The rush towards public DNS

One result of the rush towards using large-scale public Domain Name Service (DNS) resolvers, such as Google and Cloudflare, is that critical and sensitive DNS queries are often handled by servers in different countries or even continents. This trend is introducing unexpected security, resilience, legal and data protection issues for policy makers and governments.

With Google cornering 36% of the global market share and Cloudflare 14%, more than half of the world’s DNS queries are now resolved by companies in the USA [Source: ooni.org]. With such a huge dependency on the infrastructure of two companies, this concern needs urgent attention.

DNS over HTTPS (DoH) is a security protocol that aims to increase user privacy and security by preventing eavesdropping on and manipulation of DNS data through man-in-the-middle (MiTM) style attacks. It uses TLS as the underlying encryption layer between client and resolver and is now supported in most operating systems, including Windows and macOS/iOS. It can either be enabled by default for local name resolution or used as a proxy for upstream recursive lookups. It is worth noting, however, that DoH creates a challenge for organizations that monitor and filter DNS requests based on policy to prevent malicious or inappropriate content. Because the DNS query is carried inside HTTPS data, it becomes harder to monitor for and prevent malware, and malware has already taken advantage of this (e.g., the Godlua malware).

DNS over TLS (DoT) encrypts and wraps the DNS queries and replies using the TLS protocol. It has the same objectives (privacy and security) and is supported by most large DNS service providers, including Google and Cloudflare. There is, however, one major difference: DoT uses its own dedicated port, 853, whilst DoH uses port 443. As DoH shares the same port as HTTPS, DNS traffic becomes hidden amongst other HTTPS traffic and is difficult to identify without deep-packet analysis. It can be argued that this provides better privacy protection for the end user, as DoT streams can be more easily observed even though the traffic remains encrypted. Furthermore, using a dedicated port is considered a weak point for DoT, as it can be blocked by administrators, either knowingly in an attempt to contain malware, or by accident. With DoH purposefully disguised amongst an HTTPS stream it remains much harder to identify and block, and for this reason is more secure.
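To make the DoH format concrete, here is an added example (not from the original post) that builds an RFC 8484 GET request for an A lookup of www.example.com and then decodes the queried name back out of the URL, which is exactly the step a TLS-inspecting proxy needs in order to see DNS traffic that is otherwise hidden in HTTPS. The resolver host dnsserver.example.net is the RFC's own placeholder, and the transaction ID is set to 0 as RFC 8484 recommends for cacheable GET requests.

```python
import base64
import struct


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Wire-format DNS query (RFC 1035): 12-byte header followed by one question."""
    # Flags 0x0100 = recursion desired; QDCOUNT 1, no answer/authority/additional.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    # Terminating zero label, then QTYPE (1 = A) and QCLASS (1 = IN).
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def doh_get_url(resolver: str, message: bytes) -> str:
    """RFC 8484 GET form: the raw DNS message, base64url-encoded without padding,
    is carried in the 'dns' query parameter of an ordinary HTTPS URL."""
    encoded = base64.urlsafe_b64encode(message).rstrip(b"=").decode("ascii")
    return f"https://{resolver}/dns-query?dns={encoded}"


def decode_qname(url: str) -> str:
    """Recover the queried name from a DoH GET URL, as an inspecting proxy would."""
    dns_param = url.split("dns=", 1)[1].split("&", 1)[0]
    # Re-add the padding that RFC 8484 strips before decoding.
    raw = base64.urlsafe_b64decode(dns_param + "=" * (-len(dns_param) % 4))
    pos, labels = 12, []  # the question section starts right after the header
    while raw[pos]:
        length = raw[pos]
        labels.append(raw[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)


if __name__ == "__main__":
    # Constructed sample: the same query RFC 8484 uses in its GET example.
    url = doh_get_url("dnsserver.example.net", build_query("www.example.com"))
    print(url)
    print(decode_qname(url))
```

The printed URL matches the worked example in RFC 8484 section 4.1.1, which is a useful sanity check when writing your own encoder.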

Set against a continually changing geopolitical landscape, this rush towards using public DNS is creating a conflict with data privacy, especially as users now have a greater awareness of what they can demand from digital content suppliers, reinforced by statute through GDPR and the UK Data Protection Act 2018. There is also a growing desire to bypass state-controlled services, as well as to consume controlled content, whether it be entertainment, file sharing, or sports, which compounds the problem.

Rather than trying to block another irreversible technology trend, we should look instead at how to adapt it — improving DNS security would be a great start.

For further detail on the emergence of DoH, check out RFC 8484 over at https://www.ietf.org
