Co-authored by Alyssa Moore
Part 2 of a series of pieces on DNS encryption. Read part 1: DNS Encryption - Evolution or revolution
In the circles of internet governance, many organizations are genuinely concerned about DNS over HTTPS (DoH) and the concentration of DNS data in the hands of corporations (specifically American ones that already hold so much of our data). Are these concerns well-founded? At the end of the day, someone has to see your traffic in order to ensure it gets to the right place. So the question is: Who do you love (with your data)?
Before we go any further, we’re not going to jump straight to examples like child exploitation and terrorist content to make this argument. Of course, everyone is against those things and we need to figure out ways to stop them. That said, what we need is a nuanced, rational argument about a subject that has many different perspectives. Also, as we’ve said previously, blocking malware and phishing is not censorship.
If you’re not familiar with DNS encryption, check out the previous blog on the subject. Short version: DNS traffic travels from the user’s browser through to the recursive and authoritative resolvers that make the internet work. For most users this starts with their ISP, and the information passes in clear text for all (who have the technology to sniff the network) to see. With DNS encryption, that information is hidden, but it requires a special kind of resolver. Google, for instance, is making this possible through a browser setting that sends traffic to its own DoH resolvers, which is perhaps not what the founders of the internet had in mind. We’ll cover what the various vendors out there are proposing in the next blog in the series.
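To make the clear-text point concrete, here is an added example (not code from the original post or from the article’s authors) that builds the same DNS query twice: once as the plain wire-format message that travels unencrypted over UDP port 53, where anyone on the path can read the queried name straight out of the bytes, and once wrapped in a DNS-over-HTTPS GET request in the form specified by RFC 8484, where the whole request rides inside TLS and only the resolver’s hostname and IP are visible to an observer. The domain names and the resolver hostname `doh.resolver.example` are constructed for illustration.

```python
import base64
import struct

# Constructed example: a browser's query for a name, shown first as the
# cleartext DNS wire format (what an ISP or anyone sniffing the path sees),
# then encapsulated in an RFC 8484 DoH GET request. Names, transaction IDs
# and the resolver hostname are illustrative assumptions, not values from
# the original article.

def encode_qname(name: str) -> bytes:
    """Encode a hostname as DNS labels: each label length-prefixed, then a NUL."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"

def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Build a single-question DNS query (QCLASS IN, RD flag set).

    RFC 8484 recommends transaction ID 0 for DoH so that identical queries
    produce identical HTTP requests and can be cached.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_qname(name) + struct.pack("!HH", qtype, 1)
    return header + question

def readable_labels(wire: bytes) -> str:
    """Recover the queried name from a cleartext packet, exactly as a passive
    observer on the network path could. The question starts after the
    12-byte header."""
    pos, labels = 12, []
    while wire[pos] != 0:
        n = wire[pos]
        labels.append(wire[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels)

def doh_get_request(wire: bytes, host: str, path: str = "/dns-query") -> str:
    """Render the RFC 8484 GET form: the wire message base64url-encoded with
    padding removed, carried in the `dns` query parameter. On the network
    this entire request is inside TLS; only `host` (via SNI) and the
    resolver's IP address remain visible to a third party."""
    b64 = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return (f"GET {path}?dns={b64} HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            f"Accept: application/dns-message\r\n\r\n")

if __name__ == "__main__":
    q = build_query("example.ca")
    print("cleartext UDP payload:", q.hex())
    print("name visible to anyone on path:", readable_labels(q))
    print(doh_get_request(q, "doh.resolver.example"))
```

The contrast is the point of the post: with the classic protocol, `readable_labels` works on every packet crossing the ISP’s network; with DoH, the same bytes are only readable by the operator of `doh.resolver.example`, which is why the choice of resolver becomes the whole privacy question.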
Simplified view - DNS over HTTPS secures DNS information on the home network and, more importantly, on the internet
The “Canadian” DNS and you
In the Canadian context, most users rely on their ISP’s recursive resolver for their DNS lookups (i.e. to browse the web). In Canada, ISPs are prohibited by regulation from using that recursive information to target you for advertising and are prohibited from selling that information; this is not the case in other countries. In the U.S., ISPs are fighting Google over DoH implementation, arguing that the concentration of information is potentially harmful. However, many feel that American ISPs aren’t exactly being altruistic in their defense, as deregulation in their industry has given them the power to use that data for their own interests.
So, we have established that, unless you take specific steps to prevent it, Canadian ISPs know where you go online, but they can’t use that data for any other purpose. Additionally, I think most will agree that browsing the internet in Canada is a generally consequence-free endeavor, as our government doesn’t engage in the kind of mass surveillance or mass blocking that some countries do. So we have ISPs that can only use our data for its intended purpose, connecting us to the websites we request, and a government that generally leaves us alone to browse as we please.
However, the regulatory knife cuts both ways because freedom and privacy go hand-in-hand. Recently, a federal court ordered Canada's ISPs to block access to a pirate streaming service.
If that sounds reasonable, since streaming pirated content is illegal, then consider that Quebec ISPs were also ordered to block access to online gambling sites that are not licensed in the province and compete with Loto-Québec. While you may not personally like gambling, it is legal and actively encouraged by most governments in Canada through the lotteries and casinos they operate. What right does the government have to enforce its monopoly via court-mandated content blocking? Some consumer advocates argue that this limits consumer choice, while privacy advocates question where to draw the line on censorship. Moreover, the Quebec blocking requirement was deemed unconstitutional.
We have spent a fair bit of time on institutional access to your private DNS data, but don’t forget that, from both a privacy and a security standpoint, traditional DNS data travels in clear text over the internet. It is open for use and abuse by bad actors. DNSSEC is the solution to that, but in this context, encrypting DNS traffic also helps to hide this information and perhaps makes it harder to find, modify or redirect. Make no mistake, used properly DNS encryption is a great addition to the overall privacy landscape (with a nod to those who will inevitably bring up the value of a VPN or Tor if I don’t call those technologies out).
If DoH is so great, then why are people concerned?
Fundamentally, DoH is all about who you bring into your circle of trust. You have to trust someone in order to get your DNS data to the right location; all DoH does is provide users with more options. This empowers consumers to make a choice where before they may not have known they had one, or even understood that there was a problem.
However, when you look at who is leading the charge in implementing DoH services, it gives Canadians reason to pause. While sharing your personal DNS data with highly regulated Canadian ISPs is currently a relatively safe proposition, how does that change when your data is going to a for-profit cloud-service provider outside of Canada like Cloudflare or Google? Shocked? Well, I hate to tell you, but it is nothing new: many people already do this by choice!
Many Canadians have a love-hate relationship with their ISP, and among technical Canadians, the use of third-party DNS providers is common for reasons of privacy, performance and security. That said, I asked several of my technical friends why they use third-party DNS providers, and the overwhelming response was, “because technology”. In other words, they just liked the idea that they could.
More scientifically, I analyzed the source of a bunch of queries to our DNS servers and found that Google’s 8.8.8.8 service (non-DoH) handles about 16 per cent of all DNS lookups in Canada and has about a 90 per cent market share among third-party DNS services. Earlier this year, we surveyed our .CA registrants and found that among those who consider themselves moderately technical, 13 per cent used a third-party DNS, while among those who considered themselves highly technical that number jumped to 40 per cent. In other words, they trust American companies like Google more than their Canadian ISP. While these are open resolvers, organizations like Google likely know enough about you to correlate the IP address behind a query with you as an individual or a household.
In the case of DoH, the implications are even more serious. When enabled in the browser, a DoH resolver can identify a specific user and exactly where they are visiting on the internet.
To illustrate the implications, let’s consider a hypothetical law firm. Under traditional DNS, the resolver would know that this hypothetical law firm made a bunch of visits to the website of a marijuana producer. Law is a stressful profession, so it might make sense that lawyers like to unwind in the evenings. However, in the case of browser-based DoH, it is possible for someone with access to the DNS data to know that Jane McCreech, head of Mergers and Acquisitions at that same law firm, was also visiting that same website. What can the resolver do with that information, both personally and professionally? What can a foreign government do? This is why the circle of trust is so important, and it is precisely why many global privacy and internet governance advocates are worried. Transitioning to DoH has both short- and long-term implications, and the impacts vary depending on what country you live in. The circle of trust might look a lot different in Canada as opposed to China.
These are only the privacy implications of DNS over HTTPS. DoH also has real implications for cybersecurity, because it opens back doors to protected networks. More on that in a future blog on this topic. We expect to be producing 4 or 5 more of these, so make sure to click the social link (below) to be the first to know.