At RIPE 77, I talked about what’s been going on with DNS over the past five years from the perspective of end devices. Now in article form, here's what I had to say about the status of the IETF standards for DNS over TLS (DoT) and DNS over HTTPS (DoH) as well as the deployment status of clients and servers for those technologies.
Whenever I talk about DNS encryption, I get a lot of feedback from people saying they had no idea what's been going on in this area. And that’s not surprising. There’s a lot going on right now, and it’s all happening way faster than usual.
My aim here is to talk about how things have been developing over the past five years and to look at some of the good, the bad and the ugly things happening in DNS encryption today.
Work on DNS over TLS (DoT) started four or five years ago, triggered by the Snowden revelations, which revealed the extent of the pervasive monitoring that was happening in the DNS. Taking a strong stance on this, the IETF declared pervasive monitoring an attack on the Internet (RFC7258). They formed a working group called DPRIVE, whose goal was to look at encrypting the stub to the recursive resolver.
After a few years of wrangling with various solutions, the WG decided that the way forward was to use DoT. They soon established a new dedicated port – port 853 – for the service, which became a standard two years ago.
At this point in time, there are now a whole range of DoT implementations out there. There are a number of existing client and server implementations, twenty test DoT servers, and, more recently, there are DoT services being offered by Quad9 and Cloudflare.
Many implementations - e.g. Android Pie, systemd - employ a mode of doing DoT known as opportunistic DoT. In these cases, the system resolver actively probes the resolvers it gets from DHCP on port 853. If it discovers a server offering DoT on that port, it’ll use it in preference to doing cleartext. If it can’t, it does normal DNS.
It's worth noting that, when we look at the DoT implementations currently on offer, most are at the system resolver level. We are missing native implementations in Windows and in Mac OS and IOS. But there’s every reason to hope they'll appear in the next few years. If you want to stand up a DoT server, it's easy, there’s lots of software that supports it and there are plenty of guides on how to do so.
What do you get when you encrypt DNS? Well, actually, you get a lot, some of it good, some bad, and some ugly.
The most obvious good thing is that you defeat passive surveillance. But you also get the option to configure the client with authentication information, meaning it can use PKIX or DANE to actually authenticate the server at the far end of the connection. This, in turn, lets you prevent redirects (as the client is able to choose to hard fail if it can’t authenticate that server), it enables clients to detect the interception of their DNS queries, and, arguably, it increases trust in the service you’ve chosen to use. For example, if you’ve chosen to use a resolver because it does DNSSEC validation or a certain type of filtering, authentication guarantees you that service.
And while we’re still on the good, as a nice side effect, DNS encryption also gives you data integrity of transport, meaning spoofed responses can't be injected into an encrypted stream.
The Bad and the Ugly
One question you sometimes hear asked is: why even bother to encrypt the DNS? After all, the SNI still leaks. The good news is: not for long. There’s a solution in TLS 1.3, proof of concept code, and a draft in the IETF – so it looks like SNI being encrypted will soon be a reality.
What’s perhaps more of a concern right now is that, as already mentioned, DoT runs on a dedicated port, which leaves open the possibility that that port could be accidentally or even intentionally blocked. DoT can, in principle, also be run on port 443 as a fallback, but that’s not the default.
Then there’s the more general issue of which resolver you’ll use for your queries. As a single entity that sees all your DNS queries, you really have to ask which resolver you can trust to provide that service. Most of the servers at the moment are anycast servers in the Cloud, or servers operated by a handful of individuals. DoT just isn’t being served within a lot of networks today. So if you want to choose to actively encrypt your own DNS, you have to go outside your network.
However, this can cause operational problems, for example breaking split horizon DNS. It’s certainly possible that a client might have some fallback mechanism where it tries to resolve externally initially on an encrypted connection, but then reverts to doing it internally via UDP if needs be. The problem is, at that point, the private names have already leaked, and what’s worse, with an encrypted stream, the operator can’t actually see this happening. Operators are faced with the very real concern that encrypted DNS will bypass their local monitoring and security policies, and so create a conflict for them. As a result, we have a case where providing additional privacy for users is directly producing an operational concern for operators.
Sara Dickinson presenting on DoH during OARC in Amsterdam
DoT to DoH
The goal of the DPRIVE WG was to encrypt the DNS with the smallest possible delta on top of the existing infrastructure. No one has ever really suggested doing anything other than encrypting from system resolvers to the resolver already used, so these cases of bypassing the network were expected to be short‑term or rare.
With the story for DNS over HTTPS (DoH), things are quite different. The deployment model is going in a very different direction and it's being led by browsers. This means browsers are talking about potentially doing DNS over HTTPS directly from the browser to a set of pre‑configured Cloud resolver services.
So, where does HTTPS fit into the picture if we already have a solution in DoT? Well, DoH is a much more recent development, work only having started on it about eighteen months ago. That said, despite being new, things have been moving remarkably fast with DoH. A working group was whipped up very quickly at the IETF to get a new protocol defined, the draft went through, and it's already a published RFC (RFC8484).
Where DoH Differs from DoT
At the specification level, there are a number of differences between DoT and DoH. For instance, for DoH, the use cases are much more ambitious. One use case called out in the specification itself says that DoH will allow web applications to directly access DNS information using existing browser APIs, which puts DoH in a very different context right from the get go.
Also, with DoH, when it comes to discovery, according to the spec, you must use a URI template to connect to a DoH server. Today, however, we have no standardised discovery mechanism where you can do this, so there is no option of doing opportunistic discovery probing, although there are proposals in the works to deal with this.
All this gets interesting when you think about the connection models. Obviously with DoT you are doing dedicated connections. And there’s a comparable model with DoH, where you open an HTTPS connection and the only thing you send on that stream is DoH queries. But there’s also the potential for a mixed mode scenario with DoH. This would mean that an application like a browser could have an existing HTTP connection open, and through some discovery mechanism it could determine that the far end has a DoH server, allowing it to start sending its DNS queries over the existing connection completely mixed in with the HTTPS traffic.
Now, there is a use case to say this could be beneficial from a privacy standpoint. If I have a browser open and a tab for, say, mybank.com and mybank.com does DoH, then I can send my DNS queries to mybank.com and I'm not then leaking them to a third‑party because that bank already knows all the content I'm looking up. But what makes things even more interesting from an operational perspective is that, of course, if these mixed connections do contain DNS queries, it becomes impossible to block just the DNS traffic that's happening there. That could be very good for users who are in oppressive network environments, but for operators this is a brand new challenge to think about.
In terms of deployment and implementation, DoH has probably achieved in eighteen months what DoT did in five years. There are multiple test services, and CloudFlare, Google and Quad9 all offer DoH. In terms of the clients and servers that are available, while browsers such as Firefox and Chrome are very much leading the way, there are also some desktop applications available for those interested in going down that route.
DNS in Browsers
There are actually a number of browsers that do their own DNS. Chrome has had its own DNS implementation for a while and there are a handful of others out there that already use encrypted transports. Firefox has had a DoH implementation since Firefox 60, so for well over six months. This isn’t currently enabled by default, but there are experiments underway (see below). Chrome has a full DoH implementation that’s neither exposed nor advertised at this point, but which we can expect to see appear in Chrome in the very near future.
Why is the browser community looking to encrypt directly from the browser? Well, for one thing, waiting for OS support is the slower option. Browsers control the clients, so they can put new releases out in a matter of days and weeks without waiting on the much longer time scales for OS changes. Also, it gives them a unique selling point and an opportunity to improve user experience in terms of latency within the browser.
Well, ok, but why choose DoH instead of DoT? According to Mozilla (here), there are various reasons for going with DoH, including the fact that, from the browser perspective, leveraging the HTTP ecosystem makes a huge amount of sense, they understand proxying, they understand caching in that world, and they think they can accelerate the DNS by doing this. You have a whole community of people saying don't bother with this new port, just put encrypted DNS on port 443, it never gets blocked, it just works.
Lastly, it's kind of a 'shiny new things' scenario for the browser folks, because when you start doing DoH, there is the potential to do all sorts of cool things: you can define new media types; you can do server push; and there are proposals for doing what's been described as 'resolverless DNS'. So there’s a whole range of potential for this that's quite unexplored at the moment. Indeed, some people have even suggested this is a way to do DNS 2.0 without actually doing DNS 2.0. I'll leave you to make up your own minds.
The Firefox Experiment
They then coined a brand new term - Trusted Recursive Resolver (TRR) - and said that 'because CloudFlare is our TRR, it means that we think Firefox can ignore the resolver provided by the network and go straight to CloudFlare'. So that was the proposal at the time. They went ahead and did the experiment in June and they blogged about it in August. They did it by opting in half of their Firefox nightly users and sending all queries in parallel to the system provided resolver and out to CloudFlare. Then they compared the results.
What I found particularly interesting is, when they wrote up the results for this, they enumerated the questions that they were trying to answer, and number one was: 'does the use of a Cloud DNS service perform well enough to replace traditional DNS?' It wasn't about validating any nitty-gritty details of the protocol, it was about answering this much bigger question. The conclusion they came to was that if you use CloudFlare, you take a 6‑millisecond performance overhead, and given that you get encryption for that, the cost is acceptable.
So, the experiment continues. Firefox have announced that they are committed to investigating Cloud providers as the option that they want to look at, and in September 2018 they announced another experiment that they are moving forward in Firefox beta.
Trusted Recursive Resolver
This notion of TRR is worth looking at in more detail. Since those original posts, Mozilla have been very careful not to commit to saying what their config will be, and if you ask them in various places they'll say we're still trying to figure this out. So it’s not a done deal, and the DNS community is in limbo waiting for this decision from browser vendors, and this is a decision which could have an enormous impact on how stub to recursive DNS works.
One of the things it will do is alter what is, today, the implicit trust model of DNS. When you choose to log on to a given network, you accept implicitly that you are going to use the resolvers provided by that network. This could change to installing an app, and somewhere in the however-many pages of T&Cs, there’ll be a line saying the application is going to send the DNS queries to the resolver of its choice using DoH. So this is an interesting question, and one of the concerns it's raised in the community is, does this mean we are heading towards a potential centralisation of DNS resolvers? Given that, today, browsers have lists of CAs that they trust, can you imagine a future where we have lists of DNS provides that they trust. If you want one that isn't there, you have to go in and manually configure it.
Reactions to this news are, as you might imagine, mixed. Some say it’s good that it is provoking discussion about the fact that DNS needs to be encrypted, as it helps brings operators face-to-face with the reality that this is coming their way. Some people are highly uncertain and somewhat concerned about what this will bring about. For others, this is the single worst idea that they have ever heard and it's the end of the DNS republic as we know it.
In general, there are certainly reasons why some would feel uneasy. Many operators, for instance, have legal and regulatory obligations to manage the DNS coming into their networks and are not prepared for this change. If this was turned on tomorrow, they could find themselves in all kinds of trouble. This has led some operators to say they’ll be forced to either block this traffic or proxy it, because they need to have control of their network. After all, historically they’ve had the luxury of unencrypted DNS.
Then there are questions about the legal issues. Within GDPR, users are required to give informed consent if their data is going to be transported outside the EU. But how many people do you know outside the tech community who can give informed consent about what should happen to their DNS queries when (a) they don't understand DNS and (b) they probably won't look at changes in the terms and conditions and, (c) they’ll encounter cases where the provider doesn't state clearly what jurisdiction their data falls under.
This brings us back to thinking about the fundamental threat model involved with the DNS. There’s no arguing that a TRR can be useful in some networks. If I'm in a coffee shop, for example, I’d probably much rather go to somebody like Quad9 than use said coffee shop’s DNS resolver. In terms of ISPs, in the US, the lack of net neutrality means that many users there view their ISPs as a threat because they are aware that those ISPs are directly monetising DNS queries and selling them to advertisers. The converse is true in the European Union. Because we have GDPR, our ISPs are very tightly restricted in what they can do with our DNS data, and so nine times out of ten your ISP is probably a better choice in terms of privacy than any Cloud based DNS resolver. So, in terms of those questions about where you choose to send your queries, there are multiple options.
Another slightly scary aspect is if you start thinking about this concept of applications choosing TRRs. What happens if some governments decide that, if an app is to be available through the local App Store, they have to use certain government‑maintained TRRs? What if some TRR operators start providing monetary incentives to app developers to use their TRR? Will any of this be transparent or obvious to users? The bottom line here is that there are lots of questions, and not a whole lot of answers at the moment. (For more examples and issues, I’d strongly encourage you to read a blog by Bert Hubert (PowerDNS) where he goes through some of the other implications of moving to a third‑party DNS provider.)
Lastly, I just want to call out something which comes from a slightly different perspective. One thing that enterprises are going to have to worry about here is what challenges they are going to face if they need to manage lots of end devices in terms of managing the DNS configuration for them. Today it's straightforward because you can do it with DHCP. However, in this world, each app could have its own configuration for where it's going to send its DNS data. We don't know what the other browsers are going to do. We don't know what other apps are going to do, but there is as real possibility here that we will lose a central configuration point on an end device for where you choose to send your queries and that DNS will disappear into content delivery rather than being part of the infrastructure of the device.
What Should YOU Do?
With all this in mind, here are some words of advice:
- If you’re an operator, think about running DNS over TLS on your server - there are already devices that will be probing on port 853, and that number is small today, but it will increase as Android Pie deployment increases and as the various operators pick up the new release. So it's the right thing to provide them the opportunity to do encrypted DNS within the network.
- Think about running a DoH server - wherever the story with the browsers go, it's a good thing if users have the option to use a local DoH server in a trusted network. So we think it's the right thing to start getting people thinking about doing this and running it and what the challenges will be.
If you are interested in this topic, I gave a more detailed talk on this at the recent DNS OARC workshop (Slides, Video) and also keep an eye on the dnsprivacy.org website and on Twitter, and there is also a session in the BCOP task force later today talking about doing DNS over transports other than UDP and the operational challenges of that.
My concluding remark would be, basically, stay tuned. We really don't know where we're going to be with this in a year, or perhaps even in the next couple of months, and there’s a lot of concern in the operator community about where this could go and the implications for them.
Sara Dickinson is co founder of Sinodun IT, a small consultancy based in the UK who work on all things DNS, including R&D, Open Source implementation, and standards.
Sinodun IT were heavily involved in the development of DNS over TLS, making active contributions in the specification work, early implementation and deployment. They are also a contributor to a collaboration called dnsprivacy.org, which consists of various organisations and individuals who are interested in advancing the cause of DNS privacy. Sinodun IT is not directly involved in any of the work on DoH.