DNS over HTTPS (DoH) has recently taken the DNS world by storm, sparking philosophical and practical debates around privacy, cybersecurity, business interests, and the state of the internet for many people.
Having trouble wrapping your head around all the DoH argument rabbit holes? Then you’ve come to the right place. The goal of this blog post isn’t to sway you one way or the other, but instead to untangle and organize the arguments surrounding it.
If you wanna stir up trouble among infrastructure nerds, gather them together, and then take a position on DNS over HTTPS.
Entertainment factor gets a 3x-10x multiplier when alcohol is involved.
— Ethan Banks @ KubeCon (@ecbanks) November 15, 2019
“What is DNS over HTTPS?”
Let’s start with the basics: DNS. Remember, DNS is the internet protocol that helps devices find and access the web servers they’re looking for.
For example, how does your web browser know to find and access the exact server that hosts bluecatnetworks.com’s content? DNS. How does a payroll administrator’s computer know which internal server to access for employee compensation data? DNS.
DNS works when a device asks a nearby DNS server a question. ‘What’s the IP address for bluecatnetworks.com?’ If that server doesn’t immediately know, it asks the same question to its friendly neighborhood DNS server, and so on and so forth, until someone comes up with the answer (or doesn’t, in the case of an IP address that doesn’t exist).
DNS over HTTPS is simply that, but with the question and answer wrapped in an HTTPS connection, so that anyone watching the hot potato of DNS questions get passed along can’t tell what’s being asked.
It gets more technical than that, but you should get the gist. It’s an IETF Proposed Standard, RFC 8484, if you want to learn the details.
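To make the “encrypted through HTTPS” part concrete, here is an added example (not code from the post or from BlueCat) that builds the DNS question for bluecatnetworks.com in its normal wire format, wraps it the way RFC 8484 specifies for a GET or POST request, and parses a reply. The reply is constructed locally so the whole thing runs offline; the resolver hostname passed to `send_doh_query` is a placeholder for whichever DoH provider you choose, and the 203.0.113.10 address is a documentation address, not the site’s real one.

```python
import base64
import http.client
import ssl
import struct

# Added example, not code from the post: the DNS message that DoH carries,
# the RFC 8484 encoding around it, and a parser for the answer. The sample
# response is constructed here so everything runs offline.


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """RFC 1035 wire-format query for `name` (qtype 1 = A, class IN).
    RFC 8484 recommends transaction ID 0 so identical questions produce
    identical HTTP requests, which lets HTTP caches help."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def doh_get_path(query: bytes, endpoint: str = "/dns-query") -> str:
    """GET form from RFC 8484: base64url of the raw query, '=' padding dropped."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={encoded}"


def send_doh_query(resolver_host: str, query: bytes, path: str = "/dns-query") -> bytes:
    """POST form: the query travels as the body of an ordinary HTTPS request.
    `resolver_host` is a placeholder for your chosen DoH provider; an on-path
    observer sees a TLS session to that host, not the question inside it."""
    conn = http.client.HTTPSConnection(
        resolver_host, 443, context=ssl.create_default_context(), timeout=5
    )
    try:
        conn.request("POST", path, body=query, headers={
            "Content-Type": "application/dns-message",
            "Accept": "application/dns-message",
        })
        resp = conn.getresponse()
        if resp.status != 200:
            raise RuntimeError(f"DoH resolver answered HTTP {resp.status}")
        return resp.read()
    finally:
        conn.close()


def read_name(data: bytes, offset: int):
    """Decode a (possibly compressed) DNS name; return (name, offset after it)."""
    labels, end, jumped = [], offset, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier copy of the name
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            return ".".join(labels), end
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def parse_a_records(response: bytes):
    """Return [(name, ipv4, ttl)] for the A records in a DNS response."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", response[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit not set: this is a query, not a response")
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = read_name(response, offset)
        offset += 4
    records = []
    for _ in range(an):
        name, offset = read_name(response, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", response[offset:offset + 10])
        offset += 10
        rdata = response[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            records.append((name, ".".join(str(b) for b in rdata), ttl))
    return records


def build_sample_response(query: bytes, ipv4: str, ttl: int = 300) -> bytes:
    """Constructed reply to `query` with a single A record."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD, RA
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4)   # pointer to the question name
    answer += bytes(int(o) for o in ipv4.split("."))
    return header + query[12:] + answer


if __name__ == "__main__":
    q = build_query("bluecatnetworks.com")
    print("GET", doh_get_path(q))
    print(parse_a_records(build_sample_response(q, "203.0.113.10")))
```

The point worth noticing is that the bytes inside the HTTPS request are exactly the same DNS message a client would have sent over UDP port 53; DoH changes the envelope, not the question. That is also why a DoH resolver sees everything a plain resolver would.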
“Who cares about DNS queries, anyway?”
There are many reasons to be looking at DNS queries. Many of those in charge of network operations use the information found in DNS queries to short-circuit the game of hot potato played by a chain of curious servers when answering a common question. Internet service providers are said to watch users’ DNS queries, because they signal users’ browsing patterns. DNS queries are also inspected for cybersecurity reasons. For example, if a Point of Sale device is asking for the IP address of a secret finance server outside of store hours, that’s a good hint that it’s infected.
“What are the major arguments surrounding DoH?”
“DNS over HTTPS improves user privacy”
One of the major arguments for DoH is that it protects individual users’ DNS queries by encrypting them from view by ISPs. It’s a simple argument, but a powerful one.
“DNS over HTTPS does not improve privacy”
The quick retort to the first argument above is that DoH doesn’t protect individual users’ DNS data from everybody because DoH providers (who encrypt and resolve DNS queries) still handle and see the data. In addition, there are other protocols involved in internet browsing that an ISP could use to track user browsing.
DoH encrypts precisely zero data that is not already present in unencrypted form. As it stands, using DoH only provides *additional* leaks of data. SNI, IP addresses, OCSP and remaining HTTP connections still provide the rest. It is fake privacy in 2019.
— Bert Hubert (@PowerDNS_Bert) September 22, 2019
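The SNI leak mentioned in the tweet above is easy to see for yourself. This is an added example, not code from the tweet or the post: it constructs a minimal TLS ClientHello for bluecatnetworks.com and then reads the hostname back out of it the way any on-path observer (an ISP, a firewall, a tap) can, with no keys involved. The cipher suite and structure are a bare-minimum handshake built for illustration, not a capture.

```python
import os
import struct

# Added example, not from the tweet or post: a passive observer's view of a
# TLS ClientHello. The handshake is constructed here; the hostname is the one
# the post uses as its running example.


def build_client_hello(server_name=None) -> bytes:
    """Minimal TLS record carrying a ClientHello, optionally with an SNI extension."""
    body = b"\x03\x03" + os.urandom(32)          # client_version TLS 1.2, 32-byte random
    body += b"\x00"                               # empty session id
    body += struct.pack("!H", 2) + b"\xC0\x2F"    # one cipher suite (ECDHE-RSA-AES128-GCM-SHA256)
    body += b"\x01\x00"                           # compression methods: null only
    extensions = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        name_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", 0x0000, len(name_list)) + name_list  # type 0 = server_name
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 22


def extract_sni(record: bytes):
    """Return the server_name carried in a ClientHello record, or None.
    Returns None for non-handshake records, non-ClientHello messages,
    hellos without SNI, and truncated or malformed input."""
    try:
        if record[0] != 0x16:
            return None                                       # not a handshake record
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:
            return None                                       # not a ClientHello
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                          # skip version and random
        pos += 1 + body[pos]                                  # session id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher suites
        pos += 1 + body[pos]                                  # compression methods
        if pos + 2 > len(body):
            return None                                       # no extensions block at all
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            ext = body[pos:pos + ext_len]
            pos += ext_len
            if ext_type != 0x0000:
                continue
            list_end = 2 + struct.unpack("!H", ext[:2])[0]
            p = 2
            while p + 3 <= list_end:
                name_type = ext[p]
                name_len = struct.unpack("!H", ext[p + 1:p + 3])[0]
                p += 3
                if name_type == 0:
                    return ext[p:p + name_len].decode("ascii")  # the hostname, in the clear
                p += name_len
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                                           # truncated or malformed input


if __name__ == "__main__":
    print(extract_sni(build_client_hello("bluecatnetworks.com")))
```

Because the hostname rides in the unencrypted part of the handshake, hiding the DNS lookup for bluecatnetworks.com with DoH does not hide the fact that the connection to bluecatnetworks.com follows a moment later. Any privacy assessment of DoH has to count SNI and the destination IP address alongside the DNS query itself.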
“DNS over HTTPS sabotages enterprise security and network operations”
On the enterprise side, resolving DNS over HTTPS can render cybersecurity solutions blind, since many rely on analyzing DNS data to protect an organization. Where before, organizations could use DNS as a vector for policy-based security action, they no longer can. SANS Institute’s Drew Hjelm echoes this in a recent paper, as do internet pioneer Paul Vixie and others.
Pretty straightforward, but some good readings:
— Steve Miller (@stvemillertime) October 24, 2018
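The Point of Sale scenario from the “Who cares about DNS queries” section and the policy-based checks this section says DoH renders blind are the same thing seen from two sides, so one added example covers both. This is illustrative code, not a BlueCat product or anything from the post: it runs two rules over a handful of constructed DNS query log lines. The log format, the subnets, the hostnames, the store hours and the DoH resolver name are all assumptions made for the example.

```python
import re
from collections import namedtuple
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Added example, not BlueCat code: policy checks over DNS query logs.
# The log format, subnets, hostnames, hours and resolver names are constructed.
SAMPLE_LOG = """\
2019-11-20T14:02:11Z client=10.50.1.23 qname=pricing-api.corp.example type=A
2019-11-20T02:14:07Z client=10.50.1.23 qname=finance-db.corp.example type=A
2019-11-20T09:30:44Z client=10.10.7.8 qname=finance-db.corp.example type=A
2019-11-20T11:05:19Z client=10.50.1.40 qname=doh.example-resolver.net type=A
2019-11-20T12:00:00Z client=10.50.1.23 qname=cdn.example.com type=AAAA
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+) type=(?P<qtype>\S+)$"
)

# Assumed inventory: POS terminals sit in 10.50.0.0/16, finance staff in 10.10.0.0/16.
ROLE_BY_NETWORK = [(ip_network("10.50.0.0/16"), "pos"),
                   (ip_network("10.10.0.0/16"), "finance")]
# Hosts a given role has no business resolving (assumed policy).
FORBIDDEN_FOR_ROLE = {"pos": ("finance-db.corp.example",)}
STORE_HOURS = (8, 22)  # assumed opening hours, UTC
# A plain-DNS lookup for a DoH resolver's hostname is the bootstrap step right
# before a client moves its queries out of this log. Placeholder list.
KNOWN_DOH_RESOLVERS = {"doh.example-resolver.net"}

Alert = namedtuple("Alert", "client rule severity qname")


def role_for(client: str) -> str:
    addr = ip_address(client)
    return next((role for net, role in ROLE_BY_NETWORK if addr in net), "unknown")


def parse_line(line: str):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # malformed line: skip it rather than stop the pipeline
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["qname"] = rec["qname"].rstrip(".").lower()
    return rec


def evaluate(rec: dict) -> list:
    """Apply both policy rules to one parsed query record."""
    alerts = []
    role = role_for(rec["client"])
    open_at, close_at = STORE_HOURS
    off_hours = not (open_at <= rec["ts"].hour < close_at)
    # Rule 1: a device role asking for a host it should never need. Outside
    # store hours the same query is a stronger signal, so it is rated higher.
    if any(rec["qname"] == h or rec["qname"].endswith("." + h)
           for h in FORBIDDEN_FOR_ROLE.get(role, ())):
        alerts.append(Alert(rec["client"], f"{role}-queried-forbidden-host",
                            "high" if off_hours else "medium", rec["qname"]))
    # Rule 2: a client resolving a DoH resolver's name is about to leave this log.
    if rec["qname"] in KNOWN_DOH_RESOLVERS:
        alerts.append(Alert(rec["client"], "doh-resolver-bootstrap", "medium", rec["qname"]))
    return alerts


def scan(log_text: str) -> list:
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            alerts.extend(evaluate(rec))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Rule 1 only works while the POS terminal’s queries pass through a resolver the organization logs; once that terminal resolves over DoH to an outside provider, the second line of the sample log never appears and the detection has nothing to look at. Rule 2 is the modest consolation: the first lookup of the DoH resolver’s own hostname is often still visible, which gives the security team at least a hint that a client is about to go dark.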
Also, network configurations use information in a DNS query to re-route users or applications based on what’s most efficient. This happens for home internet users as well. For example, certain popular media companies now keep servers in ISP data centers to give users the ability to resolve their queries without going all the way to their in-house resources.
“DNS over HTTPS centralizes the internet”
DNS, because it is a decentralized system, keeps the internet resilient. If one set of servers goes down, the blast radius isn’t large. When a small number of servers start resolving a large amount of DNS traffic, which could happen because there are only 2 big DoH resolvers (Mozilla sends DoH queries to CloudFlare for resolution), the impact of an outage could now affect a disproportionately larger amount of people.
“Who cares about DoH?”
Lots of people. Here’s the who and the why.
DNS over HTTPS providers: these are the organizations who encrypt DNS over HTTPS for internet users. For example, CloudFlare, OpenDNS, Quad9. The others are listed here.
Why they care: because, well, they’re providing the service. They must see some value in resolving DNS queries over HTTPS for people.
Internet browsers: internet browsers control how DNS queries flow, either to DoH servers, or otherwise. For example, Mozilla’s Firefox automatically sends DoH queries to CloudFlare’s servers for resolution.
Why they care: because aligning to the interests of their users is good for business.
P.S. Firefox, which accounts for less than 5% of browser usage, now automatically resolves personal internet users’ queries with CloudFlare’s DoH, but gives users an opportunity to opt out. On enterprise networks, Firefox has not automatically enabled DoH.
P.P.S. Google was planning to test DoH in its Chrome browser this month by enabling it automatically in v78 when a certain set of conditions is met. An opt-out option is available. If you’re wondering why Google let Mozilla beat it to DoH adoption, keep in mind that Chrome accounts for more than 60% of browser usage. The impact of a change in Chrome is much larger than one in Firefox (sorry, Firefox).
Internet service providers (ISPs): self explanatory, but here’s why ISPs are relevant here. ISPs traditionally resolved (and therefore had access to) internet user DNS data before DoH. They still do, for those not using DoH.
Why they care: because DoH has the potential to shift how they run their business.
Personal internet users: people like you and me, who create the queries that need to be resolved (and therefore data that can be analyzed).
Why they care: they expect a level of privacy around their internet usage, and DoH impacts that.
Enterprise internet users: like personal internet users, enterprises use the internet and, therefore, create DNS query data. Unlike personal internet users, this group ought to have no expectation of privacy surrounding data created while they are at work, because their organization owns what happens on its network.
Why they care: they don’t, but they’re part of this because they might unwittingly be using DoH on the job anyway.
Enterprise cybersecurity teams: also unlike personal internet users, enterprise internet users are looked after by a cybersecurity and network operations team at their organization. These groups are responsible for ensuring enterprise internet users have access to the resources they need, can’t access what they don’t need, and are secure.
Why they care: because DoH changes how they do their job.
Governing bodies: because DoH has the potential to impact such a large number of people, the Department of Justice has stepped in to make sense of DoH and its potential impacts, and to look at some best practices for its continued use.
Why they care: it’s their job to care how their people are affected.
Public interest groups: as with most hot topics, there will be a group of people who oppose and who support an issue. With DoH, many of the groups aren’t specifically named in the news, but know that they exist.
Why they care: different reasons. One example is the Encrypted DNS Deployment Initiative (EDDI), which cares about keeping the implementation of encrypted DNS as safe as possible for the internet. (More on this in a minute.)
(Updated 11/23/2019) Operating system vendors: operating systems are used by both individual and enterprise internet users, and have a serious ability to impact the way DNS queries pass through them. The first example here is Microsoft, who recently announced support for DoH in its Windows operating system. (Granted, Windows offers more flexibility for administrators to configure DNS settings.)
Why they care: ignoring DoH and its potential impacts on privacy and security is no longer an option. OS vendors are recognizing that.
See For Yourself: More Big Takes on DNS over HTTPS
WIRED’s Lily Hay Newman does a really patient job of walking people through DoH and why it’s so controversial.
If you want an audio version, check this episode of Cyber Work. In it, host Chris Sienko and BlueCat Chief Strategy Officer dive into it.
A summary of the big DoH counter-arguments, delivered by ZDNet’s Catalin Cimpanu, who took a lot of opposition on Twitter for this.
Looking for a heated, charged opinion? Cory’s got your back. You don’t need to read far into it to get real clear on what his opinion is.
Remember I told you the government’s gotten involved? Yeah.
And yep, DoH’s got implications for law enforcement. Children’s rights groups won’t let this one go easy.
You probably assumed this, but those pushing DoH forward are on the opposite side of the debate as ISPs.