Cologne 08.09.2020

DNS over HTTPS: eco Discussion Paper Makes Recommendations for More Security in Network Environments

  • DoH as defence against Man-in-the-Middle attacks
  • DoH improves the privacy and security of users
  • Networks implementing their own DoH resolvers can ensure the provision of up-to-date, secure and high-performance Internet services

Throughout the history of the Internet, traditional DNS traffic – for example, when a user types a website name into a browser – has largely been unencrypted. The DNS over HTTPS (DoH) protocol, which first emerged in 2018, makes use of the well-known secure HTTPS web protocol, and is a new approach to change that. At the latest with the forthcoming Apple iOS 14 and macOS 11 updates, the niche topic of Domain Name System (DNS) encryption will enter the mainstream. Both operating systems are to support DoH.

DoH as defence against Man-in-the-Middle attacks

One objective of the DoH protocol was to prevent the manipulation of DNS data for the malicious purposes of Man-in-the-Middle (MITM) attacks. In MITM attacks, the cyber-criminal “listens in” to the user’s DNS requests and can redirect the user to a different online destination – for example, a fake bank website instead of the real one the user wanted to go to. Encrypted DNS is the only realistic solution available today to combat such attacks.

Several large-scale Internet companies, including Apple, Mozilla, Microsoft, and Google, are in the process of planning or implementing DoH into their services and applications. While the encryption of DNS has the advantage of improving user privacy and security, a discussion has emerged around the DoH protocol on a range of issues – from the circumventing of legally-binding blocking orders, through to the potential for tracking the behaviour of individual users through web-tracking capabilities, and on to questions of informed consent and the data self-determination of the individual user – which need to be addressed in the implementation and deployment of services.

DoH can improve user security and privacy

Encryption advocate and Vice-Chair of the Board at eco – Association of the Internet Industry Klaus Landefeld sees both the challenges and opportunities of DoH: “Encrypting DNS through DoH offers an opportunity for users to protect their activities and communications in an untrusted environment, like a public Wi-Fi hotspot. However, in trusted network environments like a corporate network, DoH settings in an application which send the DNS traffic by default to a separate external DNS provider would be a cause for concern.” He goes on to say that users – and companies – need to be able to make an informed decision about where their DNS requests should be processed.

Recommendations for the implementation and operation of DoH

“With the growing interest in DoH, DNS providers, network operators and Internet service providers should be encouraged to implement DoH resolvers to ensure that they can provide their customers with up-to-date, secure and high performance Internet services, and still be responsible for such activities as malware filtering and blocking orders,” Landefeld continues.

To clarify some of the complexities – both legal and technical – and to provide recommendations for implementation and deployment of DoH, members of the eco Association have collaborated on producing a Discussion Paper on DNS over HTTPS. The paper provides background information and explanations for non-technical readers, and a clear set of recommendations for best practice in line with privacy-enhancing techniques and informed user consent.

Download the eco Discussion Paper DNS over HTTPS free of charge:

Protecting User Privacy Online: Who sees where you’re going online? 1