The implications of control over internet infrastructure via DNS-over-HTTPS on privacy

Next story
Rene Holt

In the early days of the internet, it was quite common for local networks to run their own domain name service (DNS). DNS was invented as a solution for allowing internet users to query remote servers via friendly, easy-to-remember names like google.com. Names are much easier to remember compared to more abstract IP numbers like 64.233.160.0, which are mapped to domain names. In this way, DNS allows people to request google.com while leaving the hard work of finding the IP address to a series of servers assigned to the job.

In the decades since, there has been an increasing push to place the infrastructure of the internet away from local customer networks and into the hands of large internet service providers (ISPs) – including those servers that have been taking care of DNS requests. Instead of setting up DNS in their local networks, people and businesses nowadays are more commonly using whatever default DNS service their ISP offers. This shift has been a cause for alarm for many industry insiders over the loss of privacy.

Indeed, the power brought to bear by major tech firms has not been lost on the public and some of the political class in the US. Some see the need to bust monopolies and introduce more competition and fairer conditions for customers. With respect to ISPs, leaders like Vermont Senator Bernie Sanders have suggested they divest themselves of their conglomerate power. In his recent bid for the presidency, Sanders went as far as vowing to break up the monopolies of the few large ISPs, which operate much like utilities, that he believes have been squeezing businesses and the broader public out of their hard-earned dollars.

Can encryption win back privacy?
In the face of this shift toward greater reliance on ISP provisioning, some suggest that by adding encryption, more privacy can be won back from ISPs. This has led to a new fever for data encryption sweeping the globe as people rush to find privacy on the internet, and for data protection regulations like GDPR and CCPA goading businesses on toward encryption solutions.

The question that remains to be asked, then, is this: How will the latest DNS encryption technology, known as DNS-over-HTTPS (DoH), truly impact privacy?

British Telecom ISP turns on DNS-over-HTTPS ad experimentum
Following the lead of Google, Mozilla and Microsoft, British Telecom (BT), a major ISP based in the UK, has become the next player to jump onto the DoH bandwagon. According to a company statement, “BT are currently investigating roadmap options to uplift our broadband DNS platform to support improvements in DNS security – DNSSEC, DNS over TLS (DoT) and DNS over HTTPS (DoH). To aid this activity and in particular gain operation deployment insights, we have enabled an experimental DoH trial capability.”  

DoH is a network protocol that encrypts DNS requests via the HTTPS protocol. Traditionally, since DNS requests are sent off in plain text, IT administrators have been easily able to monitor their corporate networks for the domains being queried and block users from accessing malicious domains.

While this means DNS requests are less private, gathering intelligence down to the DNS level has always been a critical data source for supervising the security of a network.

DoH shifts privacy into new hands
Users might feel that they have more privacy when they know that their DNS requests are being encrypted via DoH whenever they are browsing in Chrome or Firefox. However, DoH is likely to be more of a double-edged sword – ISPs and IT administrators may not be able to see your domain requests, but DNS providers still can. In other words, the only “privacy” that DoH brings is in terms of shifting trust away from your ISP into the hands of your selected DNS provider, which in the case of Google, Firefox and others like BT, means trusting the largest technology firms in the game.

This is in part why DNS pioneer Dr. Paul Vixie commended Google for publishing the stable addresses for their DoH service. IT admins can easily block Google Chrome’s DoH service for their networks. In addition, Chrome users will retain the freedom of choice to select their own DNS provider, and not be compelled to use Google’s encrypted DNS service. For more information on Dr. Vixie’s views on the importance of operating one’s own local DNS resolution servers, you can read his Dark Reading article, “Benefits of DNS Service Locality.”