Thursday, April 11th, 2019 (11:31 am)

ISPs have also built crucial relationships with Content Delivery Network (CDN) vendors, which help them to more efficiently cache and serve on-net content to give consumers the best experience and minimise network costs (indirectly this also keeps the price you pay for broadband down). But ISPs say some of that might be impacted if DoH providers get in the way of their normal DNS (i.e. more difficult for providers to steer certain content).

Furthermore, ISPs can also use DNS redirects for common support tasks, such as device/router setup, mobile top-ups, network performance metrics (as often demanded by Ofcom) and broadband support. Getting these important features to work with DoH will be difficult and could impact a provider’s ability to help their customers. Not to mention issues for public Wi-Fi hotspots, which often start you off on “captive portals”.

At this point it becomes clear that for all the benefits of DoH, there are also some potentially big challenges and costly problems for ISPs too. The risk of inconsistent experiences and thus greater complexity for end-users (e.g. needing to set up Parental Controls on each device you use instead of via a central control) is not something that the big players can lightly ignore.

Admittedly, the alternative perspective here is that when DoH becomes widespread and Governments start asking why the DNS-level blocks that ISPs use for certain tasks are no longer effective (not that they were ever very effective) then it becomes, as one provider put it to us, “someone else’s problem” (e.g. the DoH providers’ problem).

Governments will thus end up needing to talk with many more parties in the internet connectivity process than just an ISP (e.g. Google, Mozilla etc.) in order to get their desire for greater use of censorship or other DNS dependent systems realised, which creates another set of problems for them. Meanwhile the DoH providers will rightly argue for the security benefits.

Andrew Glover, Chair of the UK ISPA, said: “The [Online Harms White Paper] lists ISP blocking of non-compliant sites as a potential enforcement mechanism of last resort. However, as technology evolves, including through new technical protocols such as DNS-over-HTTPS, the ability of ISPs to put in place technical measures could be substantially reduced. The legal basis of any blocking action taken will also need to be clear.”

Granted, there are more sophisticated methods of network-level filtering available to ISPs than mere DNS-level blocking, which is one of the easiest methods, but the costs may be unaffordable for all except the largest players (e.g. big ISPs can use DPI, i.e. Deep Packet Inspection, but even this has its limits). Of course DPI won’t solve every other problem mentioned above and can carry a performance impact.

Work is now ongoing within the industry to find ways of adapting to the challenges created by DoH, particularly among the largest providers, although it remains to be seen how much success they have. The very nature of DoH makes all of these issues quite fundamentally difficult to resolve. DoH could also create new security risks of its own by potentially making it easier for certain malware to hide bad traffic, as well as being difficult to block without hindering HTTPS.
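The reason DoH is hard to separate from ordinary HTTPS is that the DNS query travels as a normal web request (RFC 8484: a GET with a base64url-encoded DNS message in a `dns=` parameter, or a POST with content type `application/dns-message`). The script below is an added example, not code from the article or from any ISP or browser vendor. It shows what a network operator who can see HTTP metadata (for example from an enterprise web proxy, where TLS is terminated) can still recover: it flags requests that look like DoH and, for GET requests, decodes the query name. The log format, client addresses and the DNS message it builds are constructed for the example; the resolver hostnames are public DoH endpoints the author of the example knows of, used only as an illustrative list.

```python
"""Spotting DNS-over-HTTPS (RFC 8484) requests in constructed web-proxy logs.

Assumed log line format (not from the article):
    <client-ip> <method> <host> <path> <request-content-type>
"""
import base64
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Illustrative list of public DoH resolvers; a real deployment would maintain its own.
KNOWN_DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "mozilla.cloudflare-dns.com"}
DOH_CONTENT_TYPE = "application/dns-message"   # RFC 8484 media type
DOH_PATH = "/dns-query"                        # conventional RFC 8484 template path


def build_query(name: str, qtype: int = 1) -> bytes:
    """Build a minimal RFC 1035 query message (ID 0, RD set, one question)."""
    header = b"\x00\x00" + b"\x01\x00" + b"\x00\x01" + b"\x00\x00" * 3
    qname = b"".join(len(label).to_bytes(1, "big") + label.encode("ascii")
                     for label in name.split("."))
    return header + qname + b"\x00" + qtype.to_bytes(2, "big") + b"\x00\x01"


def encode_doh_get_param(msg: bytes) -> str:
    """RFC 8484 GET encoding: base64url without padding."""
    return base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")


def decode_qname(msg: bytes) -> str:
    """Extract the first question name from a raw DNS message."""
    pos = 12  # skip the 12-byte header
    labels = []
    while True:
        if pos >= len(msg):
            raise ValueError("truncated DNS message")
        length = msg[pos]
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("label compression is not valid in a query name")
        pos += 1
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def decode_doh_get(path: str) -> Optional[str]:
    """Return the query name carried in a DoH GET path, or None if absent."""
    qs = parse_qs(urlsplit(path).query)
    if "dns" not in qs:
        return None
    raw = qs["dns"][0]
    padded = raw + "=" * (-len(raw) % 4)  # restore padding stripped by RFC 8484
    return decode_qname(base64.urlsafe_b64decode(padded))


def classify(line: str) -> Optional[dict]:
    """Return a finding for a DoH-looking request, or None for ordinary HTTP(S)."""
    client, method, host, path, ctype = line.split()
    reasons = []
    if host in KNOWN_DOH_HOSTS:
        reasons.append("known-doh-resolver")
    if urlsplit(path).path == DOH_PATH:
        reasons.append("dns-query-path")
    if ctype == DOH_CONTENT_TYPE:
        reasons.append("dns-message-content-type")
    if not reasons:
        return None
    qname = decode_doh_get(path) if method == "GET" else None
    return {"client": client, "host": host, "reasons": reasons, "qname": qname}


def detect(lines) -> list:
    """Run the classifier over an iterable of log lines and collect the findings."""
    return [f for f in (classify(l) for l in lines) if f is not None]


# Constructed sample log: one ordinary page fetch, one DoH GET to a listed
# resolver, and one DoH POST to an unlisted resolver (documentation address).
SAMPLE_LOG = [
    "10.0.0.5 GET www.example.org /index.html -",
    "10.0.0.7 GET mozilla.cloudflare-dns.com /dns-query?dns="
    + encode_doh_get_param(build_query("example.com")) + " " + DOH_CONTENT_TYPE,
    "10.0.0.9 POST 203.0.113.10 /dns-query " + DOH_CONTENT_TYPE,
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

The third sample line is the interesting one for the point the article makes: the resolver is not on any list, so only the request shape (path and media type) gives it away, and that shape is visible only where the HTTPS session can be inspected. On an ISP network, where TLS is not terminated, none of these fields are available and the request is indistinguishable from any other HTTPS traffic to the same server.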

Explaining the complexity of all this to end-users, when in the future they inevitably ask why something doesn’t work as intended, is another challenge entirely (support teams would need significantly more technical familiarity). For now none of the major DoH players have chosen to enable the feature by default, instead preferring to give end-users the option, but we expect this to change (e.g. it will become the default in Firefox).

Tech-savvy end-users will of course be keen to manually enable this feature and in doing so we hope that they remain mindful of how it may impact some of the services offered by their ISP, which could cease to function correctly (i.e. don’t blame your ISP if you enable a third-party feature like this and suddenly something you use on their network stops working or doesn’t function at its best).