DoH – Sounds Secure But Watch Out

the words IP Address
Peer Advice & Teaching Tips
Reading Time: 4 minutes

[Reading Time – 3 minutes 50 seconds]

Early in 2020 Mozilla announced that it will turn on DoH DNS-over-HTTPS (DoH) for all new U.S. installations of its Firefox web browser, and will soon silently turn it on for all existing installations of Firefox. But DoH is highly controversial, and can even weaken security.

First, the background on the Domain Name System (DNS). Each device connected to the Internet has an IP address, like 216.77.188.41. However, it would be very difficult for humans to accurately recall and enter the IP address of the computer they wanted to reach. A “name system” was devised that would allow computers on a network to be assigned both numeric addresses and more friendly human-readable names composed of letters, numbers, and special symbols (called a symbolic name). TCP/IP uses a hierarchical name system for matching computer names and numbers known as the Domain Name System or DNS, which is the basis for domain name resolution of names-to-IP address used today.

Yet these DNS queries are sent and received from your browser to the DNS server in unencrypted cleartext. And generally the browser on your home computer is using the DNS settings in the local operating system–settings that were sent from your network provider, usually an Internet Service Provider (ISP). That means that anyone along the path of your DNS query could see that request. And who might be interested and watching your DNS queries? For one, it could be your ISP. Or it could be a Content Delivery Network (CDN) provider, who have geographically distributed proxy servers already loaded with the content you want that is located closer to you so you can receive it quicker. The ISP or CDN might use those cleartext DNS queries to find out the types of websites you visit and the things you are interested in looking at online, and use or sell that information about your preferences to flood you with ads. Or, in an oppressive nation it could be the government snooping on what their citizens are doing online–and then step in to arrest and punish.

Enter DoH

About five years ago Cloudflare and Mozilla jointly created DNS-over-HTTPS, also called DoH. As its name implies, DoH uses HTTPS instead of HTTP to send DNS queries via an encrypted HTTPS connection (Port 443) rather than sending them in cleartext (Port 53). The encrypted DoH query is sent to a special DoH resolving server that aggregates all user’s DoH queries and then translates them into regular unencrypted DNS queries for processing by DNS servers. DoH may prevent outsiders–ISP, CDN, a government, or anyone else–from seeing what DNS queries you have run to know what websites you want to access.

But only partially.

Yes, the DoH resolver receives encrypted queries from the user. But when it sends those queries on to regular DNS authoritative name servers the query is not encrypted. Thus, DoH does not perform end-to-end encryption. And DoH does not really prevent an ISP from tracking your DNS requests. That’s because after your web browser receives the IP address from the DNS and sends you there, an ISP can see that IP address of your destination site if that site uses HTTP. And there are non-encrypted parts of HTTPS requests that are still in cleartext, like the IP address and Server Name Indication. Thus, using DoH will not prevent a determined ISP (or oppressive government) from knowing where you are going on the web.

What’s worse, using DoH sacrifices security for a slight increase–and maybe even a false delusion–of privacy.

At an organization it is common for a system administrator to use their own local DNS servers and DNS-based software to filter and monitor local traffic. They can use data from a DNS query–originating IP, query type, DNS response–to know if a user is trying to access a known bad domain and then block it. This may be designed to prevent users from accessing non-work related sites or domains that are known to contain malware (or worse, to block access to child abuse websites, terrorism content, and websites with stolen copyrighted material). This DNS configuration information is pushed out to employee computers. But if an employee uses DoH it overwrites those organizational DNS settings, thus allowing employees to bypass DNS-based traffic filtering.

And system administrators also want to watch DNS settings across operating systems to prevent DNS hijack attacks, in which an attacker redirects a web browser to their malicious site. But having different employees with their own unique DoH settings makes monitoring for DNS hijacking almost impossible.

The impact of DoH on security has already resulted in pushback, particularly in the UK. In 2019 the GCHQ, Britain’s intelligence service, criticized Mozilla for their stance on DoH. They said that DoH would impede police investigations and that it could undermine its existing government protections against malicious websites by providing bad actors with a way to bypass its internet surveillance systems. The Internet Watch Foundation (IWF), a British watchdog group that works to minimize the availability of online child sexual abuse content, also criticized both Google and Mozilla, claiming the browser makers were ruining years of work in protecting the British public from abusive content by providing a new method for accessing illegal content. And a UK ISP nominated Mozilla for the “2019 Internet Villain” of the year award! This caused Mozilla to later announce that Britons will not get DoH turned on by default.

However, all major browser vendors have announced support for DoH.

There are other options for privacy when using DNS. These include using Domain Name System Security Extensions (DNSSEC) or DNS-over-TLS (DoT). These solutions encrypt DNS instead of partially hiding DNS traffic inside HTTPS.

What should you do? Should you sacrifice better security for a slight increase in privacy? Weighing the small and limited privacy benefit against the larger security weakness it adds, I’m keeping DoH turned off.