Skip to main content
  • Cybersecurity

DNS over HTTPS: What about the application layer?

By Rob Williamson
Marketing Manager

So far, it appears that DoH application development, after some initial hiccups, is respecting the intent of the standard – which is to deliver privacy in the DNS.

If you clicked on this headline you probably fall into one of three camps:

  1. You are a DoH expert and can probably add more detail to this summary article
  2. You have read a bunch of DoH headlines and formed an opinion
  3. What’s DoH?

If you fall into the second or third group, then consider first reading the previous parts of this blog series:

Part 1 – DNS Encryption – Evolution or Revolution

Part 2 – DNS over HTTPS – Who do you love (with your data)

The role of standards like DoH: a.k.a. standards aren’t applications

Before we dig into the application layer, let’s quickly remind everyone about the role of standards bodies, like the Internet Engineering Task Force(IETF). These are typically bottom-up global organizations that effectively let anyone submit an idea through a process called “Request for Comments.” This consensus approach to defining technology sounds painful, but in reality, it has paved the way for the tremendous innovation we see on the internet today. It can be considered a method of balancing the wild west of application development in matters of interoperability.

These standards are not designed to solve all the internet’s problems; instead, they are intended to be part of the broader solution.. It is how we implement these standards alongside other technologies that determines success.

So far, it appears that DoH application development, after some initial hiccups, is respecting the intent of the standard – which is to deliver privacy in the DNS.

What has happened in recent history

Back when Mozilla first announced support for DoH in the Firefox browser, their public plans were a little fuzzy. This led the U.K. Internet Service Providers Association to declare them an “internet villain”, claiming it would allow users to bypass the U.K.’s filtering obligations and stop a parent’s ability to set parental controls for their children. The move was also criticized by the U.K.’s spy agency and the Internet Watch Foundation. Similar complaints against Google were levied by big ISPs in the United States. Our scenario is quite different in Canada as it relates to what ISPs are doing with your personal DNS data (see part 2 of this blog series).

With DoH implemented in the application layer, browsers and other software would bypass traditional DNS and use port 443 to make encrypted requests. The hyperbolic argument against this is that it will result in the end of days for security, and everyone’s internet experience would become rife with drive-by bitcoin miners, child exploitation, terrorism, ransomware and illegal storefronts. This is not where we are going to wade into this debate.

Since then, the most implementation noise has been made by Google, Microsoft and the other American mega-corporations that have come to dominate our desktop and mobile experiences.

How DoH is implemented and communicated can exacerbate the problem

One of the challenging aspects of DoH implementations is that application and infrastructure providers have difficulty marketing DNS encryption to a general audience. I can tell you straight-up that it is darn near impossible with the launch of DoH support in CIRA’s Canadian Shield.

The development team hands the marketing team a technology that uses words like “DNS over HTTPS”, “Port 443”, “192.168.0.1” and then tells them that everyone in the world benefits from this great innovation. What comes out is a bit of a disaster because 90 per cent of regular humans are simply not going to take the time to understand DoH. In the name of message simplification, the benefits get oversold — and the risks undersold.

The best example of this message simplification is CloudFlare adding DoH to its 1.1.1.1. recursive resolver service. It states, “1.1.1.1 is a fast and private way to browse the internet” while the mobile application says it “makes your internet more private.” There is some criticism from cybersecurity and I.T. people that feel this oversells the privacy to people who don’t understand it. This criticism is a little unfair because using TOR browsers and a private VPN are not reasonable options for most people.

When properly implemented, DoH provides additional privacy options that are a net positive for the internet because it gives consumers a choice. However, when done incorrectly, it could be a potential net negative by concentrating DNS resolution in the hands of a few powerful, multinational corporations.

A quick digression about the DNS

Time to dig out the old fashioned DOS-like interface. A DNS lookup is a plain-text record of all your activity online. It relates your I.P. address, and can be easily used to link you to everything you surf online. Here is a snapshot of the results running tcpdump to packet capture queries and responses between an employee laptop and their recursive resolver when visiting Facebook (full disclosure, we edited this to obfuscate the real I.P. address). In it, you can see not only the direct activity but app and ad network lookups that occur from his I.P. address to the service. What is really important here is that this information passes in clear text over the internet. In other words, not only does the resolver know everything, but it also all travels over the wire and through all the hoops on the internet like this.

I turned on our commercial service (CIRA DNS Firewall) at home, and had a ton of fun looking at how much DNS activity happened when I wasn’t around. I could see my operating system, Roomba, smart speaker and other smart devices all communicating back to their host systems. Again, in clear text and over the internet. This is possible because with our commercial service, IT managers generally need to monitor what happens on their network and in this context I was my home IT manager.

Is DNS concentration in the hands of big corporations a problem?

Application implementation of DoH is happening in a way that hides the nuance from the user. This results in message boards and comment sections getting filled with negative opinions, like one commenter saying, “the guys pushing for DNS-over-HTTPS are the worst privacy offenders out there (Google, Cloudflare).”

Regardless of your opinion of any big company, the trend towards pervasive information gathering and marketing has probably led to the growth of search alternatives like Duck Duck Go and increasing marketing by browser alternatives centered on privacy. For example, Microsoft is taking a very strong privacy stance with their latest Edge browser, while Mozilla has been touting its privacy capabilities for a long time now.

Arguments against corporate control often point to corporate histories littered with long, complicated licensing agreements and best intentions that have a tendency to slip over time. However, with DoH implemented correctly, it doesn’t really matter because it gives the consumer the choice to stay or switch at any time.

The other side of the corporate coin is the impact on large telcos. In the U.S., telecommunications deregulation has enabled ISPs to, in theory, use internet behavior to track and market to their customers. On this note, it is very important to point out that this is not happening in Canada. ISPs are not prohibited from using customer DNS data for commercial purposes; however, to do so they must clearly inform their customers as opposed to burying it in the terms and conditions. If a Canadian ISP were to begin this practice, it would likely be a public relations and sales nightmare. Frankly, Canadian ISPs deserve kudos for their hands-off approach. That said, we can’t forget that they aren’t always perfect when it relates to the DNS. Both Rogers and Bell have been accused in the past of overstepping marketing using DNS-based activities.

As a top level domain, CIRA participates in a number of global internet governance activities, and we have heard some rumblings in the halls about DNS concentration through DoH. Traditional DNS resolvers (like Google 8.8.8.8) were never an issue, it is the move to the application layer that has raised this concern. This is likely due to an already highly-concentrated market at that layer where only four companies control more than 93 per cent of the web browser market share in Canada.

So now that we understand the marketing and criticisms at the application layer – how is implementation happening?

Mozilla

Mozilla was first out of the gate when they made DoH the default setting in Firefox using Cloudflare as the chosen resolver. After rolling out the change in the U.S., the company is taking a country-by-country approach and are allowing users to change their default resolver.

Mozilla has recognized that there are situations where defaulting to DoH is not appropriate. This includes networks that are using DNS filtering for malware or parental controls. It is an issue that was particularly critical for enterprises due to serious cybersecurity threats from unfiltered internet access. Since the standard didn’t address this issue, Mozilla implemented a canary domain before it is enabled. If the browser can resolve the canary domain of a known and approved DNS provider, then it will not enable DoH by default. It will also check the Windows and macOS settings for parental controls in the operating system. If an end-user manually enables DoH then the signal from the network will be ignored, and the user setting will predominate.  For I.T. administrators, we recommend that they implement network-based systems for updating config files across the network to use approved resolvers to limit the risk of this activity. We also recommend choosing (if relevant) a DoH provider that provides a level of network security in the form of a DNS firewall or similar (we might know one you will like).

Mozilla has also developed a Trusted Recursive Resolver program with specific privacy, transparency, and censorship requirements that must be met. These requirements are well designed for the good of end-user privacy.

Chrome

Chrome is the big daddy of the browser market, and its approach has been different. DoH will not be a default setting for enterprise versions of the browser; they will continue to get instructions from Active Directory. For other users, the browser will recognize the presence of recursive resolver filtering and keep that default when present. This means that if, for instance, your ISP supported a DoH equivalent and Chrome was aware of it, then they will switch to DoH. It is an interesting approach that considers the on-path encryption of the DNS to be the primary benefit versus the question of who gets that data at the end of the path. That said, it is certainly less intrusive to the end-user.

They are in the experimental phase with a small number of American providers. Chrome will maintain a table to map non-DoH DNS servers to their equivalent DoH servers. As of the date of publication of this blog, they have not published plans to implement a canary domain similar to Mozilla.

Windows and Edge

Edge and Windows go hand in hand, and so it makes sense that they are looking to implement DNS at the OS level.

Their design strategy is that the Windows DNS needs to be as private and functional as possible without the need for user admin or configuration. In this way, they are taking a similar approach to Chrome. Of course, being an operating system-focused approach, they do want power users to continue to be able to manage the settings with as much flexibility as is available.

The first milestones will be for Windows to ship with a list of configuration mappings for DNS IP addresses to DoH URIs. All queries will use the DoH address when needed. This means that no user involvement is necessary to support DoH when it is an available option for DNS privacy. If a DoH capable server is not on the list, then it will require manual configuration, so this is a recognized first step to the future. The one disadvantage to this principle is that users can’t be educated on the value of DNS privacy.

Safari

Crickets chirping (yeah, we haven’t heard much).

However, for those using macOS, DNS over HTTPS would require the installation of a proxy switcher. This is definitely not something an average user would be comfortable doing. Again, not a lot of information on OS level implementation from Apple. 

What else?

It is certainly reasonable that critical applications (like banking tools) could use an encrypted DNS to communicate directly to their servers. Still, we don’t know of any public plans to take this approach. It is an interesting idea to help protect privacy and security. On the same note malware can, and already has done the same.

What remains to be seen is whether these moves to protect privacy with DoH and other technologies can make a difference in the browser market share and can help Microsoft and Mozilla to claw back into the market.

We are still early days, but from all indications, the major software companies are taking reasoned approaches to balance security, privacy and the circle of trust as it relates to the DNS. It is up to the consumer to make a choice – and that is a good thing.

About the author
Rob Williamson

Rob brings over 20 years of experience in the technology industry writing, presenting and blogging on subjects as varied as software development tools, silicon reverse engineering, cyber-security and the DNS. An avid product marketer who takes the time to speak to IT professionals with the information and details they need for their jobs.

Loading…