The security community generally agrees on the importance of encrypting private data: Add a passcode to your smartphone. Use a secure messaging app like Signal. Adopt HTTPS web encryption. But a new movement to encrypt a fundamental internet mechanism, promoted by browser heavyweights like Google Chrome and Mozilla's Firefox, has sparked a heated controversy.

The changes center around the Domain Name System, a decentralized directory that acts essentially as the internet's address book. When you send data to or request it from a server, a DNS lookup first translates the site's name into the numeric address of that server, so that the data goes to and comes from the right place. Google and Mozilla plan to encrypt those interactions sometime this year. Which sounds straightforward enough—but not everyone is convinced that the shift solves more problems than it potentially creates.

Reach For My Resolver

The concept of DNS was developed in the mid-1980s, and hasn't evolved much since the early 1990s. Like many foundational internet protocols, DNS has been remarkably flexible and serviceable over the years. But having roots that predate the rise of the modern internet has led to inevitable problems, one of which is that those address lookups aren't encrypted. That’s a big deal. Any time your browser attempts a DNS lookup, that request can pass across multiple servers. Your internet service provider, lurking government snoops, and just about anyone on the same Wi-Fi network can see what websites you visit, even if they can't see what you do once you actually load the sites.

It gets even worse. Since DNS requests are unencrypted, bad actors can manipulate them to strategically send you to the wrong website. It’s like listing your address under someone else's name, and getting all their packages delivered to your house. This type of attack, known as DNS hijacking, has been on the rise; in January, the Department of Homeland Security even issued an emergency directive about the threat.

"Yeah it’s going to be work, but that’s fine, just do the work." Matthew Prince, Cloudflare

Which explains the push for encrypted DNS: It would make those types of surveillance and misdirection much harder. The Internet Engineering Task Force standards body has already codified a few different methods for implementing it, namely “DNS over HTTPS” (DoH) and “DNS over TLS” (DoT). Both wrap DNS requests in TLS, the same encryption that protects HTTPS web traffic. The two standards are very similar, except DoT separates encrypted DNS traffic into its own recognizable channel (an attribute network defenders largely prefer), while DoH intermingles encrypted DNS traffic with general HTTPS encrypted web traffic so the two are indistinguishable to an observer (an additional privacy benefit to some). Each approach has its pros and cons, but both Mozilla and Google have elected to go with DoH in their browsers.

No matter which version you choose, though, adding a layer of encryption to DNS requires some systemic rejiggering. It's like writing down your order at a restaurant, locking it in a small safe, and then handing the safe to the waiter to take back to the kitchen. You won't give away any personal information about your culinary preferences, but you also won't get the right meal.

To get around this complication, secure DNS protocols rely on intermediaries called "resolvers," which decrypt the requests and so still see them in the clear before answering. Mozilla has piloted its encrypted DNS with the internet infrastructure company Cloudflare acting as the main resolver. Cloudflare has already been offering encrypted DNS with a service called 1.1.1.1 for more than a year. Mozilla chose the company because it pledged to delete all DNS logs after 24 hours, never share data with third parties, and submit to audits to confirm that data is really being deleted. But users can set Firefox to default to any resolver that supports DoH. Similarly, Chrome is starting out by offering DoH with six resolvers, including Cloudflare and Google itself.
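The DoT/DoH distinction and the resolver's view described above can be made concrete with a short, offline example. The following Python is added here for illustration and is not code from the article, from Mozilla, Google or Cloudflare; it builds a standard DNS query in wire format, shows how DoT (RFC 7858, its own port, 853) and DoH (RFC 8484, ordinary HTTPS on port 443) each carry that identical message, decodes the name back out to show what the resolver sees once the TLS layer is stripped, and classifies a constructed connection log the way a network monitor would. The resolver URL `resolver.example` and the helper names are assumptions; no network traffic is sent.

```python
import base64
import struct

# Assumed resolver endpoint for illustration only; not a real service named in the article.
EXAMPLE_DOH_URL = "https://resolver.example/dns-query"


def encode_name(name: str) -> bytes:
    """Encode a domain name as DNS labels: one length byte per label, terminated by 0x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg: bytes, offset: int = 12) -> str:
    """Read the label sequence back out of a wire-format message (no compression pointers).
    This is exactly what the resolver sees after decrypting a DoT or DoH request."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels)


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Build a single-question DNS query (qtype 1 = A record). Flags 0x0100 = recursion desired.
    The wire format is identical for plain DNS, DoT and DoH; only the transport differs."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN


def dot_frame(msg: bytes) -> bytes:
    """DNS over TLS reuses DNS-over-TCP framing: a 2-byte length prefix, sent inside a TLS
    session to port 853. That dedicated port is what makes DoT recognisable on the network."""
    return struct.pack("!H", len(msg)) + msg


def doh_get_url(msg: bytes, base: str = EXAMPLE_DOH_URL) -> str:
    """DNS over HTTPS, GET form: the message is base64url-encoded without padding in the
    'dns' query parameter. A transaction id of 0 keeps identical queries cacheable."""
    encoded = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return f"{base}?dns={encoded}"


def doh_post(msg: bytes) -> dict:
    """DoH, POST form: the raw message is the request body with the application/dns-message
    media type. On the wire this is an ordinary HTTPS request to port 443."""
    return {
        "method": "POST",
        "headers": {
            "Content-Type": "application/dns-message",
            "Accept": "application/dns-message",
        },
        "body": msg,
    }


def classify_flow(dst_port: int, dst_ip: str, known_doh_resolvers: set) -> str:
    """Defender's view of one connection record. DoT is identifiable from the port alone;
    DoH looks like any other HTTPS flow unless the destination is a known resolver."""
    if dst_port == 53:
        return "plain-dns"
    if dst_port == 853:
        return "dot"
    if dst_port == 443:
        return "doh-likely" if dst_ip in known_doh_resolvers else "https"
    return "other"


if __name__ == "__main__":
    q = build_query("example.com")
    print("wire query:   ", q.hex())
    print("resolver sees:", decode_name(q))
    print("DoT frame:    ", dot_frame(q).hex())
    print("DoH GET:      ", doh_get_url(q))
    print("DoH POST hdrs:", doh_post(q)["headers"])
    # Constructed sample connection log as (dst_ip, dst_port); 1.1.1.1 is the resolver the article names.
    sample_log = [("1.1.1.1", 853), ("1.1.1.1", 443), ("203.0.113.7", 443), ("203.0.113.8", 53)]
    for ip, port in sample_log:
        print(f"{ip}:{port} -> {classify_flow(port, ip, {'1.1.1.1'})}")
```

The classifier is the practical takeaway for a network defender: a DoT connection can be spotted and, if policy requires, logged or blocked by port, whereas a DoH connection to an unlisted resolver is just another HTTPS session, so visibility depends on maintaining a list of resolver endpoints or on endpoint-side browser configuration rather than on the network alone.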