Stacie Hoffman on DoH


In this podcast, DNS expert Stacie Hoffman explains issues with the new Internet protocol known as DNS over HTTPS (DoH). This dubious piece of work creates a number of operational vulnerabilities in the name of privacy while doing little to protect personal information.

Stacie is a policy and security consultant at Oxford Information Labs in the UK, and she’s very plugged-in to ICANN and IETF. Her areas of expertise span a range of issues from technical standards to policy development, as well as the geopolitical issues that come with technology, markets, and a borderless cyber space.

She’s been following DoH closely from the beginning, and she’s got concerns about where it’s going that she expressed in a post on CircleID, Recalibrating the DoH Debate. Here’s a little history to frame our conversation.

The Evolution of DNS

Since Paul Mockapetris created the Internet’s Domain Name System (DNS) in 1983, queries and responses have been made in plain text. While this is a vulnerability of sorts, it was never regarded as a significant problem. In that simple time, DNS data had little value.

In the 1980s, the result of the common DNS query was an Internet Protocol address, a piece of information that is also displayed in plaintext in every IP packet. The Internet was an academic system in which commercial activity of all sorts was banned, even advertising. So anyone could reverse engineer DNS activity from IP packets, but no one was motivated to do so.

The challenges Mockapetris and the early implementors faced were matters of accuracy and reliability rather than securing information of such low value. Anyone who could see DNS queries could also see IP packets, and many more people could see IP packets than could see DNS queries.

IP Addresses are Open Secrets

IP addresses were and are open secrets, but they don’t mean as much as they used to. In today’s Internet, a lot of content is hosted on CDNs or virtual hosts, and much of it is hidden behind gatekeepers such as Cloudflare.

Such services share a common pool of IP addresses, often relying on plain text URLs for differentiation. This becomes complicated when sites encrypt their packets with the protocols used by HTTPS web sites.

Major sites are still distinguishable by their IP addresses, which can’t be encrypted unless users employ VPN tunnels. But DNS queries are a convenient way for advertisers to collect browsing histories.

Securing Browsing History For and From Advertisers

This is why so many advertising-based businesses now provide public DNS services. Not only do they provide information to advertisers, they also keep information away from potential competitors.

New IETF standards such as DNS over TLS (DoT) and DNS over HTTPS (DoH) hide DNS queries and responses from both snoops and ISPs. While this is now part of the Internet’s privacy calculus, it’s much less important than protecting IP payloads – the actual information sent and received by IP – from snoops.

In the overall scheme of things, payloads are infinitely more sensitive than DNS queries. DoT is the rational way to secure DNS because it uses the same security techniques that we use for data.
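To make concrete what "plain text" means for the DNS queries discussed above, and what DoT and DoH are wrapping in TLS, here is a small parser for the question section of a conventional port 53 DNS query. It is an added example, not code from the podcast or from Stacie's post; the sample query bytes are constructed for illustration.

```python
import struct

# Constructed sample: a plaintext DNS query for "example.com", type A, as it
# appears in the UDP payload of a conventional (port 53) resolver request.
# Anyone on the path can read the name straight out of the packet.
SAMPLE_QUERY = (
    b"\x12\x34"                   # transaction ID
    b"\x01\x00"                   # flags: standard query, recursion desired
    b"\x00\x01"                   # QDCOUNT = 1
    b"\x00\x00\x00\x00\x00\x00"   # ANCOUNT, NSCOUNT, ARCOUNT = 0
    b"\x07example\x03com\x00"     # QNAME as length-prefixed labels
    b"\x00\x01"                   # QTYPE = A
    b"\x00\x01"                   # QCLASS = IN
)

QTYPES = {1: "A", 28: "AAAA", 5: "CNAME", 15: "MX"}


def parse_question(payload: bytes):
    """Return (name, qtype, qclass) for the first question in a DNS message.

    Raises ValueError on truncated or malformed input rather than guessing.
    """
    if len(payload) < 12:
        raise ValueError("DNS header truncated")
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000:
        raise ValueError("not a query (QR bit set)")
    if qdcount < 1:
        raise ValueError("no question section")
    pos = 12
    labels = []
    while True:
        if pos >= len(payload):
            raise ValueError("QNAME truncated")
        length = payload[pos]
        pos += 1
        if length == 0:           # root label terminates the name
            break
        if length & 0xC0:         # compression pointers never appear here
            raise ValueError("compression pointer in question name")
        if length > 63 or pos + length > len(payload):
            raise ValueError("bad label length")
        labels.append(payload[pos:pos + length].decode("ascii"))
        pos += length
    if pos + 4 > len(payload):
        raise ValueError("question fixed fields truncated")
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return ".".join(labels), QTYPES.get(qtype, str(qtype)), qclass


if __name__ == "__main__":
    print(parse_question(SAMPLE_QUERY))  # ('example.com', 'A', 1)
```

The same bytes carried inside a DoT or DoH session are opaque to that on-path observer, which is the entire privacy gain the two protocols offer.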

The Trouble with DoH Comes Down to Centralization

DoH is problematic for two reasons: it deprives users of control over which DNS provider to use, and it centralizes a function that has always been distributed.

DNS is a remarkable achievement in computer science because it’s the first and largest distributed database in the world. It’s inherently robust and resilient, capable of withstanding a host of failures without failing in its overall mission.

Today, dominant providers only handle about half of DNS queries, but if DoH catches on, a handful of firms will handle nearly all of them. This is a problem when they go down, as they seem to do with increasing frequency.

The Jurisdiction Problem

DoH also complicates local laws regarding DNS behavior by removing the resolver from the local jurisdiction. We didn’t address this in the podcast, so I asked Stacie to explain it:

The policy issues that DoH touches upon are many and varied – highlighting the need to understand the changes and trade-offs that come with adopting DoH. These range from concerns over market concentration and competition to human rights like privacy and access to information and wider social issues like child online protection. DoH’s potential to restructure the global Internet also raises concerns over the resiliency of the Internet’s infrastructure and loss of features provided by DNS that are used to counter threats like malware, spam, and DDoS attacks. Centralising the Internet’s resolution system with an extraterritorial company reduces the ability of governments to enforce local policies – for good or bad.

Jurisdiction plays a larger role here than just applying local laws. Currently, there is no accountability structure, nor are there internationally recognised guidelines for DoH resolvers. If the centralised DoH model takes shape before accountability and oversight are in place, as it is likely to do, the companies running DoH resolvers (like Google and Cloudflare) would only be accountable in their local jurisdiction and function based on policies developed by private companies. Some parties claim that DoH will allow for a level of anonymity not currently seen in the DNS resolution layer, improving overall online privacy. However, the assumption of this guardian role being taken over by global tech corporations is just as, if not more, worrying than the current model on offer.

It’s probably wise to say no to DoH because it’s more trouble than it’s worth. Enjoy the podcast and share your reactions.