Home / Blogs

DoH Might Not Be the Answer After All

DNS-over-HTTPs (DoH) has sometimes been regarded as the next big thing in web security. The system, it's been argued, can help to defeat many common types of cyberattack — and particularly DNS cache poisoning and MITM eavesdropping. Presumably, this is the reason that both Google and Mozilla implemented DoH in their browsers (Chrome and Firefox, respectively) at the end of last year.

In reality, though, it's far from clear that DoH is a solution to any real-world problem. As we've previously pointed out, in many ways DOH creates more problems than it solves. Because the system also collects DNS queries in one place — the records of your browser manufacturer — it also has also given rise to a significant level of controversy, as some feel that the move to DoH risks eroding the privacy of users even further.

In this article, we'll take you through a short history of DOH, and explain why this system might not be the solution we are looking for after all.

What is DoH?

The basic principle of DoH is easy enough to explain. It is essentially an adaptation of the DNS (Domain Name System), which converts domain names (like CircleID.com) to IP address (like 151.101.129.67). This system works via a domain name lookup table, which is typically held by an Internet Service Provider (ISP).

When users buy a domain name, this is linked to the IP address of their servers by the domain registrars, and this information is held in a DNS server. Whenever you type a domain name, your system asks this server for the IP address associated with it, and the DNS server sends this information.

DoH is different from standard DNS in a number of key ways. First, the communication between devices and DNS servers is encrypted. At the moment, though the majority of websites encrypt the information they exchange with your browser, the DNS request itself is not encrypted. This makes it quite easy for a hacker to see which websites you visit, even if they can't see what data you exchange with them.

Second, the encryption scheme used by DoH is HTTPS, which is the standard encryption method used for securing websites. This means that DNS traffic looks the same as normal web traffic, and makes it difficult for hackers to target DNS requests.

Thirdly, all of this encryption happens in your browser, rather than being handled by an external machine or device. Whilst Google and Mozilla claim that this makes DoH more secure than the typical DNS request, it also raises questions about what these companies are going to use this data for.

Privacy Concerns

In many ways, the move to DoH is a simple one. Before, more DNS queries weren't encrypted, and now they will be. That makes it more difficult for hackers (or anyone else) to see which sites you are visiting. Look a little deeper, however, and the picture is a bit more complex.

Because DoH shifts the job of encryption to browsers, it hides users' DNS queries from ISPs. Unfortunately, it doesn't hide this from the software company who made the browser, to begin with. In short, Google will still be able to see which websites you visit.

Given this, it seems strange that many companies are hyping DoH as a way of giving users greater privacy. It does no such thing. Rather, it merely hides information on your browsing habits from just one of the companies (your ISP) who wants access to it.

Ten years ago, this might not have been such a huge problem, because browsers were only used for a limited number of tasks. Today, however, the rise of cloud storage and SaaS businesses mean that browsers are now a central part of the workflow for almost every business. Most basic business services that are used to save or send sensitive information, such as cloud-based digital invoice or payment services, run on browsers.

Centralization and Competition

Why, then, are Google and Mozilla pushing DoH as the next advance in web technology?

Well, there is one clear reason — Google, in particular, makes money from collecting user data but has to compete with plenty of other companies for it. If they can limit access to DNS data for other companies (like ISPs), they gain a competitive edge.

Essentially, then, although the system hides your data from some companies, it doesn't hide it from everyone. While using a service such as a VPN hides your DNS queries from your ISP as well, your VPN company can still see your browsing history. And even if they claim that they will never track this, the sad history of VPN data leaks suggests that they do.

Data leaks of this kind also point to the largest problem with DoH: it centralizes data on browsing habits in one place, and also makes this more valuable by limiting the access of ISPs. As a result, the logs held by Firefox and Chrome are about to become a major target for data theft.

The Death of DNS?

The biggest outcome of DoH, however, might be the demise of DNS itself. Although DNS has long allowed users to configure the way that queries are handled and where they are sent to, most users — and even those who are concerned about their privacy — don't touch these controls. If DoH is used as standard on web browsers, then this history suggests that most users will begin to use DoH without realizing there is another system available.

That might not be a totally bad thing, of course. But like any new technology, DoH comes both with upsides — increased DNS encryption — and downsides — the centralization of DNS data by browser manufacturers. Because of this, we need to recalibrate the DOH debate : rather than seeing DoH as a "natural" progression, we need to think carefully about its privacy implications.

By Samuel Bocetta, Security Analyst and Consultant – A former defense contractor for the US Navy, Sam Bocetta turned to freelance journalism in retirement, focusing his writing on US diplomacy and national security, as well as technology trends in cyberwarfare, cyberdefense, and cryptography. Visit Page

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

VINTON CERF
Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Comments

 Be the first to post a comment!

Add Your Comments

 To post your comments, please login or create an account.

Related

Topics

Whois

Sponsored byWhoisXML API

Brand Protection

Sponsored byAppdetex

Cybercrime

Sponsored byThreat Intelligence Platform

DNS Security

Sponsored byAfilias

New TLDs

Sponsored byAfilias

Domain Names

Sponsored byVerisign

Cybersecurity

Sponsored byVerisign