alphaspirit - Fotolia

What are the implications of DNS over HTTPS for privacy?

With enterprises testing DNS over HTTPS to encrypt domain name traffic, some fear the potential privacy issues. Discover the challenges and benefits of the new protocol.

After Mozilla announced a test of the DNS over HTTPS protocol to encrypt domain name server traffic, some critics were concerned about the privacy implications. What are the privacy implications of DNS traffic over HTTPS? What are the security benefits?

In order to view a webpage, a browser first needs to find out where it is located. This is done using the domain name system protocol, which maps a domain name to the IP address of the server hosting that domain.

Typically, the network stack of a smartphone or IoT device sends a DNS query to a DNS server operated by the user's internet service provider (ISP). If that server is a recursive resolver server and it doesn't have a record for the domain in question, it will send further DNS queries to other DNS servers to obtain the IP address of the domain that is serving the requested page.

If the contents of the page -- scripts, stylesheets or images -- are hosted on more than one domain, then a DNS query will be sent for each domain. Although most DNS queries are quickly resolved, they all add to the time it takes for a webpage to load.

While this is often frustrating, one bigger concern is that DNS queries and responses are sent in cleartext, which is visible to any third party with access to the network path used in the DNS resolution process between a client and a recursive resolver.

DNS queries can also reveal information about which websites users visit, when and how often they visit them, their IP address, and even the type of devices the user has. When content filters are in place, DNS logs can capture user IDs or MAC addresses of the client devices, and research has shown that DNS lookups can even be used to de-anonymize traffic from the Tor network, which was specifically designed to protect users from network surveillance and traffic analysis.

DNS is also a common vector for networks or governments to interfere, redirect or censor internet requests, and DNS spy tools, such as Morecowbell and Quantum DNS, have been used by governments for covert snooping.

Because DNS was designed over 40 years ago, it has begun to show its age, as security wasn't a consideration back then. Hackers have long exploited the insecure nature of DNS through a variety of attacks including DNS spoofing attacks, DNS hijacking, DNS poisoning, or redirecting webpage requests and returning spoofed sites or files.

[The DoH] protocol encapsulates DNS requests in HTTPS protocol exchanges.

There are various initiatives available to overcome these shortcomings, one of which is the DNS Queries over HTTPS (DOH) protocol from the DNS over HTTPS working group of the Internet Engineering Task Force. This protocol encapsulates DNS requests in HTTPS protocol exchanges, which then turn DNS over HTTPS requests into encrypted web traffic. This makes it a lot harder for hackers to hijack or spoof DNS activity to leverage a man-in-the-middle attack or for governments to censor or manipulate network traffic, as it guarantees both the integrity and confidentiality of the DNS requests. It can also make it harder to share information with advertisers and other third parties looking to target specific types of users.

Despite these security benefits, there are concerns that centralizing DNS traffic using any form of gatekeeper simply transfers the point of trust from an ISP to another third party, making it a prime target for cybercriminals and state-sponsored actors. Different DoH DNS resolvers operated by commercial companies or nonprofit organizations could give users a choice of who to trust, but there could well be resistance from governments that want to preserve their DNS monitoring capabilities, as well as from ISPs that want to monetize existing DNS traffic.

Even though the DoH standard is only a draft, there are already services users can use for free that support DNS over HTTPS, such as Google Public DNS and Cloudflare's services.

Ask the expert:
Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)

Dig Deeper on Network security

Enterprise Desktop
Cloud Computing