Practical Impact of DNS Over HTTPS (DoH)

The tech news has been abuzz recently regarding DNS over HTTPS, or DoH for short. Some articles portray it as the savior of personal privacy and security. Others paint a grim picture of DoH destroying all protections and any ability to police the internet. The reality is of course a little of both.


Primer: DNS is the system which translates an internet server name, such as myspecificbank.com, to a numeric address that can be found on the internet, which looks something like 242.253.1.59. Today those requests, and the answers to them, travel unencrypted (normally over UDP port 53), so anyone on the path between you and your DNS server can read them, use them to target attacks, or forge the answer to redirect you elsewhere. HTTPS is the encrypted protocol your web browser uses to fetch web pages; it is locked from prying eyes. The idea of DoH (standardized as RFC 8484) is to carry DNS requests and answers inside HTTPS requests so they get the same protection.


DoH will improve privacy by hiding the names of the sites you visit from everyone on the network path: your ISP, the coffee-shop Wi-Fi, a compromised home router. Note that the DoH resolver itself still sees every name you look up, so DoH moves that visibility from your network path to whichever resolver operator the browser is pointed at. It can also improve security by making it much harder for someone on the path to feed you a fake server address and redirect you to a hacker site that steals your data. (It protects the exchange in transit; it does not by itself prove that the answer is genuine, which is what DNSSEC is for.) These are both welcome and long-awaited improvements. However, there are limitations and downsides.


Limited Implementation


The initial DoH implementations announced to date are in web browsers (Chrome & Firefox). Android 9 added a related system-wide feature, "Private DNS", but it uses the sibling protocol DNS over TLS (DoT) rather than DoH. Any DNS request made by any application other than your web browser, or outside a DoT-enabled Android phone, will still use old-school DNS. It's unclear if or when Microsoft and Apple will implement DoH at the operating-system level. If you are really concerned about privacy you can install a DoH proxy (such as dnscrypt-proxy or cloudflared) on your PC or Mac and point the system resolver at it. But as long as your router, which is usually the de-facto DNS server for everything in the house, still uses old-school DNS, any other devices you have won't have their DNS requests kept private.


Speed of Implementation


These days, most internet traffic is web browsing. Google Chrome and Mozilla Firefox browsers are used for over 75% of all web surfing worldwide. By using the web browser to make DNS requests private, these two companies hold the power to effect this change very quickly. They are planning just that. DoH already works in both Chrome and Firefox; it's just not enabled by default. Mozilla could make DoH the default behavior in Firefox as early as summer 2019. This fast-track has those who spy on you for a living up in arms, that is, governments and internet providers who mine this data or use it to control what you see. (Hint: they won't be able to read your DNS anymore, though they will still see the addresses you connect to and, until encrypted SNI ships, the server name in the TLS handshake.)


Neutered Firewalls


Both home and business networks usually have some sort of firewall. It may be anything from as simple as the box your internet provider gave you to as complex as a custom-managed and monitored enterprise firewall. In either case, the odds are that at least some part of that firewall expects to be able to see all DNS requests, if not answer them directly. Nearly every network connection begins with a DNS request, so firewalls often take advantage of that to block sites. For example, a simple vendor-provided parental control feature may merely block the DNS requests for sites on a list deemed unsuitable for children, thus rendering those sites inaccessible (to the average user).

When DoH is in use, the firewall never sees the DNS requests and gets no opportunity to apply its name-based restriction rules. The end result is that if DoH is enabled before your firewall is modified to no longer depend on DNS requests, the firewall may be rendered mostly moot. Kids will be surfing porn and employees wasting hours on social media. Not all firewall features depend on DNS: rules on destination IP addresses and ports still work, and a firewall can block the DoH resolvers it knows about (by their IP addresses or the TLS server name) so that the browser falls back to regular DNS. But a surprising number of features may depend on it. The trick is that we don't fully know yet, and your firewall vendor likely doesn't know the extent of this issue yet either.
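To make both the primer and this section concrete, here is an added example (my code, not code from the original post) that builds the DNS question for myspecificbank.com in wire format, shows the same question wrapped in an RFC 8484 DoH GET request, and runs both forms through a toy name-based firewall rule of the kind described above, followed by the interim fix of refusing TLS to known DoH resolvers. The resolver hostname doh.example-resolver.test, the block list, the addresses and the packet dictionaries are all constructed inputs.

```python
"""Added example, not code from the original post: one DNS question as a
classic UDP/53 packet and as an RFC 8484 DoH GET request, seen through a
toy name-based firewall rule. Hostnames, addresses and packets are constructed."""
import base64
import struct

# Constructed block list standing in for the vendor's "unsuitable for children" list.
BLOCKLIST = {"adult-example.test", "timewaster-example.test"}


def build_dns_query(name, qtype=1, txid=0):
    """Build a minimal RFC 1035 query: 12-byte header (RD set, one question),
    then the QNAME as length-prefixed labels, then QTYPE and QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_qname(msg):
    """Read the question name back out of a DNS message. This is exactly what a
    DNS-inspecting firewall does with a cleartext UDP/53 packet."""
    labels, pos = [], 12  # the question section starts right after the header
    while True:
        length = msg[pos]
        if length == 0:
            return ".".join(labels)
        if length & 0xC0:
            raise ValueError("compression pointers do not occur in a query's question")
        pos += 1
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length


def doh_get_url(resolver_host, query):
    """Wrap the wire-format query in a DoH GET request: the message is base64url
    encoded with the '=' padding removed and sent as the 'dns' parameter (RFC 8484)."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return "https://%s/dns-query?dns=%s" % (resolver_host, encoded)


def plain_dns_packet(name):
    """What the firewall sees for classic DNS: cleartext UDP to port 53, question readable."""
    return {"proto": "udp", "dport": 53, "dst": "192.0.2.53", "payload": build_dns_query(name)}


def doh_packet(resolver_host, name):
    """What the firewall sees for DoH: a TLS connection to port 443. The URL from
    doh_get_url() is inside the encrypted payload; only the destination address
    and the TLS server name (SNI) are visible on the wire."""
    return {"proto": "tcp", "dport": 443, "dst": "192.0.2.80", "sni": resolver_host,
            "payload": b"<encrypted TLS records carrying " + name.encode("ascii") + b">"}


def name_filter(packet):
    """The classic parental-control rule: inspect UDP/53 questions and drop listed
    names and their subdomains. Everything else passes without inspection."""
    if packet["proto"] == "udp" and packet["dport"] == 53:
        name = parse_qname(packet["payload"]).lower()
        if any(name == blocked or name.endswith("." + blocked) for blocked in BLOCKLIST):
            return "BLOCK"
    return "ALLOW"  # includes HTTPS on 443, so a DoH query sails straight through


def doh_endpoint_filter(packet, known_doh_resolvers):
    """Interim fix for such a firewall: refuse TLS to the DoH resolvers you know about
    (matched here on SNI) so the browser falls back to the network's own DNS,
    where name_filter applies again."""
    if packet["proto"] == "tcp" and packet["dport"] == 443 and packet.get("sni") in known_doh_resolvers:
        return "BLOCK"
    return name_filter(packet)
```

The endpoint rule is a blunt instrument: it only covers resolvers you have enumerated, it needs the resolver to have a distinguishable address or server name, and it breaks if the browser vendor changes providers. (Mozilla later documented a canary domain, use-application-dns.net, which a network's resolver can answer with NXDOMAIN to ask Firefox not to enable DoH by default.)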


Private and Split-horizon Domains


In business, it is common for internal servers to be part of a private DNS domain, for example files.corp.abcwidgets.com. Such a domain is unresolvable by an external DNS server; the names only work inside the company firewall, against the company's own resolvers. The trick is that the planned browser DoH implementations send requests to external DNS servers, which have never heard of those names. Companies with private DNS configurations will need to either prevent DoH from being enabled in their employee browsers (Firefox exposes this as a lockable enterprise policy, DNSOverHTTPS, which is a far better option than stopping browser updates), or put a DoH front-end in front of their internal DNS servers and make sure the browser's Trusted Recursive Resolver (TRR) setting points at it.
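As an added illustration of the second option (my code, not the post's or any vendor's), here is a minimal RFC 8484 DoH front-end that decodes the browser's GET or POST request and relays the raw DNS message to an existing internal resolver over plain UDP/53, so that private names such as files.corp.abcwidgets.com keep resolving for a DoH-enabled browser. The internal resolver address 10.0.0.53, the certificate paths and the listening port are assumptions for illustration.

```python
"""Added example, not from the original post or any vendor: a minimal RFC 8484
DoH front-end for an existing internal resolver. Addresses and paths are assumed."""
import base64
import socket
import ssl
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

DNS_MESSAGE = "application/dns-message"
INTERNAL_RESOLVER = ("10.0.0.53", 53)  # assumed: the company's existing plain-DNS resolver


def decode_dns_param(value):
    """Decode the base64url 'dns' query parameter. RFC 8484 omits the '=' padding,
    so it is restored before decoding."""
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))


def forward_udp(query, resolver=INTERNAL_RESOLVER, timeout=2.0):
    """Relay the raw DNS message to the internal resolver over UDP/53 and return its answer."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, resolver)
        answer, _ = s.recvfrom(4096)
    return answer


def handle_doh(method, path, headers, body, forward=forward_udp):
    """Protocol logic kept free of network I/O so it can be tested in isolation.
    Returns (status, content_type, response_body)."""
    if method == "GET":
        params = parse_qs(urlparse(path).query)
        if "dns" not in params:
            return 400, "text/plain", b"missing dns parameter"
        try:
            query = decode_dns_param(params["dns"][0])
        except ValueError:  # binascii.Error is a subclass of ValueError
            return 400, "text/plain", b"dns parameter is not valid base64url"
    elif method == "POST":
        if headers.get("Content-Type") != DNS_MESSAGE:
            return 415, "text/plain", b"expected " + DNS_MESSAGE.encode("ascii")
        query = body
    else:
        return 405, "text/plain", b"use GET or POST"
    if len(query) < 12:  # anything shorter than a DNS header cannot be a query
        return 400, "text/plain", b"malformed DNS message"
    try:
        answer = forward(query)
    except OSError:  # covers socket timeouts and unreachable resolvers
        return 502, "text/plain", b"internal resolver did not answer"
    return 200, DNS_MESSAGE, answer


class DoHHandler(BaseHTTPRequestHandler):
    def _respond(self, result):
        status, content_type, payload = result
        self.send_response(status)
        self.send_header("Content-Type", content_type)
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def do_GET(self):
        self._respond(handle_doh("GET", self.path, self.headers, b""))

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        self._respond(handle_doh("POST", self.path, self.headers, self.rfile.read(length)))


def serve(certfile, keyfile, listen=("0.0.0.0", 443)):
    """DoH means DNS over HTTPS, so terminate TLS with a certificate the employee
    browsers trust (assumed here to be issued by the company's internal CA)."""
    httpd = HTTPServer(listen, DoHHandler)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile, keyfile)
    httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
    httpd.serve_forever()


if __name__ == "__main__":
    serve("/etc/doh/server.crt", "/etc/doh/server.key")  # assumed paths
```

Firefox is pointed at such an endpoint through the network.trr.uri preference or the ProviderURL field of the DNSOverHTTPS enterprise policy (for example https://doh.corp.abcwidgets.com/dns-query, a hostname assumed here). A production deployment would add the Cache-Control header derived from the answer's TTL that RFC 8484 describes, and HTTP/2; the request handling above is what the browser needs to get an answer.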


Summary


The DoH standard is still quite young (it was published as RFC 8484 in October 2018). But that is apparently not slowing down Google and Mozilla, who seem eager to ensure our privacy in this way. Due to the fast-track path of these power players, home and business users may be caught unaware and unprepared. It may be necessary to delay the adoption of DoH for some users and businesses, by disabling it in the browser, to ensure network controls continue to work until firewalls can be modified or upgraded. Interestingly, DoH has no impact on domain name DNS hosting: it changes how the client talks to its resolver, not how the resolver talks to your domain's authoritative servers. If you own a domain name, there is nothing that needs to be done when DoH is flipped on.


At this time, Google and Mozilla look like they have the upper hand, and DoH will move forward. Given that DoH pokes the (non-) Net Neutrality bears and the laws ensuring governments’ ability to surveil, it’s possible that a clash of the Titans could ensue in the courts.