity in charge !=More freedom

3535

Is this good or bad?Good

If you are a dissidentwithout a clueIf you trust Google/Apple/ Mozilla/Cloudflare more than your ISPIf you trust the U.S. government and lawsmore than yoursIf you don’t care aboutcentralization

BadIf you are ok with yourcurrent resolverIf you like to control DNS If you trust your ISP more than Google etc.If you trust your owngovernment and laws more than the U.S. onesIf you are worried about the centralization of the net

36

It depends.But mostly bad.

Especially without appropriate policies.

37

4.The DoHdilemma(s)

3838

The user? The ISP? The browser?

Who should choosethe device’s resolver?

3939

Who should be entitledto apply policies to your DNS?

The network administrator?

The resolver?The government?

4040

Where shouldthe issues be discussed?

By regulators?

At ICANN?At IETF?

4141

Work to do

TechnicalDiscoveryprotocolPending IETF drafts: server BCPs, client BCPs…Missing piecesMonitoring and research

Policy / CommunityIndependenttrusted resolveraccreditationDeployment promotion and user educationEx post analysison IETF processshortcomings

RegulatoryJurisdictionissuesLaw enforcementmechanismsContent control responsibilitiesService liabilities

EuroDIGworkshop

June 20, The Hague

42

Thanks!Any questions?You can find me at

@vittoriobertolavittorio.bertola@open-xchange.com

Credits: Original presentation template by SlidesCarnival modified by myself License: This presentation is distributed under a Creative Commons Attribution (CC-BY) license