For nearly two decades, the movement to encrypt the various links between a client making a request on the web and the ultimate destination of that request has been moving forward, step by small step. With the vast majority of browser requests now loaded over HTTPS and major platform providers having encrypted the links between their data centers, one of the last remaining cleartext pieces is the request from a browser to a DNS provider. But that’s beginning to change.
For adversaries, passively monitoring network connections has become much more difficult as HTTPS has become the default connection method in all of the major browsers. Intercepting user sessions is no longer such an easy task and requires more resources or the ability to compromise the endpoint itself. The same cannot be said for the DNS queries that come from the browsers on those client devices. The DNS system was created nearly 40 years ago as a way to translate the human-readable names of machines on the Internet into IP addresses and vice versa.
By design, DNS doesn't have much in the way of transport security: a query sent from a user's browser to the DNS provider travels in plaintext over UDP or TCP port 53. That means an adversary who can monitor the connection to the DNS server can collect the client's requests and see exactly which sites the user is visiting, even when the subsequent web sessions are fully encrypted. DNSSEC, where it is deployed, authenticates the answers but does nothing to hide the questions. From a privacy perspective, this is not what you want.
Enter DNS over HTTPS (DoH, standardized in RFC 8484), a method for sending DNS queries over an encrypted connection. The idea is simple: the same DNS message is carried inside an HTTPS request to the resolver on port 443, so it is protected from surveillance by anyone with privileged access to the network and looks like any other web traffic. DoH provides an important level of privacy for individuals, and many of the large platform providers and browser makers have already implemented the protocol or have plans to in the near future. DoH is implemented in Google Chrome, Mozilla Firefox, Microsoft Edge, and Opera, and both Windows and macOS will support it in upcoming releases.
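To make the difference concrete, here is an added example (not code from the article or from the VIMES tool) that builds a DNS query, shows what a passive observer on port 53 recovers from it, and wraps the very same message into the RFC 8484 GET form that DoH sends over HTTPS. The resolver URL https://dns.example/dns-query and the response bytes are constructed for illustration; only the Python standard library is used.

```python
"""Plaintext DNS vs. DNS over HTTPS (RFC 8484): what an on-path observer sees.

Added example, not part of the original article. Standard library only.
"""
import base64
import struct


def encode_name(name: str) -> bytes:
    """Encode "www.example.com" as DNS labels: \\x03www\\x07example\\x03com\\x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Single-question DNS query (QTYPE 1 = A, QCLASS 1 = IN, RD flag set).

    RFC 8484 recommends transaction ID 0 for DoH so identical queries cache well.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(msg: bytes, off: int):
    """Decode a (possibly compressed) name at `off`; return (name, next_off)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def sniff_question(udp_payload: bytes) -> dict:
    """What a passive observer of port-53 traffic recovers from one packet."""
    txid, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", udp_payload[:12])
    name, off = decode_name(udp_payload, 12)
    qtype, _qclass = struct.unpack("!HH", udp_payload[off:off + 4])
    return {"txid": txid, "qname": name, "qtype": qtype,
            "is_response": bool(flags & 0x8000)}


def doh_get_url(resolver_url: str, query: bytes) -> str:
    """RFC 8484 GET form: ?dns=<base64url(query)> with '=' padding stripped.

    Over the wire an observer sees only a TLS session to the resolver on 443.
    """
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={b64}"


def parse_a_records(msg: bytes) -> list:
    """Extract IPv4 addresses from the answer section of a DNS response."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):              # skip the echoed question(s)
        _, off = decode_name(msg, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs


# Constructed response (not captured traffic): www.example.com A -> 192.0.2.1,
# answer name given as a compression pointer back to offset 12.
CONSTRUCTED_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + encode_name("www.example.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    q = build_query("www.example.com")
    print("port 53 observer sees:", sniff_question(q))
    print("DoH carries the same bytes as:", doh_get_url("https://dns.example/dns-query", q))
    print("answer:", parse_a_records(CONSTRUCTED_RESPONSE))
```

The point of the contrast is that the DNS message itself is unchanged: `sniff_question` recovers the queried hostname from the plaintext UDP payload, while the identical bytes, base64url-encoded into the `dns` parameter, are hidden inside TLS when sent as a DoH request. The `?dns=` value produced here for `www.example.com` matches the example given in RFC 8484.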
“Most endpoints are behind an edge network now, so the IP address and the stuff you can get by watching the network connection doesn’t tell you much anymore. So people are turning to DNS for monitoring or infection,” said Eldridge Alexander, security tools manager at Duo, who is speaking about DoH benefits and concerns during the Black Hat conference Wednesday.
But there are some concerns surrounding the deployment of the protocol, especially in enterprises that rely on inspecting or filtering outbound DNS traffic. Once a browser sends its queries inside HTTPS to an external resolver on port 443, they bypass the organization's own resolver and are indistinguishable from ordinary web traffic, so the usual DNS-based controls (query logging, blocking of known-malicious domains) no longer see them. Another concern is the centralization of DNS service in the hands of a small number of providers, such as Google, which would then have even more control over the Internet than they already do.
“There is reduced visibility for benign network operators because the tech stack you would use to monitor is the same one you would use to manipulate DNS as a malicious operator,” Alexander said.
The concerns around centralization of DNS services are legitimate too, but Alexander expects those to dissipate as more providers add support for DoH. And once support for the protocol lands in Windows, macOS, and iOS later this year, adoption among enterprises and other organizations should increase sharply.
“Broader native support in the OS should encourage more people to move to DoH and I think you’ll see more universities and schools supporting it as Windows and Mac laptops with it become available,” Alexander said.
Alexander is releasing an open source tool called VIMES that will monitor the DNS connection and run a test to see whether the DNS provider supports DoH or DNS over TLS (DoT, RFC 7858), a similar protocol that carries the same queries over a dedicated TLS connection on port 853, and give the user the option to switch to the more secure protocol.