The Internet Engineering Task Force has taken the first steps towards a better way of protecting users' DNS queries and incidentally made a useful contribution to making neutrality part of the 'net's infrastructure instead of the plaything of ISPs.

The Register first noticed the technology in this article by Mark Nottingham (an Internet Architecture Board member, but in this case writing as an individual) that provides an overview of changing 'net protocols (we assume El Reg readers already know about HTTP/2, TLS 1.3, and QUIC); but buried further down is the relatively unheralded DOH.

No, that's not a Homer Simpson outburst missing its apostrophe: it stands for DNS over HTTPS, and emerged from an IETF working group first established in May this year.

The basic premise of DOH is simplicity itself: as long as client and server support it, if someone is using (say) Google's 8.8.8.8 as their DNS resolver, they can send the query over HTTPS instead of as a DNS packet, with end-to-end encryption.

As Nottingham wrote, the effort is directed towards defeating networks (or for that matter, governments) that use DNS to impose policy on 'net traffic.

Integrity, confidentiality, scaling

To understand DOH, The Register spoke to one of the Internet-Draft's co-authors, Patrick McManus of Mozilla.

McManus said there were several drivers that led towards DOH: chiefly, it provides a guarantee of both the integrity and the confidentiality of DNS requests, and it helps overcome scaling problems in the DNS.

On scaling, he said, lookups are slower than you might expect: “the 75th percentile for lookups is 181 milliseconds”, which is clearly unacceptable. While the big authoritative servers are fast, stub resolvers at the ISP level are highly variable.

“This is a problem for the Web space,” McManus said, because “it's a blocking latency and there's very little you can do about it.”

If, for example, you're trying to download a Web page which embeds a dozen external links, that's a dozen DNS lookups slowing down the load.

“Big Web” infrastructure isn't ISP-level, it's in content distribution networks (CDNs).

“Instead of every ISP having to reinvent this infrastructure for themselves … this allows you to simply push the endpoints into infrastructure that's designed to scale, the CDN world,” McManus said.

Antidote for poisoning

But it's integrity and confidentiality that are DOH's important characteristics, because DNS is such a common vector for networks or governments to interfere with traffic.

Network provider DNS manipulations of some type are already common, McManus said, referring to this study [PDF].

“There's a high frequency of [DNS resolver] prefixes being rerouted in some way,” he said, “and that's completely invisible to the client”.

As Nottingham wrote, there are ways to protect against this, but they're visible to the network operator: “it is possible to discriminate it from other traffic; for example, by using its port number to block access.

“DOH addresses that by piggybacking DNS traffic onto an existing HTTP connection, thereby removing any discriminators. A network that wishes to block access to that DNS resolver can only do so by blocking access to the website as well.”

McManus: “DNS traffic is commonly messed with, and a lot of privacy implications are attached to that. Although DNSSEC allows end-to-end integrity, it can be trivially downgraded by anybody … including your network provider, in ways that are non-obvious”.

DOH's encryption (via HTTPS) hides the traffic from the provider, on a port the ISP can't block.
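As an added example (not code from the article, the IETF draft or Mozilla), this is how a client frames the lookup described above so that it rides inside an ordinary HTTPS request, using the GET form the draft was later standardised as in RFC 8484; the resolver URL is a placeholder and the response body is constructed rather than captured.

```python
import base64
import struct

DOH_URL = "https://doh.example/dns-query"  # placeholder resolver endpoint (assumption)


def build_query(name: str, qtype: int = 1) -> bytes:
    """Standard recursive query (QR=0, RD=1) in DNS wire format; transaction ID is
    fixed at 0 as RFC 8484 suggests, so identical queries are HTTP-cacheable."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS IN


def doh_get_url(name: str) -> str:
    """Carry the query as an unpadded base64url 'dns' parameter on a plain HTTPS GET:
    to the network it is just another request to the resolver's web host."""
    b64 = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode()
    return f"{DOH_URL}?dns={b64}"


def _skip_name(msg: bytes, pos: int) -> int:
    """Advance past a wire-format name (labels or a two-byte compression pointer)."""
    while msg[pos] != 0:
        if msg[pos] & 0xC0 == 0xC0:
            return pos + 2
        pos += msg[pos] + 1
    return pos + 1


def parse_a_records(msg: bytes) -> list:
    """Return the IPv4 answers from an application/dns-message response body,
    rejecting anything that is not a clean response to the query we sent."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if txid != 0 or not flags & 0x8000 or flags & 0x000F:
        raise ValueError("not a clean response to our query")
    pos = 12
    for _ in range(qd):
        pos = _skip_name(msg, pos) + 4       # skip echoed question (+QTYPE, QCLASS)
    addrs = []
    for _ in range(an):
        pos = _skip_name(msg, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:        # A record
            addrs.append(".".join(str(b) for b in msg[pos:pos + 4]))
        pos += rdlen
    return addrs


# Constructed response (not from a real resolver): one A record for www.example.com -> 192.0.2.1
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
                   + build_query("www.example.com")[12:]              # question echoed back
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
```

The URL produced for www.example.com is byte-for-byte the worked example in RFC 8484, and the same TLS connection can carry the web page fetch that follows.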

While client implementations have yet to emerge, McManus said, there are at least two ways a DOH client could indicate interference to the end user: via the error message that tells users why a lookup failed, or, if the client falls back to an “ordinary” resolver, via an error message indicating what has happened.

“What you won't get is modified data without you knowing … you won't be misled,” he said.

That's where DOH reaches into the 'net neutrality debate. For example, if a network provider is using DNS to identify sources it wants to discriminate against, it will be defeated by the encryption.

User privacy goes beyond defeating censorship or network manipulation: it also makes it harder to misappropriate DNS lookups to help identify users (whether that be for advertising or user targeting, or on behalf of governments).

Most users would be surprised at how many different organisations can correlate an individual's DNS lookups with the individual.

“Because of the way the DNS is structured, just as many people off-path can see requests as on-path,” he said.

In other words, DNS is leaky, and that leakiness adds to the vast data-hoard of pervasive monitoring (which, you will recall, the Internet Architecture Board considers an attack).

“If you make a choice of resolver, you can limit that – you've disassociated the DNS from your network provider,” McManus said.

Because that's in HTTPS instead of a DNS client, the ISP can't influence the choice.

“You can choose your level of privacy guarantee,” he said, which creates “a marketplace” for privacy. ®

Bootnote

DOH isn't the only encrypted DNS effort: there's also DNS over TLS aka RFC 7858. There's a client called Stubby that implements it, and the 9.9.9.9 DNS provider apparently runs a compatible DNS-over-TLS service.