Credit to Author: Lily Hay Newman| Date: Wed, 09 Oct 2019 11:00:00 +0000
The road to routing all Domain Name System lookups through HTTPS is pocked with disagreements over just how much it will help.
The security community generally agrees on the importance of encrypting private data: Add a passcode to your smartphone. Use a secure messaging app like Signal. Adopt HTTPS web encryption. But a new movement to encrypt a fundamental internet mechanism, promoted by browser heavyweights like Google Chrome and Mozilla's Firefox, has sparked a heated controversy.
The changes center around the Domain Name System, a decentralized directory that acts essentially as the internet's address book. When you send data to or request it from a server, a DNS lookup ensures that it goes to and comes from the right place. Google and Mozilla plan to encrypt those interactions sometime this year. Which sounds straightforward enough—but not everyone is convinced that the shift solves more problems than it potentially creates.
The concept of DNS was developed in the mid-1980s, and hasn't evolved much since the early 1990s. Like many foundational internet protocols, DNS has been remarkably flexible and serviceable over the years. But having roots that predate the rise of the modern internet has led to inevitable problems, one of which is that those address lookups aren't encrypted. That’s a big deal. Any time your browser attempts a DNS lookup, that request can pass across multiple servers. Your internet service provider, lurking government snoops, and just anyone on the same Wi-Fi network can see what websites you visit, even if they can't see what you do once you actually load the sites.
It gets even worse. Since DNS requests are unencrypted, bad actors can manipulate them to strategically send you to the wrong website. It’s like listing your address under someone else's name, and getting all their packages delivered to your house. This type of attack, known as DNS hijacking, has been on the rise; in January, the Department of Homeland Security even issued an emergency directive about the threat.
"Yeah it’s going to be work, but that’s fine, just do the work."
Matthew Prince, Cloudflare
Which explains the push for encrypted DNS: It would make those types of surveillance and misdirection much harder. The Internet Engineering Task Force standards body has already codified a few different methods for implementing it, namely “DNS over HTTPS” (DoH) and “DNS over TLS” (DoT). Both protocols apply ubiquitous web encryption to DNS requests. The two standards are very similar, except DoT separates encrypted DNS traffic into its own recognizable channel (an attribute network defenders largely prefer), while DoH intermingles encrypted DNS traffic with general HTTPS encrypted web traffic so they're indistinguishable (an additional privacy benefit to some). Each approach has its pros and cons, but both Mozilla and Google have elected to go with DoH in their browsers.
No matter which version you choose, though, adding a layer of encryption to DNS requires some systemic rejiggering. It's like writing down your order at a restaurant, locking it in a small safe, and then handing the safe to the waiter to take back to the kitchen. You won't give away any personal information about your culinary preferences, but you also won't get the right meal.
To get around this complication, secure DNS protocols rely on intermediaries called "resolvers," which can still see the requests unencrypted as they come through. Mozilla has piloted its encrypted DNS with the internet infrastructure company Cloudflare acting as the main resolver. Cloudflare has already been offering encrypted DNS with a service called 220.127.116.11 for more than a year. Mozilla chose the company because it pledged to delete all DNS logs after 24 hours, never share data with third parties, and submit to audits to confirm that data is really being deleted. But users can set Firefox to default to any resolver that supports DoH. Similarly, Chrome is starting out by offering DoH with six resolvers, including Cloudflare and Google itself.
That centralization of DNS requests worries detractors. Unlike end-to-end encrypted messaging, in which only you and the person you’re talking to can read the messages on each of your devices, encrypted DNS doesn’t quite succeed at boxing everyone out. It cuts telecoms and governments out of the equation in one way, but introduces new tech giants and third parties in another.
"I would love it if there were 100 other encrypted DNS providers that customers could choose from," says Cloudflare CEO Matthew Prince. "We think that would be great. I get that there being a limited set of choices doesn’t feel good. But there's nothing proprietary about this. You can download open source software and run this today."
The pro-privacy Electronic Frontier Foundation has acknowledged the concerns about consolidating DNS with so few resolvers, but recently suggested that the potential privacy benefits are worth the downside so long as more entities get into the space. Specifically, EFF called on internet service providers to start acting as encrypted DNS resolvers themselves. Ideally, this would involve getting ISPs to sign on to strict privacy protections like those Cloudflare has promised to adhere to as part of the process of adding support for DoH.
That may not happen anytime soon, though. And even if it did, you can see how it would be difficult in practice to get entities already making money off of mining DNS data to really change their ways. A consortium of telecommunications trade associations wrote a letter to Congress in September opposing encrypted DNS and calling Google anti-competitive for starting to support it in Chrome. This argument seems specious at best, given that Chrome will be able to use a number of resolvers, not just Google’s. The overall effort, though, reflects how invested ISPs are in protecting their access to DNS data, seemingly so they can mine it to fuel targeted advertising. ISPs do also use insight into DNS requests to offer services like content filtering for children. House of Representatives investigators are currently assessing the letter’s claims.
The ranks of DoH opponents aren't filled only with self-interested corporations. Cybersecurity professionals argue that encrypting DNS requests will make it harder to spot intrusions and malware on their networks, without truly giving web users a more private experience. Meanwhile, encrypted DNS advocates say that these concerns are overblown, especially for large companies that can just set up their own encrypted DNS resolver to access local traffic as before—although those measures aren’t necessarily feasible for the majority of organizations.
“There are real operational and security implications of both DoH and DoT,” says Roland Dobbins, a principal engineer at Netscout Arbor. “Everyone needs to consider that things like identifying compromised devices and defending DNS infrastructure from DDoS attacks could become much more complex and costly.”
DDoS attacks on DNS servers can have very real consequences. For example, a massive 2016 assault on the DNS provider Dyn caused widespread connectivity outages on the East Coast of the United States and around the country.
"We're just trading who can potentially track us."
Jake Williams, Rendition Infosec
Researchers have already spotted malware built to evade detection by connecting to command and control servers using encrypted DNS requests. And another major concern is that if hackers were to compromise a trusted DNS resolver, they would be able to pull off devastating DNS hijacking attacks that wouldn't be detectable to the outside world. A similar issue already exists when hackers compromise the “certificate authorities” that underpin general HTTPS web encryption.
Firefox and Chrome are still in the experimental phases of testing encrypted DNS, so most of your connections likely won't take advantage of it for now anyway, and there are still ways to opt out of using it at all. But as with the push to get websites to adopt HTTPS encryption, encrypted DNS will likely move forward now if Chrome and Firefox find that the change doesn’t have too much of an impact on speed or reliability for users.
“Yeah it’s going to be work, but that’s fine, just do the work,” says Cloudflare’s Prince. “I’m astonished how political this has been. It makes me uncomfortable that every coffee shop I’m going to knows every site that I’m visiting. It seems like it’s a no brainer to be adding encryption. Let’s just do it!”
For the average person, encrypted DNS will offer valuable privacy protections against ISPs and other entities that are hungry for user data. Even so, analysts caution that potentially risky web browsing should still take place with sturdier protections, like a VPN or the anonymity service Tor.
Critics of DNS over HTTPS do recognize the irony of pushing for less encryption out of a desire to protect people when the security and cryptography communities overall take a hard line against law enforcement on the value of encrypted communication platforms free of backdoors. But the difference, they say, is that end-to-end encryption or encryption at rest cuts everyone out except the data's owners, while DNS encryption only shifts trust.
“From an enterprise standpoint, DNS monitoring is critical to ensuring security. Losing the visibility into DNS is tremendous operational loss and will help attackers more than it ensures privacy,” says Jake Williams, a former NSA hacker and founder of the security firm Rendition Infosec. “As long as you trust resolvers like Cloudflare, then there's no issue. And I personally trust Cloudflare, but others may not. We're just trading who can potentially track us.”
Vulnerable web users who've never given any of this a second thought—and don't even know what DNS is—would probably say, though, that they'll take whatever they can get.