Recent announcements by both Mozilla Firefox and Google Chrome, have put DNS privacy into the spotlight. Changes in how DNS privacy is handled is a major change to the way the internet works but is little understood by the average user. So, what is DNS privacy and DNS over HTTPS and what effect will it have on internet use?
The changes announced by Firefox and Chrome concern the technical process by which web-pages are found when a user types in a web address (URL) into their browser and hits the Enter Key. A process that the vast majority internet users would not be aware is happening.
What is DNS
When an internet user types the domain name they want to visit into their browser, a resolver (usually run by their Internet Service Provider (ISP) or mobile operator e.g. Virgin Media or EE), will match it to a corresponding IP address. The IP address can then be used to locate the web-server where the domain is hosted. Its like a telephone directory, which allows you to find someone’s phone number by looking up their name. This process happens very quickly every time you display a web page.
Normal DNS traffic is not encrypted, which means that your ISP can see the websites that you try to connect to. It also means that a man-in-the middle that has access to any network carrying the DNS request could intercept it and redirect you to another, potentially malicious, site.
What is DNS over HTTPS (DoH)
With DNS over HTTPS (DoH), a web browser like Firefox or Chrome, will bypass the ISP’s DNS resolver and instead send an encrypted DNS query to a different DoH resolver. The DoH resolver will look up the IP address of the required site as usual and the user will be directed to the required website.
This means that your ISP can only see an encrypted version of the DNS request. Similarly, a man-in-the-middle would not be able to decipher the DNS query. If the website pages themselves are also delivered by HTTPS, as most are these days, the ISP would not be able to see which sites were being visited.
Are there other methods of secure DNS
DoH is not the only approach to securing DNS. DNS over a Transport Layer Security (TLS) protocol, known as DoT, is another alternative, and there are arguments for and against each method but that is beyond the scope of this article. Currently, attention is focussed on DoH as it about to be rolled out as an option in both Firefox and Chrome browsers and so is likely to have the wider impact in the near future.
Potential Issues with DoH
Firefox and Google Chrome browsers, which between them have a market share of over 70%, are both looking to make DoH available to all users in the near future. The question now is how they implement it, who they use as resolvers, and what policies are put in place.
DoH means encrypted traffic, which prevents eavesdropping or interception of DNS queries. However, DoH raises some questions which need careful consideration as it is introduced.
Some internet safety and security measures that have been introduced over many years require visibility of DNS. For example, parental controls, rely on the ISP blocking certain domains for their customers. The Internet Watch Foundation https://www.iwf.org.uk/ also ask ISPs to block domains that are hosting child sexual abuse material.
There could also be problems for law enforcement wishing to use DNS data to track criminals and many organisations secure their networks with security systems that use DNS information to block known malicious domains. All of these measures could be severely impacted by the introduction of DoH.
If DoH potentially blocks safety measures that have been introduced over many years, it is incumbent on browsers providers and DoH resolvers who implement DoH, to take up these responsibilities, to maintain the current level.
Users will need to be educated on the way in which their data use is changing so they can give their informed consent to this new approach. If users are not aware that their DNS queries are being sent somewhere other than to their ISP, they can’t make an informed choice. It needs to be made clear and DoH needs to be an easily configurable option. Users also need clarity on who would see the data, who can access the data and under what circumstances.
DNS privacy needs to be implemented with the full involvement of international governments and law enforcement. This may require the setup of local DoH resolvers in individual countries to allow for application of local law.
This new approach to resolving requests can bring some real improvement in the digital world but it needs to be done carefully and responsibly to maximise the benefits and minimise the potential problems.
If your organisation may be affected by the internet privacy and security issues discussed above and would benefit from expert assistance, please feel free to contact us via our contact page.