Choosing the right encrypted DNS resolvers: who discovers the options?

2021-01-06 Blog

The Adaptive DNS Discovery (ADD) working group (WG) at the Internet Engineering Task Force (IETF) has been trying to catch up with the deployment of encrypted DNS and met six times last year. Its goal is to provide standardised means of discovering which encrypted options are available to various network users, and a means for those same users to select the option most appropriate for their intended use. The work entails manoeuvring between technical tasks and policy choices that other WGs, such as the DNS Operations (DNSOP) WG, were reluctant to pick up.

DNS queries are invisible to most internet users. Typically, the query for mapping a domain name to a server is sent by the web browser to the resolver as the user tries to visit a web address. In many places, the crucial resolver services have been operated by the network provider unless the user has specifically indicated that they want a different resolver service. Neither network nor DNS providers have made big efforts to educate the users about privacy issues in this arrangement, nor were privacy failures high on the agenda in the underlying protocols until after 2013.

But with a rising tide of privacy and security priorities for the internet’s most fundamental infrastructures, service providers have launched a number of encrypted DNS initiatives. The message seems to be that choosing a secure and private DNS solution should be as easy as deciding whether to allow your browser access to your microphone or camera.

Discovering Equivalent Encrypted Resolvers

A draft proposal by engineers from Apple, Cloudflare and Microsoft is making a first step with “Discovery of Equivalent Encrypted Resolvers” (DEER). Their aim is to provide two mechanisms for upgrading clients to encrypted DNS resolvers.

The first mechanism relies on querying a special domain in the .arpa TLD to look up encrypted DNS resolvers. The second mechanism covers the case where the hostname of an encrypted DNS server is already known to the user application. For the second case, a new resource record type (SVCB) will convey information on the encryption protocol and blocked ports.
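To make the SVCB side of this concrete, here is an added example (not code from the DEER draft or the ADD WG) that parses SVCB records in DNS wire format and lets a client pick an encrypted resolver by the protocol it advertises; the SvcParam key numbers follow the SVCB specification, while the resolver names and the two sample records are constructed for the demonstration.

```python
import struct
# SvcParamKey numbers from the SVCB specification (RFC 9460; dohpath from RFC 9461).
KEY_ALPN, KEY_PORT, KEY_DOHPATH = 1, 3, 7

def _read_name(buf, pos):
    # Decode an uncompressed DNS name; the SVCB TargetName is never compressed.
    labels = []
    while (n := buf[pos]) != 0:
        labels.append(buf[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels) + ".", pos + 1

def parse_svcb(rdata):
    """Parse SVCB RDATA: SvcPriority, TargetName, then key/length/value SvcParams."""
    priority = struct.unpack("!H", rdata[:2])[0]
    target, pos = _read_name(rdata, 2)
    rec = {"priority": priority, "target": target, "alpn": [], "port": None, "dohpath": None}
    last_key = -1
    while pos < len(rdata):
        key, length = struct.unpack("!HH", rdata[pos:pos + 4])
        val = rdata[pos + 4:pos + 4 + length]
        pos += 4 + length
        if key <= last_key or len(val) != length:  # keys must ascend; reject truncated values
            raise ValueError("malformed SvcParams")
        last_key = key
        if key == KEY_ALPN:  # sequence of length-prefixed protocol ids, e.g. "dot", "h2"
            i = 0
            while i < len(val):
                rec["alpn"].append(val[i + 1:i + 1 + val[i]].decode("ascii"))
                i += 1 + val[i]
        elif key == KEY_PORT:
            rec["port"] = struct.unpack("!H", val)[0]
        elif key == KEY_DOHPATH:
            rec["dohpath"] = val.decode("utf-8")
    return rec

def choose_resolver(records, supported=("dot", "doq", "h2")):
    """Pick the lowest-priority record advertising a protocol the client can speak."""
    for rec in sorted((parse_svcb(r) for r in records), key=lambda r: r["priority"]):
        if any(a in supported for a in rec["alpn"]):
            return rec
    return None

# Constructed sample records (hypothetical names), built in wire format for the demo.
def _name(s):
    return b"".join(bytes([len(l)]) + l.encode() for l in s.split(".")) + b"\x00"
def _param(key, val):
    return struct.pack("!HH", key, len(val)) + val
DOT_RECORD = (struct.pack("!H", 1) + _name("dot.example.net")
              + _param(KEY_ALPN, b"\x03dot") + _param(KEY_PORT, struct.pack("!H", 853)))
DOH_RECORD = (struct.pack("!H", 2) + _name("doh.example.net")
              + _param(KEY_ALPN, b"\x02h2") + _param(KEY_DOHPATH, b"/dns-query{?dns}"))
```

A client that only speaks DoH passes `supported=("h2",)` and falls through to the second record even though the DoT record has the better priority.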

The proposal is yet to be adopted by the ADD WG, but nothing is easy in encrypted DNS. In a two-hour discussion the WG tried to establish whether the “equivalence” in “equivalent encrypted resolvers” is limited to queries, responses, name-pools, performance requirements or laws.

Harald Alvestrand, former IETF Chair and Google engineer, recommended that DEER make no equivalence assertions at all. In the end, he argued, DEER contains mechanisms for providing recommendations to end-users on encrypted DNS services, and the end-users are capable of deciding for themselves how similar or different they want their DNS services to be.

Privacy, law and user expectations

Many experts pointed out that the widespread use of unencrypted DNS in user home networks implies an a priori lack of privacy expectations. Switching on DNS encryption would be a net benefit for this large user group, who are often completely unaware of the DNS.

In opposition is the view that users have chosen to trust their network providers, including through long-standing societal discussions on content management and liability. Sending their queries on to a third-party provider would change that equation.

Balancing the commercial and social interests involved in information management remains an issue for the internet standardisation community. While our common networked infrastructures are being made more and more robust against privacy and security threats, power dynamics that have reigned since the beginning of the 1990s are being challenged with the deployment of new technical solutions by new commercial actors. And even as the wild, wild web is again attracting criticism from, among others, Commissioner Thierry Breton, it is also true that as long as tradition is allowed to rule, we all know what we have got.


This article was written for CENTR by Monika Ermert. Monika has been working as an IT journalist for over 20 years. She has covered the evolving internet governance landscape, EU and worldwide attempts to regulate and the risks and fun of technology. She holds an M.A. in Chinese/Media Studies from the University of Tuebingen and lives and works in Munich, Germany.