Domain Name Service over HTTPS (DOH): The good, the bad and the very bad.
Don’t get me wrong: the “classical” way of doing domain name services it complicated, relatively unsafe, outdated and it is time to think about something else. On the other hand: It has been proven to be robust, flexible, reliable and it plays well in all sorts of environments.
Not too long ago, someone came up with the idea of providing domain name resolution over HTTP. I think that’s a great idea. Install a sleek https/DNS old-to-new forwarder into your environment and all of your devices can happily continue to talk port 53/udp in your local network while the forwarder uses encrypted https communications to retrieve the remote data. Nothing needs to be changed, your internal addresses get resolved as before, even the DHCP doesn’t need a new configuration. More and more devices would switch over to DOH while honoring the system configuration and a few years down the road we would find the idea of pushing unencrypted UDP packets across the wires .. well .. ridiculous.
But it didn’t happen that way.
Browser manufacturers, Mozilla and Google being the first, decided that it was up to them to change the way we do domain name lookups. They simply ignore all system settings and forward all of the domain name requests to some company.
Does it matter to you as a home user?
You previously got your domain name resolution most likely from your ISP. In other words: Your Internet Service provider knows about every Internet domain you are visiting. Yes. Every domain. Yes, that includes “those” web-sites too. With DOH the data is not visible to your ISP. But it is visible to the domain name service you are connecting to. If you are using Mozilla Firefox, it’s Cloudflare. Google of course recommends Google’s own Public DNS. So Cloudflare or Google are now the parties who will learn all about all the sites you are visiting on the Internet. And your Internet Service Provider? They too will continue to know about the Internet addresses you are visiting. Because they still need to transport the data and in order to do so, they need the target’s IP address*. So – for the average home user, activating DOH is not really an advantage.
What if you run your own network?
If you run your own small family network or if you are responsible for a corporate network, the web-browsers will circumvent all your network settings, filter lists or your own name service entries. Your caching forwarder will die of boredom because the browsers simply ignore everything, even your hosts file. We had the case that a bigger company had their “internal.company.com” domain routed to a country specific address depending on the country the employee accessed it from. They did that with a simple configuration for their internal name server. But it failed and it drove the admins nuts until they finally discovered the DOH setting in their user’s browsers. They now had to manually disable DOH for over 100 Firefox browsers. They also had to block the IP numbers used for the Mozilla DOH in their firewalls because employees tried to turn DOH back on again in order to avoid company restrictions.
Where’s the beef?
The only advantage between the classical name server protocol and DOH is the fact that the data is encrypted. While this is most certainly a powerful argument, it doesn’t live up to it’s promise. First because it’s not that much of an issue if your ISPs name server is just a hop or two away. Second: It’s only encrypted while on route. The provider, may it be Cloudflare or Google, learns all about the sites you are visiting. And you are now giving two parties insights into your Internet connection habits. So there is no real privacy enhancement. And because the browsers do their own thing, you may run into all sorts of problems if you have your own name server environment.
And than there’s the international angle:
The suggested DOH providers are based in the U.S. This may or may not be good for you. If you are in North Korea (and have Internet access), DOH is a huge advantage. If you are in Germany and find your kid surfing right-wing hate groups because Cloudflare takes the American First Amendment very seriously, you may find that German law may not influence American corporations a lot. The U.S. Copyright runs for 90 years or more. Judges may order web-sites delisted because they feel those sites violates US law even thought they might be perfectly legal in the country of question. Most countries have a much more sane copyright. Should all users in the world be subjected to American law? You decide.
The principle idea of DOH holds a lot of promise if it is implemented in a respectful and cooperative way. The browser people are trying to bully us into their way of thinking. They disrespect our configurations, environments and settings and want to forward our sensitive data to some data center we have no relations with, we don’t know, have no contract, no service agreement and no way of contacting. It may not even be subject to our national laws. And there’s no real advantage as our Internet Service Providers continue to know what and whom we are visiting on the Internet.
So – I am asking: Why do they do that?
Your answer is as good as mine.
* Yes – a number of different domains may share a single IP address. And the ISPs will not know exactly which host has been visited. But the majority of medium and larger web sites have their own IP – numbers and are thus easily identified with just the IP address. With the continued growth of IPv6 even smaller web-sites will have their very own IP address rendering that little advantage useless.
Michaela Merz is an entrepreneur and first generation hacker. Her career started even before the Internet was available. She invented and developed a number of technologies now considered to be standard in modern web-environments. Among other things, she developed, founded, managed and sold Germany’s third largest Internet Online Service “germany.net” . She is very much active in the Internet business and enjoys “hacking” modern technologies like block chain, IoT and mobile-, voice- and web-based services.
One thought on “Domain Name Service over HTTPS (DOH): The good, the bad and the very bad.”
Thank you for this. I think I heard about it in passing, but didn’t understand it at all, and never really looked into it. For now, I want it disabled, so did so on Firefox (“network.trr.mode”, 5) and Basilisk (even though it isn’t functional on Basilisk yet.)