Adapting to the reality of encrypted DNS deployment

News 03-12-2020

What do computer scientists, behavioural economists and cognitive psychologists have in common? They all appreciate the power of the default effect: whatever people get without making an active choice is likely to end up the most popular option. In the world of network protocol development, the story of the deployment of encrypted DNS protocols is arguably centred on what will become the default.

With traditional, clear-text DNS still being the most common, the future of the default choice of encrypted DNS is still up for grabs. The Adaptive DNS Discovery (ADD) working group now has a variety of proposals from internet service providers, cloud service providers and web browsers.


The Domain Name System (DNS) is the way in which human-readable names (like centr.org) are converted to their network addresses (e.g. 2a00:1c98:10:60:ffff:ffff:ffff:10) so that you can connect to them. Notably, such queries have traditionally been sent in plain text and therefore lacked security and privacy guarantees. Internet service providers, which have traditionally provided resolver services to their users, can see which websites one is visiting. On-path attackers can also easily see this information, and can even block certain websites based on it.

The possibility of more privacy for these queries finally opened up with the standardisation of DNS over TLS (DoT) and DNS over HTTPS (DoH) in 2016 and 2018 respectively. While there was consensus that these protocols improve privacy against on-path observers, one concern remains: who ultimately gets to see these queries? Internet service providers (ISPs) were worried that applications could simply send DoH queries to whatever resolvers they like, effectively bypassing the ISP's resolver. Such private information would then be available to the big technology companies operating browsers or cloud services, which have been closely involved in the development and deployment of DoH.

The Internet Services Providers Association in the UK even nominated Mozilla as an ‘Internet Villain’ for planning to roll out DoH in a way that bypassed them and their content filtering mechanisms. The European Telecommunications Network Operators’ Association published a position paper noting their concerns for how all DNS traffic may move to a small number of players, and called for more scrutiny of the impact of DoH deployment on regulation and competition in the industry.

New developments at the IETF may have significant policy consequences, given regulators in the EU and around the world becoming increasingly sensitive to both privacy and competition law concerns in the tech industry.

What’s happening now?

While Mozilla made DoH the default for Firefox users in the US, the fervent backlash that caught the eye of UK regulators led it to put on hold its plans to do the same in the UK. Several developments at the IETF give an indication of how DoH and DoT may increasingly be rolled out around the globe.

There are at least two reasons a device might stick with its ISP's resolver (now reached over DoH/DoT instead of plaintext DNS) rather than going directly to a third-party resolver. First, ISPs can continue to provide parental controls or other filtering services to customers who have opted for them (or are involuntarily subject to them). Second, the relationships ISPs have with local cloud providers may mean that they provide better responses, i.e. the network addresses returned for a query may be topologically closer to the user, which results in more efficient traffic routing.

Earlier this year, the Adaptive DNS Discovery (ADD) working group was set up at the IETF to explore some related questions: How can a user or device discover DNS resolvers that are available to them in their network? How can a user select one if multiple resolvers are available?

Just add a DHCP option!

Traditionally, your device uses the DNS resolver that your access point (home router) assigns to it via the Dynamic Host Configuration Protocol (DHCP); the access point in turn obtains these details from your ISP. One way to let your ISP instruct your device to use its DoH/DoT resolver is therefore to carry that information in DHCP (and in IPv6 Router Advertisements), which is exactly what a group of engineers have proposed in the Internet Draft DHCP and Router Advertisement Options for Encrypted DNS Discovery within Home Networks.

Discovering ‘equivalent’ resolvers

Also on the agenda of the Adaptive DNS Discovery working group at IETF 109 was Discovery of Equivalent Encrypted Resolvers, which approaches the matter differently. Developed by technologists at Apple, Microsoft, Cloudflare and Fastly, the proposal addresses a specific question: once a device has a traditional DNS resolver that it seemingly trusts, how can it discover an equivalent service that uses DoH/DoT instead? In the usual case, the Internet Draft has each device send one additional DNS query (for the service binding and parameter, or SVCB, records being developed separately at the IETF) as soon as it learns of an unencrypted resolver; the response to this query contains the information needed to contact related resolvers that support encrypted DNS protocols.
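To make concrete what "the response contains information on how to contact related resolvers" means, the following is an added example, not code from the Internet Draft or from any of the companies named above. It builds and parses SVCB RDATA and turns it into a list of DoT/DoH endpoints a client could try. It assumes the SVCB wire format and SvcParamKey registry of what later became RFC 9460 and the "dohpath" key of RFC 9461, both of which post-date this article; the resolver name dns.example.net and the sample records are constructed for the example. It deliberately handles the edge case the specification cares about: a record whose "mandatory" list names a key the client does not understand must be ignored rather than half-interpreted.

```python
"""Parse SVCB RDATA as used for encrypted-resolver discovery (added example).
Assumes the RFC 9460 SVCB wire format and the RFC 9461 'dohpath' key."""
import struct

# SvcParamKey code points: mandatory, alpn, no-default-alpn, port,
# ipv4hint, ech, ipv6hint, dohpath (RFC 9460 / RFC 9461 registrations).
KEY_MANDATORY, KEY_ALPN, KEY_PORT, KEY_DOHPATH = 0, 1, 3, 7
KNOWN_KEYS = set(range(8))  # keys this client implements


def encode_name(name: str) -> bytes:
    """Uncompressed DNS wire-format name: 'a.b.' -> b'\\x01a\\x01b\\x00'."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(buf: bytes, off: int):
    labels = []
    while True:
        n, off = buf[off], off + 1
        if n == 0:
            return ".".join(labels) + ".", off
        if n & 0xC0:  # SVCB TargetName must not use compression pointers
            raise ValueError("compressed TargetName")
        labels.append(buf[off:off + n].decode("ascii"))
        off += n


def svcb_rdata(priority: int, target: str, params: dict) -> bytes:
    """Build RDATA; SvcParamKeys must be strictly ascending on the wire."""
    body = b"".join(struct.pack("!HH", k, len(v)) + v for k, v in sorted(params.items()))
    return struct.pack("!H", priority) + encode_name(target) + body


def parse_svcb(rdata: bytes) -> dict:
    priority = struct.unpack_from("!H", rdata, 0)[0]
    target, off = decode_name(rdata, 2)
    params, last_key = {}, -1
    while off < len(rdata):
        key, length = struct.unpack_from("!HH", rdata, off)
        off += 4
        if key <= last_key:  # duplicate or out-of-order keys: malformed RR
            raise ValueError("SvcParamKeys not strictly ascending")
        value = rdata[off:off + length]
        if len(value) != length:
            raise ValueError("truncated SvcParamValue")
        params[key], last_key, off = value, key, off + length
    return {"priority": priority, "target": target, "params": params}


def decode_alpn(value: bytes) -> list:
    """alpn value is a sequence of 1-byte-length-prefixed protocol IDs."""
    ids, off = [], 0
    while off < len(value):
        n, off = value[off], off + 1
        if n == 0 or off + n > len(value):
            raise ValueError("malformed alpn list")
        ids.append(value[off:off + n].decode("ascii"))
        off += n
    return ids


def resolver_endpoints(rdata: bytes) -> list:
    """(protocol, host, port, doh_path) tuples a client may try; [] if the RR
    is unusable (AliasMode, or a 'mandatory' key this client lacks)."""
    rr = parse_svcb(rdata)
    p = rr["params"]
    if rr["priority"] == 0:  # AliasMode: follow TargetName instead (not done here)
        return []
    if KEY_MANDATORY in p:
        v = p[KEY_MANDATORY]
        if len(v) % 2:
            raise ValueError("malformed mandatory list")
        for k in struct.unpack(f"!{len(v) // 2}H", v):
            # RFC 9460 s.8: unknown, absent or self-referential mandatory key
            # means the whole RR must be ignored, not partially used.
            if k == KEY_MANDATORY or k not in KNOWN_KEYS or k not in p:
                return []
    port = struct.unpack("!H", p[KEY_PORT])[0] if KEY_PORT in p else None
    endpoints = []
    for alpn in decode_alpn(p.get(KEY_ALPN, b"")):
        if alpn == "dot":
            endpoints.append(("dot", rr["target"], port or 853, None))
        elif alpn in ("h2", "h3") and KEY_DOHPATH in p:  # DoH needs a URI template
            endpoints.append(("doh", rr["target"], port or 443,
                              p[KEY_DOHPATH].decode("utf-8")))
    return endpoints


# Constructed sample records (hypothetical resolver name, not from the article).
DOT_RECORD = svcb_rdata(1, "dns.example.net.", {KEY_ALPN: b"\x03dot"})
DOH_RECORD = svcb_rdata(2, "dns.example.net.", {
    KEY_MANDATORY: struct.pack("!HH", KEY_ALPN, KEY_DOHPATH),
    KEY_ALPN: b"\x02h2", KEY_DOHPATH: b"/dns-query{?dns}"})
UNUSABLE_RECORD = svcb_rdata(3, "dns.example.net.", {  # 65280 is a private-use key
    KEY_MANDATORY: struct.pack("!HH", KEY_ALPN, 65280),
    KEY_ALPN: b"\x03dot", 65280: b"\x01"})
```

Parsing is only half of the job: the record above tells a client where an encrypted resolver is, not that the unencrypted resolver it is already using authorised it. Later versions of this mechanism (RFC 9462) require the client to check that the encrypted resolver's TLS certificate covers the IP address of the original resolver before trusting the "equivalence"; that TLS-level check is outside this example.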

Of course, it would be uncharacteristic of IETF participants to leave potential for pedantry untapped. For around two hours at IETF 109, the discussion focused on what 'equivalent' could mean.

Other rooms, other wonders

A related Internet Draft comes in the context of Mozilla enlisting US telecom giant Comcast in its Trusted Recursive Resolver programme. Comcast's Internet Draft, CNAME Discovery of Local DoH Resolvers, proposes reserving the name 'doh.test' as the target of a CNAME query used to discover DoH resolvers. An application (like Mozilla's Firefox browser) can perform this query over traditional plaintext DNS: if the response names a resolver that is in the trusted resolver programme, the application uses it instead of its default (which, for Firefox in the US, is currently Cloudflare).

A shifting mood

If the initial conversations on DoH seemed indifferent to the role of ISPs, the current phase of discussion centres on their involvement, or at least on deployment that does not happen without them. Two things are becoming clear, however. First, encrypted DNS is here to stay. Second, with all these proposals moving through the IETF, global DoH/DoT deployment may be more conservative than originally anticipated: it has not, at least so far, concentrated power in the hands of web browser vendors. Simply put, internet service providers may well continue to play an important role in providing DNS services to their users.


This article was written for CENTR by Gurshabad Grover, a technologist and legal researcher based in Bangalore, India, where he is Senior Researcher at the Centre for Internet and Society. Gurshabad's writing focuses on network security, privacy and censorship.

Published By Lydia Pernal-Stoddart