Post on 05-Jan-2020
The DoH dilemmaImpacts of DNS-over-HTTPS on how the Internet works
Vittorio Bertola, DNS Symposium 2019
2
1.What does DoH do?
33
What is DoH?
DNS-over-HTTPS (RFC 8484)New IETF standard by Web people (thatalso operate public resolvers)Transmits DNS queries to the resolverover an HTTPS connection (encrypted)Can be used by any HTTPS-speakingapp, bypassing the OS and its settingsRequires upgraded DNS / Web servers
44
Three main changes to resolution
1. The device-to-resolver connection isencrypted and hidden inside Web traffic
2. Each application can use a differentresolver (DNS becomes an applicationlevel service, not a network one)
3. Each application maker gains control of resolver choice and can hardwire a remote resolver list
Protocoldesign choices
Deployment and policy
choices
Only one in common
with DNS-over-TLS
5
2.A note on terminology
66
A debate on words
Debate over which defining feature isthe root of (most) issues, and how do wename it□ Unencrypted vs encrypted?□ Business model – ISP vs OTT?□ Concentrated vs distributed?□ «DNS-over-cloud»?My choice is «local» vs «remote»
7
Local DNS resolution
Home LAN ISP The Internet
AuthoritativeDNS server(s)
Applications
OSStub
resolver
Resolver(«name server»)
88
Why «local»?
The ISP’s network is the first that youtraverse to get to the Internet, no matter where you goThe ISP is normally in the same country, usually in the same city□ Same jurisdiction□ Same language□ Maybe they suck, but you know how to
reach them
9
Remote DNS resolution
Home LAN ISP The Internet
AuthoritativeDNS server(s)
Applications
OSStub
resolverResolver
(«name server»)
1010
Why «remote»?
It is topologically distant from you□ Often in another countryIt is run by a third party□ For free («public resolver»)
E.g. 8.8.8.8, 9.9.9.9, 1.1.1.1□ Or as a paid premium service
E.g. Cisco Umbrella/OpenDNS
11
3.Consequences of DoH’sdeployment
1212
#1The device-to-resolver connection
is encrypted and hiddeninside Web traffic
13
Remote DNS resolution, intercepted
Home LAN ISP The Internet
AuthoritativeDNS server(s)
Applications
OSStub
resolverResolver
(«name server»)
14
Local DNS resolution, not intercepted unless the ISP is hacked
Home LAN ISP The Internet
AuthoritativeDNS server(s)
Applications
OSStub
resolver
Resolver(«name server»)
15
Remote DNS resolution, proxied by the ISP
Home LAN ISP The Internet
AuthoritativeDNS server(s)
Applications
OSStub
resolverResolver
(«name server»)
TransparentDNS proxy
1616
Is this good or bad?
GoodIf you use remote resolution and are attacked or trackedIf you don’t trust your ISP / itdoes bad thingsto you
IndifferentIf you use localresolution and are attacked or tracked, unlessthe attacker ison the ISP’snetwork
BadIf you trust yourISP / it doesgood things for you
17
It depends.But mostly good.
1818
#2Each application can use a different
resolver (DNS becomesan application level service,
not a network one)
1919
Is this good or bad?
GoodIf the applicationmaker is smarterthan the user, and is honestIf you don’t trust your OSIf the OS’s DNS implementationis not goodenough
IndifferentIf all DoHapplicationsused the OS settings
BadIf the applicationmaker issmarter thanthe user, and isdishonestIf the user issmarter thanthe applicationmaker
2020
Is this good or bad?
BadIf eachapplication startspointing you to different IPs for the same nameIf eachapplication startsusing its own(augmented) namespace
BadIf the applicationdoesn’t let youconfigure the DoH serverIf the remote DoH server provided by the applicationmaker fails
BadIf the applicationmaker’sinterests and the user’sinterests are opposite
21
Bad.«Crossing the streams» bad!
2222
#3Each application maker gains
control of resolver choice and can hardwire a remote resolver list
23
A consequence of deployment policies
Mozilla’s announcement from May 2018
24
Mozilla’s resolver accreditation policyBromite’s
configurationscreen
2525
The real change
Now (and for the last 20 years)
Local resolution is the defaultYou get the nearestresolver when youconnectYou can set your resolveronce for all in your OS
In the DoH futureRemote resolution with multiple servers is the defaultYou get the applicationmaker’s resolver whenyou install the appYou have to set yourresolver for every new application
2626
What does this mean?
2727
New gatekeepers + Concentration
NowDNS traffic is spread across hundreds of thousands of serversAnd they are everywhereacross the worldAnd you can easily pickthe server you want
In the DoH futureFour browser makersthat have 90% of the market control 90% of the world’s Web trafficresolutionsAnd they are all in the same country and jurisdictionHow easily can youchoose?
2828
Privacy ?
NowYour queries can be sniffedYou are covered by yourown country’s privacy, law enforcement and neutrality rulesYour DNS is normallysupplied by a company that does not live off targeted advertising
In the DoH futureYour queries cannot be sniffedYour DNS data will be subject to the resolver’sprivacy, law enforcementand neutrality rulesMany of the likely DNS providers live off data monetization (and use cookies / fingerprinting)
2929
Freedom from censorship ?
NowYou get the DNS-basedcontent filters mandatedby the law of yourcountry
In the DoH futureYou get the DNS-basedcontent filters mandatedby the law of the remote resolver’s countryAnd your country maystart mandating IP address filters as a response
3030
Network neutrality ?
NowYour ISP may break network neutrality, unlessthere are laws to preventthis
In the DoH futureYour application maker or resolver operator maybreak network neutrality, unless there are laws to prevent this
3131
Performance ?
NowThe application has to wait for the OSYour local resolver isnear, though it can be slow and unreliableYour local resolver getsthe topologically betterresult from CDNs
In the DoH futureThe application doesn’thave to wait for the OSYour remote resolver isfar, but it could stillperform betterYour remote resolvercannot get the topologically betterresult from CDNs unlessit violates your privacy
3232
Security ?
NowYour ISP can blockbotnets and malwarewith localized DNS filtersYour ISP can detectnetwork problems and infections via the DNSYour ISP can use split horizon, local names…
In the DoH futureWill your remote resolverget real-time threatfeeds for your country?Your ISP will be blindLocal names won’t work any moreDoH can be used for data exfiltration
3333
User empowerment ?
NowYou can easily pick a different serverYou can get DNS-basedservices (parental control…) from whomever you wantYou can easily know whereall your queries goSmarter users expectthings to work this way
In the DoH futureYou have to change the server in each app, and not all apps may let youAll other DNS-basedservices stop workingYour queries go whereverthe app wantsNo one expects or understands the change
3434
Privacy in transport != Privacy
Concentration + Less user control = Surveillance point
Changing the entity in charge !=More freedom
3535
Is this good or bad?Good
If you are a dissidentwithout a clueIf you trust Google/Apple/ Mozilla/Cloudflare more than your ISPIf you trust the U.S. government and lawsmore than yoursIf you don’t care aboutcentralization
BadIf you are ok with yourcurrent resolverIf you like to control DNS If you trust your ISP more than Google etc.If you trust your owngovernment and laws more than the U.S. onesIf you are worried about the centralization of the net
36
It depends.But mostly bad.
Especially without appropriate policies.
37
4.The DoHdilemma(s)
3838
The user? The ISP? The browser?
Who should choosethe device’s resolver?
3939
Who should be entitledto apply policies to your DNS?
The network administrator?
The resolver?The government?
4040
Where shouldthe issues be discussed?
By regulators?
At ICANN?At IETF?
4141
Work to do
TechnicalDiscoveryprotocolPending IETF drafts: server BCPs, client BCPs…Missing piecesMonitoring and research
Policy / CommunityIndependenttrusted resolveraccreditationDeployment promotion and user educationEx post analysison IETF processshortcomings
RegulatoryJurisdictionissuesLaw enforcementmechanismsContent control responsibilitiesService liabilities
EuroDIGworkshop
June 20, The Hague
42
Thanks!Any questions?You can find me at
@vittoriobertolavittorio.bertola@open-xchange.com
Credits: Original presentation template by SlidesCarnival modified by myself License: This presentation is distributed under a Creative Commons Attribution (CC-BY) license