Should DNS over HTTPS become the golden standard?
The Cambridge Analytica scandal may be old news, but it has far-reaching implications – Internet users grew more concerned over their online visibility and website owners were compelled to spell out their data-collection and privacy practices. We can state for a fact that some good came out of it, although the sheer amount of paperwork can be a powerful demotivator for someone with a sound business idea.
Since we’re on the topic of privacy, it would appear that we may have another Cambridge Analytica in the making. There’s been a lot of buzz around the implementation of DoH (DNS over HTTPS), a somewhat new encrypted communication protocol that should, theoretically, uphold privacy.
As one of my colleagues pointed out, DNS over HTTPS is poised to become the next “golden standard”, since it has achieved “an unprecedented default level of privacy and data protection”. DoH does have its merits – in a traditional DNS comm model, the user queries the domain name system for the numerical IP address associated with that specific website.
In turn, the DNS returns the address, allowing the user to view the requested web content. That’s, more or less, how web-surfing works. The major caveat of this comm protocol is that the DNS lookups are not encrypted. In essence, each time you’re trying to connect to a website, the endpoint pings the ISP about your request. Of course, your Internet Service Provider is blind to what you’re doing on that website, but can still ‘see’ and even log your request(s).
That’s a pain-point right there, and Google, Mozilla et al. have done a bang-up job speculating on the market’s ‘needs.’ The push for DNS over HTTPS is at its peak, with browsers now allowing the users to implement the protocol. Despite limited effectiveness against MitM (man-in-the-middle) attacks, it would appear that the early adoption could, allegedly, paint a gigantic bullseye on the users’ backs.
Back in October, ZDNet pointed out that the premature adoption of DoH will not only wreak havoc in the enterprise/SMB/startup sector but could, presumably, give malicious hackers the upper hand. I’ll cover all these points throughout the article.
Since the topic du jour revolves around privacy/data protection or the lack thereof, here’s an interesting dilemma: should DNS over HTTPS replace VPN or work together? Should we completely forget about VPNs and stick with this new and ‘wobbly’ technology?
B2B – What does a VPN do?
In trying to figure out just how DoH can replace a VPN, I find myself compelled to go on a little B2B (back to basics) trip. So, bear with me on this one.
Now, consider the way your endpoint (i.e. smartphone, tablet, PC, Mac) connects to the Internet. Let’s say that you want to search YouTube for the latest Witcher trailer. In order to do that, you will need to get out ‘into the wild’ and query your ISP’s DNS for YouTube’s numerical IP.
Once the server finds the right address, you will be able to go to that place on the Internet where YT resides (here be dragons!). At a glance, the mechanism itself appears to be straightforward and secure. However, do bear in mind that the communication goes both ways (endpoint to ISP and ISP to the Internet), and, to our very misfortune, both are unsecured.
The time-honored solution to this is the VPN. A VPN interposes a VPN client and a VPN server between the querying machine, the ISP, and the Internet. Breaking it down even further, it should look, more or less, like this: endpoint wants to end up on Wikipedia.
The request is sent in an unencrypted form to a VPN client. The client encrypts the packets containing the request and pipes them through to the ISP. In turn, the ISP sends the encrypted request to a VPN server, which communicates with the Internet. Basically, the ISP will be oblivious to your search strings.
So, that’s how a VPN works. Next, let’s take a closer look at DNS over HTTPS.
B2B Part 2 – How does DNS over HTTPS work?
DNS over HTTPS – the crux of this article. It may as well be the best thing that happened to privacy ever since GDPR was enforced, but I seriously have my doubts about that statement. More on that a bit later.
As I’ve mentioned, DoH is or was supposed to be the golden standard of data privacy and protection. The idea behind DNS over HTTPS was to prevent everyone (ISP, Government, secret services, hackers) from peeking at your traffic. It’s more than that; up until now, DNS queries were made in plaintext.
Remember the golden rule of password-making? Never leave them in plaintext, which can mean anything from writing them down in a notepad document to keeping network logs on your machine.
Basically, this is what happens in the traditional DNS comm model – plaintext DNS queries can be retrieved and reviewed by any of the IP matchmaking entities. Thus, the need for a more secure comm solution. Here enters DNS over HTTPS. It was specifically engineered to deal with this particular issue. Should it become the norm? Perhaps, but not in its current state.
Headbutting DoH is DNS over TLS, yet another security protocol that uses a dedicated communication port on your machine. While some sysadmins argue that neither of them solves the issue, they are inclined to choose the ‘lesser evil’ which, in this case, is DNS over TLS. Why is that?
As I’ve mentioned, DNS over TLS uses a dedicated comm port on your machine (853), whereas DoH uses port 443, which is the standard port for HTTPS traffic. So, why is this important? Traffic routed through 853, albeit encrypted, can still be seen at the network level. And, in some countries, such as the United States, DNS over TLS connections can raise some suspicions regarding your online activity.
Moving on to more pressing matters – DNS over HTTPS hides traffic info in HTTPS streams. DoT (DNS over TLS) does not. That’s not even the main issue. The endorsement of DoH means that we will need to change the way we look at the entire network infrastructure.
In order to make this happen, ISPs will need to implement DoH resolvers (DNS servers capable of handling DoH-type queries). Evidently, the existing architecture would have to undergo a rather radical makeover. And that translates into more money, time, and energy, which, in the end, may be wasted on a solution that adds more to the issue than actually solving it.
It all boils down to this – encrypted DNS comm should be an industry standard, but neither DoH nor DoT is the answer.
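To make the difference between the three transports in this section concrete, here is an added example (not code from the original article) that builds one DNS query and frames it for plain UDP port 53, for DoT (2-byte length prefix, RFC 7858) and for a DoH GET request (base64url `dns` parameter, RFC 8484). The resolver host `doh.example` and the `/dns-query` path are assumptions chosen for illustration.

```python
import base64
import struct

def build_query(name: str, qtype: int = 1) -> bytes:
    """Minimal DNS query in RFC 1035 wire format (ID 0, RD set, one question)."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)   # QTYPE, QCLASS=IN

def qname_of(msg: bytes) -> str:
    """Read the queried name back out, as any on-path device can for port 53."""
    labels, pos = [], 12                                   # skip 12-byte header
    while msg[pos]:
        labels.append(msg[pos + 1: pos + 1 + msg[pos]].decode("ascii"))
        pos += 1 + msg[pos]
    return ".".join(labels)

def frame_udp53(msg: bytes) -> bytes:
    # Traditional DNS: the message itself is the UDP payload, in cleartext.
    return msg

def frame_dot(msg: bytes) -> bytes:
    # DoT: 2-byte length prefix, then sent inside a TLS session on port 853.
    return struct.pack("!H", len(msg)) + msg

def frame_doh_get(msg: bytes, host: str, path: str = "/dns-query") -> bytes:
    # DoH GET: message is base64url-encoded (no padding) into an ordinary
    # HTTP request, then sent inside a TLS session on port 443.
    b64 = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return (f"GET {path}?dns={b64} HTTP/1.1\r\nHost: {host}\r\n"
            "Accept: application/dns-message\r\n\r\n").encode("ascii")

def unframe_doh_get(request: bytes) -> bytes:
    """What the DoH resolver does after TLS termination: recover the DNS message."""
    b64 = request.split(b" ")[1].split(b"dns=", 1)[1]
    return base64.urlsafe_b64decode(b64 + b"=" * (-len(b64) % 4))

if __name__ == "__main__":
    q = build_query("www.youtube.com")                     # constructed sample query
    print("udp/53 payload exposes:", qname_of(frame_udp53(q)))
    print("DoT plaintext before TLS:", frame_dot(q).hex())
    print("DoH plaintext before TLS:", frame_doh_get(q, "doh.example").decode())
```

The DNS message is byte-for-byte identical in all three cases; only the wrapper and the port change, which is why a DoH lookup looks like any other HTTPS request to a device that sees only port 443.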
DoH vs DoT vs VPN
The entire debate revolves around privacy vs. security – are you willing to let your guard down, even for a brief moment, to ensure that no one can spy on you? If we were to remove the context and ask the same question, the answer would be a staunch ‘no’. However, given what we know so far, it’s very difficult to predict the outcome, let alone make a decision that could ultimately tear down that modicum of privacy we thought we had.
DoH vs. DoT
In the previous section, I have outlined some of the pros and cons of using DoH over DoT. Here’s a short and comprehensive list of the pros and cons of each comm method.
DNS over HTTPS
- Prevents Man-in-the-Middle attacks. No more plaintext DNS queries since they are secured.
- Circumvents ISP or third-party interception. All packets are obfuscated.
- Machine performance is greatly increased, since the DNS over HTTPS method centralizes all DNS traffic, meaning fewer servers are required to process the queries.
- Most browser makers are pushing DoH, which means faster deployment.
- Wreaks havoc in enterprise sectors. Infrastructure expansion alone can ramp up the costs.
- Blocks just one tracking vector. It’s true that ISPs or third parties cannot see your DNS requests, but there are other ways to keep tabs on your online activity, such as OCSP connections, SNI fields or both.
- Potentially bypasses traditional DNS traffic filtering technology. DoH tends to override a company’s DNS, allowing employees to visit otherwise banned websites.
- Leaves endpoints more vulnerable to cyberattacks. It may prevent MitM attacks but potentially makes an organization more vulnerable to insider threats and other forms of malware.
DNS over TLS
- Fairly easy to implement. DoT takes advantage of the existing network infrastructure.
- Mature encryption methodology. Tried-and-tested, TLS is more mature and flexible compared to HTTPS.
- Completely encrypts the connection. DoH merely encapsulates DNS traffic in HTTPS comm.
- MitM attacks can be fended off even with DoT. Users must empty their cached data from the server. This is usually stored in plaintext format.
- It doesn’t offer full protection against SNI leaks and traffic analysis.
- Must be constantly updated to patch vulnerabilities.
- Uses a dedicated comm port.
- Might raise legal issues in some countries.
DNS over HTTPS – A replacement for VPN?
And we finally come down to our little dilemma: should DoH replace VPN? The answer is still ‘no’. Although the technology was engineered to address some privacy issues, it ended up creating more security issues than ever before.
The tech eliminated one traffic-inspection vector, but do bear in mind that your ISP still has other means of keeping tabs on your activity. To say that the technology is still in its infancy would be a major understatement; in its diaper would be more precise.
DNS over HTTPS should never be conceived as a 1-to-1 replacement for a VPN client; at the very least, we can consider it as its counterpart, its partner in crime. While the VPN ‘scrambles’ your IP so as to make it impossible to track your activity, DoH only ensures that the communication channels with the DNS are secured by encapsulating the DNS querying in HTTPS.
VPN is here to stay. At least for the time being. Unfortunately, the same thing can’t be said about DNS over HTTPS. The approach may be sound on paper, but in reality, it’s something like curing the disease by killing the patient – you really don’t want to create a breach in your security network, just for some extra privacy.
When talking about DoH vs VPN, I always like to use the following analogy – for certain blood disorders, docs prescribe anticoagulants. Despite there being hundreds of them on the market, they prefer Sintrom, because it’s the only curable one (if things get out of hand, the doc can neutralize it). The same thing applies to VPN and DoH – VPN can be plugged, while DoH can’t! Well, at least not yet.
DNS over HTTPS does more for privacy but falls behind as far as security is concerned. Google and the other giants are doing their best to push DoH. Still, if we have the option to opt out, we should take it. As I’ve pointed out, the technology needs a serious redesign before it can tackle both privacy and data protection issues.