A controversial technology
DNS-over-HTTPS is criticised by regulators, telecoms, representatives of Internet registries, and even the author of the domain name system himself. Among the arguments are the complicated administration and delays in content delivery networks. At the same time, some of the protocol implementations ignore the rules described in /etc/nsswitch.conf. So DNS management is transferred from the operating system level to the application level, which may lead to a mix-up between services.
Moreover, it is argued that this protocol creates the threat of personal data leakage. DNS-over-HTTPS encrypts information about visited resources, but it is still available to a server that processes the request. In this context, there are credibility concerns over the DoH provider. That’s one of the reasons why the U.S. National Security Agency recommends not using DNS-over-HTTPS in corporate networks and paying more attention to self-hosted solutions.
Step by Step
The rather slow spread of the technology seems to be the result of the harsh rhetoric against it. For today, a “classic” DNS traffic is three times bigger than an encrypted one. However, the situation is gradually changing — according to major ISPs and IS companies, DoH traffic has increased in recent years. This is especially noticeable in Brazil, the United States, Italy, Argentina, and Spain (see page 10 of the study on this topic).
According to the representatives of “Firefox”, the company doesn’t store logs longer than one day, doesn’t transfer user data to third parties, and mandatorily applies DNS Query Name Minimisation technology (RFC 7816).
The ability to work with DNS-over-HTTPS has also been added to Chrome, Edge, and Brave. The corresponding functionality is also implemented in the router firmware — both commercial and open-source (such as OpenWRT).
Enthusiasts are also contributing to the development of technology. For example, engineers from APNIC scanned the IPv4 address space, then they searched open ports 443, and tested them with a special script. They found more than 930 DoH resolvers, a quarter of which are deployed on home servers and probably used in private projects (these systems had no records of back view zones).
Most likely, DoH will be implemented by more and more developers. However, that doesn’t mean that it will be the “final” solution for DNS requests encryption — other alternatives are being developed in addition to DNS-over-TLS. Thus, the working group of the IETF proposed an open-source standard Oblivious DNS-over-HTTPS (ODoH).It allows hiding the IP of the user’s devices by using proxies. In this case, the DNS provider sees only the address of the intermediate link.
There are solutions for encryption of appeals to the domain name system based on other protocols, such as QUIC. But it is still too early to talk about their widespread use. In particular, even compared with DNS-over-HTTPS, the traffic volume of DNS-over-QUIC is incredibly small. The practical implementation of such systems is also questionable since in the future DNS-over-HTTPS will support QUIC (at the expense of the HTTP/3).
It is too early to say what DNS-requests encryption technology will be implemented, but it definitely may take a couple of decades anyway.