DNS over HTTPS (DoH) – DNS Encryption Entering the Mainstream

With large-scale Internet companies currently implementing DNS over HTTPS (DoH), Klaus Landefeld, Vice-Chair of the eco Association, explains the significance of the move, and why network operators and ISPs should be working on implementation themselves.

DNS over HTTPS (DoH) deployment is growing, and now some big companies are implementing it into popular applications and services. What is DoH and what is it good for?

Klaus Landefeld: DNS over HTTPS is a protocol which uses the well-known and secure HTTPS protocol to encrypt DNS requests. Encrypting DNS through DoH offers an opportunity for users to protect their activities and intended communications in an untrusted environment, like a public Wi-Fi hotspot. When users are in a public hotspot, they generally don’t know anything about the network. It’s just an open environment that they are connecting to, to get Internet connectivity. And in these situations, the network is completely untrusted. You don’t know anything about it: Will there be a man-in-the-middle attack? Will they snoop on or store information you are transmitting over the network? The highest risk of exposing yourself is within this type of network.

DoH working in conjunction with other encrypted traffic offers a convenient way around this: By choosing a different DNS resolver, it ensures that your DNS information is encrypted as well. Therefore, on the question of whether it makes sense to use DoH versus the network-provided resolver, the biggest argument to use DoH would actually be in an untrusted environment, like a public network.
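To make concrete what "DNS over HTTPS" carries on the wire, here is an added example written for this article (it is not code from the eco discussion paper or from any of the vendors mentioned). It builds an ordinary DNS wire-format query, wraps it the two ways RFC 8484 allows (a base64url `dns=` GET parameter, or a POST body with `Content-Type: application/dns-message`), and parses a DNS answer back into IPv4 addresses. The resolver URL is a placeholder, and the answer bytes are a constructed sample rather than captured traffic, so the block runs offline; the GET URL it produces for `www.example.com` is the same encoding RFC 8484 uses in its own example.

```python
# Added example for this article (not from the eco paper or any vendor's code):
# building a DNS-over-HTTPS (RFC 8484) query and parsing a DNS wire-format answer.
# Runs offline: the response below is a constructed sample, not captured traffic.
import base64
import struct
import urllib.request

RESOLVER_URL = "https://doh.example.invalid/dns-query"  # placeholder (assumption)
TYPE_A = 1
CLASS_IN = 1


def build_dns_query(name: str, qtype: int = TYPE_A, txid: int = 0) -> bytes:
    """Classic DNS wire-format query. RFC 8484 uses ID 0 so identical queries
    from different clients look the same to an HTTP cache."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, CLASS_IN)


def doh_get_url(resolver_url: str, wire_query: bytes) -> str:
    """GET form: base64url without '=' padding in the 'dns' query parameter."""
    encoded = base64.urlsafe_b64encode(wire_query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={encoded}"


def doh_post_request(resolver_url: str, wire_query: bytes) -> urllib.request.Request:
    """POST form: the raw DNS message is the body, tagged with the DoH media type.
    Not sent in this demo; urllib.request.urlopen(req, timeout=5).read() would
    return a DNS message suitable for parse_a_records()."""
    return urllib.request.Request(
        resolver_url,
        data=wire_query,
        headers={"Content-Type": "application/dns-message",
                 "Accept": "application/dns-message"},
        method="POST",
    )


def _read_name(msg: bytes, offset: int):
    """Decode a possibly compressed DNS name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_a_records(msg: bytes) -> list:
    """Return the IPv4 addresses found in the answer section of a DNS response."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if (flags & 0x8000) == 0:
        raise ValueError("not a DNS response (QR bit clear)")
    if (flags & 0x000F) != 0:
        raise ValueError(f"resolver returned RCODE {flags & 0x000F}")
    offset = 12
    for _ in range(qdcount):          # skip the echoed question section
        _, offset = _read_name(msg, offset)
        offset += 4                   # QTYPE + QCLASS
    addresses = []
    for _ in range(ancount):
        _, offset = _read_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == TYPE_A and rclass == CLASS_IN and rdlen == 4:
            addresses.append(".".join(str(b) for b in rdata))
    return addresses


# Constructed sample answer: www.example.com A 192.0.2.1 (documentation address)
SAMPLE_RESPONSE = (
    bytes.fromhex("0000 8180 0001 0001 0000 0000")              # response, RCODE 0
    + build_dns_query("www.example.com")[12:]                    # echoed question
    + bytes.fromhex("c00c 0001 0001 0000012c 0004 c0000201")     # A RR, TTL 300
)

if __name__ == "__main__":
    query = build_dns_query("www.example.com")
    print(doh_get_url(RESOLVER_URL, query))
    print(parse_a_records(SAMPLE_RESPONSE))
```

Two things worth noticing from the code: the DNS payload is byte-for-byte the same message that would otherwise travel over UDP port 53, only now it sits inside a TLS session on port 443, so an operator cannot tell it apart from other HTTPS traffic by port alone; and the resolver is chosen by the URL the client is configured with, which is exactly the setting the rest of the interview argues should be governed at the system level rather than per application.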

So this is just a really good innovation? Or are there also downsides that users should know about?

Landefeld: While encrypting DNS does improve user privacy and security, DoH has raised a range of issues as well – like the circumventing of legally-binding blocking orders, or the potential for individual users to be tracked using web-tracking capabilities and device fingerprinting via the HTTPS protocol. It has led to a number of heated discussions in the technical community over the last 18 months.

One issue from my perspective is that in trusted network environments like a corporate network, individual DoH settings in a single application which then sends the DNS traffic to a separate external DNS provider are a cause for concern. A lot of these issues go away if you do this on the system level instead, because system policies are easier to handle and typically controlled by corporate IT.

The system policies on a corporate PC, for example, could prevent the user from using an external DoH provider and enforce use of the local company DNS while the user is in the corporate network. And I believe most competent administrators would actually go out and say: The moment the device is on the corporate network, we use our corporate resolver. However, the moment the device is on a public network, we want DoH, because that’s much more secure than having a public hotspot doing the resolution. The problem is that if DoH is implemented on the application level, the different configurations depending on where you are will not be used, and this will cause issues for network operators as well as corporate IT.

Where is DoH being used?

Landefeld: A number of the big Internet companies – like Apple, Mozilla, Microsoft, and Google – are in the process of implementing DoH into their services and applications. For example, it will be implemented in the forthcoming Apple iOS 14 and macOS 11 updates, and Google is in the process of rolling out DoH on Chrome for Android. So, the protocol is already starting to enter the mainstream. This means that DNS providers, network operators and Internet service providers should be encouraged to implement DoH resolvers as soon as possible. This way they can ensure that they can continue to be a part of the DNS value chain, and provide their customers with up-to-date, secure and high-performance Internet services while still being responsible for such activities as malware filtering and blocking orders.

eco has just published a discussion paper on DoH – who is it for and what does it contain?

Landefeld: The discussion paper was developed as a collaboration by members of the eco Association, representing all sectors from network infrastructure, Internet service providers (ISPs), content delivery networks (CDNs), service and application providers to cyber security and legal experts. They have taken the opportunity to make the most of this source of broad and diverse expertise to discuss the emerging use of the DNS over HTTPS (DoH) protocol and the impact of its implementation on different environments.

The paper provides background information and explanations for non-technical readers and policy-makers, and a clear set of recommendations for best practice in line with privacy-enhancing techniques and informed user consent. It is one of the few examples where a really diverse set of stakeholders from the DNS-provision value chain have come together and been able to collaborate constructively on a set of recommendations for implementation and deployment of DoH. Just bringing these people together to talk from the different sides of the debate demonstrates the value of the eco Association network.


Klaus Landefeld