Throughout the existence of the Internet, openness has been one of its defining characteristics, and most of today's traffic is still transmitted without any encryption. Most requests for HTML pages and related content are made in plain text, and responses are returned in the same way, despite the fact that the HTTPS protocol has existed since 1994.
However, sometimes there is a need for security and / or confidentiality. Although encryption of Internet traffic has become widespread in areas such as online banking and shopping, the issue of maintaining confidentiality in many Internet protocols has not been resolved so quickly. In particular, when querying a site’s IP address for a host, a DNS query is almost always transmitted in clear text, which allows all computers and providers to determine which site you are visiting, even if you use HTTPS after establishing a connection.
The idea that encryption is also necessary for DNS queries is not new, and the first attempts were made back in the 2000s - DNSCrypt, DNS over TLS (DoT), etc. Mozilla, Google and other large Internet companies are promoting a new method of encrypting DNS queries: DNS over HTTPS (DoH).
DoH not only encrypts the DNS query, but also transfers it to the “regular” web server, not the DNS server, which makes DNS traffic impossible to distinguish from regular HTTPS. This coin has two sides. This procedure protects the DNS query itself, like DNSCrypt or DoT, and also makes it impossible for the guys from the security services of large companies to track DNS spoofing , and transfers responsibility for critical network functions from the OS to the application. And also it does not help in any way to hide the IP address of the website that you just requested - after all, you go to it anyway.
Compared to DoT, DoH centralizes information about the sites you visited in several companies: today it is Cloudflare, which promises to get rid of your data in 24 hours, and Google, which intends to save and monetize all the details of everything that you have ever planned to do.
DNS and privacy are important topics, so let's dig into the details.
DNS server and trust
The concept of a domain name system dates back to ARPANET , when the only text file on each ARPANET node - under the name HOSTS.TXT - contained all the correspondence between the names of the systems connected to ARPANET and their digital addresses. When you replenished this file yourself, it was easy to verify that it was correct. With the growth of the network, it became unrealistic to maintain central and local copies of these files. By the early 1980s, attempts had already begun to create an automation system for this process.
The first name server (Berkeley Internet Name Domain Server or BIND) was written in 1984 by a group of students at the University of California, Berkeley based on RFC 882 and RFC 883. By 1987, the DNS standard had been revised several times, leading to the advent of RFC 1034 and RFC 1035 which since then have by and large not changed.
The basis of the DNS structure is its tree structure, where nodes and leaves are divided into zones. The DNS root zone is the upper level consisting of thirteen clusters of root servers that form the official root DNS servers. Any new DNS server (raised by a provider or company) receives DNS records from at least one of these primary servers.
Each subsequent DNS zone adds another domain to the name system. Typically, each country maintains its own domains, and .org or .com domains that are not associated with countries are served separately. A query for a host name through DNS starts with a domain name (for example, .com), then with a name (for example, google), followed by possible subdomains. If the data has not yet been cached, you may need to make several transitions through the DNS zones to resolve the request.
DNSSEC: adding trust to the DNS system
Before proceeding to the encryption of DNS queries, you need to make sure that we can trust the DNS server. This need became apparent in the 1990s, and led to the first operational extensions to the DNS Security Standard (DNSSEC), RFC 2353, and the revised RFC 4033 (DNSSEC-bis).
2006 internet map
DNSSEC works by signing DNS query records with a public key. The authenticity of the DNS record can be confirmed by the public keys of the DNS root zone, which is a trusted third party in this scenario. Domain owners generate their keys, signed by zone operators and added to the DNS.
Although DNSSEC allows you to be relatively confident that the answers from the DNS server are real, this protocol must be included in the OS. Unfortunately, few operating systems provide a DNS service that can do more than just “know about DNSSEC” —that is, they don’t actually confirm DNS responses. So, today you cannot be sure that the answers you receive from DNS are real.
Problem with DoH
Suppose you are using DNSSEC. You are ready to encrypt messages to add privacy to your data transfer. There may be many reasons for keeping DNS queries secret from prying eyes. Among the most innocent are bypassing the filters of corporations and providers, banning the monitoring of Internet habits, and more. Among the more serious are attempts to avoid persecution by the government for expressing political views on the Internet. Naturally, encryption of DNS queries does not allow people to spy on these queries, but as a result, larger problems with the security of DNS and, of course, all other communication protocols are ignored.
The main competitors here are DoT using TLS and DoH using HTTPS. The most obvious difference between the two is the port: DoT runs on a dedicated TCP port 853, and DoH mixes with other HTTPS traffic on port 443. This gives the controversial advantage of making DNS queries indistinguishable from other traffic, which makes it impossible for network operators (private and corporate) ) secure your own network, as Paul Vixie, one of the DNS architects, announced on Twitter last year.
The second of the main differences is that if DoT simply sends DNS queries over TLS, then DoH is essentially DNS-over-HTTP-over-TLS, requires its own Media Type application / dns-message, and makes things much more complicated. Mixing DoH with existing protocols causes each DNS query and response to go through the HTTPS stack. This is a nightmare for embedded applications and is also incompatible with almost all existing types of equipment.
DoT has another advantage - this protocol has already been implemented, and much longer than DoH exists, used by companies such as Cloudflare, Google, as well as local Internet providers; standard server software like BIND uses DoT right out of the box. On Android Pie OS (version 9), DNS over TLS will be used by default if the selected DNS server supports DoT.
Why switch to DoH if DoT is already rolling out? If non-standard applications such as Firefox bypass DoT-based system DNS and use their own domain name retrieval system through DoH, then from a security point of view this situation will become very difficult. Transferring DNS to individual applications, which is happening now, seems like a step backward. Do you know which DNS method each application uses? Do you know that it mixes this process with TCP traffic on port 443?
Encryption does not interfere with snooping
Two large companies, Cloudflare and Mozilla, stand behind DNS over HTTPS, and the latter even released a nice little comic strip , where it tries to explain the DoH scheme. Unsurprisingly, they don’t mention DNSSEC at all (even though it is called “critical” in RFC 8484), and instead offer something called Trusted Recursive Resolver (TRR), which essentially represents the advice “use trusted DNS Server ”by which Mozilla means Cloudflare.
In addition to DoH, they mention the QNAME minimization standard ( RFC 7816 ), which should reduce the amount of non-critical information sent by the DNS server. At the same time, this standard does not depend on DoH in any way and will work without any DNS encryption. As with DNSSEC, security and privacy are enhanced through the evolution of the DNS standard.
The most interesting is contained in the section “What does TRR + DoH not fix”? As many experts have said, DNS encryption does not prevent snooping. Any subsequent request to the IP address that was received in a terribly secret way will still be clearly visible. All the same, they will know that you have visited Facebook.com, or the site for dissidents. No encryption of DNS or Internet traffic will hide information vital to the operation of a network such as the Internet.
Will the future Internet become a single point of failure?
Mozilla offers to deal with the issue of IP snooping simply by stating that this is not a problem through the use of the Cloud. The more websites and content distribution networks (CDNs) hang on a small number of services (Cloudflare, Azure, AWS, etc.), the less this single IP address will mean - you just need to believe that the chosen one your cloud service will not steal your data and will not fall for a day.
This year, June 24th, there was a massive drop in services when a configuration error made by the Verizon provider made Cloudflare, Amazon, Linode and many others unavailable for most of the day. On July 2 this year , Cloudflare fell for about half an hour, and with it many websites that rely on its services.
Coincidentally, Microsoft's Office365 cloud service also lay for several hours that day, which is why many users were unable to use its services. On the weekend before Labor Day [US national holiday celebrated on the first Monday of September / approx. trans.] power failure in the AWS US-East-1 data center led to a terabyte of customer data stored there being covered with a copper basin . Obviously, there are still some drawbacks to the idea of ​​the benefits of centralizing the Internet.
Old songs in a new way
Amazingly, there is no mention of virtual private networks (VPNs) in this whole discussion about privacy and tracking. They solve problems with data encryption and DNS queries, with hiding the IP address and more, simply by moving the point at which your PC or other device connected to the Internet connects to the Internet. Dissidents within authoritarian regimes have used VPNs for decades to circumvent Internet censorship; VPNs, including special features like Tor, are a critical element of Internet freedom.
How does Tor work
If you trust a large commercial company like Cloudflare in a scheme like DoH, then finding a trusted VPN provider that doesn't store or sell your data will be easy. And the Opera browser generally has free, built-in proxy support, which offers many VPN benefits .
In the end, we can say that DoH confirms its acronym, doing poorly that DoT is already working out well ["Doh!" transl.]. We need to concentrate more on the widespread adoption of DNSSEC, together with DoT and minimizing QNAME. And if you care about real privacy, then you need to turn to a VPN.