Simplified view – DNS over HTTPS secures DNS information on the home network and, more importantly, the internet
The “Canadian” DNS and you
In the Canadian context, most users let their ISP’s recursive resolver do the lookups needed to reach the internet (i.e. browse the web). In Canada, ISPs are prohibited by regulation from using that recursive information to target you for advertising and are prohibited from selling that information—this is not the case in other countries. In the U.S., ISPs are fighting Google over DoH implementation, arguing that the concentration of information is potentially harmful. However, many feel that American ISPs aren’t exactly being altruistic in their defense, as deregulation in their industry has provided them with power to use that data for their own interests.
So, we have established that, unless you take specific steps to prevent it, Canadian ISPs know where you go online but they can’t use that data for any other purpose. Additionally, I think most will agree that browsing the internet in Canada is a generally consequence-free endeavor, as our government doesn’t engage in the kind of mass surveillance or mass blocking that some countries do. So we have ISPs that can only use our data for its intended purpose—to connect us to the websites we request—and a government that generally leaves us alone to browse as we please.
However, the regulatory knife cuts both ways because freedom and privacy go hand-in-hand. Recently, a federal court ordered Canada’s ISPs to block access to a pirate streaming service.
If that sounds reasonable, since streaming pirated content is illegal, then consider that Quebec ISPs were also ordered to block access to online gambling sites that are not licensed in the province and compete with Loto-Québec. While you may not personally like gambling, it is legal and actively encouraged by most governments in Canada through the lotteries and casinos they operate. What right does the government have to enforce its monopoly via court-mandated content blocking? Some consumer advocates argue that this limits consumer choice while privacy advocates question where to draw the line on censorship. Moreover, it was deemed unconstitutional.
We have spent a fair bit of time on institutional access to your private DNS data, but don’t forget that, from both a privacy and a security standpoint, traditional DNS data travels in clear text over the internet. It is open for use and abuse by bad actors. DNSSEC is the solution, but in this context, by encrypting DNS traffic you can help to hide this information and perhaps make it harder to find, modify or redirect. Make no mistake: used properly, DNS encryption is a great addition to the overall privacy landscape (with a nod to those who will inevitably bring up the value of a VPN or Tor if I don’t call those technologies out).
If DoH is so great, then why are people concerned?
Fundamentally, DoH is all about who you bring into your circle of trust. You have to trust someone in order to get your DNS data to the right location; all DoH does is provide users with more options. This empowers consumers to make a choice where before they may not have known they had one—or even understood it was a problem.
However, when you look at who is leading the charge in implementing DoH services, it gives Canadians reason to pause. While sharing your personal DNS data with highly regulated Canadian ISPs is currently a relatively safe proposition, how does that change when your data is going to a for-profit, cloud-service provider outside of Canada like Cloudflare or Google? Shocked? Well, I hate to tell you it is nothing new for many people who do this by choice!
Many Canadians have a love-hate relationship with their ISP, and among technical Canadians, the use of third-party DNS providers is common for reasons of privacy, performance and security. That said, I asked several of my technical friends why they use third-party DNS providers, and the overwhelming response was, “because technology”. In other words, they just liked the idea that they could.
More scientifically, I analyzed the source of a bunch of queries to our DNS servers and found that Google’s 8.8.8.8 service (non-DoH) has about 16 per cent of all DNS lookups in Canada and about a 90 per cent market share among third-party DNS services. Earlier this year, we surveyed our .CA registrants and found that among those that consider themselves moderately technical, 13 per cent used a third-party DNS, while among those that considered themselves highly technical that number jumped to 40 per cent. In other words, they trust American companies like Google more than their Canadian ISP. While they are open resolvers, organizations like Google likely know enough about you to correlate IP-based associations to you, as an individual or a household.
In the case of DoH, the implications are even more dangerous. When enabled in the browser, a DoH resolver can identify a specific user and exactly where they are visiting on the internet.
To illustrate the implications, let’s consider a hypothetical law firm. Under traditional DNS, the resolver would know that this hypothetical law firm made a bunch of visits to the website of a marijuana producer. Law is a stressful profession, so it might make sense that lawyers like to unwind in the evenings. However, in the case of browser-based DoH, it is possible for someone with access to DNS data to know that Jane McCreech, head of Mergers and Acquisitions at that same law firm, was also visiting the same website. What can the resolver do with that information both personally and professionally? What can a foreign government do? This is why the circle of trust is so important, and is precisely why many global privacy and internet governance advocates are worried. Transitioning to DoH has both short and long-term implications, and the impacts vary depending on what country you live in. The circle of trust might look a lot different in Canada as opposed to China.
These are only the privacy implications of DNS over HTTPS. DoH also has real implications for cybersecurity because it opens back doors to protected networks. More on that in a future blog on this topic – we expect to be producing 4 or 5 more of these, so make sure to click that social link (below) to be the first to know.