Root Causes 84: What Is DNS over HTTPS?
DNS over HTTPS is a capability whereby DNS lookups can be encrypted to defend against certain man-in-the-middle attacks as well as protecting information about web usage from being revealed to third parties.
In this episode our hosts explain DNS over HTTPS, it potential uses, and how it works. They also explain some of the controversy and potential concerns that have been raised with this approach.
- Original Broadcast Date: April 20, 2020
Episode Transcript
Lightly edited for flow and brevity.
-
Tim Callan
So, today, we are going to talk about DNS over HTTPS. Now obviously anything that says HTTPS is fair game for us to discuss and DNS, the world of DNS can get very bits and bitsy wouldn’t you say, Jay?
-
Jason Soroko
It’s been around forever.
-
Tim Callan
Right.
-
Jason Soroko
You might think that the world just knows how to do it and it certainly does. There are all kinds of attacks against it nowadays. There’s all kinds of issues around performance. There’s all kinds of issues around privacy. But today, we are going to be talking specifically about encrypting DNS lookups between the client and the resolver.
-
Tim Callan
Ok. So, encrypting DNS lookups between the client and the resolver. I can see obvious use cases for that or some obvious benefits for that. You know, if I can sit and look at your lookups, I can learn something about your interests and your behavior. This could be used for intel for somebody who is trying a cyberattack. This could be used just to spy on people. This could be a violation of privacy. Are those the right benefits? Are those the real main benefits of this approach?
-
Jason Soroko
Mostly. Mostly. I think privacy is the one that comes into question quite a lot. I don’t think that there is a protection of privacy that is - - in fact, the privacy issues is the more interesting juicy bit of this that we will talk about in a bit, Tim, because you are really pushing the privacy question off to a different provider, which is interesting.
-
Tim Callan
Ok.
-
Jason Soroko
Really the purpose here just first and foremost is to increase, you could call it privacy and security by essentially trying to prevent your ISP who is probably for the most part was doing your DNS resolving and pushing that DNS resolving to somebody else and then encrypting that resolving between you and the resolver so that your ISP can’t really either manipulate it or log it or do some sort of, you know, or somebody else do some sort of the man-in-the-middle attack against it.
-
Tim Callan
So that implies that you have a greater degree of trust for the new DNS resolver than you did for your original hosting provider?
-
Jason Soroko
Yeah. It could be. Your ISP could be in a jurisdiction where they are being compelled by government law to log what you are doing or perhaps even to redirect you. I know that in the U.K. that’s in fact the case because of some laws over there. We can get into that but that’s one reason. As well, I’m sure you remember the whole controversy around ISPs that would monitor your service for the types of traffic that are going through in order to be able to speed you up, slow you down. Those kinds of decisions. There’s all kinds of stuff that the ISPs do that either you may be aware of or you are not aware of and you might consider it a problem for you.
-
Tim Callan
So, I’m on the wrong end of net neutrality by virtue of what I do and I don’t want my performance to suffer so I do DNS lookup over HTTPS for instance.
-
Jason Soroko
Right. Right. And, you know, to be honest with you there’s also cases – and this is true for me – where my internet speed in my jurisdiction is pretty good but my DNS resolving, the performance can sometimes be degraded for whatever reason and so therefore, sometimes I will switch over to a different DNS resolver just to speed up my DNS resolving.
-
Tim Callan
At a high level, how does it work?
-
Jason Soroko
Well, at a high level, how this works is essentially you would redirect your DNS resolving to another provider using DNS over HTTPS. So how do you do that? Well, on a laptop with a browser Firefox was the first browser to start supporting this and there are some other browsers right now that are looking into it. I know Microsoft is in the middle of also giving native support to this through Windows 10.
-
Tim Callan
Ok. So, is this a third-party service that I go sign up for? How does that work? Like are there people in the business of doing this professionally?
-
Jason Soroko
Well, if you choose to use Firefox as your browser, I’m not sure if it’s defaulted at the time of this podcast, but I think there was a period where it was default as part of Firefox.
-
Tim Callan
Oh, wow. Ok. So, are there any disadvantages?
-
Jason Soroko
Well, again, it depends on who you trust. And very recently in the news, Cloudflare is the DNS resolver behind the Firefox DNS resolving DNS over HTTPS and a lot of you may also know of Cloudflare’s app that exists I believe on both Android and iOS which is Cloudflare’s 1.1.1.1 app, which actually performs - essentially it enables you to hijack your DNS requests and perform DNS over HTTPS for your mobile devices.
-
Tim Callan
So Cloudflare is in so many things. Like you run into Cloudflare just in so many places. They are so ubiquitous. They touch so much of your typical service, you know, that’s an interesting one, right? Where, you know, on the one hand I think Cloudflare obviously has displayed a lot of competence and on the other hand, some people might say gee, I have a lot of my eggs in the Cloudflare basket?
-
Jason Soroko
Yeah. That’s true. There’s an awful lot of the internet’s piping, if you will, that has to do with Cloudflare and hey, they’re a competitor and they’ve gotten into a lot of things. But this choice of becoming one of the big defacto DNS over HTTPS resolvers, of course it raised a lot of eyebrows at the beginning because like I said at the top of the podcast, you are really pushing your DNS request out to a different provider and that provider being Cloudflare. Now, one of the things Cloudflare said I think pretty much from the beginning was that they would wipe their logs within 24 hours and I think at the beginning as well, and I don’t want to misquote them, but there was some sort of an asterisk within the statements that said the only reason they were keeping the logs were for research purposes just to make sure that their performance was up to scratch. Something like that. And KPMG I believe, who was their auditor, released a privacy audit and has apparently said exactly that yeah, Cloudflare has kept their promise and all the things they said they were going to do they in fact are doing. So that’s a good thing. It means they are keeping their promises. Really, I guess if there is a fly in the ointment at all it might have to do with well what you are doing with those logs within those 24 hours. Is there any double check for whether that is being copied or sent elsewhere? I’m certainly not accusing Cloudflare of doing anything inappropriate. I’m more repeating what other people might have been thinking or what the controversy may still be.
-
Tim Callan
But there are other people? Like Cloudflare is not the only one in the world that does this, right?
-
Jason Soroko
No. There are others, but Cloudflare I think really is the dominant player.
-
Tim Callan
Ok. So, HTTPS, DNS over HTTPS. Sounds like it is a very real and certainly, what do I want to say? A potentially beneficial part of what you may have in your mix. Any other thoughts?
-
Jason Soroko
No, Tim. That’s really it. I wanted to make sure that folks listening to this podcast kind of got the basic gist of this. There is a lot more to it but I don’t want to get into the weeds especially because of the fact that it’s a pretty fluid situation anyway.
-
Tim Callan
Sure. Cool. So, thank you, Jay. Good. Nice explanation of a good fundamental thing that I think people don’t about that much and maybe we don’t know about that much.
-
Jason Soroko
Yeah. Thanks, Tim. These are the kinds of bread-and-butter podcasts that we like to do from time to time.
-
Tim Callan
Excellent. Thanks, Jay. This has been Root Causes.