The Battle over DNS

One of the hottest topics in the computer world this year is the controversy over DNS-over-HTTPS (DoH). DNS stands for Domain Name System and is the protocol that acts like the telephone directory of the Internet. DNS translates a domain name, such as www.google.com (the host part of the URL https://www.google.com/), into an IP address so that the user's device knows where to send its request. Every host reachable on the Internet has an IP address, and the lookup is what lets the two ends of a connection, in this example a user's browser and a Google server, find each other and exchange traffic.

DNS is one of the oldest protocols on the Internet, older than the web itself, and its wire format has changed little since it was created. Queries are sent in plain text, traditionally over UDP port 53, to a recursive resolver, which for most home users is one operated by their ISP. The resolver finds the IP address for the name and returns it, and the user's device then connects to that address directly. Because neither the query nor the answer is encrypted, anyone on the path between the user and the resolver can read the name being looked up, and can potentially alter the answer.

DoH takes the ISP's resolver out of the picture, because the web browser itself initiates the DNS lookup. Currently DoH is built into a few browsers, such as Mozilla Firefox and Google Chrome, and most of the major browsers have plans to enable it. A browser using DoH wraps the DNS query inside an ordinary HTTPS request, so the query is encrypted with TLS and sent on port 443 to a third-party DoH resolver, where it looks on the wire like any other web traffic.

Proponents of DoH cite several advantages of the new protocol. First, DoH stops ISPs from recording browsing history, one of the biggest privacy concerns, since an ISP's resolver sees every web site its customers look up. A user's browsing history reveals a huge amount of information. Of course, some new entity takes over the role of DNS resolution and could also build a browsing history. Mozilla is using Cloudflare's resolver, and Cloudflare says it deletes its query logs within a day. The same promise of privacy may not hold for every DoH provider, and users might want to think twice before choosing somebody like Google to resolve their DoH queries and collect their browsing history.

DoH also makes man-in-the-middle attacks on DNS much harder. In the plaintext protocol a client accepts any answer whose 16-bit transaction ID and question match its query, and an attacker who can see the query knows both, so they can reply first and send the user to a different web site. There have been cases in the past where malware rerouted user traffic to specific web sites to drive traffic to them. Other schemes have redirected traffic to fake banking or shopping sites to try to coax credit card or account numbers out of users. With DoH the query and the answer travel inside a TLS session with an authenticated resolver, so an on-path attacker can neither read nor forge them. Two caveats: DoH does nothing against a compromised or dishonest resolver, and it is not a substitute for DNSSEC, which is the mechanism that lets a resolver verify that the records it receives are genuine.
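To make the two previous points concrete, here is an added Python example, not code from the original post, that builds a DNS query in the wire format the plaintext protocol uses, shows that the queried name is readable and that an on-path observer who saw the query can forge an answer a classic stub resolver will accept, and then wraps the very same bytes into the DoH request form defined in RFC 8484. The Cloudflare endpoint URL is the public resolver the post mentions Mozilla using; the domain name, transaction IDs and the 203.0.113.7 address are sample values chosen for illustration, and nothing here touches the network.

```python
import base64
import struct
import urllib.parse

# Constructed example for this post (not the author's code). The endpoint is
# Cloudflare's public DoH resolver; the names and addresses are sample values.
DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"


def encode_name(name: str) -> bytes:
    """Encode a domain name as DNS wire-format labels (RFC 1035, section 3.1)."""
    out = b"".join(bytes([len(lab)]) + lab.encode("ascii")
                   for lab in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(msg: bytes, off: int):
    """Decode a name at offset `off`, following compression pointers (RFC 1035, 4.1.4).
    Returns (name, offset just past the name as it appeared at `off`)."""
    labels, resume = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                      # pointer to an earlier copy of the name
            if resume is None:
                resume = off + 2
            off = ((n & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), (resume if resume is not None else off)


def build_query(name: str, txid: int, qtype: int = 1) -> bytes:
    """Standard recursive query: header with RD set, one question, QTYPE 1 = A, QCLASS 1 = IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_message(msg: bytes) -> dict:
    """Parse the header and the first question. This is all that is needed to see
    why a plaintext query is readable and a plaintext answer is forgeable."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"id": txid, "flags": flags, "ancount": an, "qname": qname,
            "qtype": qtype, "qclass": qclass, "answer_offset": off + 4}


def forge_response(observed_query: bytes, fake_ip: str) -> bytes:
    """What an on-path attacker can send after reading a plaintext query: reuse
    the 16-bit ID and the question, and attach one A record pointing at fake_ip."""
    q = parse_message(observed_query)
    question = observed_query[12:q["answer_offset"]]
    header = struct.pack("!HHHHHH", q["id"], 0x8180, 1, 1, 0, 0)   # QR=1, RD, RA, 1 answer
    rr = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 60, 4)          # name -> offset 12, A, IN, TTL 60
    return header + question + rr + bytes(int(o) for o in fake_ip.split("."))


def naive_client_accepts(query: bytes, response: bytes) -> bool:
    """The checks a classic stub resolver makes on a UDP answer: it is a response,
    the ID matches and the question is echoed back. An on-path observer knows all three."""
    q, r = parse_message(query), parse_message(response)
    return bool(r["flags"] & 0x8000) and q["id"] == r["id"] and \
        (q["qname"], q["qtype"], q["qclass"]) == (r["qname"], r["qtype"], r["qclass"])


def first_a_record(response: bytes) -> str:
    """Return the IPv4 address in the first answer RR (assumes it is an A record)."""
    r = parse_message(response)
    _name, off = decode_name(response, r["answer_offset"])
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
    off += 10
    return ".".join(str(b) for b in response[off:off + rdlen])


def doh_get_url(query: bytes, endpoint: str = DOH_ENDPOINT) -> str:
    """RFC 8484 GET form: the identical wire-format message, base64url without
    padding, in the `dns` parameter of an HTTPS request. The name now travels
    inside TLS, so an observer sees only the resolver's address and the handshake."""
    param = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={param}"


def decode_doh_get_url(url: str) -> bytes:
    """Inverse of doh_get_url: recover the wire-format message from the URL."""
    param = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)["dns"][0]
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


if __name__ == "__main__":
    q = build_query("www.example.com", txid=0x1234)
    print("plaintext query exposes:", parse_message(q)["qname"])
    forged = forge_response(q, "203.0.113.7")                 # TEST-NET address, constructed
    print("naive client accepts forged answer:", naive_client_accepts(q, forged),
          "->", first_a_record(forged))
    # RFC 8484 recommends ID 0 for the GET form so that responses are cacheable.
    print("same query as DoH:", doh_get_url(build_query("www.example.com", txid=0)))
```

For www.example.com with ID 0 the `dns` parameter comes out as `AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB`, which is the example request in RFC 8484 itself. Note what the forged answer shows: a plaintext client has nothing but the ID and the echoed question to go on, which is why encrypting the channel (DoH or DoT) or signing the records (DNSSEC) is needed to defeat an on-path forger.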

DoH also makes it harder for ISPs to engage in targeted advertising. This is something the big ISPs have been eyeing as they try to chip away at the huge advertising revenues earned by Google and Facebook. One of the most interesting benefits of DoH is that it makes it harder for authoritarian regimes to track, or to block by name, the web activity of dissidents, although the destination IP address and, in today's TLS, the server name sent in the handshake (SNI) remain visible to anyone watching the connection that follows.

DNS-over-HTTPS is not the only encrypted DNS protocol. Web companies are also deploying DNS over TLS (DoT), which sends the same DNS messages over a TLS connection on a dedicated port, 853. The practical difference is that DoT is easy to identify and block by port, while DoH on port 443 blends in with ordinary web traffic. Over time one of the two will likely prevail, but the goal of both is to encrypt the DNS exchange so that queries cannot be read or tampered with in transit, with the closely related goal of improving privacy.

Many big ISPs clearly dislike the encrypted DNS schemes, since they lose access to customer browsing history. Vice recently reported on a big lobbying effort by Comcast to convince lawmakers to disallow DoH. The protocol is also causing controversy in Great Britain, where ISPs are required to block pornography unless a user specifically opts in, because DoH bypasses the DNS-based filters that implement the block. For now, Mozilla has not enabled DoH by default in Great Britain, but there will be no easy way to stop it after it gets built into the core Android browser and other ubiquitous platforms. Corporate IT staff are also worried about DoH, because security teams rely on logging and filtering at the corporate resolver both to spot and block malware domains and to enforce acceptable-use policies, whether that means employees visiting social media during work hours or browsing known-malicious sites, and a browser using DoH can bypass the corporate resolver entirely.
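The DoT-versus-DoH distinction above, and the corporate visibility problem it creates, can be seen in a small added Python example (not code from the original post) that classifies connection records the way a network monitoring rule would. The log format, the corporate resolver address, the list of public encrypted-DNS hostnames and the sample lines are all constructed for illustration; the resolver IP addresses are the well-known public ones.

```python
# Constructed example for this post (not the author's code). The log format,
# the corporate resolver address and the sample lines are made-up assumptions.
CORPORATE_RESOLVERS = {"10.0.0.53"}

# Hostnames of public encrypted-DNS endpoints commonly configured in browsers (assumed list).
KNOWN_DOH_HOSTS = {"cloudflare-dns.com", "mozilla.cloudflare-dns.com",
                   "dns.google", "dns.quad9.net"}

# Fields: timestamp, source IP, destination IP, destination port, transport, TLS SNI ("-" if none)
SAMPLE_LOG = """\
2019-10-01T09:00:01Z 10.0.1.25 10.0.0.53 53 udp -
2019-10-01T09:00:02Z 10.0.1.25 93.184.216.34 443 tcp www.example.com
2019-10-01T09:01:10Z 10.0.1.40 1.1.1.1 443 tcp mozilla.cloudflare-dns.com
2019-10-01T09:01:11Z 10.0.1.40 93.184.216.34 443 tcp www.example.com
2019-10-01T09:02:30Z 10.0.1.77 9.9.9.9 853 tcp dns.quad9.net
2019-10-01T09:03:05Z 10.0.1.90 8.8.8.8 53 udp -
2019-10-01T09:04:00Z 10.0.1.25 198.51.100.10 443 tcp cdn.example.net
"""


def parse_line(line: str) -> dict:
    """Split one whitespace-separated record of the assumed log format."""
    ts, src, dst, port, proto, sni = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port),
            "proto": proto, "sni": None if sni == "-" else sni}


def classify(rec: dict) -> str:
    """Label a connection by what it tells us about name resolution."""
    if rec["port"] == 53:
        return "dns-corporate" if rec["dst"] in CORPORATE_RESOLVERS else "dns-external-plaintext"
    if rec["port"] == 853:
        return "dot"            # DoT has its own port, so it is unambiguous
    if rec["port"] == 443:
        # DoH to an unlisted host is indistinguishable from ordinary browsing.
        return "doh-known-resolver" if rec["sni"] in KNOWN_DOH_HOSTS else "https"
    return "other"


def resolver_bypass_report(log_text: str) -> dict:
    """Return, per source IP, the set of verdicts that mean the corporate resolver
    was bypassed: plaintext DNS to an outside resolver, DoT, or DoH to a known resolver."""
    bypass = {"dns-external-plaintext", "dot", "doh-known-resolver"}
    report = {}
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        verdict = classify(rec)
        if verdict in bypass:
            report.setdefault(rec["src"], set()).add(verdict)
    return report


if __name__ == "__main__":
    for src, verdicts in sorted(resolver_bypass_report(SAMPLE_LOG).items()):
        print(src, sorted(verdicts))
```

The last sample line illustrates the limit of this approach: a DoH endpoint served from a generic CDN hostname is just another HTTPS connection, so port and SNI matching only catches the well-known resolvers. That is why browser vendors added explicit controls for managed networks; Firefox, for example, queries the canary domain use-application-dns.net before turning DoH on by default and backs off if the local resolver answers NXDOMAIN, and its enterprise policy file can disable and lock the DoH setting outright.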

There will be more public discussion about DoH as more web browsers include the protocol. Before the dust settles there is likely to be an ongoing tug-of-war between big ISPs, big web companies, and users as the public demands privacy.

5 thoughts on “The Battle over DNS”

  1. Just to address the casual “you may not want to trust Google” comment — I can’t speak to the present or future but, when they implemented 8.8.8.8 and such they were *incredibly* careful about privacy around dns history. If anyone saw this sort of info as a liability and not an asset, it was Google…

    Comcast doesn’t have quite the same profile…


    • I use Google all of the time. However, there are web sites dedicated to ways to avoid Google, so there are many people in the country who specifically distrust Google. I assume all of the big ISPs gather data on us, so to me, it’s a matter of picking your poison.


  2. The assumption that “ISPs gather data on us” is demonstrably false in many markets – for example, in Europe the use of DNS data by ISPs would be covered by GDPR. In the US, I know that Comcast has a very clear privacy policy on not tracking its customers through their DNS usage. The casual assumption that tech companies will be better at respecting the data privacy of their users is surprising given the regular flow of stories linked to privacy breaches, surveillance capitalism etc.

    If you *need* your web usage to be private, there are far better tools than DoH to assure your privacy. For example, the Tor Browser would be a better, if not completely infallible, choice than a standard browser plus DoH; equally a VPN that also routes DNS would be a better choice provided you’ve been careful in your choice of VPN provider.


    • I’m not sure where you got the idea that Comcast doesn’t collect customer data. The following link is to their terms of service and they collect the same kind of info as any other big ISP – stuff needed to communicate with a customer, but also to “deliver personalized marketing and advertising for our own and others’ products and services”.

      https://www.xfinity.com/privacy/policy#info-collection

      I agree that it’s more of a challenge for an ISP in Europe due to EU privacy laws. But here in the US data gathering is still the wide-open wild west.


      • You’ll note that I was specifically referring to how its privacy policy related to DNS data. You can find the specific text here:

        https://corporate.comcast.com/stories/privacy-with-comcasts-xfinity-internet-service

        The most pertinent phrase is as follows:

        “As your Internet Service Provider, we do not track the websites you visit or apps you use through your broadband connection. Because we don’t track that information, we don’t use it to build a profile about you and we have never sold that information to anyone.”

        In my view that is commendably clear and dispels the notion that it is tracking its customers through their DNS usage. As you say, GDPR pretty much dispels this myth in Europe too, as may the Californian equivalent as that is adopted in the US.

