Today I noticed a tweet with a poll from Bert Hubert (PowerDNS, one of the mainstream DNS recursor/authoritative name server applications) stating that Mozilla is moving DNS to DNS over HTTPS (DoH) with help from its partner Cloudflare. This poses risks and opportunities for some.

You might ask:

  • So what? I don't understand what you are trying to tell me.
  • What is DNS?
  • DoH? Who came up with that acronym?
  • Enlighten me, what do you know from your short research into this topic?
  • What is in it for me?
  • When will this take effect?

OK, hold on, there are only so many questions one can handle. Let's circle back to what DNS does first.

What is DNS?

You want to visit a website about Homer: https://www.fox.com/the-simpsons/. As the internet is built around IP addresses rather than names, that name needs to be translated to reach the right server.

behind the scenes the following happens:

  • the browser asks your OS (its stub resolver) for the IP address of www.fox.com
  • the OS stub resolver looks in its local cache, does not find it, and asks the configured (recursive) resolver the same thing
  • the configured resolver looks in its cache, does not find it, and asks a root name server the same thing
  • the root name server responds with a referral: where to find the .com name servers
  • the configured resolver asks a .com name server where to find www.fox.com
  • the .com name server responds with a referral: where to find fox.com's authoritative name servers
  • the configured resolver asks a fox.com name server where to find www.fox.com
  • fox.com's authoritative name server responds with the answer: the IP address of www.fox.com
  • the configured resolver stores the answer in its cache (for the record's TTL) and returns the IP to your OS, which hands it to the browser
  • the browser sets up a TCP session towards the returned IP on port 443 (https) and starts negotiating a secure connection

So basically DNS is nothing but a means to find out at which IP address a website lives.

DoH? Who came up with that acronym?

Good question. It stands for DNS over HTTPS, DoH for short, although I find the resemblance to Homer's catchphrase striking. It does not solve a real problem imho; it creates a synthetic solution for a problem which will not go away, as I will describe below.

Enlighten me, what do you know from your short research into this topic?

This works today, so why change?

According to various sources, the issue being tackled is primarily driven by problems found in the US and other countries where no laws exist against tampering with and/or harvesting DNS requests to monetise this traffic. In these locations your DNS requests can add to someone's treasure chest: either a profile of you, built from the DNS requests you make, is sold, or content is injected into pages based on those requests.

Keeping your Privacy

Uhhh.. why is requesting an IP address privacy sensitive?
For example, you visit the following sites to find information on security: infosecurity, hackerspace, blackhat, ccc. Combining this information, you are now profiled as a hacker, and that profile can be sold to, for example, sites which sell lock-picking kits.

So who knows this information today?
Well, you are asking for the IP address of a website, so the website's name is known to the OS, the configured resolver(s), the networks the query traverses, the root name servers, the .com TLD name servers and fox.com's authoritative name servers. (The root and .com servers only learn the full name if the resolver sends it to them; a resolver doing QNAME minimisation, RFC 7816, asks the root for "com" and the .com servers for "fox.com" only.)

They all have the ability to track where your request for this website came from and to sell or use this data for user profiling and advertisement purposes. They could also be in a position to alter the response and redirect you to another location. A well known example of such a redirect is the corporate captive portal telling you that you are not allowed to visit XYZ as it is against company policy.
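
The walk-through above and the "who knows this information" question can be put side by side in a small simulation. The following is an added example, not code from the original post: it models a root server, the .com TLD servers, fox.com's authoritative servers and an ISP recursive resolver with constructed zone data and addresses (RFC 5737 documentation ranges), sends nothing on the network, and records per party which (address, name) pairs it got to see, once with the plain walk and once with QNAME minimisation (RFC 7816), which is what keeps the root and TLD servers from learning the full name.

```python
"""Offline simulation of the DNS walk described above, and of which party
gets to see the name being asked for. Added example, not code from the
original post: the zones, server labels, the resolver's and the client's
addresses (RFC 5737 documentation ranges) are constructed, and nothing is
sent on the network."""
from dataclasses import dataclass, field


@dataclass
class AuthServer:
    """One authoritative server: its zone apex, its records, and a log of
    (asking address, name asked), i.e. what this party learns."""
    name: str
    zone: str                                        # ".", "com.", "fox.com."
    a_records: dict = field(default_factory=dict)    # name -> IPv4
    delegations: dict = field(default_factory=dict)  # child zone -> AuthServer
    seen: list = field(default_factory=list)

    def query(self, asker, qname):
        self.seen.append((asker, qname))
        if qname in self.a_records:
            return "answer", self.a_records[qname]
        # Otherwise refer the asker to the longest delegated child zone
        # that qname falls under (the "where to find .com" step).
        for child in sorted(self.delegations, key=len, reverse=True):
            if qname == child or qname.endswith("." + child):
                return "referral", self.delegations[child]
        return "nodata", None


class RecursiveResolver:
    """The 'configured resolver' of the walk-through: answers from cache,
    otherwise walks root -> TLD -> zone. With qname_minimisation=True it
    sends each server only the labels it needs (RFC 7816)."""

    def __init__(self, name, ip, root, qname_minimisation=False):
        self.name, self.ip, self.root = name, ip, root
        self.minimise = qname_minimisation
        self.cache = {}
        self.seen = []      # (client address, name): the resolver sees both

    def _name_to_send(self, server, qname, extra):
        if not self.minimise:
            return qname
        labels = qname.rstrip(".").split(".")
        apex = 0 if server.zone == "." else server.zone.count(".")
        return ".".join(labels[-(apex + 1 + extra):]) + "."

    def resolve(self, client, qname):
        self.seen.append((client, qname))
        if qname in self.cache:
            return self.cache[qname]
        server, extra = self.root, 0
        for _ in range(16):                        # bound the walk
            sent = self._name_to_send(server, qname, extra)
            kind, data = server.query(self.ip, sent)   # they see OUR address
            if kind == "referral":
                server, extra = data, 0
            elif sent != qname:
                extra += 1    # minimised name got no referral: add a label
            elif kind == "answer":
                self.cache[qname] = data
                return data
            else:
                return None                        # no such name
        return None


def build_internet():
    fox = AuthServer("fox.com auth", "fox.com.",
                     a_records={"www.fox.com.": "192.0.2.10",
                                "cdn.static.fox.com.": "192.0.2.20"})
    com = AuthServer(".com TLD", "com.", delegations={"fox.com.": fox})
    root = AuthServer("root", ".", delegations={"com.": com})
    return root, com, fox


def walk(qname, qname_minimisation=False):
    """Resolve qname twice (second time from cache) and report, per party,
    the (address, name) pairs it observed."""
    root, com, fox = build_internet()
    resolver = RecursiveResolver("ISP resolver", "198.51.100.53", root,
                                 qname_minimisation)
    client = "203.0.113.7"                         # you, behind your ISP
    first = resolver.resolve(client, qname)
    second = resolver.resolve(client, qname)
    log = {p.name: list(p.seen) for p in (resolver, root, com, fox)}
    return first, second, log


if __name__ == "__main__":
    for minimise in (False, True):
        ip, _, log = walk("www.fox.com.", minimise)
        print(f"qname minimisation={minimise}: www.fox.com. -> {ip}")
        for party, seen in log.items():
            print(f"  {party:12} saw {seen}")
```

Running it shows the point of this section: the recursive resolver (your ISP's, your company's, or Cloudflare's once DoH is on) is the one party that sees both your address and the full name; the root and TLD operators see the resolver's address, and only see the full name when that resolver does not minimise; the second lookup never leaves the resolver's cache, so nobody upstream learns about it at all.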

So what parties are involved:

  • Your Browser vendor
  • Your OS vendor
  • Your Company
  • Your ISP
  • Transit and Peering providers
  • ISP which is hosting the website
  • The root name server operators (root zone coordinated by ICANN/IANA)
  • Verisign, the registry operator for .com

Who do you trust?

How much do you trust them with your request for this website's address?

Your browser's vendor

  • Chrome: according to its own privacy policy, https://www.google.com/chrome/privacy/, browsing information is kept locally, unless you sign in with a Google account, after which the websites you visit are sent to Google as part of sync.
  • Firefox aims to be a privacy driven browser; its policy is at https://www.mozilla.org/en-US/privacy/
  • Safari: its policy is at https://www.apple.com/legal/privacy/en-ww/
  • IE/Edge: https://privacy.microsoft.com/en-us/privacystatement

Your OS vendor

Nothing has changed (yet) on their end; you can bicker about open source versus closed OS software when it comes to being able to identify what is under the hood.

Your company’s DNS

Well, it is the company you work for. If you don't trust their network and resolvers, you might want to consider changing jobs.

Your ISP

This is where all the fuss is about currently. I can understand that trusting your ISP can be far-fetched in the US given some track records, and I do understand the need for a more secure structure.

Protection against Tampering / injecting content

Yes, some parties tamper with your requests in order to insert content into your web pages. This is mainly done in the US; the EU has a law against this practice, in the form of its net neutrality rules.

Protection from Blocking content / Pay-walling / Captive portals

As DNS is used to find where content lives, it can also be used to block that content by name, or to serve an alternative page instead.
Examples are the captive portals you find at restaurants, hotels, on trains etc. telling you that you should behave in order to use the free service offered.

As the DoH client still uses plain DNS to find the DoH server itself (Firefox resolves the DoH server's host name through the system resolver before it can send anything over DoH), this captive portal/pay-wall will still function as before. Blocking content by DNS name is only prevented once the pay-wall/captive portal has let you through. Bear in mind that the plain DNS lookup of the DoH server could still be tampered with and redirected to a look-alike server run by the very parties that are already trying to divert your traffic. What saves you there is not DNS but TLS: the browser validates the DoH server's certificate against the configured host name, so an impostor reached through a spoofed lookup fails the connection rather than silently receiving your queries, unless the interceptor also controls a CA your browser trusts, as corporate TLS-inspecting proxies do.
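
What a DoH request actually carries, and why the bootstrap caveat above exists, is easiest to see on the wire. The following is an added example, not Firefox's or Cloudflare's code: it builds the RFC 1035 query for www.fox.com, wraps it in the RFC 8484 GET form, extracts the one host name that still has to be resolved over plain DNS, and decodes a constructed reply. The endpoint URL is the Cloudflare resolver Firefox's TRR pointed at, used only as a string; nothing is sent.

```python
"""DNS over HTTPS (RFC 8484) on the wire: the same DNS message the stub
resolver would send to UDP port 53, carried in an HTTPS request. Added
example, not Firefox's or Cloudflare's code. The query name, the reply
bytes and the address are constructed; ENDPOINT is the Cloudflare resolver
Firefox's TRR pointed at, used here only as a string. Nothing is sent."""
import base64
import struct
from urllib.parse import urlsplit

ENDPOINT = "https://mozilla.cloudflare-dns.com/dns-query"

def encode_name(name):
    """Wire-format name: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def build_query(qname, qtype=1, txid=0):
    """RFC 1035 query: header with RD set, one question. RFC 8484 suggests
    transaction id 0 so identical queries give identical, cacheable requests."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)

def doh_get_url(endpoint, wire_query):
    """GET form of RFC 8484: base64url without padding in the dns= parameter."""
    b64 = base64.urlsafe_b64encode(wire_query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={b64}"

def decode_dns_param(value):
    """Server side of doh_get_url: restore the padding and decode."""
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))

def bootstrap_name(endpoint):
    """The one name that still has to be resolved over plain DNS before any
    DoH query can be sent, unless the resolver's IP is configured directly."""
    return urlsplit(endpoint).hostname

def decode_name(msg, off):
    """Read a name at offset off, following RFC 1035 compression pointers."""
    labels = []
    while True:
        length = msg[off]
        if length == 0:
            return ".".join(labels) + ".", off + 1
        if length & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr)
            return ".".join(labels + [tail.rstrip(".")]) + ".", off + 2
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length

def build_response(wire_query, ip, ttl):
    """Constructed reply in the shape a DoH server returns as an
    application/dns-message body: question echoed, one A record whose owner
    name is a pointer (0xC00C) back to the question name at offset 12."""
    header = wire_query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
    rdata = bytes(int(octet) for octet in ip.split("."))
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + wire_query[12:] + rr

def parse_a_answers(msg):
    """Return (question name, [IPv4, ...]) from a response message."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, qname, ips = 12, None, []
    for _ in range(qd):
        qname, off = decode_name(msg, off)
        off += 4                                  # skip qtype and qclass
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return qname, ips

if __name__ == "__main__":
    q = build_query("www.fox.com.")
    print("resolved over plain DNS first:", bootstrap_name(ENDPOINT))
    print("GET", doh_get_url(ENDPOINT, q))
    print("reply:", parse_a_answers(build_response(q, "192.0.2.10", 300)))
```

The dns= parameter, and with it the full query name, travels inside TLS, so an on-path ISP or captive portal only sees the TLS SNI of the DoH host. The bootstrap lookup of that host name is the one plain-DNS exposure left, and a spoofed answer to it leads to a server that cannot present a valid certificate for mozilla.cloudflare-dns.com unless the spoofer also controls a CA the browser trusts.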

What is in it for me?

Well, your DNS traffic will be redirected somewhere: to your company's DNS resolver, your ISP's resolver, open resolvers like Cloudflare/OpenDNS/Google, or over DNS over HTTPS towards Cloudflare/Google. Your threat prevention mechanisms may function worse after DoH is turned on by default, as some of them (DNS sinkholes, RPZ filtering, DNS based malware and phishing blocklists) rely on seeing and answering your plain DNS queries, which DoH routes around.

All of them will give you AN answer; whether it is the right one or not is a matter of who you trust.

For companies I would not rely on the default DoH settings, as it will also send internal DNS requests (names from your own split-horizon zones, which an external resolver cannot answer but does get to see) to a foreign party. I would recommend one of the following:

  • Reconfigure the browser through policy (for Firefox, set network.trr.mode to 5, "off by choice", as a locked preference)
  • Redirect these known URIs to your own DoH server (dnsdist from PowerDNS, for example; whether this gives more or less privacy is debatable and depends on scale)
  • Block these URIs on your network edge
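
For the second and third option you first need to see the DoH traffic. The following is an added example, not from the original post or from any product: a classifier over constructed proxy log lines that flags DoH going to anything but a sanctioned in-house server. doh.internal.example is hypothetical, and the endpoint list and log format are assumptions you would replace with your own.

```python
"""Spotting DoH use at the network edge, for the 'redirect' and 'block'
options above. Added example, not from the original post or any product:
the endpoint list, the proxy log format and the log lines are constructed
for the demonstration (doh.internal.example is a hypothetical in-house
DoH server; client and server addresses are RFC 1918/5737 ranges)."""
import re
from urllib.parse import parse_qs, urlsplit

# Hosts known to speak DoH. A list is never complete, so the rules below
# also look at the path, the query string and the media type.
KNOWN_DOH_HOSTS = {"mozilla.cloudflare-dns.com", "cloudflare-dns.com",
                   "dns.google.com", "doh.internal.example"}
SANCTIONED_DOH_HOSTS = {"doh.internal.example"}   # our own DoH front end

# Constructed format: timestamp client method url status content-type
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) "
                    r"(?P<url>\S+) (?P<status>\d{3}) (?P<ctype>\S+)$")

SAMPLE_LOG = [   # constructed lines
    "2018-10-23T09:00:01Z 10.1.2.3 CONNECT mozilla.cloudflare-dns.com:443 200 -",
    "2018-10-23T09:00:02Z 10.1.2.3 POST https://mozilla.cloudflare-dns.com/dns-query 200 application/dns-message",
    "2018-10-23T09:00:03Z 10.1.2.9 GET https://www.fox.com/the-simpsons/ 200 text/html",
    "2018-10-23T09:00:04Z 10.1.2.9 GET https://doh.internal.example/dns-query?dns=AAABAAABAAAAAAAAA3d3dwNmb3gDY29tAAABAAE 200 application/dns-message",
    "2018-10-23T09:00:05Z 10.1.2.5 POST https://203.0.113.80/dns-query 200 application/dns-message",
]


def classify(line):
    """Return (client, host, verdict), or None if the line does not parse.
    verdict: 'allow' (our DoH server), 'block' (DoH to someone else),
    'other' (not DoH as far as we can tell)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    if m["method"] == "CONNECT":        # TLS tunnel: only host:port visible
        host, path, query = m["url"].rsplit(":", 1)[0], "", {}
    else:
        u = urlsplit(m["url"])
        host, path, query = u.hostname, u.path, parse_qs(u.query)
    looks_like_doh = (host in KNOWN_DOH_HOSTS
                      or path.endswith("/dns-query")   # RFC 8484 convention
                      or "dns" in query                # RFC 8484 GET parameter
                      or m["ctype"] == "application/dns-message")
    if not looks_like_doh:
        verdict = "other"
    elif host in SANCTIONED_DOH_HOSTS:
        verdict = "allow"
    else:
        verdict = "block"
    return m["client"], host, verdict


def unsanctioned_doh(lines):
    """(client, host) pairs to redirect or block at the edge."""
    hits = []
    for line in lines:
        result = classify(line)
        if result and result[2] == "block":
            hits.append(result[:2])
    return hits


if __name__ == "__main__":
    for client, host in unsanctioned_doh(SAMPLE_LOG):
        print(f"{client} talks DoH to {host}")
```

Two things the sample shows. The last line is DoH to a bare IP address that no host list would catch, so match on the /dns-query path and the application/dns-message media type as well. And for CONNECT tunnels only host:port is visible, so without TLS inspection at the edge, host and SNI based blocking is all you can do there; the browser policy option above is what closes that gap.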

When will this take effect?

According to the release planning Firefox will lead the implementation and adoption of DoH. It is already available in their nightlies and is planned to go mainstream in release 63, which will be automatically deployed around 23-10-2018. No details yet on whether it will be turned on by default, but the tone has been set to do so, selecting a DoH server near you that Mozilla thinks is good for you.