One of the hottest topics in the computer world this year is controversy over DNS-over-HTTPS (or DoH). DNS stands for domain name system and is the protocol that acts like the telephone directory for the web. The DNS system translates domain names, such as ‘https://www.google.com/’ to an IP address so that the request can be routed over the Internet. Every device connected to the Internet has a unique IP address, and the DNS system helps to establish a 2-way connection across the web, in this example, between a Google server and a user.
DNS is one of the oldest protocols on the web and hasn’t changed much since it was created. Domain name requests are sent in plain text to an ISP which then converts the domain name to an IP address and routes the user’s request to connect.
DoH takes the ISP out of the picture since web browsers will initiate the DSN lookup. Currently, DoH is built into a few browsers such as Mozilla Firefox and Google Chrome, and most of the major browsers have plans to enable DoH. A web brower will use the DoH protocol to encrypt a domain name request and send it to a third party DNS database provider for routing.
Proponents of DoH cite several advantages of the new routing protocol. First, DoH stops ISPs from recording browser history – one of the biggest privacy concerns, since an ISP knows every web site visited. A user’s browser history reveals a huge amount of information. Of course, some new entity will take over the role of DNS routing and could also create a browser history. Mozilla is using Cloudflare to route DNS, and Cloudflare says that it deletes all browser history every day. This same promise of privacy may not be true for all DoH providers and users might want to think twice before choosing somebody like Google to initiate DoH and collect browser history.
DoH also stops man-in-the-middle attacks. That’s where somebody intercepts a DNS request and sends the user to a different web site. There have been cases in the past where viruses rerouted user traffic to specific web sites to stimulate web usage. Other schemes have rerouted traffic to fake banking or shopping sites to try to coax credit card or account numbers out of users.
DoH also makes it harder for ISPs to engage in targeted advertising. This is something the big ISPs have been eyeing as they try to chip away at the huge advertising revenues earned by Google and Facebook. One of the most interesting benefits of DoH is that it makes it harder for authoritarian regimes to track the web activity of dissidents.
DNS-over-HTTPS is not the only alternate DNS routing protocol and web companies are also exploring DNS over TLS (DoT), which uses the transport layer security protocol on the web to encrypt the DNS request. Over time, the safest alternate protocol will likely prevail, but the goal of both of these new protocols is to encrypt the DNS process to make it safer, with a secondary goal of improving privacy.
Many big ISPs clearly hate the alternate DNS routing schemes since they lose access to customer browsing history. Vice recently reported about a big lobbying effort by Comcast to convince lawmakers to disallow DoH. The protocol is causing controversy in Great Britain where ISPs are required to block pornography unless a user specifically allows it. For now, Mozilla does not offer DoH in Great Britain, but there will be no easy way to stop it after it gets built into the core Android browser and other ubiquitous platforms. Corporate IT staff are also worried about DoH because it makes it more difficult to track employees visiting social media during work hours or browsing dangerous parts of the dark web.
There will be more public discussion about DoH routing as more web browsers include the protocol. Before the dust settles there is likely to be an ongoing tug-of-war between big ISPs, big web companies, and users as the public demands privacy.