João Damas
Technical Advisor for .PT
21-09-2020
DNS, privacy and evolution
When the DNS was designed, more than 35 years ago, the goal was to let the Internet grow. Security and privacy were not considered, because almost nobody used the Internet yet. In later years the DNS was extended with the ability to authenticate the data it carries, through DNSSEC, but all of that data still travels across the Internet in cleartext. Any element of the network that can read traffic can read which DNS questions each person is asking. One might think this is of little importance, since the DNS only reveals the site you want to visit or the domain you want to send an email to: the DNS would be "just metadata".

Over time it became clear that this metadata reveals a great deal to anyone who cares to analyse it, and people started discussing how to protect DNS traffic from "wiretaps" on the Internet.

The first proposal to remedy this was published by Dan Bernstein under the name DNSCurve. It was designed to conceal the communications between recursive DNS servers (the resolvers that providers run for their customers) and authoritative DNS servers (those run for websites, TLDs, etc.). It was published outside the IETF and did not see much adoption, but one security and DNS provider, OpenDNS, built an implementation of the idea (DNSCrypt) for the communications between clients and its own recursive servers.

Meanwhile, the IETF started working on modifying the DNS transport (since the beginning it has been plain UDP and TCP) by adding TLS in order to encrypt the traffic, and so DNS over TLS (DoT, RFC 7858; not to be confused with DTLS, the datagram variant of TLS) was born. DoT keeps the existing DNS-over-TCP framing of the messages and simply runs them inside a TLS session, on a dedicated port, 853.

All of these approaches left the DNS as we know it unchanged and merely wrapped it in a protective layer: relatively simple modifications that did not really alter the DNS used until now.

In parallel and independently, however, the IETF started work on another alternative. Known as DNS over HTTPS (DoH, RFC 8484), it departs much further from traditional DNS: the DNS message is carried as if it were ordinary data transported over HTTP with TLS protection, like the web content of any HTTPS site. A query becomes an HTTP request (a GET with the message encoded into the URL, or a POST with the message as its body, labelled with the media type application/dns-message) and the answer comes back as an HTTP response. Since it is plain HTTPS, it normally runs on the same port, 443, as the rest of the web.
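As an added worked example (this is not code from the original post or from .PT), the following Python shows concretely what the two approaches above do to a DNS message: DoT (the DNS over TLS paragraph) keeps the normal DNS-over-TCP framing and just runs it inside TLS on port 853, while DoH (this paragraph) encodes the very same wire-format message into an HTTP GET URL or a POST body. The resolver hostname doh.example.net is a placeholder, and the resolver reply is constructed in the code by build_response rather than captured from a real server. The parser that reads the reply is the same whichever transport carried it, which is the point of "hiding the information under a protective cover".

```python
import base64
import ipaddress
import struct
import urllib.parse

# Hypothetical resolver hostname for the DoH URL (assumption, not from the post).
DOH_SERVER = "doh.example.net"
DOH_PATH = "/dns-query"   # path used by most public DoH resolvers
DOT_PORT = 853            # RFC 7858: DNS over TLS has a dedicated port
DOH_PORT = 443            # RFC 8484: DoH is just HTTPS


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Standard recursive query in DNS wire format (RFC 1035, section 4).
    RFC 8484 suggests txid 0 for DoH so identical queries give identical HTTP
    requests that caches can reuse; a UDP client would use a random id."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def frame_for_dot(msg: bytes) -> bytes:
    """DoT framing = DNS over TCP framing: 2-byte big-endian length, then the
    unmodified message. TLS on port 853 does the hiding, nothing else changes."""
    return struct.pack("!H", len(msg)) + msg


def doh_get_url(msg: bytes, server: str = DOH_SERVER, path: str = DOH_PATH) -> str:
    """DoH GET form (RFC 8484, section 4.1): the wire-format message goes into the
    'dns' query parameter, base64url-encoded with the '=' padding removed."""
    b64 = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return f"https://{server}{path}?dns={b64}"


def doh_decode_get(url: str) -> bytes:
    """What a DoH server does with a GET: restore the padding and decode."""
    b64 = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)["dns"][0]
    return base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))


def doh_post_request(msg: bytes, server: str = DOH_SERVER, path: str = DOH_PATH):
    # DoH POST form: the raw message is the HTTP body, typed application/dns-message.
    headers = {"host": server, "content-type": "application/dns-message",
               "accept": "application/dns-message", "content-length": str(len(msg))}
    return "POST", path, headers, msg


def build_response(query: bytes, addresses, ttl: int = 300) -> bytes:
    """Constructed resolver reply (sample data, not captured traffic): echoes the
    question and adds A records whose owner name is a compression pointer (0xC00C)
    to the question name at offset 12, exactly as real resolvers do."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addresses), 0, 0)  # QR, RD, RA
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
                   + ipaddress.IPv4Address(ip).packed for ip in addresses)
    return header + query[12:] + rrs


def _read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; returns (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:           # compression pointer
            hops += 1
            if hops > 16:                     # guard against pointer loops in hostile input
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2                 # the caller resumes after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_answers(msg: bytes):
    """Return (rcode, [(name, rtype, ttl, value), ...]) for the answer section.
    The same parser applies whether the bytes arrived over UDP, DoT or DoH."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                        # skip the question section
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:
            value = str(ipaddress.IPv4Address(rdata))
        elif rtype == 28 and rdlen == 16:
            value = str(ipaddress.IPv6Address(rdata))
        else:
            value = rdata.hex()
        answers.append((name, rtype, ttl, value))
    return flags & 0xF, answers
```

To talk to a real resolver, frame_for_dot's output would be written to a TLS socket on port 853, and doh_get_url's output fetched with any HTTPS client; note that the GET form strips base64 padding, so a DoH server must restore it before decoding, as doh_decode_get does, and a parser that follows compression pointers needs the loop guard shown in _read_name because the bytes come from the network.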

The intention is not only to conceal DNS messages with encryption, but also to hide DNS traffic itself among the rest of the web traffic. This defeats the blocking of access to DNS servers, which governments around the world have used, and it also makes DNS traffic harder to distinguish from other HTTPS traffic.

DoH had the support of Mozilla, which built the protocol into Firefox, and it found acceptance among open recursive DNS servers (resolvers that serve the whole Internet rather than only a provider's own customers, as is usually the case with ISPs), with Cloudflare's implementation on its 1.1.1.1 service.

The controversy soon followed, because Mozilla chose to make this the default way of using DNS in Firefox, without the user doing anything. Two problems arise immediately:
- we escape privacy intrusion by governments, but the information is handed over to an American private company (some would say, one more). Is this the best choice? Each of us will have to decide, hopefully with good information.
- a door opens for bypassing the security and access-control policies of sensitive networks, such as companies, state agencies or even parental controls at home, making it not just possible but easy to escape this kind of control.

As with everything, technology is neither good nor bad; it depends on how it is used. To begin with, we need information in order to know how this affects the privacy of each of us, as well as the security of our networks.

Finally, and just as a footnote: by changing how DNS is handled, DoH could also open the door to a new stage in the evolution of DNS services in the near future.



Please note: the articles on this blog may not convey the opinion of .PT, but of its author.