DNS over HTTPS: the point of contention

Artem Tereschenko | Published: 20 February, 2020

Back in 2018 IETF has approved a new protocol named DNS over HTTPS, but the topic gained attention of IT-community not so long ago. Not only the positive side was taken into consideration: there were heated debates about the protocol’s features and benefits among the ISPs and developers.

DNS over HTTPS (DoH) encrypts queries and responses from DNS-server. The names of the remote servers are hidden if the user accesses them using DoH.

DNS-over-HTTPS

The reason of the argument is that part of IT-community considers the protocol is adding an extra layer of Internet-security. So it is already implemented in some services and applications. On the other hand there are new difficulties and challenges in the work of system administrators.

We need to understand the mechanism of DoH protocol to get to the heart of the problem. With regular DNS the host name and address are transmitted in clear text. In DoH protocol, a query for an IP address is encapsulated in encrypted HTTPS traffic. After that it is transmitted to HTTP-server and processed with API commands.

This is an example of such a query from RFC 8484 (page 4):

   :method = GET
   :scheme = https
   :authority = dnsserver.example.net
   :path = /dns-query?
           dns=AAABAAABAAAAAAAAAWE-NjJjaGFyYWN0ZXJsYWJl
           bC1tYWtlcy1iYXNlNjR1cmwtZGlzdGluY3QtZnJvbS1z
           dGFuZGFyZC1iYXNlNjQHZXhhbXBsZQNjb20AAAEAAQ
   accept = application/dns-message

As we can see, the queries to DNS are anonymous, as they are hidden in HTTPS.

Anonymity is good. What is the problem?

The first reason to dismiss DNS over HTTPS is reduced Internet security. It will be harder for system administrators to block malicious sites, because the names cannot be removed from HTTPS traffic. Also subscribers will not be able to а use the parental control in browsers anymore.

For example the legal system in Great Britain obliges ISPs to block prohibited sites. With DOH protocol it becomes almost impossible to filter traffic. Government Communications Headquarters (GCHQ) and Internet Watch Foundation (IWF) protest against protocol popularization – these organisations’ task is to maintain a register of blocked resources.

Even modern traffic filtering systems, such as VAS Experts DPI, cannot perform a full analysis of HTTPS traffic. Such systems use classification by SSL/TLS (Common Name) or Server Name Indication (SNI), and signature analysis of traffic flow.

The second problem of DNS over HTTPS is new malware that is using protocol’s particular characteristics. For example in July 2019 Netlab security experts have discovered a new virus named Godlua that was using DoH for DDoS attacks. The virus gets text DNS records (TXT) and URLs of controlling servers from DoH.

Cybersecurity is threatened because popular antivirus solutions can not recognize the encrypted DoH queries. So new viruses are likely to appear and the situation may become worse.

The positive side

At the same time new protocol can strengthen cybersecurity. DoH might help to counteract the increasingly common DNS hijacking attacks. This is confirmed by the report of the information security company FireEye. The protocol is also supported by several other large IT-companies.

Since 2018 Google has been testing DNS over HTTPS protocol. Not so long ago the company has announced its General Availability DoH service. Google hopes that DoH distribution will increase the level of personal data security and protect against MITM attacks.

In turn since last summer Mozilla supports the full operation of DNS over HTTPS and is actively supporting the protocol. Internet Services Providers Association (ISPA) nominated Mozilla for the “Internet Villain of the Year” award; the browser representatives replied that they are disappointed by the tendency of telecom operators to abandon infrastructure upgrades and “being up to date”. Although the nomination was withdrawn after large media and some providers stood up for Mozilla and British Telecom claimed that new protocol will only increase the security of British users without affecting the quality of content filtering.

DoH-FireFox-Mozilla

Cloud providers did step in as well. Cloudflare is already offers DNS-services based on DNS over HTTPS.

Disputes will not settle down for a long time. New technology is always recepted with hostility and a lot of discussion and a widespread implementation of the new protocol can be expected probably in more than a decade. Right now you can find the list of browsers and clients that support DNS over HTTPS on GitHub.