DoH Creates More Problems than it Solves

Unlike most new IETF standards, DNS over HTTPS has been a magnet for controversy since the DoH working group was chartered in 2017. The proposed standard was intended to improve the performance of address resolutions while also improving their privacy and integrity, but it’s unclear that it accomplishes these goals.

On the performance front, testing indicates DoH is faster than one of the alternatives, DNS over TLS (DoT). This is because DoH is better able to use persistent connections than DoT because of where it’s instantiated.

But the best that can be said of its performance vs. conventional DNS is that users probably won’t notice much additional delay. The individual lookups are slower, but they can be interleaved with other page load activities in such a way that the delays will be hidden.

Changing the DNS Architecture

The privacy and integrity issues are much more complicated, depending on who you trust and why you trust them. DoH has some fairly serious drawbacks in homes that use parental controls, campus intranets, and small business scenarios.

The most serious complaints concern the overall change DoH makes to DNS architecture, but these are more implementation decisions made by some application designers than inherent features. A DoH implementation that uses the DHCP-specified resolver wouldn’t suffer from these issues, but there’s more going on than simply cloaking address lookups.

Mozilla enables DoH by default but makes it relatively easy for enterprises to opt out; Google, by contrast, is committed to an approach that takes implementation decisions out of the hands of operating systems, network administrators, and local laws. By implementing DoH in browsers, the firms have created a scenario where lookup speed and integrity depend on the applications doing the lookups.

DNS has always been more than an address book; it is currently a distributed database that supports a number of application needs for email, CDNs, video streaming, and a host of other distributed applications with inter-process communication needs. DoH changes all of this by reducing the capacity of DNS, in contradiction to early hopes.

Who Do You Trust?

If you’re the kind of person who uses Chrome on a Pixel phone to access websites embedded with DoubleClick trackers through Android, you don’t lose any privacy because of DoH; you’ve actually got nothing left to lose. But you or your supplier may have problems in countries that require opt-ins for certain types of data collection and in those that ban lookups of dodgy domains.

You won’t be sharing your browsing habits with your ISP (other than the IP addresses you visit, of course), but that may not be your worry. If you’re living in an oppressive regime you may be better off because you should be able to evade governmentally-mandated content filters.

That’s the theory, anyhow. I suspect the practice will be for said oppressive regimes to simply block access to IP addresses such as 1.1.1.1, 8.8.8.8, and 9.9.9.9. At the very least, you’ll be raising red flags every time you perform an unlawful access; but you’re probably used to that.

You Have to Trust Someone

My point is that every DNS transaction depends on the user trusting some provider somewhere to return the correct answer. Protocols can implement user choices, but they can’t remove the requirement for trust.

If you trust your ISP more than Google or Cloudflare – not unreasonable for many – DoH does nothing for you outside of the narrow case of using public Wi-Fi over unsecured networks. If you’re doing that, of course, you have much bigger privacy issues than DNS lookups.

For general privacy on a public network you need WPA3 (not widely implemented) or a VPN. Otherwise, the IP addresses (and many of the payloads) of your packets are easy pickings for anyone who knows how to use Wireshark.

It’s the Revenue, Stupid!

The major barrier to privacy on today’s Internet isn’t black hats, governments, or ISPs, it’s the revenue model that Geoff Huston pointed out in his recent CircleID post, DNS Privacy at IETF 104: “…pervasive monitoring is a feature, not a bug” of today’s Internet.

When Google takes DNS lookups away from ISPs, it’s not gaining any new information for itself if you’re already in their ecosystem; but they’re preventing anyone else from collecting and monetizing that information.

This is true regardless of the motivation for the design and implementation of DoH as it currently stands. But that doesn’t make DoH a bad standard all by itself.

How to Spot a Good Standard When You See One

Good networking standards work well in a variety of settings. Today’s DNS – placed inside the TCP/IP stack inside the client OS – is fast, flexible, and easy to implement.

Today’s DNS complies with national laws, is easy to bypass through hostfiles, works for CDNs, aids email with security keys, doesn’t leak local network architecture to the Internet, plays well with parental controls, and is resilient because it’s a distributed database.

It does communicate queries in plain text, but only over a wire that’s not generally accessible to any curious parties. If the goal of DoH is to cloak that rather trivial vulnerability, we can achieve it by implementing DoH in the protocol stack and beefing up DHCP. As implemented by Mozilla and Google, DoH is a very bad standard indeed.
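To make the stack-level alternative concrete, here is an added example (not code from the article or from any browser vendor) that builds an RFC 8484 DoH GET request and lets the caller choose between a hard-coded public resolver and the one DHCP wrote into resolv.conf. The resolv.conf contents and the public resolver URL are constructed placeholders, and it assumes the LAN resolver also serves DoH at the standard /dns-query path.

```python
import base64
import struct
from typing import List
from urllib.parse import urlencode

# Constructed sample of what a DHCP client writes into /etc/resolv.conf on a LAN.
RESOLV_CONF = """# Generated by DHCP client (constructed sample)
nameserver 192.168.1.1
search lan.example
"""

# Placeholder for a public DoH server baked into an application (hypothetical host).
PUBLIC_RESOLVER = "https://dns.example/dns-query"


def build_wire_query(name: str, qtype: int = 1) -> bytes:
    """DNS wire-format query. ID 0 and only the RD flag set, so identical
    questions yield identical GET URLs (the RFC 8484 cache-friendliness advice)."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    question = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + question + struct.pack("!HH", qtype, 1)  # QCLASS IN


def doh_get_url(template: str, name: str) -> str:
    """RFC 8484 GET form: ?dns=<base64url(query)> with '=' padding stripped."""
    encoded = base64.urlsafe_b64encode(build_wire_query(name)).rstrip(b"=")
    return f"{template}?{urlencode({'dns': encoded.decode('ascii')})}"


def local_resolvers(resolv_conf: str) -> List[str]:
    """Nameservers the DHCP client provisioned, in resolv.conf order."""
    servers = []
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def choose_template(resolv_conf: str, prefer_local: bool) -> str:
    """Stack-level policy: honour the LAN-provisioned resolver when one exists.
    Assumption: that resolver also speaks DoH at /dns-query."""
    local = local_resolvers(resolv_conf)
    if prefer_local and local:
        return f"https://{local[0]}/dns-query"
    return PUBLIC_RESOLVER  # browser-style behaviour: ignore local configuration


if __name__ == "__main__":
    print("browser-style:", doh_get_url(choose_template(RESOLV_CONF, False), "www.example.com"))
    print("stack-style:  ", doh_get_url(choose_template(RESOLV_CONF, True), "www.example.com"))
```

The encoded query for www.example.com matches the worked example in RFC 8484 itself, so the output can be checked against the specification directly.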

The Rainbows and Unicorns Paradigm

The contradiction between the idealistic, privacy enhancing, censorship evading goals of DoH and the commercial reality of monopolizing access to ad placement data is all too common in Internet history. Our utopian spirit has been compromised by cynical commercial interests as long as there’s been an Internet.

In 1993, the visionary Howard Rheingold laid this dynamic bare in his book, The Virtual Community:

We temporarily have access to a tool that could bring conviviality and understanding into our lives and might help revitalize the public sphere. The same tool, improperly controlled and wielded, could become an instrument of tyranny. The vision of a citizen-designed, citizen-controlled worldwide communications network is a version of technological utopianism that could be called the vision of “the electronic agora.”…But another kind of vision could apply to the use of the Net in the wrong ways, a shadow vision of a less utopian kind of place–the Panopticon.

When we design standards without thinking about the way they’ll be implemented, we feed the growth of the Panopticon while mouthing the rhetoric of the Utopia. A standard that lends itself to taking control of personal data away from users and concentrating it in the hands of firms that are already drowning in our personal data is not progress.

We need to redesign DoH so that it works with DHCP and local policies, not against them. The layered architecture of the Internet and the distributed nature of DNS become nothing more than cruel jokes if this standard is rolled out in its current form.