Technical copywriting (example)

DOH domain name strategy raises security concerns

A new system designed to minimise latency for internet address resolution has raised serious concerns about security and privacy, with potential for third parties to track users and even manipulate what they see online.

DNS services provided by plain text UDP
Original DNS services were provided by plain text – allowing packet sniffing of DNS packets on routers to identify the destination of internet users. In reality there would be more than two machines on the chain of data, with security holes potentially providing visibility on users’ web usage.

The protocol, Domain Name System over Hypertext Transfer Protocol Secure (DOH) was published in October 2018 to address security concerns over unencrypted data sent between clients and Domain Name System (DNS) servers.

Plain text requests in the transmission chain

Originally, clients typically sent DNS requests via the User Datagram Protocol (UDP) as plain unencrypted text. This permitted end-to-end visibility of the domain name, web link and Internet Protocol address of the client machine throughout the transmission route. Secure communications could then be established with Secure Socket Layer (SSL) or Transport Layer Security (TLS) encryption keys once the destination was identified. However, by this point the nature of the web activity and user identity was already known.

An example of secured DNS over TLS
Example of the Domain Name System service provided with the Transport Level Security (TLS) service. Plain text negotiation is required until TLS v1.3 is ratified; and there is a little latency with TLS negotiation. However, it is the best method for securely providing DNS services.

In 2016, the Internet Engineering Task Force (IETF) released an upgraded protocol to resolve this security issue: DNS over TLS, or “DOT”. This method establishes encrypted security between the DNS server and client before submitting the domain name request. However, client uptake of DOT has been limited due to several issues:

  • Security negotiations incur latency delays,
  • The user must actively choose to implement the system, and some client software is difficult to configure,
  • The client system can be identified prior to the encryption negotiation – although this will be resolved by the Encrypted Server Name Indication system in the next TLS update.

In the meantime, the IETF has released the alternate strategy for accelerated DNS operations: DNS over HTTPS, or “DOH.” DNS resolution details would be incorporated into the header of the transmitted document (web page, media file, etc.) and sent by Hypertext Transfer Protocol Secure (HTTPS) to the client. This information could include an encrypted listing of DNS information for all links within the current document – and negating the need to send any further DNS requests. The DOH protocol was released in October 2018 and implemented in an Android phone application (Intra) the following month.

APNIC Chief Scientist Geoff Huston (profile)
APNIC Chief Scientist Geoff Huston believes that security researchers need to reconsider the implementation of DNS over HTTPS

Questions raised

The theory sounds plausible. However, the DOH strategy has raised security questions from network experts who are concerned about the impartiality and integrity of data sent within the files.

“Whereas DOT was considered part of the substructure of the environment, HTTP is applications,” said APNIC Chief Scientist Geoff Huston at Melbourne’s APRICOT conference in February 2020.

“All of a sudden, instead of asking the operating system to resolve the name, the browser can do it by itself.

“No one else is involved, and no one else can see it.

“Once you start doing that individual, tailored subversion, it gets really hard,” he said. “It is encrypted HTTPS, so the DNS resolver knows the user identity, and the user can get a favourite answer that nobody else gets. The resolver can create – for good or bad – tailored results that are invisible to anyone else.”

DNS over HTTPS example diagram - illustrating the multiple clients and potential for differing results
Example of the varied nature of Domain Name System service that could be provided by HTTPS. Multiple clients may receive differing results depending on the third-party providing the DNS services in the HTTPS header.

These DOH requests will be handled by a third party, who may not even by identified by the user. The DNS addresses sent by the server could be manipulated without the user’s knowledge, and without any way to verify the data integrity. A DNS address provided in a web file could be tailored specifically to track the user, or even provide intentionally incorrect data to direct the user to a counterfeit reproduction of their intended destination.

Furthermore, DOH will be able to bypass the web activity rules set by local Internet Service Providers, enterprise policies and legally-enforced internet content law. This could be beneficial or detrimental, depending on the circumstances. Censorship and content control laws could be bypassed and therefore complicate the monitoring of illegal internet user activity or unethical behaviour by internet providers.

These issues were raised in the British House of Lords in May 2019 when Baroness Glenys Thornton detailed her concerns regarding unmoderated internet use and asked for further investigation into the implications of DOH. However, her concerns have not halted the implementation of the protocol. The Google Chrome browser implemented support for DOH throughout the second half of 2019, and Mozilla Firefox followed suit in February 2020.

Geoff Huston believes that the impartiality of the DNS name space needs to be respected as an integral part of the internet and remain independent.

“When you take the DNS resolution away from common infrastructure, for the sake of a few nanoseconds of speed, the results can be finely chopped and fragmented for each user,” he said.

“The common infrastructure DNS is the last piece of cohesion, where everyone asks the same question and gets the same answer.

“This common referential language of the internet is at stake – so it merits the conversation regarding the suitability of DOH.”

References

https://www.youtube.com/watch?v=okoA93NUnSU
https://blog.apnic.net/2018/10/12/DOH-dns-over-https-explained/
https://tools.ietf.org/html/rfc8484
https://tools.ietf.org/html/rfc7858
https://twitter.com/paulvixie/status/1053765281917661184
https://techcommunity.microsoft.com/t5/networking-blog/windows-will-improve-user-privacy-with-dns-over-https/ba-p/1014229
https://developers.google.com/speed/public-dns/docs/DOH
https://hansard.parliament.uk/Lords/2019-05-14/debates/E84CBBAE-E005-46E0-B7E5-845882DB1ED8/InternetEncryption
https://datatracker.ietf.org/doc/draft-ietf-tls-esni/?include_text=1