US Provider Associations opposed centralization in the implementation of DNS-over-HTTPS

The trade associations NCTA, CTIA and USTelecom, which represent the interests of Internet providers, have appealed to the US Congress asking it to look into the problem of the introduction of DNS over HTTPS (DoH), to request from Google detailed information about its current and future plans to enable DoH in its products, and to obtain a commitment not to enable centralized processing of DNS requests by default in Chrome and Android without a prior full discussion with other members of the ecosystem and without taking possible negative consequences into account.

While acknowledging the overall benefit of encrypting DNS traffic, the associations consider it unacceptable to concentrate control over name resolution in a single party's hands and to tie this mechanism by default to centralized DNS services. In particular, they argue that Google is moving towards enabling DoH by default in Android and Chrome, which, if tied to Google's servers, would break the decentralized nature of the DNS infrastructure and create a single point of failure.

Since Chrome and Android dominate the market, if they impose their own DoH servers, Google would be able to control the majority of users' DNS query flows. Besides reducing the reliability of the infrastructure, such a move would also give Google an unfair advantage over competitors, since the company would obtain additional information about user actions that could be used to track user activity and select relevant advertising.

DoH can also disrupt areas such as parental control systems, access to internal namespaces in enterprise networks, routing in content delivery optimization systems, and compliance with court orders against the distribution of illegal content and the exploitation of minors. DNS spoofing is also often used to redirect users to a page informing a subscriber that their account balance has run out, or to a login page for a wireless network.

Google has stated that the fears are unfounded, since it does not intend to enable DoH by default in Chrome and Android. In Chrome 78, DoH is planned to be enabled experimentally by default only for users whose settings specify DNS providers that offer DoH as an alternative to traditional DNS. For those using local ISP-provided DNS servers, DNS queries will continue to be sent through the system resolver. In other words, Google's actions are limited to replacing the current provider's service with that provider's equivalent DoH service in order to switch to a secure way of working with DNS. Experimental enabling of DoH is also planned for Firefox, but unlike Google, Mozilla intends to use Cloudflare as the default DNS server. This approach has already drawn criticism from the OpenBSD project.

Recall that DoH can be useful for preventing leaks of information about requested host names through providers' DNS servers, for countering MITM attacks and DNS traffic spoofing (for example, when connecting to public Wi-Fi), for circumventing blocking at the DNS level (DoH cannot replace a VPN when it comes to bypassing blocking implemented at the DPI level), or for getting things working when DNS servers cannot be accessed directly (for example, when working through a proxy).

In the normal case DNS requests are sent directly to the DNS servers defined in the system configuration, whereas with DoH the request to determine a host's IP address is encapsulated in HTTPS traffic and sent to an HTTP server, where the resolver processes requests via a Web API. The existing DNSSEC standard uses encryption only to authenticate the client and server, but does not protect traffic from interception and does not guarantee the confidentiality of requests. Currently about 30 public DNS servers support DoH.

Source: opennet.ru
