DNS-over-HTTPS — what is going on with adoption

March 23, 2022
Telecom
Since the beginning, this protocol has been a very controversial one in the IT community. Some people believe that DoH increases the security of connections, while others think that it only makes the sysadmins’ work more difficult. Either way, DoH is used by more and more applications despite the different points of view. In this article, we will take a closer look at it and tell you what’s really going on.

A controversial technology

DNS-over-HTTPS is criticised by regulators, telecom operators, representatives of Internet registries, and even the author of the domain name system himself. The arguments include more complicated administration and delays in content delivery networks. In addition, some implementations of the protocol ignore the resolution order configured in /etc/nsswitch.conf, so DNS management moves from the operating system to individual applications, and different services on the same host may end up resolving names differently.

Moreover, it is argued that the protocol creates a risk of personal data leakage. DNS-over-HTTPS encrypts the names of visited resources in transit, but they remain fully visible to the server that processes the request, so the question becomes how far the DoH provider can be trusted. That is one of the reasons why the U.S. National Security Agency recommends against using DNS-over-HTTPS in corporate networks and advises paying more attention to self-hosted solutions.
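As an added example (not code from the original article), the RFC 8484 GET encoding of a DoH query in Python, together with the two points the paragraph above hinges on: the resolver decoding the plaintext question out of the encoded message once TLS is stripped, and parsing the application/dns-message response it returns. The resolver URL https://doh.example/dns-query and the name example.test are constructed placeholders.

```python
import base64
import struct

def build_query(name: str, qtype: int = 1) -> bytes:
    # ID 0 as RFC 8484 recommends (lets HTTP caches match identical queries); flags RD=1; one question, class IN
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def doh_get_url(resolver: str, query: bytes) -> str:
    # GET form of RFC 8484: the wire message goes base64url-encoded, padding stripped, into the "dns" parameter
    return resolver + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")

def decode_name(msg: bytes, off: int):
    # Decode a wire-format name, following RFC 1035 compression pointers; returns (name, offset after the name)
    labels, end = [], None
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:                        # two-byte pointer: top two bits set
            end = end or off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
        else:
            labels.append(msg[off + 1:off + 1 + msg[off]].decode("ascii"))
            off += 1 + msg[off]
    return ".".join(labels), (end or off + 1)

def qname_seen_by_resolver(url: str) -> str:
    # Once TLS is terminated the DoH server holds the plaintext question; this is exactly what it reads
    b64 = url.split("?dns=", 1)[1]
    msg = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    return decode_name(msg, 12)[0]                         # the question starts after the 12-byte header

def parse_a_records(response: bytes) -> list:
    # Skip the question section, then collect IPv4 addresses from A records in the answer section
    qdcount, ancount = struct.unpack("!HH", response[4:8])
    off, addrs = 12, []
    for _ in range(qdcount):
        off = decode_name(response, off)[1] + 4            # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = decode_name(response, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in response[off:off + 4]))
        off += rdlen
    return addrs

SAMPLE_RESPONSE = bytes.fromhex(                           # constructed application/dns-message response body
    "0000 8180 0001 0001 0000 0000"                       # header: QR=1 RD=1 RA=1, one question, one answer
    "07 6578616d706c65 04 74657374 00 0001 0001"          # question: example.test, type A, class IN
    "c00c 0001 0001 0000012c 0004 c000020a"               # answer: pointer to the name at offset 12, TTL 300, 192.0.2.10
)
```

For www.example.com the encoded query reproduces the GET example given in RFC 8484 section 4.1.1, which is a handy check when debugging a client.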

Step by Step

The rather slow spread of the technology seems to be a result of the harsh rhetoric against it. Today, “classic” plain-text DNS traffic is still three times the volume of encrypted DNS traffic. However, the situation is gradually changing: according to major ISPs and information security companies, DoH traffic has grown in recent years. This is especially noticeable in Brazil, the United States, Italy, Argentina, and Spain (see page 10 of the study on this topic).

This trend is linked to major browsers enabling DNS-over-HTTPS by default. Firefox developers turned the protocol on for users in the United States in 2019 and for users in Canada in 2021; in the latter case the rollout was carried out in partnership with the DoH provider CIRA.

According to Firefox representatives, logs are not stored for longer than one day, user data is not passed to third parties, and DNS Query Name Minimisation (RFC 7816) is always applied.

Support for DNS-over-HTTPS has also been added to Chrome, Edge, and Brave, and the corresponding functionality is implemented in router firmware, both commercial and open-source (such as OpenWRT).

[Image: browsers with DoH support]

Enthusiasts are also contributing to the development of the technology. For example, engineers from APNIC scanned the IPv4 address space for hosts with port 443 open and probed them with a purpose-built script. They found more than 930 DoH resolvers, a quarter of them deployed on home servers and probably used for private projects (these systems had no reverse DNS records).

Other options

Most likely, DoH will be implemented by more and more developers. That does not mean, however, that it will be the “final” solution for encrypting DNS queries: other alternatives are being developed alongside DNS-over-TLS. For instance, an IETF working group has proposed an open standard, Oblivious DNS-over-HTTPS (ODoH), which hides the IP address of the user’s device by routing queries through a proxy, so the DNS provider sees only the address of the intermediate hop.

The proxy, in turn, knows the client’s IP address but cannot read the request, because the message is encrypted so that only the target resolver can decrypt it.

There are also solutions for encrypting queries to the domain name system over other transports, such as QUIC, but it is still too early to talk about their widespread use. Even compared with DNS-over-HTTPS, the traffic volume of DNS-over-QUIC is tiny. The practical case for such systems is also questionable, since DNS-over-HTTPS will itself gain QUIC support through HTTP/3.

It is too early to say which DNS query encryption technology will prevail, but the transition may well take a couple of decades.
