Mozilla announced in 2020 that it will enable DNS-over-HTTPS (DoH) on all new U.S. Firefox web browser installations. It will also silently turn it on for all Firefox installations. DoH is controversial and can even compromise security.
First, some background on the Domain Name System (DNS). Every device connected to the Internet is assigned an IP address, for example 216.77.188.41. It would be difficult for humans to remember and type the IP address of every computer they want to reach, so a name system was created that lets computers on a network have numeric addresses as well as friendlier, human-readable names made up of letters, numbers and special symbols (a symbolic name). TCP/IP uses a hierarchical system to match computer names to numbers. This is known as the Domain Name System (DNS), and it is the basis for domain-to-IP address resolution.
These DNS queries travel between your browser and the DNS servers in unencrypted cleartext. The DNS server settings in your local operating system are supplied by your Internet Service Provider (ISP) and used by the browser on your home computer. This means that anyone on the path could see your DNS queries. Who could be watching your DNS queries, and why would they be interested? It could be your ISP. It could also be a Content Delivery Network (CDN), which operates proxy servers located near you and loaded with the content you need so that you receive it faster. Cleartext DNS queries let the CDN or ISP determine which websites you visit and what you are interested in. This information could then be sold or used to flood you with advertisements. In oppressive nations, it might be the government spying on its citizens online and then arresting and punishing them.
DoH
Cloudflare and Mozilla created DNS-over-HTTPS, also known as DoH, five years ago. DoH sends DNS queries inside HTTPS (port 443) instead of in plaintext (port 53). The encrypted DoH query goes to a DoH resolving service that aggregates all users' DoH queries and then converts them into regular, unencrypted DNS queries for processing by DNS servers. DoH may prevent outsiders (an ISP, a CDN or a government) from seeing the DNS queries you run and so from determining which websites you want to visit.
But not entirely.
Yes, the DoH resolver receives the user's queries encrypted. However, the query is not encrypted when the resolver sends it on to regular authoritative DNS name servers: DoH is not end-to-end encryption. DoH also does not prevent an ISP from tracking your requests. Because your web browser connects to the IP address returned by DNS, an ISP can see the IP address of your destination website if that site uses HTTP. Even with HTTPS, parts of the request remain in cleartext, such as the destination IP address and the Server Name Indication (SNI). DoH is not a way to prevent an oppressive government or a determined ISP from knowing where you are on the internet.
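To make the two transports concrete, here is an added example (not code from the original article, Mozilla or Cloudflare) that builds a DNS query in RFC 1035 wire format, parses the queried name back out of the raw bytes the way a passive observer on port 53 would, and then wraps the very same bytes in the RFC 8484 DoH POST and GET forms. The hostname `doh.example` and the path `/dns-query` are placeholders; nothing is sent over the network.

```python
import base64
import struct


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Encode a DNS query in RFC 1035 wire format (QTYPE 1 = A, QCLASS 1 = IN).

    The 12-byte header carries the transaction id, flags (0x0100 = recursion desired)
    and the section counts; QDCOUNT=1 says one question follows.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    # QNAME is a sequence of length-prefixed labels ending in a zero byte.
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_qname(msg: bytes) -> tuple:
    """Extract (name, qtype) from a raw DNS message, exactly as an on-path observer can.

    No key or secret is needed: the name sits in cleartext right after the header.
    """
    labels = []
    pos = 12  # skip the fixed-size header
    while True:
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    qtype = struct.unpack("!H", msg[pos:pos + 2])[0]
    return ".".join(labels), qtype


def doh_post_request(msg: bytes, host: str = "doh.example",
                     path: str = "/dns-query") -> bytes:
    """Wrap the unchanged wire-format message in an RFC 8484 POST request.

    This whole request, headers and body, travels inside TLS on port 443, so the
    observer sees the TLS handshake (including SNI for `host`) but not the name queried.
    """
    headers = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Accept: application/dns-message\r\n"
        f"Content-Type: application/dns-message\r\n"
        f"Content-Length: {len(msg)}\r\n\r\n"
    )
    return headers.encode("ascii") + msg


def doh_get_url(msg: bytes, host: str = "doh.example",
                path: str = "/dns-query") -> str:
    """RFC 8484 GET form: the message goes base64url-encoded, without '=' padding,
    in the 'dns' query parameter (the RFC suggests txid 0 here so responses cache well)."""
    encoded = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return f"https://{host}{path}?dns={encoded}"


if __name__ == "__main__":
    q = build_query("example.com")
    print("plain DNS on port 53 exposes:", parse_qname(q))
    print(doh_post_request(q)[:80])
    print(doh_get_url(q))
```

The point the parser makes is that reading a cleartext query requires nothing beyond knowing the byte layout; the DoH wrappers show that the query itself is unchanged, which is why the resolver on the far side can forward it onward in plaintext exactly as the text describes.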
Worse, DoH can compromise security in exchange for a slight increase in privacy, and perhaps only an illusion of privacy.
It is common for system administrators to use their local DNS servers and DNS-based tools to monitor and filter traffic within an organization. To determine whether a user is trying to reach a bad domain, they can use data from the DNS query: the originating IP, the query type and the DNS response. This can be used to block users from accessing sites unrelated to work or domains known to host malware. It can also block access to websites hosting stolen copyrighted material, child abuse material or terrorist content. These DNS configuration details are pushed to employees' computers. However, DoH lets employees bypass DNS-based traffic filtering by overriding the organization's DNS settings.
System administrators also want to monitor DNS settings across operating systems to prevent DNS hijacking attacks, in which an attacker redirects a browser to a malicious website. Monitoring for DNS hijacking is almost impossible when each employee has their own DoH settings.
DoH's impact on security has already drawn criticism, especially in the UK. GCHQ, Britain's intelligence service, criticized Mozilla's position on DoH in 2019, claiming that DoH would hinder police investigations and could undermine existing government protections.