Why Every Privacy Activist Should Embrace* DNS-over-HTTPS

Alec Muffett

Apr 27

*even if it means initially using Google or Cloudflare for DNS for a while

A friend posted to a maillist:

The amount of dns fuckery in the UK already is high enough that neverssl.com is now the top suggestion on my chrome browser homepage, as I have to load it every time I get on a train to get their middle-boxes out of my way. Is DoH going to make this even more cumbersome?

It’s a fair question, but taking a step back — and having seen a lot of slightly fearmongering posts about DNS-over-HTTPS (DoH) of late, I responded thusly:

The fact that a local-network “terms-and-conditions” gateway requires a DNS-hijack in order to operate, is evil; that bootstrapping a basic function (gaining connectivity) sometimes uses a breach of a trust model (fake DNS mapping) should never have been invented. It’s a hack. It’s a kludge. It’s wrong.

But I can’t get on board with my peers who believe that it’s a good idea to throw vitriol at DoH just because it might complicate “legacy” crap like the above, or that disintermediating DNS is somehow bad for security controls.

I believe the converse; this is a “risk” we’ve always faced, that people would stop using “name resolution” and start doing stuff like:

  • hardcoding IP addresses
  • hardcoding Onion addresses
  • using transports like VPNs (with hardcoded IP addresses) to create a private IP namespace with private name resolution, invisible to filters

Using DNS as a single (or: one of several?) point of control for choking-down who-can-talk-to-whom has always been a bad idea; I can totally see why people on this maillist are looking at DoH and seeing it as “ARGH! CENTRALISATION!”, but I have a completely different take on it:

I see DoH as part-of, and pursuant-to, restoration of the “End-To-End Principle”.

If you are having a genuine private conversation with someone over [some messenger system] then it is the participants who define what is exchanged, without opportunity for some third party to intervene with the content.

So when you interact with a website, why is it suddenly a good thing for a random third party MIDDLEMAN (e.g. anyone in your DNS name-resolution food-chain) to be able to tamper with your name resolution? Yes, it means choosing to use {Google, Cloudflare} — who are the “800lb gorillas” in this space — for a while, but handled properly and temperately with consumer choice and without identifiers[1] there is a much reduced opportunity for the “fuckery” which you fear.

Yes, DoH may be a hassle if you personally rely upon your own local tampering with DNS in order to provide endpoint user-experience controls that your browser/apps otherwise lack; but to some extent those challenges are failings[2] in your endpoints; anyone who makes arguments like “WhatsApp should ‘Give The User More Control’ over the content which they send/receive over that end-to-end-encrypted messenger” should understand this perspective.

So I see:

  • personal, local DNS tampering as a crutch to provide control over inadequately controllable apps; and I aver that we should ditch the “crutch” by fixing the apps
  • upstream DNS tampering as man-in-the-middlery, and censorship.

…and thus I welcome DoH.
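As an added example (not part of Alec’s post), here is what the “upstream tampering” above looks like at the wire level, and one way a defender can spot it: the same RFC 1035 query/response bytes that a DoH request carries inside HTTPS are built and parsed, and the A records returned by a local (possibly captive-portal) resolver are compared with those from the DoH resolver. `example.com`, the 10.0.0.1 “portal gateway” and the 192.0.2.10 “real” address are constructed sample values, not real lookups.

```python
import struct

def build_query(name, qtype=1, txid=0):
    """Wire-format DNS query (RFC 1035); the same bytes go in a DoH request body."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN

def _read_name(msg, off):
    labels = []  # decode a (possibly compressed) name; returns (name, offset after it)
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(_read_name(msg, ptr)[0])
            return ".".join(labels), off + 2
        off += 1
        if length == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + length].decode())
        off += length

def a_records(msg):
    """IPv4 addresses in the answer section of a wire-format DNS response."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        _, off = _read_name(msg, off)
        off += 4  # skip QTYPE, QCLASS
    addrs = []
    for _ in range(ancount):
        _, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs

def build_answer(name, addrs, txid=0):
    """Constructed response with one A record per address (stand-in for a real resolver)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
                   + bytes(int(o) for o in a.split(".")) for a in addrs)
    return header + build_query(name, txid=txid)[12:] + rrs

def hijack_suspected(local_response, doh_response):
    # True when the local resolver's A records differ from the DoH resolver's
    return set(a_records(local_response)) != set(a_records(doh_response))

PORTAL_ANSWER = build_answer("example.com", ["10.0.0.1"])  # constructed: portal gateway
DOH_ANSWER = build_answer("example.com", ["192.0.2.10"])  # constructed: real address
```

A mismatch is only a signal: split-horizon DNS and CDN geo-answers also produce different records, so treat it as a prompt to look closer rather than proof of tampering.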

Further: if we take the concept of “a browser with unfilterable communication and embedded name resolution which [means of name resolution, as well as transport] is unblockable and does not rely upon third parties who might be coerced” to its logical conclusion, we simply reinvent Tor Onion Networking, of which I am deeply in favour.

Disintermediated communication; it’s what speech used to be.

——
[1] both things that we should collectively lobby for.
[2] things that we should collectively lobby to address.
