January 2, 2020

Encrypted DNS

This is a bunch of notes taken from “DNS over HTTPS considerations” by Bert Hubert.

It’s an amazing talk and I recommend watching it. It covers the history of DNS security, privacy considerations, state-of-the-art and what awaits us in the future.


DNS is one of the oldest text protocols that is still widely used. Almost everything else has been encrypted already.

There have been four tries to encrypt DNS:

None of them got traction for various reasons. But recently there has been a push to improve users' privacy.


You can use HTTPS and nobody will know what you are looking at, but the site you are using will be known because DNS is unencrypted. It’s similar to phone calls. You can encrypt the audio, but your operator will still know who you are talking to. And that can be enough to lose your privacy.

DNS is not the only thing that leaks data about what site you are using. There are more leak vectors.

Metadata privacy leaks:

  • HTTP attempts
  • DNS lookups
  • (e)SNI
  • OCSP
  • IP address

HTTP attempts. Often you first go to the unsecured plain-text site and are then redirected to the secure one. But by then the site you are going to has already been leaked.

DNS lookups. If your DNS lookups are not encrypted, you leak names of sites you are going to.

(e)SNI. One IP address can host several HTTPS sites, and the way to tell the server which site you want is SNI, which is not encrypted.

OCSP. Browsers must check whether an HTTPS certificate is valid or not, and they use OCSP for that, and, guess what, OCSP is not encrypted.

IP address. One IP address can host thousands of sites, but in practice it’s often easy to map an IP address to the site name.
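To make the DNS and SNI leaks concrete, here is an added example (not from the talk or the original post) that parses what a passive on-path observer sees in the clear: the question name of a plain DNS query and the server_name extension of a TLS ClientHello. The DNS packet and the ClientHello are constructed inline; the ClientHello builder exists only to produce sample input, and the observer side is the two parsers.

```python
import struct
from typing import Optional

# Constructed sample: a plain-UDP DNS query for "example.com" (A record).
# Header: id=0x1234, flags=0x0100 (recursion desired), one question.
DNS_QUERY = bytes.fromhex(
    "1234" "0100" "0001" "0000" "0000" "0000"
    "076578616d706c6503636f6d00"   # 7"example" 3"com" 0
    "0001" "0001"                   # QTYPE=A, QCLASS=IN
)


def dns_qname(packet: bytes) -> str:
    """Return the first question name from a DNS packet, exactly as sent on the wire."""
    pos = 12                        # skip the fixed 12-byte header
    labels = []
    while True:
        length = packet[pos]
        if length == 0:
            break
        if length & 0xC0:           # compression pointers do not appear in question names
            raise ValueError("compression pointer in question name")
        pos += 1
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Constructed TLS ClientHello record (one cipher suite, zero random), with optional SNI."""
    exts = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name       # name_type=host_name
        sn_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0x0000, len(sn_list)) + sn_list  # extension type 0 = server_name
    body = (
        b"\x03\x03" + bytes(32)                 # client_version, random (zeros in this sample)
        + b"\x00"                               # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"    # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                           # compression_methods: null
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the cleartext SNI host name from a ClientHello record, or None if absent."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 5 + 4                     # record header (5) + handshake header (4)
    pos += 2 + 32                   # client_version + random
    pos += 1 + record[pos]          # session_id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]   # cipher_suites
    pos += 1 + record[pos]          # compression_methods
    if pos >= len(record):
        return None                 # no extensions block at all
    ext_total = struct.unpack_from("!H", record, pos)[0]
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", record, pos)
        pos += 4
        if ext_type == 0x0000:
            p = pos + 2             # skip server_name_list length
            name_type = record[p]
            name_len = struct.unpack_from("!H", record, p + 1)[0]
            if name_type == 0:
                return record[p + 3:p + 3 + name_len].decode("ascii")
        pos += ext_len
    return None


if __name__ == "__main__":
    print("DNS question name:", dns_qname(DNS_QUERY))
    print("TLS SNI:", extract_sni(build_client_hello("example.com")))
    print("TLS without SNI:", extract_sni(build_client_hello(None)))
```

Both parsers work on the raw bytes with no keys involved, which is the whole point: encrypting the HTTP payload does nothing for these two fields. The same approach is what network monitoring tools use to log visited host names from traffic captures.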


You can set up a tunnel to someone you trust. But then they will know all of this.


Browsers want to stop using user’s DNS servers and use Google’s or Cloudflare’s DNS servers over HTTPS to ensure that requests are private. Sometimes they call this DNS over Cloud.

Things that can break:

  • Security filtering. Some filters block ads or other bad sites based on DNS names. They will stop working.
  • Security monitoring. Pretty much the same thing, but done for visibility, in a corporate environment for example.
  • CDN performance. It would be harder to send your request to your nearest servers for speed improvement.
  • Split horizon/VPN. If you are using VPN to tunnel into the private network then DNS requests for your private sites will go to Google or Cloudflare and they would learn about the names of your private sites.
  • Your privacy. Non-Americans have no privacy expectations according to FISA 702 law. And both Google and Cloudflare are US companies.
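An added example (not from the talk or the original post) of what "DNS over HTTPS" looks like on the wire and of the split-horizon problem above. It builds a wire-format DNS query, encodes it into the RFC 8484 GET form (`?dns=` with unpadded base64url), and applies a simple stub-resolver policy that keeps internal names on the VPN resolver instead of sending them to a cloud DoH server. The resolver URL `https://doh.example/dns-query` and the internal suffix list are placeholders.

```python
import base64
import struct
from typing import Tuple

# Placeholder DoH endpoint; a real deployment would use its provider's URL template.
DOH_TEMPLATE = "https://doh.example/dns-query"

# Constructed list of zones that only exist behind the VPN (split horizon).
INTERNAL_SUFFIXES = ("corp.example.internal", "10.in-addr.arpa")


def build_dns_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Wire-format DNS query (RFC 1035). RFC 8484 recommends txid 0 for DoH so that
    identical queries are identical bytes and HTTP caches can match them."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags 0x0100 = RD
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)          # QCLASS=IN


def doh_get_url(query: bytes, template: str = DOH_TEMPLATE) -> str:
    """RFC 8484 GET form: the wire query, base64url-encoded with '=' padding removed."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{template}?dns={encoded}"


def doh_post_request(query: bytes) -> Tuple[dict, bytes]:
    """RFC 8484 POST form: the raw wire query as the body with the DoH media type."""
    headers = {
        "Content-Type": "application/dns-message",
        "Accept": "application/dns-message",
    }
    return headers, query


def choose_resolver(name: str, on_vpn: bool) -> str:
    """Split-horizon policy: internal names stay on the VPN resolver while the VPN is up;
    everything else goes to the DoH resolver. Without this, the names of private sites
    leave the network inside the DoH request."""
    n = name.rstrip(".").lower()
    if on_vpn and any(n == s or n.endswith("." + s) for s in INTERNAL_SUFFIXES):
        return "vpn"
    return "doh"


if __name__ == "__main__":
    q = build_dns_query("www.example.com")
    print(doh_get_url(q))
    print(doh_post_request(q)[0])
    for host in ("www.example.com", "wiki.corp.example.internal"):
        print(host, "->", choose_resolver(host, on_vpn=True))
```

The GET form for `www.example.com` with transaction id 0 produces the same `?dns=` value as the example in RFC 8484, which is a convenient way to check the encoder. The policy function is deliberately the simplest possible: it shows that the fix for split horizon is a routing decision in the stub resolver, not anything in DoH itself.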

There is a potential to track users with DNS over HTTPS because of a persistence feature that speeds up encryption (resumption cookies). You can sometimes disable this feature, but there is always a tradeoff between simplicity and privacy.