DNS over HTTPS

DNS over HTTPS (DoH) is a protocol for performing remote Domain Name System (DNS) resolution via the HTTPS protocol. A goal of the method is to increase user privacy and security by preventing eavesdropping on and manipulation of DNS data by man-in-the-middle attacks,[1] using HTTPS to encrypt the traffic between the DoH client and the DoH-based DNS resolver. Encrypting the transport is not by itself a privacy guarantee: the resolver still sees every query in the clear, so the choice of resolver matters (see Criticism below). By March 2018, Google and the Mozilla Foundation had started testing versions of DNS over HTTPS.[2][3] In February 2020, Mozilla launched a version of Firefox that encrypts domain names by default for US-based users.[4]

DNS over HTTPS
Communication protocol
Purpose: encapsulate DNS in HTTPS for privacy and security
Introduced: October 2018
OSI layer: Application layer
RFC(s): RFC 8484

In addition to improving security, another goal of DNS over HTTPS is to improve performance: testing of ISP DNS resolvers has shown that many have slow response times, a problem that is exacerbated by the need to resolve many hostnames when loading a single web page.[1]

Technical detail

DoH is a proposed standard, published as RFC 8484 (October 2018) by the IETF. It runs over HTTPS, with HTTP/2 recommended as the minimum HTTP version, and carries the existing DNS wire format (the same bytes used in UDP and TCP DNS messages) as an HTTPS payload with the media type application/dns-message; a query is sent either as a base64url-encoded GET parameter named dns or as the raw body of a POST.[1][5] If HTTP/2 is used, the server may also use HTTP/2 server push to send values that it anticipates the client may find useful in advance.[6]
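The following is an added example, not code from the RFC or from any implementation the article mentions. It builds an RFC 8484 query message, shows the GET form (base64url-encoded dns parameter, padding removed) and the POST form (raw application/dns-message body), and parses a constructed wire-format answer of the kind a DoH server returns; the same framing is what a forwarding proxy in the deployment scenarios below applies to each port-53 query it receives. The sample response bytes and the address in them are constructed for the example. Transport over HTTP/2 and TLS is left to an HTTP client library; the code shows only what goes into and comes out of it.

```python
import base64
import struct

# Added example (not from the RFC or the article): build an RFC 8484 query
# message, encode it for the GET and POST request forms, and parse a
# constructed wire-format answer such as a DoH server returns in an
# application/dns-message body.

DOH_MEDIA_TYPE = "application/dns-message"
QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name):
    """Hostname -> DNS label sequence (length-prefixed labels, root label 0)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=QTYPE_A):
    """Wire-format query. RFC 8484 says the ID SHOULD be 0 so that the same
    question always yields the same bytes and HTTP caches can serve it."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # ID=0, RD=1, QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def doh_get_param(wire):
    """Value of the ?dns= parameter: base64url with the '=' padding removed."""
    return base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")


def doh_request(wire, method="GET", path="/dns-query"):
    """Method, path, headers and body for the two RFC 8484 request forms."""
    headers = {"Accept": DOH_MEDIA_TYPE}
    if method == "GET":
        return {"method": "GET", "path": path + "?dns=" + doh_get_param(wire),
                "headers": headers, "body": b""}
    headers["Content-Type"] = DOH_MEDIA_TYPE
    return {"method": "POST", "path": path, "headers": headers, "body": wire}


def _read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer into an earlier part of msg
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if jumped else off)


def parse_response(msg):
    """Parse the header, skip the question, return answers as (name, type, ttl, rdata)."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)  # render A record as dotted quad
        answers.append((name, rtype, ttl, rdata))
    return {"id": qid, "rcode": flags & 0xF, "answers": answers}


# Constructed answer for build_query("example.com"): QR=1, RD=1, RA=1, the
# question echoed, one A record whose owner name is a pointer (0xC00C) to offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 3600, 4)
    + bytes([93, 184, 216, 34])
)

if __name__ == "__main__":
    print(doh_request(build_query("www.example.com"))["path"])
    print(parse_response(SAMPLE_RESPONSE))
```

The GET form is the cache-friendly one: with ID 0 and no padding, every client asking the same question produces the identical URL, which is why the RFC recommends it for queries that fit. A client validating responses should check that the answer's question section matches what it sent, since the zero ID no longer serves as a correlation token.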

DoH is a work in progress. Even though the IETF has published RFC 8484 as a proposed standard and companies are experimenting with it,[7][8] the IETF has yet to settle how it should best be deployed. It is evaluating a number of approaches for deploying DoH and is looking to set up a working group, Adaptive DNS Discovery (ADD), to do this work and develop a consensus. In addition, other industry working groups such as the Encrypted DNS Deployment Initiative have been formed to "define and adopt DNS encryption technologies in a manner that ensures the continued high performance, resiliency, stability and security of the Internet’s critical namespace and name resolution services, as well as ensuring the continued unimpaired functionality of security protections, parental controls, and other services that depend upon the DNS".[9]

Many issues with how to properly deploy DoH are still being worked out by the internet community, including but not limited to:

  • Parental controls and content filters
  • Split DNS in Enterprises
  • CDN Localization
  • Interoperability with 5G networks

Deployment scenarios

DoH is used by DNS clients (stub resolvers or applications) to obtain recursive resolution from a DoH server; the client must know the URI of a DoH server hosting a query endpoint.[6]

At the time of writing, DoH has little native support in operating systems (see Operating system support below), so a user wishing to use it generally must install additional software. Several usage scenarios are common:

  • Using a DoH implementation within an application: Some browsers have a built-in DoH implementation and can thus perform queries while bypassing the operating system's DNS functionality. A drawback is that an application may not inform the user if it skips DoH querying, whether through misconfiguration or lack of support for DoH.
  • Installing a DoH proxy on the name server in the local network: In this scenario client systems continue to use conventional DNS (UDP/TCP port 53, or DNS over TLS on port 853) to query the name server in the local network, which then obtains the necessary replies via DoH by reaching DoH servers on the Internet. This method is transparent to the end user.
  • Installing a DoH proxy on a local system: In this scenario, operating systems are configured to query a locally running DoH proxy. In contrast to the previously mentioned method, the proxy needs to be installed on each system wishing to use DoH, which might require a lot of effort in larger environments.
  • Installing a DoH resolving plugin for the operating system

In all of these scenarios, the DoH client does not directly query any authoritative name servers. Instead, the client relies on the DoH server, which in turn uses conventional DNS (port 53, or DNS over TLS on port 853) to reach authoritative servers. DoH is therefore not end-to-end encryption of name resolution: it encrypts only the hop between client and resolver, and the resolver's upstream hops are protected only where DNS over TLS (or another encrypted transport) is used consistently on them.

Public DNS servers using DoH

DNS over HTTPS server implementations are available free of charge from some public DNS providers.[10] See public recursive name server for an overview.

Operating system support

Windows

In November 2019, Microsoft announced plans to implement support for encrypted DNS protocols in Microsoft Windows, beginning with DoH.[11] In May 2020, Microsoft released Windows 10 Insider Preview Build 19628 that included initial support for DoH.[12]

DNS queries can be upgraded to DoH for any server which supports DoH using four steps (subject to change).[13] For example, to upgrade queries to DoH for Google DNS:

  1. Create a Registry DWORD named EnableAutoDoh with a value of 2 in the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters
  2. In an elevated Command Prompt, type: netsh dns add encryption server=8.8.8.8 dohtemplate=https://dns.google/dns-query
  3. Change the DNS resolver in Windows to 8.8.8.8
  4. Reboot to restart the DNS client service

Criticism

Information disclosed in plain-text DNS is also available in other plain-text communications

DoH encrypts only the communication with the DNS resolver, not the other protocols in which the same information appears. The domain names requested in DNS queries can be disclosed in non-encrypted portions of the TLS handshake, such as the Server Name Indication (SNI) field in the ClientHello and, in TLS versions prior to 1.3, the unencrypted server certificate.[14][15] The IP addresses carried in DNS response payloads can still be inferred by a network-based observer once the client initiates communication with that IP address. For this reason, some technology journalists (e.g., Lee Hutchinson, Senior Technology Editor at Ars Technica) have argued that DoH provides a false sense of security.[16]

Advocates of DoH acknowledge this problem and say those plaintext protocols should be updated as well. TLS 1.3 already encrypts the server certificate, and web servers that additionally support the Encrypted Client Hello (ECH) extension (previously known as ECHO and Encrypted Server Name Indication (ESNI)) allow the client to encrypt the ClientHello itself, including the SNI field, so that neither the name nor the certificate is visible on the wire.
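The following is an added example, not code from the article or from any of the projects it describes. It shows concretely what an on-path observer still sees after DoH has hidden the DNS lookup: a constructed TLS ClientHello is built with a Server Name Indication extension and then parsed the way a passive sensor would parse it. The same observation cuts both ways for the monitoring concerns raised later on this page: a DoH session to a public resolver is itself a TLS connection whose SNI names the resolver. The list of DoH hostnames is an assumption for the example and is illustrative, not exhaustive; the ClientHello is constructed and is not a usable handshake message.

```python
import struct

# Added example (not from the article): what an on-path observer still sees
# after DoH has hidden the DNS lookup. The TLS ClientHello carries the
# requested hostname in clear text in the Server Name Indication extension
# (type 0) unless Encrypted Client Hello is used. A constructed ClientHello
# is built and then parsed the way a passive sensor would parse it.

SNI_EXT = 0x0000
# Illustrative public DoH hostnames to flag; an assumed list for the example.
KNOWN_DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "mozilla.cloudflare-dns.com"}


def build_client_hello(server_name):
    """Minimal TLS record wrapping a ClientHello with one cipher suite and an
    SNI extension. Enough for parsing; not a usable handshake message."""
    host = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(host)) + host      # name_type host_name(0)
    name_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", SNI_EXT, len(name_list)) + name_list
    body = (b"\x03\x03" + bytes(32)                            # version, random (zeros)
            + b"\x00"                                          # empty session_id
            + b"\x00\x02\x13\x01"                              # TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                                      # null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from a ClientHello record, or None if absent/malformed."""
    try:
        if record[0] != 0x16:                                  # not a handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                                      # not a ClientHello
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        off = 2 + 32                                           # version + random
        off += 1 + body[off]                                   # session_id
        off += 2 + struct.unpack("!H", body[off:off + 2])[0]   # cipher_suites
        off += 1 + body[off]                                   # compression_methods
        if off + 2 > len(body):
            return None                                        # no extensions block
        end = off + 2 + struct.unpack("!H", body[off:off + 2])[0]
        off += 2
        while off + 4 <= end:
            etype, elen = struct.unpack("!HH", body[off:off + 4])
            data = body[off + 4:off + 4 + elen]
            off += 4 + elen
            if etype != SNI_EXT:
                continue
            p, list_end = 2, 2 + struct.unpack("!H", data[:2])[0]
            while p + 3 <= list_end:
                ntype, nlen = data[p], struct.unpack("!H", data[p + 1:p + 3])[0]
                if ntype == 0:
                    return data[p + 3:p + 3 + nlen].decode("ascii")
                p += 3 + nlen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                                            # truncated or garbage input


def classify(record):
    """Label a flow by its SNI: the DoH resolver itself, a web site, or unknown."""
    sni = extract_sni(record)
    if sni is None:
        return "no-sni"
    return "doh-resolver" if sni in KNOWN_DOH_HOSTS else "site:" + sni


if __name__ == "__main__":
    for host in ("example.com", "mozilla.cloudflare-dns.com"):
        print(host, "->", classify(build_client_hello(host)))
```

With ECH deployed, the ClientHello an observer sees carries only the public name of the fronting provider, and extract_sni would return that rather than the real destination; without it, DoH hides the lookup but not the subsequent connection.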

Shifting origin of trust

Any DNS client implicitly trusts the DNS resolver(s) that it uses. DoH ensures authenticity, integrity and confidentiality of the channel to the resolver, but it cannot ensure the honesty of the resolver itself, which sees every query in the clear.

Currently, DoH implementations in web browsers rely on third-party DNS providers, which is contrary to the decentralized nature of DNS and may have privacy implications.[15] OpenBSD has disabled DoH by default in its builds of Firefox due to the use of Cloudflare services for this feature.[17] Chrome will use DoH only if the user's chosen DNS provider is known to support it, although Google did face accusations by U.S. ISPs that it was using the implementation to force users onto its Google Public DNS service.[15][18][19]

The DNS server assigned by Internet Service Providers is typically located in the country where the user lives, and is thus in the same jurisdiction. DNS over HTTPS as implemented in browsers used, as of May 2020, exclusively DoH servers hosted by American companies. Because US law extends to all servers operated by American companies regardless of the physical location of the data, non-US persons using such services may have less privacy protection than their own country would offer.[20]

Interoperability with Parental Controls and DNS-level content filters

DoH can impede analysis and monitoring of DNS traffic for cybersecurity purposes; the 2019 DDoS malware Godlua used DoH to mask connections to its command-and-control server.[15][21] It is argued that DoH could bypass content-control software and enterprise DNS policies.[15]

The Internet Service Providers Association (ISPA)—a trade association representing UK ISPs—and the Internet Watch Foundation have criticized Mozilla, developer of the Firefox Web browser, for supporting DoH, as they believe that it will undermine web blocking programs in the country, including ISP default filtering of adult content, and mandatory court-ordered filtering of copyright violations. The ISPA nominated Mozilla for its "Internet Villain" award for 2019 (alongside the EU Directive on Copyright in the Digital Single Market, and Donald Trump), "for their proposed approach to introduce DNS-over-HTTPS in such a way as to bypass UK filtering obligations and parental controls, undermining internet safety standards in the UK." Mozilla responded to the allegations by the ISPA, arguing that it would not prevent filtering, and that they were "surprised and disappointed that an industry association for ISPs decided to misrepresent an improvement to decades-old internet infrastructure".[22][23] In response to the criticism, the ISPA apologized and withdrew the nomination.[24][25] Mozilla subsequently stated that DoH will not be used by default in the UK market until further discussion with relevant stakeholders, but stated that it "would offer real security benefits to UK citizens".[26]

Software support

Firefox

In 2018 Mozilla partnered with Cloudflare to deliver DoH for users that enable it. Firefox 73 added another resolver to the options, NextDNS.[27] On February 25, 2020, Firefox started enabling DNS over HTTPS for all US-based users, relying on Cloudflare's resolver.[28] On June 3, 2020 Firefox 77.0.1 disabled NextDNS by default because the high load on the NextDNS servers caused by Firefox users was "effectively DDoS'ing NextDNS" (NextDNS is still available in the settings, just not enabled by default).[29] In June 2020, Mozilla announced plans to add Comcast to the list of trusted DoH resolvers (a surprise, since Comcast had previously fought DoH, lobbying the US Congress with letters and presentations).[30]

dnscrypt-proxy

dnscrypt-proxy was the first mainstream open-source client implementation of the DoH specification. The software already implemented DNS encryption using the DNSCrypt protocol, along with features such as filtering and caching, and version 2 had been designed from the ground up to support additional protocols. DoH support was added when the first draft was published and was updated as new revisions appeared. DNS Stamps, a specification that encodes the set of parameters needed to connect to a DoH server as a short string, was designed for it. At the same time, the DNSCrypt organization responsible for the project developed an open-source DoH server and deployed the doh.crypto.sx service, demonstrating that DoH could work over a CDN (Cloudflare). Cloudflare announced its own DNS and DoH service a couple of weeks later.

YogaDNS

In 2019 Initex, the developer of the Proxifier app, made the first beta release of YogaDNS for Windows; as of 2020 it is still in beta. It includes system-wide support for DNS over HTTPS, DNS over TCP, and secure DNS (ssdns). Additional features include a hosts file, logging to screen and file, using several DNS servers at once, and rules that decide which domains are resolved by which server, with priorities. The app works only on Windows 7 and later.

Acrylic DNS Proxy

In 2019 Acrylic added support for DoH alongside its existing support for DNS over TCP, UDP, and SOCKS5. The app is available in installable and portable editions and works on Windows XP and later.

Chrome

DNS over HTTPS is enabled in Chrome 83 for a small number of users, configurable via the chrome://flags URL. If the operating system is configured with a supported DNS server, Chrome will upgrade DNS queries to be encrypted.[31]

Opera

Opera has support for DoH, configurable via the opera://flags URL. By default, DNS queries are sent to Cloudflare servers.[32]

Nebulo

Nebulo is an Android app that provides DoH support. It works as a VPN service app, as many DNS and VPN apps on Android do. It is still in beta.

Edge

Edge has support for DoH, configurable via the edge://flags URL. If the operating system is configured with a supported DNS server, Edge will upgrade DNS queries to be encrypted.[32]

References

  1. Chirgwin, Richard (14 Dec 2017). "IETF protects privacy and helps net neutrality with DNS over HTTPS". The Register. Retrieved 2018-03-21.
  2. "DNS-over-HTTPS | Public DNS | Google Developers". Google Developers. Retrieved 2018-03-21.
  3. Cimpanu, Catalin (2018-03-20). "Mozilla Is Testing "DNS over HTTPS" Support in Firefox". BleepingComputer. Retrieved 2018-03-21.
  4. ""A long-overdue technological shift toward online privacy": Firefox encrypts domain names. Google to follow". What’s New in Publishing | Digital Publishing News. 2020-02-26. Retrieved 2020-02-26.
  5. Hoffman, P; McManus, P. "RFC 8484 - DNS Queries over HTTPS". datatracker.ietf.org. Retrieved 2018-05-20.
  6. Hoffman, P; McManus, P. "draft-ietf-doh-dns-over-https-08 - DNS Queries over HTTPS". datatracker.ietf.org. Retrieved 2018-05-20.
  7. "Experimenting with same-provider DNS-over-HTTPS upgrade". Chromium Blog. Retrieved 2019-09-13.
  8. Deckelmann, Selena. "What's next in making Encrypted DNS-over-HTTPS the Default". Future Releases. Retrieved 2019-09-13.
  9. "About". Encrypted DNS Deployment Initiative. Retrieved 2019-09-13.
  10. "DNS over HTTPS Implementations". 2018-04-27. Retrieved 2018-04-27.
  11. Gallagher, Sean (2019-11-19). "Microsoft says yes to future encrypted DNS requests in Windows". Ars Technica. Retrieved 2019-11-20.
  12. "Announcing Windows 10 Insider Preview Build 19628". 13 May 2020. Retrieved 13 May 2020.
  13. "Windows Insiders can now test DNS over HTTPS". Retrieved 12 June 2020.
  14. "A Controversial Plan to Encrypt More of the Internet". Wired. ISSN 1059-1028. Retrieved 2019-11-19.
  15. Cimpanu, Catalin. "DNS-over-HTTPS causes more problems than it solves, experts say". ZDNet. Retrieved 2019-11-19.
  16. "Firefox turns encrypted DNS on by default to thwart snooping ISPs". ArsTechnica. Retrieved 2020-02-25.
  17. "Google Unveils DNS-over-HTTPS (DoH) Plan, Mozilla's Faces Criticism". BleepingComputer. Retrieved 2019-09-14.
  18. Tung, Liam. "DNS over HTTPS: Google hits back at 'misinformation and confusion' over its plans". ZDNet. Retrieved 2019-11-19.
  19. Lee, Timothy B. (2019-09-30). "Why big ISPs aren't happy about Google's plans for encrypted DNS". Ars Technica. Retrieved 2019-11-19.
  20. "Centralised DoH is bad for Privacy, in 2019 and beyond". Retrieved 2020-05-07.
  21. Cimpanu, Catalin. "First-ever malware strain spotted abusing new DoH (DNS over HTTPS) protocol". ZDNet. Retrieved 2019-11-19.
  22. Cimpanu, Catalin. "UK ISP group names Mozilla 'Internet Villain' for supporting 'DNS-over-HTTPS'". ZDNet. Retrieved 2019-07-05.
  23. "Internet group brands Mozilla 'internet villain' for supporting DNS privacy feature". TechCrunch. Retrieved 2019-07-19.
  24. "British ISPs fight to make the web LESS secure". IT PRO. Retrieved 2019-09-14.
  25. Patrawala, Fatema (2019-07-11). "ISPA nominated Mozilla in the "Internet Villain" category for DNS over HTTPs push, withdrew nominations and category after community backlash". Packt Hub. Retrieved 2019-09-14.
  26. Hern, Alex (2019-09-24). "Firefox: 'no UK plans' to make encrypted browser tool its default". The Guardian. ISSN 0261-3077. Retrieved 2019-09-29.
  27. Mozilla. "Firefox Announces New Partner in Delivering Private and Secure DNS Services to Users". The Mozilla Blog. Retrieved 2020-02-25.
  28. Deckelmann, Selena. "Firefox continues push to bring DNS over HTTPS by default for US users". The Mozilla Blog. Retrieved 2020-05-28.
  29. "Firefox 77.0.1 will be released today to fix one issue - gHacks Tech News". www.ghacks.net. Retrieved 2020-06-09.
  30. Brodkin, Jon (2020-06-25). "Comcast, Mozilla strike privacy deal to encrypt DNS lookups in Firefox". Ars Technica. Retrieved 2020-06-26.
  31. "DNS over HTTPS (aka DoH)". Retrieved 23 May 2020.
  32. "Here's how to enable DoH in each browser, ISPs be damned". Retrieved 28 May 2020.
This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.