How does DNS over HTTPS work, and who needs it?

Mozilla and Google are investing heavily in implementing DoH (DNS over HTTPS), promising users greater security and privacy. Firefox already has it enabled, Chrome will test it in version 79, and even Microsoft promises to implement it in Windows. At the same time, many criticize the technology, and Mozilla has earned a nomination for the title of “Internet Villain of the Year” for its efforts. Let’s see how DNS over HTTPS works and who does not benefit from its implementation.

How DNS works

For order and context, let us briefly recall the basics. The Domain Name System (DNS) is one of the technologies at the heart of today’s Internet. It maps human-friendly domain names to numerical IP addresses, and it works on the principle of hierarchical interaction between DNS servers.

An important point: this system was designed in 1983 and therefore has some security problems. After all, the Internet at the time was a network connecting American scientific and military institutions, and nobody planned to connect just anyone to it.

DNS query and DNS response in the basic DNS design

In short, the gist of the problem is that the basic DNS system accepts and relays any request that comes in. Like many other designs from the dawn of the Internet, it has no protection against malicious use. In those days, simplicity and scalability were considered the main things.

As a result, various attack vectors against DNS servers appeared (for example, DNS cache poisoning or DNS interception). The result of such attacks is that the client’s browser is redirected somewhere the user never intended to go.

To combat these problems, the Internet Engineering Task Force (IETF) developed the DNSSEC set of extensions, which added public-key signature verification to DNS. But this set of extensions took a very long time to develop. The problem became apparent in the early 1990s, the direction of work was decided in 1993, the first version of DNSSEC was ready in 1997, they tried to deploy it, they started making changes …

In the end, a version suitable for general use was produced in 2005, and deployment began: distributing a chain of trusted keys across Internet zones and DNS servers. That too took a long time; for example, the .com zone was signed only in March 2011.

If you want to understand in more detail which threats DNSSEC was meant to protect DNS from, read the IETF’s 2004 threat analysis report. As its authors write, ten years after work began, it was time to write down which problems were being fought and exactly how.

But DNSSEC solves only part of the problem: it guarantees the authenticity and integrity of the data, but not your privacy. Encryption is the logical means toward that goal. The question is how to implement it.

DNS encryption options

Several development groups have proposed their own technical solutions. Among them are some that use their own encryption schemes, such as DNSCrypt or DNSCurve (which uses elliptic-curve cryptography). But the solutions that proved more popular are based on the widely used TLS security protocol. These are DoT (DNS over TLS) and DoH, the main topic of this article.

DoT, as its name implies, uses the TLS protocol for the encrypted transmission of DNS queries. This implies a change in the main ports and protocols: instead of UDP on port 53, TCP is used on port 853.

DoH is different and uses TLS differently. In DoH, TLS encryption is applied at the HTTPS level: DNS messages are carried inside HTTPS requests sent to the HTTPS port of the DNS resolver.

Sounds complicated? Jan Schaumann explains it with great precision and clarity:

Since HTTPS uses TLS, one could argue that, technically, DoH is also DNS over TLS. But that would be wrong. DoT sends basic DNS protocol requests over a TLS connection on a separate dedicated port. DoH uses HTTP at the application layer to send requests to the server’s HTTPS port, using and including all the elements of regular HTTP messages.

DoH: DNS messages wrapped in HTTPS
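To make the difference between the three framings concrete, here is an added example (not code from the original article or from any DoT/DoH implementation). It builds one plain DNS query for example.com in Python, frames it the way DoT would (a 2-byte length prefix, sent inside TLS on TCP/853) and the way DoH does (base64url in a GET dns= parameter, or as an application/dns-message POST body), and then parses a constructed response body of the kind a DoH resolver returns. The endpoint https://doh.example/dns-query, the answer address 192.0.2.1 and the response bytes are all constructed for illustration; the transport itself (TLS sockets, the HTTP client) is deliberately left out so that everything runs offline.

```python
import base64
import struct

# Constructed sample query: the A record of example.com (not a real capture).
QNAME = "example.com"
TXID = 0  # RFC 8484 section 4.1: DoH clients SHOULD use ID 0 so identical GET URLs are cacheable

def encode_name(name):
    """Encode a domain name in DNS wire format: length-prefixed labels, zero terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, qtype=1, txid=TXID):
    """Build a plain DNS query (RFC 1035): 12-byte header plus one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1; QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def dot_frame(msg):
    """DoT (RFC 7858): the same message with a 2-byte length prefix, sent inside TLS on TCP/853."""
    return struct.pack("!H", len(msg)) + msg

def doh_get_url(msg, endpoint="https://doh.example/dns-query"):
    """DoH GET (RFC 8484): base64url-encode the message, strip '=' padding, put it in dns=."""
    token = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={token}"

def doh_get_decode(url):
    """Reverse of doh_get_url (what the resolver does): restore padding and decode the message."""
    token = url.split("dns=", 1)[1]
    return base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))

def doh_post_request(msg, endpoint="https://doh.example/dns-query"):
    """DoH POST: the raw DNS message is the HTTP body, typed application/dns-message."""
    headers = {"Content-Type": "application/dns-message", "Accept": "application/dns-message"}
    return {"method": "POST", "url": endpoint, "headers": headers, "body": msg}

def decode_name(msg, offset):
    """Decode a wire-format name, following compression pointers (RFC 1035 section 4.1.4)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte pointer into an earlier part of the message
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), end

def parse_a_records(msg):
    """Walk the answer section of a DNS response and return (name, ttl, ipv4) for each A record."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):
        _, offset = decode_name(msg, offset)
        offset += 4  # skip QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            records.append((name, ttl, ".".join(str(b) for b in rdata)))
    return records

def sample_response():
    """Constructed response body for the query above: one A record, 192.0.2.1 (documentation range)."""
    header = struct.pack("!HHHHHH", TXID, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1; one answer
    question = encode_name(QNAME) + struct.pack("!HH", 1, 1)
    # The answer's owner name is a compression pointer (0xC00C) back to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + answer

if __name__ == "__main__":
    q = build_query(QNAME)
    print("plain DNS over UDP/53 :", q.hex())
    print("DoT frame over TCP/853:", dot_frame(q).hex())
    print("DoH GET               :", doh_get_url(q))
    print("DoH POST content type :", doh_post_request(q)["headers"]["Content-Type"])
    print("parsed DoH response   :", parse_a_records(sample_response()))
```

The DNS message bytes are identical in all three cases; only the envelope changes. DoT wraps them in a length-prefixed TLS stream on a port of their own, while DoH wraps them in ordinary HTTP requests and responses on the same port as every other website, which is exactly why the two look so different to anyone watching the network.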


It is reasonable to ask: what could the problem be here? The more security, the better, right?

The answer lies in the nuances of the chosen solutions, their strengths and weaknesses; that is, in how the new technology interacts with the different participants of the DNS system, which of them its developers consider conditionally trustworthy, and which they treat as sources of threat. And this is not even about hackers with openly criminal goals.

The point is that there are intermediaries between the user’s device and the destination site. The network administrator, the firewall, the Internet provider: each of them can, in its own interest, interact with the DNS system by configuring its DNS resolvers so that requests are monitored, blocked and modified. This is how ads are inserted, malicious content is cut off, and access to certain resources is prevented …

The client-to-server request path can pass through many resolvers

DoT works through TLS with its system of trusted certificates, so it also needs DNS resolvers you can trust. It offers a flexible way to configure the list of trusted resolvers, the ability to change settings centrally in a managed environment (a corporate network, for example), and the ability to fall back to basic DNS if problems with the new version arise.

Since DoT uses a new dedicated port, the traffic can be noticed and its volume monitored; encryption does not prevent that. If you want, you can even block it entirely.

In general, DoT needs to be configured correctly, but it has some extremely useful features for system administrators and network engineers, and many professionals praise DoT for this.

With DoH, the story is different. This technology was designed with user applications, namely browsers, in mind. This is the key detail in the whole story. It means the following: when DoH is used, all traffic not related to the browser goes through basic DNS, but the browser’s traffic ignores any DNS settings (at the operating-system, local-network and provider levels), skips the intermediaries, and goes over HTTPS directly to a resolver that supports DoH.
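The visibility gap described in the two passages above (DoT is noticeable and blockable by its port; DoH hides among ordinary HTTPS and bypasses local resolver settings) can be shown on flow records. The following is an added example, not code from the article or from any product: it classifies constructed connection summaries from a few internal hosts by what a network operator can see without decrypting anything. The KNOWN_DOH_ENDPOINTS set, the hosts and all addresses are hypothetical documentation-range values.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    """One connection summary, as a flow collector would export it (constructed, not a real capture)."""
    src_ip: str
    proto: str       # "udp" or "tcp"
    dst_ip: str
    dst_port: int
    byte_count: int

# Hypothetical: addresses the network team has identified as public DoH endpoints.
# Documentation-range placeholders; a real list must be curated and kept current.
KNOWN_DOH_ENDPOINTS = {"192.0.2.53", "198.51.100.53"}

# Constructed sample flows from three internal hosts.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "udp", "192.0.2.10", 53, 80),         # plain DNS to the site resolver
    Flow("10.0.0.5", "tcp", "192.0.2.10", 853, 1200),      # DoT to the same resolver
    Flow("10.0.0.7", "tcp", "192.0.2.53", 443, 2400),      # browser talking to a DoH endpoint
    Flow("10.0.0.7", "tcp", "203.0.113.80", 443, 52000),   # ordinary web traffic
    Flow("10.0.0.9", "tcp", "203.0.113.80", 80, 900),      # plain HTTP
    Flow("10.0.0.9", "udp", "192.0.2.10", 53, 60),         # plain DNS
]

def classify(flow, known_doh=KNOWN_DOH_ENDPOINTS):
    """Label a flow by what a network operator can see of it without decrypting anything."""
    if flow.dst_port == 53 and flow.proto in ("udp", "tcp"):
        return "dns-plain"      # content visible: can be monitored, filtered or rewritten
    if flow.proto == "tcp" and flow.dst_port == 853:
        return "dot"            # content encrypted, but the dedicated port identifies it
    if flow.proto == "tcp" and flow.dst_port == 443:
        # DoH shares port 443 with all HTTPS: only the destination hints at it.
        return "doh-suspected" if flow.dst_ip in known_doh else "https"
    return "other"

def summarize(flows, known_doh=KNOWN_DOH_ENDPOINTS):
    """Count flows per class; this is the view a port-based DNS policy actually has."""
    return dict(Counter(classify(f, known_doh) for f in flows))

def hosts_bypassing_local_dns(flows, known_doh=KNOWN_DOH_ENDPOINTS):
    """Hosts that reach a known DoH endpoint: their browser lookups skip the local resolver."""
    return sorted({f.src_ip for f in flows if classify(f, known_doh) == "doh-suspected"})

def dns_bytes_by_visibility(flows, known_doh=KNOWN_DOH_ENDPOINTS):
    """Byte totals for plain DNS, DoT and suspected DoH, to see how much resolver traffic went dark."""
    totals = defaultdict(int)
    for f in flows:
        cls = classify(f, known_doh)
        if cls in ("dns-plain", "dot", "doh-suspected"):
            totals[cls] += f.byte_count
    return dict(totals)

if __name__ == "__main__":
    print(summarize(SAMPLE_FLOWS))
    print("hosts bypassing local DNS:", hosts_bypassing_local_dns(SAMPLE_FLOWS))
    print("with an empty endpoint list:", summarize(SAMPLE_FLOWS, known_doh=set()))
```

The point the summary makes: a port-based rule finds plain DNS and DoT with no extra knowledge, while a DoH flow is labelled only because its destination is on a curated list, and it drops back to plain "https" the moment that list is empty or stale.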

And this scheme raises a number of serious questions.


DNS over HTTPS and conspiracy theories

So we come to the story of who nominated Mozilla for “Internet Villain of the Year”. It was the UK Internet Services Providers’ Association (ISPA) and the Internet Watch Foundation. These organizations are responsible for blocking inappropriate content for UK Internet users. They mainly fight child pornography, but they are also interested in piracy, extremism and any other crime. They have also tried, once again, to ban BDSM pornography for British Internet users, but failed.

These organizations therefore believe that implementing DoH will significantly reduce their ability to control access to content. Their concerns are shared not only by providers in other countries but also by cybersecurity professionals, who point out that developers of firewalls and DNS monitoring systems will face the same problems. Corporate network protection will suffer as a result, and employees will gain new opportunities to download malware through a phishing link. Moreover, there are already examples of attackers abusing DoH capabilities.

In the United States, Google and Mozilla have entered a legal battle with providers over DoH. First, providers asked the US Congress to pay attention to the possible consequences of implementing DoH. Google managers hurried to assure everyone that the dangers were exaggerated. Mozilla representatives, for their part, asked Congress to study the providers’ practice of collecting user data, openly hinting that the providers are defending their own particular interests.

The commercial interests of the providers are clear enough. But what are the interests of the advocates of early DoH implementation? Why do Google and Mozilla employees insist in every possible way that this is all only an experiment so far, that if UK users need to be protected from pornography they simply will not be included in the experiment, and that they only want to give users (including residents of authoritarian countries with Internet controls) more privacy and security?

Some experts believe the problem is the DNS resolvers that support DoH. Both Google and Mozilla claim their browsers will choose from a whole list of such resolvers, but in practice Google has its own DNS server, and Mozilla is developing its solution in close cooperation with Cloudflare, which also provides its own DNS.

If you add to this that Chrome is now the most popular browser, a not-so-pleasant picture emerges. In a decentralized and distributed DNS system, a large segment controlled by Google and a smaller segment owned by Cloudflare will appear overnight. Nothing personal.

Browser market share. Chrome leads by a large margin, followed by Safari; everyone else lags far behind

Mozilla, in its FAQ on the DoH implementation, states that Cloudflare’s DNS resolver was not chosen because Cloudflare pays money for it. Mozilla and Cloudflare supposedly have no intention of monetizing the data passing through their servers and are interested only in the fight for privacy and security of Internet use.

Well, by corporate standards Cloudflare is at least a somewhat sincere ally in this fight: the company has repeatedly declared its commitment to the values of Internet freedom, net neutrality and freedom of expression, and in its case such statements work for its image as a major player in the rapidly growing digital privacy and security market. But with Google, things look different.

We remind you separately and specifically: no single technology can give you absolute security on the Web. This article is only about DNS security. The security of other protocols and scenarios of Internet use is not cancelled by it! The worst enemy of security is the belief that you have done enough.

Google is moving fast to monopolize key Internet services, and some are already monopolized. Besides the economic and political aspects, there are purely technical ones. Decentralization was deliberately built into Internet protocols; after all, the modern Internet grew out of American military development, one of whose goals was to keep participants in communication after a nuclear attack. If some disaster physically destroys part of the data centers, servers or communication lines, the Internet must survive.

But if several companies come to provide important functions exclusively, what happens, for example, if one of them goes bankrupt? These are, of course, purely philosophical questions, but they are worth considering. For example, staff of the Asia-Pacific Network Information Centre (APNIC) believe that the implementation of DoH is a reason to conduct serious studies of the degree of centralization of the DNS system, and intend to monitor the process closely.


To sum up, let’s start with what can be said with full confidence.

DoH technology will complicate the lives of all those who want, or are obliged, to monitor users’ DNS traffic: providers, system administrators, developers and operators of firewalls and content filters, and government Internet surveillance agencies.

How much will DNS over HTTPS complicate their lives? No one can say for sure: it all depends on the pace of implementation and the sophistication of technological solutions.

Does the Internet need this technology? A difficult question. Experts agree that DNS security needs improving, but disagree on how, and very much regret that the development of new solutions is unnecessarily rushed, is being implemented with difficulty, and as a result the technical design again becomes so complicated that it is unclear even to professionals.

Do you personally need DoH? As in many other cases, the question is rather which threat seems the higher priority to you. If it is providers doing something you don’t like, or content filters you didn’t ask for (government filters, for example), then this may be one more tool for you. If you are more concerned about intruders, or need to make sure some users don’t go where they shouldn’t, it is worth carefully examining how this technology will interact with your tasks.

“Why do I need all this nonsense? I have a good proxy, and Tor as a backup,” you may say. If so, then you really don’t need all of this. But not needing it doesn’t mean it isn’t interesting. Fortunately or unfortunately, the Internet consists of billions of unspecialized ordinary users, inhabitants of corporate networks, quiet and discreet network infrastructure devices, and fashionable representatives of the “Internet of Things”. Everything described in this article can seriously affect them. Exactly how, and with what consequences, nobody yet knows.

And finally: Mozilla experts say that in some cases using DNS over HTTPS significantly speeds up DNS query processing. If they are right, they will turn from “Internet Villain of the Year” into “Internet Superheroes”. And, as in every story of heroes and villains, to be continued.
