07-bertola-The DoH Dilemma - DNS Symposium 2019 - ICANN


The DoH dilemma
Impacts of DNS-over-HTTPS on how the Internet works
Vittorio Bertola, DNS Symposium 2019

1. What does DoH do?

What is DoH?
- DNS-over-HTTPS (RFC 8484)
- New IETF standard by Web people (that also operate public resolvers)
- Transmits DNS queries to the resolver over an HTTPS connection (encrypted)
- Can be used by any HTTPS-speaking app, bypassing the OS and its settings
- Requires upgraded DNS / Web servers

Three main changes to resolution
1. The device-to-resolver connection is encrypted and hidden inside Web traffic
2. Each application can use a different resolver (DNS becomes an application-level service, not a network one)
3. Each application maker gains control of resolver choice and can hardwire a remote resolver list
Annotations on the slide: only #1 is in common with DNS-over-TLS; the slide groups the changes into protocol design choices and deployment and policy choices.
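As an added example (not code from the talk, nor from any browser or resolver project), this is what an HTTPS-speaking application does on its own to resolve a name over DoH: it builds the RFC 8484 GET form of a DNS query and parses the wire-format answer itself, never touching the OS stub resolver. The resolver URL https://doh.example/dns-query and the response bytes are constructed for illustration; nothing is sent over the network.

```python
import base64
import struct

# Added example: RFC 8484 GET form of a DoH query, built offline, plus a minimal
# parser for the answer. Resolver URL and response bytes are constructed.

def build_dns_query(name, qtype=1, qid=0):
    """Encode a one-question DNS query in RFC 1035 wire format.
    RFC 8484 recommends ID 0 so equal queries yield equal URLs (cacheable)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD flag set
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN

def doh_get_url(resolver_url, wire_query):
    """RFC 8484 GET: base64url(query) with '=' padding removed, in ?dns=."""
    token = base64.urlsafe_b64encode(wire_query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={token}"

def parse_a_answers(wire):
    """Return IPv4 addresses from the answer section of a DNS response."""
    qdcount, ancount = struct.unpack("!HH", wire[4:8])

    def skip_name(pos):  # plain labels or a 2-byte compression pointer
        while True:
            n = wire[pos]
            if n == 0:
                return pos + 1
            if n & 0xC0 == 0xC0:
                return pos + 2
            pos += n + 1

    pos = 12
    for _ in range(qdcount):
        pos = skip_name(pos) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        pos = skip_name(pos)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", wire[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in wire[pos:pos + 4]))
        pos += rdlen
    return addrs

def sample_response():
    """Constructed reply to the www.example.com query: one A record, 192.0.2.1."""
    head = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    rr = bytes.fromhex("c00c000100010000003c0004c0000201")  # name ptr to offset 12
    return head + build_dns_query("www.example.com")[12:] + rr
```

The URL produced for www.example.com is the one given as the GET example in RFC 8484, which is a useful check that the encoding is right.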

2. A note on terminology

A debate on words
Debate over which defining feature is the root of (most) issues, and how to name it:
- Unencrypted vs encrypted?
- Business model: ISP vs OTT?
- Concentrated vs distributed?
- «DNS-over-cloud»?
My choice is «local» vs «remote».

[Diagram: Local DNS resolution. Home LAN (Applications, OS, Stub resolver) → ISP (Resolver, «name server») → The Internet (Authoritative DNS server(s))]

Why «local»?
- The ISP's network is the first that you traverse to get to the Internet, no matter where you go
- The ISP is normally in the same country, usually in the same city
  - Same jurisdiction
  - Same language
  - Maybe they suck, but you know how to reach them

[Diagram: Remote DNS resolution. Home LAN (Applications, OS, Stub resolver) → ISP → The Internet (Resolver «name server», Authoritative DNS server(s))]

Why «remote»?
- It is topologically distant from you
  - Often in another country
- It is run by a third party
  - For free («public resolver»), e.g. …
  - Or as a paid premium service, e.g. Cisco Umbrella/OpenDNS

3. Consequences of DoH's deployment

#1 The device-to-resolver connection is encrypted and hidden inside Web traffic

[Diagram: Remote DNS resolution, intercepted. Home LAN (Applications, OS, Stub resolver) → ISP → The Internet (Resolver «name server», Authoritative DNS server(s))]

[Diagram: Local DNS resolution, not intercepted unless the ISP is hacked. Home LAN (Applications, OS, Stub resolver) → ISP (Resolver «name server») → The Internet (Authoritative DNS server(s))]

[Diagram: Remote DNS resolution, proxied by the ISP. Home LAN (Applications, OS, Stub resolver) → ISP (Transparent DNS proxy) → The Internet (Resolver «name server», Authoritative DNS server(s))]

Is this good or bad?
Good:
- If you use remote resolution and are attacked or tracked
- If you don't trust your ISP / it does bad things to you
Indifferent:
- If you use local resolution and are attacked or tracked, unless the attacker is on the ISP's network
Bad:
- If you trust your ISP / it does good things for you

It depends. But mostly good.

#2 Each application can use a different resolver (DNS becomes an application-level service, not a network one)

Is this good or bad?
Good:
- If the application maker is smarter than the user, and is honest
- If you don't trust your OS
- If the OS's DNS implementation is not good enough
Indifferent:
- If all DoH applications used the OS settings
Bad:
- If the application maker is smarter than the user, and is dishonest
- If the user is smarter than the application maker

Is this good or bad? (continued)
Bad:
- If the application doesn't let you configure the DoH server
- If the application maker's interests and the user's interests are opposite
- If the remote DoH server provided by the application maker fails
- If each application starts pointing you to different IPs for the same name
- If each application starts using its own (augmented) namespace

Bad. «Crossing the streams» bad!

#3 Each application maker gains control of resolver choice and can hardwire a remote resolver list

A consequence of deployment policies
[Slide shows Mozilla's announcement from May 2018]

[Slide shows Mozilla's resolver accreditation policy and Bromite's configuration screen]

The real change
Now (and for the last 20 years):
- Local resolution is the default
- You get the nearest resolver when you connect
- You can set your resolver once for all in your OS
In the DoH future:
- Remote resolution with multiple servers is the default
- You get the application maker's resolver when you install the app
- You have to set your resolver for every new application

What does this mean?

New gatekeepers: concentration
Now:
- DNS traffic is spread across hundreds of thousands of servers
- And they are everywhere across the world
- And you can easily pick the server you want
In the DoH future:
- Four browser makers that have 90% of the market control 90% of the world's Web traffic resolutions
- And they are all in the same country and jurisdiction
- How easily can you choose?

Privacy?
Now:
- Your queries can be sniffed
- You are covered by your own country's privacy, law enforcement and neutrality rules
- Your DNS is normally supplied by a company that does not live off targeted advertising
In the DoH future:
- Your queries cannot be sniffed
- Your DNS data will be subject to the resolver's privacy, law enforcement and neutrality rules
- Many of the likely DNS providers live off data monetization (and use cookies / fingerprinting)

Freedom from censorship?
Now:
- You get the DNS-based content filters mandated by the law of your country
In the DoH future:
- You get the DNS-based content filters mandated by the law of the remote resolver's country
- And your country may start mandating IP address filters as a response

Network neutrality?
Now:
- Your ISP may break network neutrality, unless there are laws to prevent this
In the DoH future:
- Your application maker or resolver operator may break network neutrality, unless there are laws to prevent this

Performance?
Now:
- The application has to wait for the OS
- Your local resolver is near, though it can be slow and unreliable
- Your local resolver gets the topologically better result from CDNs
In the DoH future:
- The application doesn't have to wait for the OS
- Your remote resolver is far, but it could still perform better
- Your remote resolver cannot get the topologically better result from CDNs unless it violates your privacy

Security?
Now:
- Your ISP can block botnets and malware with localized DNS filters
- Your ISP can detect network problems and infections via the DNS
- Your ISP can use split horizon, local names
In the DoH future:
- Will your remote resolver get real-time threat feeds for your country?
- Your ISP will be blind
- DoH can be used for data exfiltration
- Local names won't work any more

User empowerment?
Now:
- You can easily pick a different server
- You can get DNS-based services (parental control …) from whomever you want
- You can easily know where all your queries go
- Smarter users expect things to work this way
In the DoH future:
- You have to change the server in each app, and not all apps may let you
- All other DNS-based services stop working
- Your queries go wherever the app wants
- No one expects or understands the change

Privacy in transport ≠ privacy
Concentration → less user control → surveillance point
Changing the entity in charge ≠ more freedom

Is this good or bad?
Good:
- If you are a dissident without a clue
- If you trust Google/Apple/Mozilla/Cloudflare more than your ISP
- If you trust the U.S. government and laws more than yours
- If you don't care about centralization
Bad:
- If you are ok with your current resolver
- If you like to control DNS
- If you trust your own government and laws more than the U.S. ones
- If you trust your ISP more than Google etc.
- If you are worried about the centralization of the net

It depends. But mostly bad. Especially without appropriate policies.

4. The DoH dilemma(s)

Who should choose the device's resolver? The user? The ISP? The browser?

Who should be entitled to apply policies to your DNS? The government? The resolver? The network administrator?

Where should the issues be discussed? At IETF? At ICANN? By regulators?

Work to do
Technical:
- Discovery protocol
- Pending IETF drafts: server BCPs, client BCPs
- Missing pieces
- Monitoring and research
Policy / Community:
- Independent trusted resolver accreditation
- Deployment promotion and user education
- Ex post analysis on IETF enforcement mechanisms
- Content control responsibilities
- Service liabilities
EuroDIG workshop, June 20, The Hague

Thanks! Any questions?
You can find me m
Credits: Original presentation template by SlidesCarnival, modified by myself
License: This presentation is distributed under a Creative Commons Attribution (CC-BY) license
