EFF: Encrypted DNS could help close the biggest privacy gap on the Internet

Ivan Franco

Posts: 268   +9
Staff member

Thanks to the success of projects like Let’s Encrypt and recent UX changes in the browsers, most page-loads are now encrypted with TLS. But DNS, the system that looks up a site’s IP address when you type the site’s name into your browser, remains unprotected by encryption.

Editor’s Note:
Guest author Max Hunter is the Engineering Director at EFF. Max's team of engineers maintain Certbot, STARTTLS Everywhere, and other projects to encrypt the Internet. Max also serves on the board of the Internet Security Research Group.

Because of this, anyone along the path from your network to your DNS resolver (where domain names are converted to IP addresses) can collect information about which sites you visit. This means that certain eavesdroppers can still profile your online activity by making a list of sites you visited, or a list of who visits a particular site. Malicious DNS resolvers or on-path routers can also tamper with your DNS request, blocking you from accessing sites or even routing you to fake versions of the sites you requested.

A team of engineers is working to fix these problems with “DNS over HTTPS” (or DoH), a draft technology under development through the Internet Engineering Task Force that has been championed by Mozilla. DNS over HTTPS prevents on-path eavesdropping, spoofing, and blocking by encrypting your DNS requests with TLS.

Alongside technologies like TLS 1.3 and encrypted SNI, DoH has the potential to provide tremendous privacy protections. But many Internet service providers and participants in the standardization process have expressed strong concerns about the development of the protocol. The UK Internet Service Providers Association even went so far as to call Mozilla an “Internet Villain” for its role in developing DoH.

ISPs are concerned that DoH will complicate the use of captive portals, which are used to intercept connections briefly to force users to log on to a network, and will make it more difficult to block content at the resolver level. DNS over HTTPS may undermine plans in the UK to block access to online pornography (the block, introduced as part of the Digital Economy Act of 2017, was planned to be implemented through DNS).

Members of civil society have also expressed concerns over plans for browsers to automatically use specific DNS resolvers, overriding the resolver configured by the operating system (which today is most often the one suggested by the ISP). This would contribute to the centralization of Internet infrastructure, as thousands of DNS resolvers used for web requests would be replaced by a small handful.

That centralization would increase the power of the DNS resolver operators chosen by the browser vendors, which would make it possible for those resolver operators to censor and monitor browser users’ online activity. This capability prompted Mozilla to push for strong policies that forbid this kind of censorship and monitoring. The merits of trusting different entities for this purpose are complicated, and different users might have reasons to make different choices. But to avoid having this technology deployment produce such a powerful centralizing effect, EFF is calling for widespread deployment of DNS over HTTPS support by Internet service providers themselves. This will allow the security and privacy benefits of the technology to be realized while giving users the option to continue to use the huge variety of ISP-provided resolvers that they typically use now. Several privacy-friendly ISPs have already answered the call. We spoke with Marek Isalski, Chief Technology Officer at UK-based ISP Faelix, to discuss their plans around encrypted DNS.

Supporting privacy-protecting technologies is a moral imperative.

Faelix has implemented support for DNS over HTTPS on their pdns.faelix.net resolver. They weren’t motivated by concerns about government surveillance, Marek says, but by ”the monetisation of our personal data.” To Marek, supporting privacy-protecting technologies is a moral imperative. “I feel it is our calling as privacy- and tech-literate people to help others understand the rights that GDPR has brought to Europeans,” he said, “and to give people the tools they can use to take control of their privacy.”

EFF is very excited about the privacy protections that DoH will bring, especially since many Internet standards and infrastructure developers have pointed to unencrypted DNS queries as an excuse to delay turning on encryption elsewhere in the Internet. But as with any fundamental shift in the infrastructure of the Internet, DoH must be deployed in a way that respects the rights of the users.

Browsers must be transparent about who will gain access to DNS request data and give users an opportunity to choose their own resolver. ISPs and other operators of public resolvers should implement support for encrypted DNS to help preserve a decentralized ecosystem in which users have more choices of whom they rely on for various services. They should also commit to data protections like the ones Mozilla has outlined in their Trusted Recursive Resolver policy. With these steps, DNS over HTTPS has the potential to close one of the largest privacy gaps on the web.

This article was originally published on EFF.org. Republished with permission.

Permalink to story.

 

Uncle Al

Posts: 8,167   +6,925
To put it simply, the individuals right to privacy should take preciseness up to and until the individual knowingly and with complete awareness, chooses to give up that right. Furthermore, that right should be able to be reclaimed at any time, regardless of objection, in order to give privacy back to the originator. The right to do business should NEVER be held at a higher standard than the individual and their right of privacy.

Instilling that right would not only protect the individual but will act as a strong deterrent to anyone or any organization, business, etc that chooses to take the risk of ignoring those rights.
 
The fact is that, no matter how much encryption you use, the DoH server will be able to see each and every DNS query that you issue, and will know that those queries are coming from you. DoH does not give you privacy - it simply gives the institution that manages your DoH server full power to analyze your DNS queries.
 

Cubi Dorf

Posts: 360   +235
Encryption of dns is not problems, but DNS lookups should not be the browser business. DNS setting per application is silly. Overriding the users dns is big problem. Bury setting in about:config also not appropriate. If you not use the user dns it need to be very clear to user And easy option to change! Seem like big lack of transparency. It makes Mozilla looking shady when maybe they are actually trying to helping peoples.
 

LeroN

Posts: 115   +55
If you not use the user dns it need to be very clear to user And easy option to change! Seem like big lack of transparency. It makes Mozilla looking shady when maybe they are actually trying to helping peoples.
DoH is OFF in FireFox by default. There is nothing to worry about if you don't need to keep your privacy.
If you like it then you have an option to choose your own DNS service as well not only a default one. Mozilla is not Google.
 

arrowflash

Posts: 462   +504
I don't see anything pro-consumer or pro-privacy about this. It's a wolf in sheep's clothing. Aside from the concerns others have voiced, I've also heard that DoH could potentially break every adblock extension.

DoH is OFF in FireFox by default. There is nothing to worry about if you don't need to keep your privacy.
If you like it then you have an option to choose your own DNS service as well not only a default one. Mozilla is not Google.

It is off by default... for now. Is it even fully implemented yet?

There is a lot to worry about, since Mozilla is far from being an ethical and honest company these days. They're not as bad as Google yet but are getting there, and both are serving the same masters. Just look at the amount of telemetry Firefox collects by default, and not even turning it off in the standard settings fully disables it - to fully disable telemetry, you have to change a lot of parameters in about:config plus, if you're on Windows, add a value in the registry. Same thing with the forced automatic updates.
 

bexwhitt

Posts: 551   +238
Encryption of dns is not problems, but DNS lookups should not be the browser business. DNS setting per application is silly. Overriding the users dns is big problem. Bury setting in about:config also not appropriate. If you not use the user dns it need to be very clear to user And easy option to change! Seem like big lack of transparency. It makes Mozilla looking shady when maybe they are actually trying to helping peoples.

In the UK where the government are up in your business when you are on the internet DNS on the browser can only be a good thing, they are already forcing firefox to not turn it on by default in the UK https://www.theregister.co.uk/2019/09/24/mozilla_backtracks_doh_for_uk_users/