The DoH dilemma
Impacts of DNS-over-HTTPS on how the Internet works
Vittorio Bertola, FOSDEM 2019
1. Where is my DNS?

Connection by IP address
Home LAN -> ISP -> The Internet -> 1.2.3.4

"Hey! I don't like addresses, I want to use names!"

On-device DNS resolution
Home LAN: Applications -> OS (full DNS resolver) -> ISP -> The Internet: Authoritative DNS server(s)
The device runs a full resolver of its own and talks directly to the authoritative servers.

Local DNS resolution
Home LAN: Applications -> OS (stub resolver) -> ISP: Resolver («name server») -> The Internet: Authoritative DNS server(s)
The OS only has a stub resolver; the ISP's resolver does the recursive lookup.

Why «local»?
- The ISP's network is the first that you traverse to get to the Internet, no matter where you go
- The ISP is normally in the same country, usually in the same city
  - Same jurisdiction
  - Same language
  - Maybe they suck, but you know how to reach them

Remote DNS resolution
Home LAN: Applications -> OS (stub resolver) -> ISP -> The Internet: Resolver («name server») -> Authoritative DNS server(s)
The stub resolver is pointed at a resolver beyond the ISP, so every query crosses the ISP's network on its way there.

Why «remote»?
- It is topologically distant from you
  - Often in another country
- It is run by a third party
  - For free («public resolver»), e.g. 8.8.8.8, 9.9.9.9, 1.1.1.1
  - Or as a paid premium service, e.g. Cisco Umbrella/OpenDNS
2. What does DoH do?

What is DoH?
- DNS-over-HTTPS (RFC 8484)
- A new IETF standard, driven by Web people (who also operate public resolvers)
- Transmits DNS queries to the resolver over an HTTPS connection (encrypted), so on the wire they look like any other Web traffic
- Can be used by any HTTPS-speaking app, bypassing the OS and its resolver settings
- Requires DNS servers upgraded to speak HTTPS

Three main changes to resolution
1. The device-to-resolver connection is encrypted and hidden inside Web traffic
2. Each application can use a different resolver (DNS becomes an application-level service, not a network one)
3. Each application maker can hardwire their own remote resolver, at least as a default
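To make concrete what «transmits DNS queries over an HTTPS connection» means on the wire, here is an added example (not from the slides, and not any resolver's or browser's code) that builds a DNS query in standard wire format, wraps it in the two request forms RFC 8484 defines (GET with a base64url-encoded `dns` parameter, and POST with an `application/dns-message` body), and parses a DoH response back into records. The resolver URL `DOH_URL` and the response bytes in `SAMPLE_RESPONSE` are constructed for the example; nothing is sent over the network.

```python
"""DoH request/response encoding per RFC 8484 (added example, runs offline)."""
import base64
import struct
from typing import Dict, List, Tuple

# Assumption for the example: the resolver URL an application would hard-wire.
# Nothing below consults the OS resolver settings, which is exactly the point.
DOH_URL = "https://doh.example.net/dns-query"


def build_dns_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Build a single-question DNS query in RFC 1035 wire format.

    RFC 8484 recommends transaction ID 0 so that identical queries produce
    identical HTTP requests, which lets ordinary HTTP caches work.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN


def doh_get_target(url: str, query: bytes) -> str:
    """GET form: the message base64url-encoded, without padding, in `dns=`."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{url}?dns={encoded}"


def doh_post_request(url: str, query: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """POST form: the raw DNS message is the request body."""
    headers = {
        "Content-Type": "application/dns-message",
        "Accept": "application/dns-message",
        "Content-Length": str(len(query)),
    }
    return url, headers, query


def _read_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels: List[str] = []
    end, hops = None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if end is None:
                end = offset + 2
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_dns_response(msg: bytes) -> dict:
    """Parse header and answer section of a DNS response (A records decoded)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                 # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4                        # QTYPE, QCLASS
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        value = ".".join(map(str, rdata)) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append({"name": name, "type": rtype, "ttl": ttl, "data": value})
    return {"id": txid, "rcode": flags & 0x0F, "answers": answers}


# Constructed response (not captured from a real server): header with QR/RD/RA
# set, the echoed question, and one A record whose owner name is a pointer
# (0xC00C) back to the question name at offset 12.
SAMPLE_RESPONSE = (
    bytes.fromhex("000081800001000100000000")
    + b"\x03www\x07example\x03com\x00" + b"\x00\x01\x00\x01"
    + bytes.fromhex("c00c00010001" "00000e10" "0004" "c0000201")
)

if __name__ == "__main__":
    q = build_dns_query("www.example.com")
    print(doh_get_target(DOH_URL, q))
    print(doh_post_request(DOH_URL, q)[1])
    print(parse_dns_response(SAMPLE_RESPONSE))
```

Because the query is an opaque HTTPS request to a URL the application chose, the ISP's transparent port-53 proxy never sees it; that is the whole of change #1 and the precondition for changes #2 and #3.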
#1 The device-to-resolver connection is encrypted and hidden inside Web traffic

Remote DNS resolution, intercepted
Home LAN: Applications -> OS (stub resolver) -> ISP -> The Internet: Resolver («name server») -> Authoritative DNS server(s)
The plaintext queries to the remote resolver cross the ISP's network, where they can be read.

Local DNS resolution, not intercepted unless the ISP is hacked
Home LAN: Applications -> OS (stub resolver) -> ISP: Resolver («name server») -> The Internet: Authoritative DNS server(s)
The queries never leave the ISP, so only someone inside the ISP's network can read them.

Remote DNS resolution, proxied by the ISP
Home LAN: Applications -> OS (stub resolver) -> ISP: Transparent DNS proxy -> The Internet: Resolver («name server») -> Authoritative DNS server(s)
The ISP intercepts the plaintext queries addressed to the remote resolver and answers them from a proxy of its own; DoH defeats this, because the query travels inside an HTTPS session.

Is this good or bad?
Good:
- If you use remote resolution and are attacked or tracked
- If you don't trust your ISP / it does bad things to you
Indifferent:
- If you use local resolution and are attacked or tracked, unless the attacker is on the ISP's network
Bad:
- If you trust your ISP / it does good things for you

It depends. But mostly good.

#2 Each application can use a different resolver (DNS becomes an application-level service, not a network one)

Is this good or bad?
Good:
- If the application maker is smarter than the user, and is honest
- If you don't trust your OS
Indifferent:
- If all DoH applications used the OS settings (but you can't really force them to)
Bad:
- If the application maker is smarter than the user, and is dishonest
- If the user is smarter than the application maker

Is this good or bad? (continued)
Bad:
- If the application doesn't let you configure the DoH server
- If the remote DoH server provided by the application maker fails
- If the application maker's interests and the user's interests are opposite
- If each application starts using its own (augmented) namespace
- If each application starts giving you different IPs for the same name

Bad. «Crossing the streams» bad!

#3 Each application maker can hardwire their own remote resolver, at least as a default

The real change
Now (and for the last 20 years):
- Local resolution is the default
- You get the nearest resolver when you connect
- You can change your resolver once and for all in your OS
In the DoH future:
- Remote resolution with multiple servers is the default
- You get the application maker's resolver when you install the app
- You have to change your resolver for every new application

Is this good or bad?
3. What would «remote resolution as a default» do?

Concentration
Now:
- DNS traffic is spread across hundreds of thousands of servers
- And they are everywhere across the world
- And you can easily pick the server you want
In the DoH future:
- Four browser makers that have 90% of the market control 90% of the world's Web resolutions
- And they are all in the same country and jurisdiction
- How easily can you choose?

Privacy?
Now:
- Your queries can be sniffed
- You are covered by your own country's privacy, law enforcement and neutrality rules
- Your DNS is normally supplied by a company that does not live off targeted advertising
In the DoH future:
- Your queries cannot be sniffed
- Your DNS data will be subject to the U.S. privacy, law enforcement and neutrality rules
- Many of the likely DNS providers live off data monetization (and use cookies / fingerprinting)

Freedom from censorship?
Now:
- You get the DNS-based content filters mandated by the law of your country
In the DoH future:
- You get the DNS-based content filters mandated by the law of the remote resolver's country
- And your country may start mandating IP address filters as a response

Network neutrality?
Now:
- Your ISP may break network neutrality, unless there are laws to prevent this
In the DoH future:
- Your application maker or resolver operator may break network neutrality, unless there are laws to prevent this

Performance?
Now:
- The application has to wait for the OS
- Your local resolver is near, though it can be slow and unreliable
- Your local resolver gets the topologically better result from CDNs
In the DoH future:
- The application doesn't have to wait for the OS
- Your remote resolver is far, but it could still perform better
- Your remote resolver cannot get the topologically better result from CDNs unless it violates your privacy (by passing your network to the authoritative server, e.g. with EDNS Client Subnet)

Security?
Now:
- Your ISP can block botnets and malware with localized DNS filters
- Your ISP can detect network problems and infections via the DNS
- Your ISP can use split horizon, local names...
In the DoH future:
- Will your remote resolver get real-time threat feeds for your country?
- Your ISP will be blind
- Local names won't work any more
- DoH can be used for data exfiltration
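A network administrator or ISP who wants to know how «blind» they really are can still look at TLS connection metadata. The following added example (not from the slides) runs a DoH spotting check over a few constructed log lines in a Zeek-style `ssl.log` layout: a connection is flagged either because its TLS server name is a well-known public DoH endpoint or because its destination on port 443 is one of the public resolver addresses named earlier in the slides. The log format, the sample lines, and the small lists `KNOWN_DOH_HOSTS` and `KNOWN_DOH_ADDRS` are assumptions made for the example.

```python
"""Spotting DoH from TLS connection metadata (added example, constructed data)."""
import ipaddress
from typing import Dict, List, Optional, Set

# Assumptions for the example: a few well-known public DoH endpoints and the
# addresses of the public resolvers from the slides. A real deployment needs a
# maintained list, and it still only sees the TLS server name (SNI) and the
# peer address: the /dns-query path and the queries themselves are inside TLS.
KNOWN_DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}
KNOWN_DOH_ADDRS = {
    ipaddress.ip_address(a)
    for a in ("8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9", "149.112.112.112")
}

# Constructed sample (not a real capture), tab-separated:
# ts, client, server, server port, TLS server_name ("-" when absent).
SAMPLE_SSL_LOG = """\
1549000000.10\t192.168.1.20\t198.51.100.5\t443\tcloudflare-dns.com
1549000001.30\t192.168.1.20\t198.51.100.9\t443\twww.example.com
1549000002.00\t192.168.1.21\t8.8.8.8\t443\tdns.google
1549000003.50\t192.168.1.22\t203.0.113.7\t443\t-
1549000004.75\t192.168.1.21\t1.1.1.1\t443\t-
"""


def parse_ssl_log(text: str) -> List[Dict]:
    """Parse the constructed log layout into one dict per connection."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, sni = line.split("\t")
        rows.append({
            "ts": float(ts),
            "src": src,
            "dst": ipaddress.ip_address(dst),
            "dport": int(dport),
            "sni": None if sni == "-" else sni.lower().rstrip("."),
        })
    return rows


def classify(row: Dict) -> Optional[str]:
    """Return why a connection looks like DoH, or None if it does not."""
    if row["sni"] in KNOWN_DOH_HOSTS:
        return "sni:" + row["sni"]
    if row["dport"] == 443 and row["dst"] in KNOWN_DOH_ADDRS:
        return "resolver-ip:" + str(row["dst"])
    return None


def find_doh_connections(text: str) -> List[Dict]:
    """All connections in the log that match a DoH indicator, with the reason."""
    hits = []
    for row in parse_ssl_log(text):
        reason = classify(row)
        if reason:
            hits.append({"ts": row["ts"], "src": row["src"],
                         "dst": str(row["dst"]), "reason": reason})
    return hits


def clients_using_doh(text: str) -> Set[str]:
    """Client addresses that made at least one flagged connection."""
    return {h["src"] for h in find_doh_connections(text)}


if __name__ == "__main__":
    for hit in find_doh_connections(SAMPLE_SSL_LOG):
        print(hit)
    print("clients:", sorted(clients_using_doh(SAMPLE_SSL_LOG)))
```

The line to 203.0.113.7 with no server name is not flagged: a DoH server on an unlisted host looks like ordinary HTTPS, which is the «your ISP will be blind» point. What the flagged connections allow is a block, not a transparent proxy; unlike plaintext port-53 queries, a TLS session cannot be silently redirected to the ISP's own resolver.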
User empowerment?
Now:
- You can easily pick a different server
- You can get DNS-based services (parental control...) from whomever you want
- You can easily know where all your queries go
- Smarter users expect things to work this way
In the DoH future:
- You have to change the server in each app, and not all apps may let you
- All other DNS-based services stop working
- Your queries go wherever the app wants
- No one expects or understands the change

Privacy in transport != Privacy
Concentration + Less user control = Surveillance machine

Is this good or bad?

Is this good or bad?
Good:
- If you are a Turkish dissident without a clue
- If you trust Google/Apple/Mozilla/Cloudflare more than your ISP
- If you trust the U.S. government and laws more than yours
- If you don't care about the centralization of the net
Bad:
- If you are ok with your current resolver
- If you like to control DNS
- If you trust your ISP more than Google etc.
- If you trust your own government and laws more than the U.S. ones
- If you are worried about centralization

It depends. But mostly bad. Especially without appropriate policies.
4. The DoH dilemma: who chooses your resolver?

- The user?
- The ISP?
- The browser?
- The ISP, on behalf of the user?
- The browser, on behalf of the user?

...and there's more: who should be entitled to apply policies to your DNS?
- The government?
- The resolver?
- The network administrator?

Thanks! Any questions?
You can find me at @vittoriobertola / vb@bertola.eu
Credits: Original presentation template by SlidesCarnival, modified by myself
License: This presentation is distributed under a Creative Commons Attribution (CC-BY) license