Likes and Dislikes: DNS over HTTPS

We look at the arguments for and against DNS over HTTPS, a protocol that has recently become a "bone of contention" between Internet providers and browser developers.


The essence of the disagreement

Lately the major media and thematic platforms (including Habr) have been writing a lot about the DNS over HTTPS (DoH) protocol. It encrypts DNS queries and responses, which hides the hostnames a user resolves from anyone watching the network path. Judging by the publications, the new protocol (the IETF standardized it in 2018 as RFC 8484) has split the IT community into two camps.

One side believes the new protocol will make the Internet more secure and is already implementing it in applications and services. The other side is convinced that the technology only complicates the work of system administrators. Let's take a look at the arguments on both sides.

How DoH Works

Before moving on to discuss why ISPs and other market participants are either for or against DNS over HTTPS, let's take a quick look at how it works.

With DoH, the DNS query that resolves a name to an IP address is carried inside an HTTPS request. The request goes to a DoH server, which answers it over the same HTTPS connection. The DNS message is sent either as the body of a POST or, as here, as a base64url-encoded `dns` query parameter of a GET. This is the example request from RFC 8484 (section 4.1.1); the encoded message is an A query for a.62characterlabel-makes-base64url-distinct-from-standard-base64.example.com:

   :method = GET
   :scheme = https
   :authority = dnsserver.example.net
   :path = /dns-query?
           dns=AAABAAABAAAAAAAAAWE-NjJjaGFyYWN0ZXJsYWJl
           bC1tYWtlcy1iYXNlNjR1cmwtZGlzdGluY3QtZnJvbS1z
           dGFuZGFyZC1iYXNlNjQHZXhhbXBsZQNjb20AAAEAAQ
   accept = application/dns-message

So DNS traffic is hidden inside ordinary HTTPS traffic. The client and server talk on the standard port 443, so to an observer on the path the queries are indistinguishable from the rest of the web traffic. Note that this is confidentiality from on-path observers, not anonymity: the DoH resolver itself still sees every query, so the choice of resolver is what decides who learns your browsing history.

Why it is not welcomed

Opponents of DNS over HTTPS say that the new protocol will reduce the security of connections. According to Paul Vixie, one of the original developers of the DNS, it will make it harder for sysadmins to block potentially malicious sites, because filtering that relies on inspecting or answering plain DNS queries no longer sees them. Ordinary users will likewise lose the ability to set up DNS-based parental controls that work regardless of the browser.

Paul's opinion is shared by UK ISPs. National legislation obliges them to block resources with prohibited content, and DoH support in browsers complicates that filtering. Critics of the new protocol also include GCHQ (the UK's Government Communications Headquarters) and the Internet Watch Foundation (IWF), which maintains a list of blocked resources.


Experts also note that DNS over HTTPS can become a cybersecurity threat in its own right. At the beginning of July, researchers from Netlab found the first malware that used the new protocol: Godlua, a backdoor that carries out DDoS attacks. The malware made DoH queries for TXT records and extracted the URLs of its command and control servers from them.

Because the DoH queries were encrypted, security tools that rely on watching plain DNS traffic did not see them. Researchers fear that Godlua will be followed by other malware that is invisible to passive DNS monitoring.

But not everyone is against it

APNIC engineer Geoff Huston defended DNS over HTTPS on his blog. In his view, the new protocol will help fight DNS hijacking attacks, which have become increasingly common lately, a trend confirmed by the January report of the information security company FireEye. Large IT companies have also backed the development of the protocol.

Google began testing DoH at the beginning of last year, and a month ago the company announced the general availability of its DoH service. Google hopes that it will improve the privacy of users' data on the network and protect against MITM attacks on DNS.

Another browser developer, Mozilla, has supported DNS over HTTPS since last summer and is actively promoting the new technology in the IT community. For this, the Internet Services Providers' Association (ISPA) even nominated Mozilla for Internet Villain of the Year. In response, representatives of the company said they were disappointed by the unwillingness of telecom operators to improve the outdated Internet infrastructure.


Major media outlets and some Internet providers spoke up in support of Mozilla. In particular, British Telecom believes that the new protocol will not affect content filtering and will improve the safety of UK users. Under public pressure, ISPA had to withdraw the "villain" nomination.

Cloud providers such as Cloudflare have also advocated the adoption of DNS over HTTPS and already offer public resolvers that speak the new protocol. A list of DoH-enabled browsers and clients is maintained on GitHub.

In any case, it is too early to talk about the end of the confrontation between the two camps. IT professionals predict that if DNS over HTTPS is to become part of the mainstream Internet technology stack, it will take more than a decade.


Source: habr.com
