Back to square one: encrypted DNS keeps developers busy – and divided
By Monika Ermert, eLance Journalist - For more than half a decade, DNS developers have tried to answer the question of how to switch from a traditional DNS resolver to one that allows the client’s DNS queries and answers to be encrypted. Encrypting DNS queries and answers was in part a reaction to Edward Snowden’s revelations about the widespread interception and surveillance of the internet, including DNS traffic, by intelligence agencies. While DNS over TLS (DoT) was intended to allow for an evolution of traditional DNS operations, it was eventually DNS over HTTPS (DoH) that was first ready for release (see CENTR’s interview with European DNS engineer Sarah Dickinson from July 2018).
Mozilla’s DoH implementation – with Cloudflare providing the DNS resolving for all Firefox browser traffic – allowed applications to choose the DNS resolver. But circumventing the operating system and network administration layers has not come without pains. Firstly, DoH has caused a discussion on who should control the choice of DNS resolver, and secondly, there are strong concerns about an emerging concentration of commercial influence with companies that traditionally operate in the HTTP stack (for more information about deployment, see here).
Since 2019, the work on DNS privacy improvement has therefore not just continued in the IETF’s DPRIVE Working Group (see CENTR’s recent IETF108 DPRIVE blogpost) but also in the Adaptive DNS Discovery Working Group (ADD WG). However, after collecting and debating over a dozen proposals on how to move forward, the chairs of the ADD WG have had to accept taking a step back. In two interim meetings scheduled for September the WG will now make an attempt to agree on the exact problem the WG wants to solve first.
Requirements document urgently needed
The WG Chairs, David Lawrence and Glenn Dean, agreed to go back and discuss requirements and possibly also the problem statement in the first place. Usually these steps are taken upfront in order to organise the work of IETF WGs, but with DoH already being implemented by several large platforms and operators, WG members felt rushed to provide alternatives to what some saw as unilateral decisions by these operators.
A first round of discussions illustrated that the divisions the ADD WG has experienced so far could easily continue. The divide between those who favour keeping encrypted DNS close to the original DNS providers and those who are instead looking to make the DNS more adaptable and adapted to web traffic continues to be central.
Tommy Pauly, affiliated with Apple, suggested mapping between a public domain and an encrypted resolver, an approach that would look “less immediate due to the architectural change it implies, and the policy issues it creates”. Meanwhile, Vittorio Bertola, an engineer at Open Xchange, thinks it will continue to be an advantage to let networks communicate policy requirements to clients and then allow client operating systems to make decisions. Controversies are not limited to the level at which decision-making should occur and be communicated – additional contention has surfaced with respect to how far the privacy, security and authentication requirements should be addressed.
As networking evolves, older infrastructures adapted for the earliest days of wired communications between stationary terminals are coming under increasing stress, and a new generation of service providers in a ubiquitously connected environment are putting forward not just requests for, but also their own proposed solutions to, the unique problems of these environments. How the ADD WG ends up conceptualising these problems will test not just the technical innovativeness of WG participants, but also the ability of the institution to adapt and mediate struggles between the old and the new. This is an interesting position to be in for the technical standards body that once revolutionised the ways in which technology specifications were developed.