DNS-over-HTTPS (DoH) — privacy and security

Within the next few years, the DNS-over-HTTPS (DoH) protocol is likely to become an important component of internet connectivity. The Internet Engineering Task Force (IETF) process of taking DoH from a conceptual idea to a Request for Comments (RFC) document has been fast compared to other standards, which on average take two to three years [1]. It took about a year to publish the DoH RFC 8484 filed by P. Hoffman (from ICANN) and P. McManus (from Mozilla) [2].

Since DNS resolution is an integral part of users connecting to the Internet and accessing web resources, privacy becomes a concern. DoH is set to protect DNS users from surveillance and manipulation by encrypting the plain-text DNS protocol over HTTPS [3]. Unlike DNS over TLS (DoT), which uses a dedicated port, DoH cloaks DNS traffic within regular HTTPS traffic in a way that cannot be easily detected or blocked. However, data collected to study DoH security shows that it is possible to fingerprint DoH traffic and distinguish it from regular user-generated HTTPS traffic. This is mainly possible because the payload size in DoH traffic is consistently smaller than in regular HTTPS traffic, which tends to fill the maximum transmission unit (MTU) [4]. Johannes Ullrich (2019), in a similar analysis, points out that if you see long-lasting TLS connections with payloads that rarely exceed a kilobyte, you have probably got a DoH connection [5]. Padding DoH traffic might help it blend in even better with other HTTPS traffic.
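The heuristic quoted above (long-lasting TLS connections whose payloads rarely exceed a kilobyte) can be written as a check over flow records. This is an added example, not code from the cited analyses; the `TlsFlow` record layout, the thresholds and the sample flows are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import List

# Thresholds are assumptions for illustration, not values from the cited studies.
MIN_DURATION_S = 300        # what counts as a "long-lasting" TLS connection
SMALL_PAYLOAD_BYTES = 1024  # "rarely exceed a kilobyte"
MIN_SMALL_FRACTION = 0.95   # "rarely": at least 95% of payloads are small
MIN_RECORDS = 20            # too few records gives no basis for a verdict

@dataclass
class TlsFlow:  # hypothetical record, e.g. built from a flow or TLS log export
    dst: str
    dst_port: int
    duration_s: float
    payload_sizes: List[int]  # TLS application-data record sizes in bytes

def small_fraction(flow: TlsFlow) -> float:
    """Share of records at or below the small-payload threshold."""
    if not flow.payload_sizes:
        return 0.0
    small = sum(1 for size in flow.payload_sizes if size <= SMALL_PAYLOAD_BYTES)
    return small / len(flow.payload_sizes)

def looks_like_doh(flow: TlsFlow) -> bool:
    """Long-lived HTTPS flow made up almost entirely of small payloads."""
    return (flow.dst_port == 443
            and flow.duration_s >= MIN_DURATION_S
            and len(flow.payload_sizes) >= MIN_RECORDS
            and small_fraction(flow) >= MIN_SMALL_FRACTION)

def flag_candidates(flows: List[TlsFlow]) -> List[str]:
    """Destinations worth reviewing as possible DoH resolvers."""
    return [flow.dst for flow in flows if looks_like_doh(flow)]

# Constructed sample flows (documentation address ranges, made-up sizes).
SAMPLE_FLOWS = [
    TlsFlow("192.0.2.53", 443, 1800.0, [90, 140, 75, 210, 130] * 8),    # long, all small
    TlsFlow("198.51.100.20", 443, 12.0, [1400] * 30 + [600]),           # short bulk download
    TlsFlow("203.0.113.7", 443, 900.0, [1400, 1400, 300, 1400] * 10),   # long, MTU-filling
    TlsFlow("192.0.2.99", 443, 600.0, [120, 95]),                       # too few records
]

if __name__ == "__main__":
    for dst in flag_candidates(SAMPLE_FLOWS):
        print("possible DoH resolver:", dst)
```

A match is a lead for review rather than proof: other long-lived, low-volume HTTPS sessions can fit the same profile, so the thresholds need tuning against the local traffic baseline.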

In an attempt to improve user privacy, DoH prevents eavesdropping and malicious redirection of DNS traffic [6]. The effects of DoH on an enterprise setup are, however, different. Security control devices that filter and monitor DNS requests for threat detection are rendered ineffective [7]. DNS data is important in unveiling malicious activities in a network where traditional security tools are bypassed, for instance in identifying data exfiltration via DNS tunneling or egress malware traffic [8]. At least one malware family, the Godlua Backdoor, is already abusing DoH [9]. A possible implication of this is a lack of visibility into users’ online activities for legitimate purposes, both at the enterprise and ISP levels [10]. In addition, network operators who use their DNS servers to route traffic to the correct regional CDN will be hindered, which might affect the Quality of Experience (QoE) for end-users [11].

DoH has transformed DNS into an application-level service. Each individual application can use its own name server without being managed by the operating system. This makes it difficult to troubleshoot internet connectivity on a client endpoint [12]. Software vendors are already adopting DoH: Mozilla has enabled the DoH feature in Firefox and intends to make it the default option, redirecting all DNS queries to their own name server in conjunction with Cloudflare. DoH adoption can lead to DNS name resolution being controlled by a few over-the-top (OTT) technology companies such as Cloudflare, Google, and IBM [13]. There would, therefore, seem to be a definite need for enterprises to set up their own DoH servers to manage their intranet services and gain insight into network activities within their perimeters.

DoH is fueling the trend towards OTT DNS. If all four major browsers (Firefox, Chrome, Safari, and Internet Explorer/Edge), which together have 90% of the market share, set DoH as a default, they would control 90% of the world’s Web traffic resolutions [14]. The four major browser makers are all in the same country and jurisdiction, the United States of America. When these third-party resolvers are employed, trust shifts from local DNS providers to third-party organizations, which might still collect information about DNS queries for other business benefits such as geographically targeted ads [15].

Kevin Borgolte et al. (2019) performed a load time comparison between default recursors and open DoH recursors operated by cloud providers under emulated conditions. Their findings show that the choice of DoH provider can significantly affect the QoE for end-users [16]. Another possible area of future research would be to investigate how clients could detect rogue DoH providers that would pose a security threat to them.

There is an exciting opportunity to advance our knowledge of DoH and its impact from a consumer point of view (an interesting area for policy) by providing data that can be explored further to draw more insights. Users need to understand the benefits of adopting DoH and its trade-offs.

References

1 — IETF, “RFC 8484 — DNS Queries Over HTTPS (DoH)”, 2019, https://tools.ietf.org/html/rfc8484. Accessed Dec 2019.

2 — Datatracker.Ietf.Org, “History For Draft IETF DOH-DNS-Over-HTTPS-14”, 2019, https://datatracker.ietf.org/doc/rfc8484/history/. Accessed Dec 2019.

3 — Hunter, Max. “Encrypted DNS Could Help Close The Biggest Privacy Gap On The Internet. Why Are Some Groups Fighting Against It?”. Electronic Frontier Foundation, 2019.

4 — Sandra Siby et al, DNS Privacy not so private: the traffic analysis perspective, pg 2

5 — Johannes B. Ullrich, Ph.D., Dean of Research, SANS Technology Institute, “Is It Possible To Identify DNS Over Https Without Decrypting TLS?”. SANS Internet Storm Center (https://isc.sans.edu/diary/rss/25616), 2019.

6 — David Roth, John Worley, et al. DNS Privacy, concerns, issues and technologies, 2019.

7 — Adam Networks, “DNS over TLS or HTTPS — the rest of the story”, Sep. 2018, pg 3

8 — Drew Hjelm, “A New Needle and Haystack: Detecting DNS over HTTPS Usage”, SANS Institute, 2019.

9 — 360 Netlab, “An Analysis Of Godlua Backdoor”, Network Security Research Lab At 360, 2019, https://blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/. Accessed Dec 2019.

10 — Andy Fidler, Potential ISP Challenges with DNS over HTTPS. BT Technology, April 2019.

11 — Alan Jones, DNS-over-HTTPS: how Does It Affect User Quality of Experience?, NetForecast, Sep. 2019.

12 — Vittorio Bertola, DNS-over-HTTPS Public Policy Briefing. Open-Xchange, Nov. 2018, pg 7

13 — OX Whitepaper, 2019 DNS-over-HTTPS, and the Rise of OTT DNS.

14 — Vittorio Bertola, DNS Symposium 2019. The DoH dilemma — Impacts of DNS-over-HTTPS on how the Internet works.

15 — Fernando Gont, DNS Privacy — Frequently Asked Questions (FAQ). Internet Society, March 2019, pg 6

16 — Kevin Borgolte, Tithi, et al. How DNS over HTTPS is Reshaping Privacy, performance, and Policy in the Internet Ecosystem. Princeton University and The University of Chicago, 2019 pg 4–5.
