DNS transport: The race is on!

2020-12-17 Blog

Not one, not two, but three new protocols are offering internet transport layer options for the Domain Name System (DNS). We must not lose sight of the dernier cri (last shout) though. Here is a quick look at the catalogue of options and opinions on DNS over TLS (DoT), DNS over HTTPS (DoH) and DNS over Quic (DoQ).

End-destination better security

Securing DNS transport is becoming quite fashionable. Mozilla pressed the pace when announcing its implementation of browser-based DNS over HTTPS (DoH) in the US in 2019. Microsoft, Google and Apple all followed suit to announce implementations, as did network operators like Comcast, which partnered with Mozilla last summer.

There is also no shortage of European implementers of DoH on the network operator side. Both Deutsche Telekom and British Telecom are in on it. According to Nicolas Leymann, the German network operator will offer experimental DoH for its customers in the first quarter of 2021.

The original front-runner for a privacy-friendly solution was DNS over TLS (DoT). It is still seen as the natural evolution to secure infrastructure DNS and leaves the configuration of service parameters to users and network providers. Compared to DoH, DoT suffers from the fact that DoT traffic is easily discernible, because it runs on a dedicated port of its own.
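To make the discernibility point concrete from a network defender's side, here is an added example (not code from the article or from any of the projects it mentions) that classifies constructed connection-log records: a flow to TCP port 853 is labelled DoT outright, while a flow to port 443 can only be tagged as probable DoH if the observer already knows the resolver's hostname. The log format, the resolver hostnames and the IP addresses are all assumptions made for this illustration.

```python
"""
Added example: coarse classification of DNS transport from connection metadata.
The log format, hostnames and addresses below are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed watch-list of DoH endpoint hostnames (hypothetical names, not a
# real inventory). Without such out-of-band knowledge, DoH looks like any HTTPS.
KNOWN_DOH_HOSTS = {"doh.example-resolver.net", "dns.example-provider.org"}


@dataclass
class Flow:
    proto: str      # "tcp" or "udp"
    dst_ip: str
    dst_port: int
    sni: str        # TLS Server Name Indication, "" if absent


def classify(flow: Flow) -> str:
    """Return a coarse label for the DNS transport a flow most likely carries."""
    # DoT (RFC 7858) has its own well-known port, so it is trivially visible.
    if flow.proto == "tcp" and flow.dst_port == 853:
        return "DoT"
    # DoH (RFC 8484) rides on 443 like every other HTTPS session; only the
    # SNI (or the resolver IP) lets a network single it out.
    if flow.proto == "tcp" and flow.dst_port == 443:
        if flow.sni in KNOWN_DOH_HOSTS:
            return "probable-DoH"
        return "HTTPS (DoH indistinguishable)"
    if flow.proto == "udp" and flow.dst_port == 53:
        return "Do53 (cleartext)"
    return "other"


def parse_log(lines):
    """Parse constructed 'proto=tcp dst=... port=... sni=...' records."""
    flows = []
    for line in lines:
        kv = dict(field.split("=", 1) for field in line.split())
        flows.append(Flow(kv["proto"], kv["dst"], int(kv["port"]), kv.get("sni", "")))
    return flows


# Constructed sample records (addresses taken from documentation ranges).
SAMPLE_LOG = [
    "proto=tcp dst=192.0.2.10 port=853 sni=dot.example-resolver.net",
    "proto=tcp dst=192.0.2.20 port=443 sni=doh.example-resolver.net",
    "proto=tcp dst=198.51.100.5 port=443 sni=www.example.com",
    "proto=udp dst=192.0.2.30 port=53",
]


def summarize(lines):
    """Map each record to its classification, preserving record order."""
    return [classify(f) for f in parse_log(lines)]


if __name__ == "__main__":
    for line, label in zip(SAMPLE_LOG, summarize(SAMPLE_LOG)):
        print(f"{label:32} <- {line}")
```

The third record is the interesting one: an ordinary web session and a DoH session to an unlisted resolver produce the same label, which is exactly the property the paragraph above describes.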

In a recent column about DNS trends, APNIC Chief Scientist Geoff Huston also points to another issue: DoT does not eliminate the potential for the manipulation of DNS answers, but places trust in the hands of the DNS provider of choice. In Huston’s words: “all you really know is who is lying to you”.

The candidates

Using HTTPS web transport as the substrate, DNS queries benefit from TLS encryption. They also become part of the vast HTTPS traffic flows and cannot be easily identified by networks. Mozilla engineers never tire of underlining these privacy gains for users. With DoH, DNS becomes part of the application, which lets applications bypass the DNS settings of local and remote networks and of the platform they run on.
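The two paragraphs above and the earlier one on DoT describe the same DNS message being carried two ways. The following added example (written for this page, not code from the article or any resolver project) builds a minimal wire-format query and shows the DoT framing (the two-byte length prefix inherited from DNS over TCP) next to the DoH framing (an HTTP POST body, or a base64url value in a GET URL). The resolver URL and the query name are placeholders.

```python
"""
Added example: one DNS query, framed for DoT (RFC 7858) and for DoH (RFC 8484).
The resolver URL and query name are placeholders chosen for this illustration.
"""
import base64
import struct
from typing import Tuple


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Encode a standard recursive query: RFC 1035 header plus one question."""
    # Header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(part)]) + part.encode("ascii")
        for part in qname.rstrip(".").split(".")
    )
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS=IN
    return header + question


def dot_frame(msg: bytes) -> bytes:
    """DoT reuses DNS-over-TCP framing: a 2-byte big-endian length prefix,
    sent inside a TLS session on the dedicated port 853."""
    return struct.pack("!H", len(msg)) + msg


def doh_post(msg: bytes, path: str = "/dns-query") -> Tuple[str, bytes]:
    """DoH POST: the raw DNS message is the HTTP body, typed application/dns-message."""
    head = (
        f"POST {path} HTTP/1.1\r\n"
        "Content-Type: application/dns-message\r\n"
        "Accept: application/dns-message\r\n"
        f"Content-Length: {len(msg)}\r\n\r\n"
    )
    return head, msg


def doh_get_url(msg: bytes, base: str = "https://doh.example.invalid/dns-query") -> str:
    """DoH GET: the message goes base64url-encoded, without padding, into the
    'dns' parameter. RFC 8484 recommends a zero transaction ID so that
    identical queries produce identical, cache-friendly URLs."""
    zeroed = b"\x00\x00" + msg[2:]
    encoded = base64.urlsafe_b64encode(zeroed).rstrip(b"=").decode("ascii")
    return f"{base}?dns={encoded}"


def parse_question(msg: bytes) -> Tuple[str, int]:
    """Decode QNAME and QTYPE from a query; used to sanity-check the encoder."""
    pos, parts = 12, []
    while True:
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        parts.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    (qtype,) = struct.unpack("!H", msg[pos:pos + 2])
    return ".".join(parts), qtype


if __name__ == "__main__":
    q = build_query("example.com")
    print("DoT frame :", dot_frame(q).hex())
    head, body = doh_post(q)
    print("DoH POST  :", head.replace("\r\n", " | "), body.hex())
    print("DoH GET   :", doh_get_url(q))
```

Note that the bytes after the framing are identical in every case; neither DoT nor DoH changes the DNS message itself, they only change the envelope, and with it who on the path can tell that it is DNS at all.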

The most recent development is oblivious DoH (ODoH), just promoted by Cloudflare as the ultimate answer to concerns over the concentration of user information. ODoH adds a proxy between the public resolver and end user, separating DNS information from the user’s IP.

During IETF 109 Christian Huitema, an expert in privacy by design, further asked the DNS Privacy (DPRIVE) working group if he could go ahead with secure DNS protocol number three, DNS over Quic (DoQ).

With Quic, the IETF’s new transport protocol, on the finish line, DoQ could be pursued in earnest. Quic is UDP-based and integrates the TLS stack to become the first natively privacy preserving transport protocol. Many believe it will become a big competitor to TCP. What could make DoQ attractive for DNS providers is that the encryption is dealt with at the transport level. Plus, the DNS could benefit from additional Quic features like multiplexing.

One to rule them all?

While Huston does not see a big future for DoT, and also calls the half-forgotten UDP-based Datagram TLS (DTLS), the fourth secure DNS transport, too fragile, other experts see a potential division of labour between the candidates.

DNS privacy expert Sara Dickinson from the UK-based consultancy Sinodun believes “we will have multiple protocols which have specialised areas”.

She can see that DoH is preferred by applications, while DoT makes more sense for basic stub resolvers. For DoQ, which came late to the game, she does not currently see enough appetite, at least for the path between the user’s stub and the provider’s recursive resolvers. On the other hand, Dickinson expects that the path between recursive and authoritative resolvers could be encrypted, running either DoT or DoQ. The DPRIVE working group just started to work on securing the upper part of the DNS resolution path. DoH is not being considered for this.

In the end, speed could be the decisive factor. “I happen to think DoQ will need to prove it is more performant in order for it to be chosen in preference to DoT for that role, because DNS folks are now reasonably comfortable with DoT,” Dickinson says. However, other voices point out that DoQ could still beat DoT, even for the stub-to-recursive path, because DoQ might be simpler to use.

Burdened by parallel deployments

For implementers it is hard to decide which protocol to put their money on. There is a certain risk that one of the candidates will become dominant and that efforts to deploy the other protocols will have been wasted, Wes Hardaker from the University of Southern California's Information Sciences Institute (USC/ISI) warned during IETF 109. Yet picking a winner upfront has not been the means of choice in the IETF recently.

Furthermore, implementers at Deutsche Telekom are happy to deploy at least DoH and DoT in parallel for now, while waiting for DoQ to arrive. This means that the race is on...


This article was written for CENTR by Monika Ermert. Monika has been working as an IT journalist for over 20 years. She has covered the evolving internet governance landscape, EU and worldwide attempts to regulate and the risks and fun of technology. She holds an M.A. in Chinese/Media Studies from the University of Tuebingen and lives and works in Munich, Germany.