
The DNS-over-HTTPS (DoH) protocol is not the privacy panacea that many have been advocating in recent months.

If we are to listen to networking and cybersecurity experts, the protocol is somewhat useless and causes more problems than it fixes, and criticism has been mounting against DoH and those promoting it as a viable privacy-preserving method.

The TL;DR is that most experts think DoH is not good, and people should be focusing their efforts on implementing better ways to encrypt DNS traffic -- such as DNS-over-TLS -- rather than DoH.

What is DoH and a short history

The DNS-over-HTTPS protocol is a recent invention. It was created a few years back and was proposed as an internet standard last October (IETF RFC 8484). It is already supported on Android, and is scheduled to roll out in both Mozilla Firefox and Google Chrome later this year.

The protocol itself works by changing how DNS works. Until now, DNS queries were made in plaintext, from an app to a DNS server, using the DNS settings of the local operating system received from its network provider -- usually an internet service provider (ISP).

DoH changes this paradigm. DoH encrypts DNS queries, which are disguised as regular HTTPS traffic -- hence the DNS-over-HTTPS name. These DoH queries are sent to special DoH-capable DNS servers (called DoH resolvers), which resolve the DNS query inside a DoH request, and reply to the user, also in an encrypted manner.
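The wrapping described above, as an added example that is not part of the original article: a standard DNS query message is base64url-encoded into the dns parameter of an HTTPS GET request, as RFC 8484 specifies, and the resolver decodes it again. The resolver URL doh.example is a hypothetical placeholder, and only the HTTPS layer (not shown) provides the encryption.

```python
import base64
import struct
from urllib.parse import urlsplit, parse_qs

def build_dns_query(name, qtype=1):
    """Encode a single-question DNS query in wire format (RFC 1035)."""
    # Header: ID=0 (RFC 8484 recommends 0 so HTTP caches can reuse answers),
    # flags=0x0100 (recursion desired), QDCOUNT=1, remaining counts 0.
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN

def doh_get_url(resolver_url, query):
    """Client side: wrap the DNS message in an RFC 8484 GET request URL."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={b64}"

def decode_doh_get(url):
    """Resolver side: recover the queried name from the dns= parameter."""
    b64 = parse_qs(urlsplit(url).query)["dns"][0]
    raw = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    labels, pos = [], 12  # the question section starts after the 12-byte header
    while raw[pos] != 0:
        length = raw[pos]
        labels.append(raw[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)

# Hypothetical resolver endpoint, used for illustration only.
RESOLVER = "https://doh.example/dns-query"

if __name__ == "__main__":
    url = doh_get_url(RESOLVER, build_dns_query("www.example.com"))
    print(url)                  # what travels inside the TLS session
    print(decode_doh_get(url))  # what the DoH resolver reads back out
```

On the wire this request is indistinguishable from other HTTPS traffic to the same host, which is why network sensors that parse plaintext DNS on port 53 no longer see the query.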

Because of all of the above, the companies and organizations that have DoH-capable products have been advertising DoH as a way to prevent ISPs from tracking users' web traffic and as a way to bypass censorship in oppressive countries.

But many learned people say this is a lie. Several experts in the fields of networking and cybersecurity have publicly criticized some of the claims surrounding DoH and the efforts to push it nearly everywhere.

They say DoH is not the magical user privacy cure that some companies have been pushing in their marketing efforts, in order to boost their image as privacy-first organizations.

Experts say these companies are irresponsible for pushing a half-baked protocol that doesn't actually protect users and causes more problems than it fixes, especially in the enterprise sector.

The response to DoH's anointment as a major privacy-preserving solution has been downright acid, in some cases. Critics have taken a jab at the protocol on different planes, which we'll try to organize and categorize below:

DoH doesn't actually prevent ISP user tracking

DoH creates havoc in the enterprise sector

DoH weakens cyber-security

DoH helps criminals

DoH shouldn't be recommended to dissidents

DoH centralizes DNS traffic at a few DoH resolvers

DoH doesn't actually prevent ISP user tracking

One of the main points that DoH supporters have been blabbing about in the past year is that DoH prevents ISPs from tracking users' DNS requests, and hence prevents them from tracking users' web traffic habits.

Yes. DoH prevents the ISP from viewing a user's DNS requests.

However, DNS is not the only protocol involved in web browsing. There are still countless other data points that ISPs could track to know where a user is going. Anyone saying that DoH prevents ISPs from tracking users is either lying or doesn't understand how web traffic works.

If a user is accessing a website loaded via HTTP, using DoH is pointless, as the ISP will still know what URL the user is accessing by simply looking at the plaintext HTTP requests.

But this is also true even if users are accessing HTTPS websites. The ISPs will know to what site the user is connecting because the HTTPS protocol isn't perfect, and some parts of the HTTPS connection are not encrypted.

Experts say that ISPs won't be inconvenienced by DoH, at all, because they can easily look at these HTTPS portions that are not encrypted -- such as SNI fields and OCSP connections.

DoH encrypts precisely zero data that is not already present in unencrypted form. As it stands, using DoH only provides *additional* leaks of data. SNI, IP addresses, OCSP and remaining HTTP connections still provide the rest. It is fake privacy in 2019. — Bert Hubert 🇪🇺 (@PowerDNS_Bert) September 22, 2019

Furthermore, ISPs know everything about everyone's traffic anyway. By design, they can see to what IP address the user is connecting when accessing a website.

This IP address can't be hidden. Knowing the final IP destination reveals to what website a user is connecting, even if everything about their traffic is encrypted. Research published this August showed that a third party can identify with 95% accuracy to which websites users were connecting just by looking at IP addresses.

Any claims that DoH prevents ISPs from tracking users are disingenuous and misleading, experts argue. DoH merely inconveniences ISPs by blinding them to one vector, but they still have plenty of others.

DoH bypasses enterprise policies

The second main talking point is DoH's impact on the enterprise sector, where system administrators use local DNS servers and DNS-based software to filter and monitor local traffic, to prevent users from accessing non-work related sites and malware domains.

For enterprises, DoH has been a nightmare ever since it was proposed. DoH basically creates a mechanism to override centrally-imposed DNS settings and allows employees to use DoH to bypass any DNS-based traffic filtering solutions.

Since today's DNS servers don't support DoH queries, the apps that currently support DoH come with lists of hardcoded DoH servers, effectively separating DoH from the operating system's regular DNS settings (a big software design no-no that has angered some developers already, such as the OpenDNS team).

System administrators need to keep an eye on DNS settings across operating systems to prevent DNS hijack attacks. Having hundreds of apps with their own unique DoH settings is a nightmare, as it makes monitoring for DNS hijacking almost impossible.

Furthermore, traffic to certain domains is blocked inside enterprises for a reason.

Once DoH becomes widely available, it will become all employees' favorite method for bypassing enterprise filters to access content that's normally blocked at their workplaces.

Some may use it to access movie streaming sites or adult content, but once enabled, DoH remains enabled, and employees may also accidentally visit malware and phishing sites, which brings us to the next point...

DoH weakens cyber-security

Many experts say the protocol upends hundreds of cyber-security solutions, which will become useless once users begin using DoH inside their browsers, blinding security tools to what users are doing.

And there have been many experts who have warned about this issue, whose voices have been drowned out by those claiming DoH is the greatest thing since sliced bread.

"When the DNS protocol is encrypted, an organization can no longer use a DNS query's data (query type, response, originating IP, etc) to know if a user is trying to access a known bad domain, let alone trigger a blocking or redirecting action on it," Andrew Wertkin, Chief Strategy Officer at BlueCat, told ZDNet via email earlier this week.

Rfc 8484 is a cluster duck for internet security. Sorry to rain on your parade. The inmates have taken over the asylum. — Paul Vixie (@paulvixie) October 20, 2018

DNS over HTTPS #DoH is definitely a thing. I think it will affect network security monitoring and detection in a non trivial way. #dailypcap Pretty straight forward, but some good readings: 1) https://t.co/RnSito66aK 2) https://t.co/vDOWEHbBog 3) https://t.co/hNnvLYGKdn pic.twitter.com/AEgM5H9wui — Steve Miller (@stvemillertime) October 24, 2018

In a paper published last month, the SANS Institute, one of the world's largest cyber-security training organizations, said that "the unmitigated usage of encrypted DNS, particularly DNS over HTTPS, could allow attackers and insiders to bypass organizational controls."

A similar warning was echoed this Friday, October 4, in a security advisory issued by the Netherlands' National Cyber Security Centrum. Dutch officials warned that organizations using DNS-based security monitoring solutions "will likely see their visibility decrease over time" and these security products will become ineffective.

"The trend is unmistakable: DNS monitoring will get harder," the Dutch agency said.

The advice is that companies need to look at alternative methods of blocking outgoing traffic, solutions that don't rely only on DNS data. The SANS Institute urges organizations not to panic, but this will entail a financial effort and time to update systems, something that many organizations won't be willing to do.

And they need to do it quickly, as malware authors have also already realized how useful DoH can be. For example, in July, news surfaced of the first malware that used DoH to communicate with its command and control server unimpeded by local network monitoring solutions.

But security researchers and enterprise administrators aren't daft. They also understand the need to protect DNS queries from snooping eyes.

However, if it were up to them, they'd argue for pushing DNSSEC and DNS-over-TLS (DoT), a protocol similar to DoH, but which encrypts the DNS connection directly, rather than hiding DNS traffic inside HTTPS.

DoH is an over the top bypass of enterprise and other private networks. But DNS is part of the control plane, and network operators must be able to monitor and filter it. Use DoT, never DoH. — Paul Vixie (@paulvixie) October 21, 2018

DoH is an unfortunate answer to a complicated problem. I personally prefer DoT (DNS over TLS). Putting an OS-level function like name resolution in the hands of an application via DoH is a bad idea. See what @paulvixie has been writing for the most informed commentary. — Richard Bejtlich (@taosecurity) September 10, 2019

DoT shares some of the same disadvantages with DoH, but if security researchers had to pick between DoH and DoT, the latter would cause far fewer headaches, since it will work on top of the existing DNS infrastructure, rather than create its own class of DoH-capable resolvers.

"All major ISPs deploying DoT and major Operating Systems (OS) supporting DoT will significantly help improve privacy and security as well as maintain the decentralization," said Shreyas Zare, the creator of the Technitium DNS Server, who summarized DoH's impact on the enterprise sector in a blog post last month.

DoH also bypasses legitimate blocklists, not just censorship



Another major talking point about DoH has been its ability to bypass DNS-based blocklists that have been put in place by oppressive governments. Using DoH, users can bypass DNS-based firewalls that have been set up at national or ISP levels, usually for the purpose of online censorship and to keep users from accessing politically sensitive content.

The problem is that DoH also bypasses DNS-based blocklists put in place for legitimate reasons, like those against accessing child abuse websites, terrorism content, and websites with stolen copyrighted material.

This is why both Mozilla and Google have recently found themselves in hot water with authorities in both the UK and the US.

In mid-May, Baroness Thornton, MP for the Labour Party, brought up the DoH protocol and its impending support from browser makers in a session of the House of Commons, calling it a threat to the UK's online safety.

The GCHQ, Britain's intelligence service, has also criticized both Google and Mozilla, claiming the new protocol would impede police investigations and that it could undermine its existing government protections against malicious websites by providing bad actors with a way to bypass its internet surveillance systems.

The Internet Watch Foundation (IWF), a British watchdog group with a declared mission to minimize the availability of online child sexual abuse content, also criticized both Google and Mozilla, claiming the browser makers were ruining years of work in protecting the British public from abusive content by providing a new method for accessing illegal content.

In July, a UK ISP nominated Mozilla for an award of '2019 Internet Villain' for its plans of supporting DoH, citing similar reasons as the IWF.

In September, the US House Judiciary Committee started an investigation into Google's plans to enable DoH, claiming that DoH support "could interfere on a mass scale with critical Internet functions, as well as raise data-competition issues."

When Google and Mozilla announced plans to support DoH as an anti-censorship solution, everyone expected the pushback to come from oppressive regimes such as China, Iran, or Russia; yet, the pushback came from the most unexpected places.

And Mozilla has already cracked under pressure. The organization told ZDNet in July that it does not plan to enable DoH by default for UK users anymore. Google, on the other hand, said it designed DoH support in Chrome in such a way that the responsibility falls strictly on the companies providing DNS servers with alternative DoH resolvers.

DoH shouldn't be recommended to dissidents

And another major issue that most security experts have had with DoH is the recent claims that it can help those living in oppressive countries.

These claims have been widely ridiculed, with some security experts calling DoH supporters irresponsible for putting people's lives at risk by giving them a false sense of security if they use DoH.

This is because DoH does not protect users from tracking. As it was explained above, DoH only hides DNS traffic, but everything else is still visible.

In a blog post last month, PowerDNS described the efforts to push the idea that DoH can help users in dangerous countries as "a very 'techbro' thing to do" coming from people who don't fully understand the situation.

"It is instrumental to see DoH as a 'very partial VPN' that only encrypts DNS packets, but leaves all other packets unmodified," PowerDNS said.

Instead, experts like Zare and PowerDNS recommend that users in oppressive countries use DoH-capable apps in combination with Tor or VPNs, rather than using DoH alone. Telling people they can fully rely on DoH is just misleading.

DoH centralizes DNS traffic at a few DoH resolvers

And there's the problem of DoH's impact on the entire DNS ecosystem, a decentralized network of servers.

The biggest critic of this move has been the Asia-Pacific Network Information Centre (APNIC), which, in a blog post this week, criticized the idea of sending DoH traffic to a few DoH resolvers, rather than using the existing ecosystem of DNS servers.

They argue that encrypting DNS traffic should be done on the current infrastructure, rather than create another (useless) layer of DoH resolvers, which then sits on top of the existing DNS layer.

"Centralized DoH is currently a privacy net negative since anyone that could see your metadata can still see your metadata when DNS is moved to a third party," APNIC said. "Additionally, that third party then gets a complete log per device of all DNS queries, in a way that can even be tracked across IP addresses.

"Encrypting DNS is good, but if this could be done without involving additional parties, that would be better," APNIC added.

***

The general idea is that DNS-over-HTTPS isn't what many have thought. It doesn't actually protect users from having their web traffic snooped, and it's not really that useful for dissidents in dangerous countries.

Users who want to hide their web traffic should still look at VPNs and Tor as safer solutions, with DoH as an extra layer of protection, when available.

Enterprises will need to invest in new ways of monitoring and filtering traffic, as the era of DNS-based systems seems to be coming to an end, and hybrid solutions with TLS interception capabilities will be needed. Such systems already exist, but they're expensive, and that cost is the main reason why many companies have been relying on DNS-based systems until now.