DNS requests are usually made over UDP, in plaintext. In a bid to introduce more privacy in DNS traffic, DNS-over-HTTPS (DoH) was published in Oct 2018 (RFC 8484). The DNS traffic will be encrypted, and appear to be like normal HTTPS traffic.
Companies are marketing DoH as a way to prevent ISPs from tracking users’ web traffic, and as a way to bypass censorship in (some) countries. However, there is more to this story…
DoH doesn’t actually prevent ISPs from tracking your traffic! #
Yes, your DNS traffic remains encrypted… but
- For HTTP traffic, the destination site is in plaintext
- For HTTPS traffic, the ISP can look at the Server Name Identification (SNI) field, which is where the client indicates the hostname it wants to connect to during the TLS handshake. (The SNI field is an optional extension of TLS)
- Of course, people have also proposed encrypting the SNI field
The traffic is encrypted, but using the HTTPS layer is not doing useful protection of any data.
DoH has implications on security policies, and could benefit the wrong people #
Since DNS traffic is now encrypted, companies will find it harder to implement security policies (e.g. no facebook at work), possibly facilitating the spread of malware.
- Example: The malware Godlua has abused DoH to communicate with its command and control without being easily detected.
- Example: It would be harder to filter content like child abuse.
So, given these concerns, do we forego DNS-over-HTTPS? #
DNS-over-HTTPS has roused the security community, but the general concensus seems to be that its benefits have been overstated.
There are other proposals like DNSSEC (RFC 4033) and DNS-over-TLS (DoT, RFC 7858), DNSCrypt, but these also have their own security concerns.
Privacy in our DNS traffic is important, and this is currently still a work in progress in security research! Just maybe not using DNS-over-HTTPS.
Readings #
- A quick read
- An elaborate discussion on privacy; also contains information on metadata leaks like SNI
I do recommend reading and comparing the different schemes proposed to introduce privacy in DNS traffic.