Another Layer of Privacy and Security
Currently, a user’s internet service provider is most often the only party privy to DNS requests made by a browser, primarily because the ISP alone is responsible for the routing of that request. Nearly everything a user does online begins with a DNS query. Its function is to map domain names (such as example.com) to the actual IP address of the server hosting a desired webpage.
DNS queries are sent in clear text (using UDP or TLS) and can reveal the websites a user visits, along with metadata such as a site’s name, when it was visited and how often. In other cases, when content filters are in place, DNS logs can capture user IDs or MAC addresses. And thanks to a loosening of privacy rules by lawmakers, ISPs can now share their users’ internet activity with third parties.
Similar Efforts by Familiar Stakeholders
For these reasons DNS over TLS (DoT) is considered a leaky aspect of the internet’s plumbing. That’s why Google and others, such as Mozilla and Cloudflare, a security-focused content delivery network provider, have been building and promoting new alternatives to sending traffic using UDP and TLS. In April 2018, Cloudflare launched its own DNS-over-HTTPS service called 220.127.116.11. More recently, the Mozilla Foundation’s Firefox group also announced it was testing a DNS-over-HTTPS service with a small group of users.
Privacy, Security and Speed
These groups argue that man-in-the-middle (MiTM) attacks often exploit the insecure nature of DNS via DNS spoofing, DNS hijacking or DNS poisoning attacks. In a DNS-based MiTM attack, an attacker abuses DNS servers to redirect webpage requests and return spoofed sites (or files) that appear to be legitimate.
By putting DNS in an HTTPS encrypted channel, the ISP (or the operator of a hotel or café Wi-Fi hotspot) can no longer eavesdrop on DNS queries. It also makes it harder for hackers to hijack or spoof DNS activity in order to mount a MiTM attack. Then there is the matter of efficiency and reliability. Cloudflare maintains that using a DNS resolver via an HTTPS request is more efficient and can shave up to 15 milliseconds off the time it takes to make the DNS queries needed to render a webpage. Even more milliseconds can be shaved when Cloudflare acts as the authoritative DNS hosting service, Prince said. Google also promises lower latency, but doesn’t cite specific speed increases.
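As an added illustration (not code from the article or from any of the companies named), the following shows what the "HTTPS channel" carries: a standard wire-format DNS query packed into the RFC 8484 GET form, and the resolver's reply parsed back into addresses. The resolver URL and the reply bytes are constructed for this example; the encoded `dns` parameter is the reference value printed in RFC 8484.

```python
import base64
import struct

DOH_CONTENT_TYPE = "application/dns-message"  # media type defined by RFC 8484
# `dns` parameter for a www.example.com A query, as printed in RFC 8484 section 4.1.1
RFC8484_EXAMPLE_DNS_PARAM = "AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB"
def build_query(name, qtype=1, msg_id=0):
    """Wire-format query (RFC 1035); ID 0 as RFC 8484 recommends for HTTP caching."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
def doh_get_url(resolver_url, query):
    """RFC 8484 GET form: base64url-encoded message, '=' padding removed."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={encoded}"
def _skip_name(msg, off):
    """Advance past a possibly compressed name (RFC 1035 section 4.1.4)."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        if length == 0:            # root label ends the name
            return off + 1
        off += 1 + length
def parse_a_records(response):
    """Dotted IPv4 strings from the A records in a wire-format response."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", response[:12])
    if flags & 0x000F:             # non-zero RCODE: the resolver reported an error
        return []
    off = 12
    for _ in range(qd):
        off = _skip_name(response, off) + 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(an):
        off = _skip_name(response, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in response[off:off + 4]))
        off += rdlen
    return ips
# Constructed reply: echoed question plus one A record for 192.0.2.10 (a
# documentation address, not real data). Over DoH this body arrives inside TLS.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + build_query("www.example.com")[12:]
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
)
```

Only the TLS endpoint (the resolver) sees the decoded query and reply; an on-path ISP or hotspot sees an HTTPS connection to the resolver and nothing of the name being looked up.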
Adoption of RFC 8484 is important. The standard has not yet been ratified by the IETF, but as more internet stakeholders adopt it, the closer it is to formally becoming a DoH standard. In April of 2018, experts said the standard could be adopted in a matter of weeks. Fast forward 14 months and RFC 8484 is still up for discussion. The last tweak to the proposal was in October 2018.
Security and Privacy Concerns
While many cheer the upsides of using the encrypted HTTPS channel to secure DNS traffic, some caution that doing so trades one privacy and security problem for another. They argue that by routing traffic through a content distribution network (such as Cloudflare and others), users are creating new central repositories of DNS queries that could be hacked or mined for personally identifiable information (PII).
“Your client IP address is only logged temporarily (erased within a day or two), but information about ISPs and city/metro-level locations are kept longer for the purpose of making our service faster, better, and more secure.”