Is indirection of traffic the next big thing in DNS privacy and beyond?
After Oblivious DoH, the Internet Engineering Task Force (IETF) was presented with Oblivious HTTP and confidential computing at the IETF 110 meeting. In essence, these proposed mechanisms try to shield users' information from uninvited data krakens.
Developers from Apple, Fastly and Cloudflare have proposed an 'Oblivious DNS over HTTPS' (ODoH) standard as a reaction to the backlash against DoH. Mozilla's original DoH deployment raised many concerns over its concentration effects: one resolver operator sees the queries of a very large user population. Oblivious DoH is supposed to mitigate the risk of data collection by such a centralised resolver.
ODoH puts a proxy between the user and the DNS resolver so that requests for domain names are no longer attributable to the user. The proxy learns the user's IP address but not the content of the query, which passes through it in encrypted form in both directions; the resolver sees and answers the query but does not learn who sent it. The protection rests on the two roles being kept apart: a proxy and resolver run by the same party, or colluding, could join IP address and query again, which is why independent proxy operators matter.
Cloudflare, the much-criticised centralised provider for Mozilla's initial DoH deployment, went ahead and implemented ODoH at the end of 2020, partnering with PCCW, SURF and Equinix as independent proxy providers.
Chris Wood (Cloudflare) and Tommy Pauly (Apple) are now hoping for the ODoH draft to be adopted. According to Pauly, Apple intends to support ODoH in the future.
Nevertheless, the DNS Privacy (DPRIVE) working group hesitated, pointing to implementation work already under way and to a second, generalised version of the 'oblivious' concept already on the horizon, which Wood himself hinted at during the meeting.
Generalising the ‘oblivious’ concept
Rather than limiting the oblivious approach to DNS over HTTPS, Martin Thomson (Mozilla), together with Wood, has taken a step towards generalising it as Oblivious HTTP (OHTTP).
As in ODoH, indirection is the mechanism that prevents servers from collecting requests and linking them to profile users: a proxy hides the user's IP address from the server, and the request is encrypted to the server's key so that the proxy cannot read it. The work is very much based on the ODoH concept, but there was a wish to generalise it beyond DNS queries, Thomson said during the SecDispatch session.
According to Thomson, OHTTP is suited to short-lived, atomic, transactional exchanges such as DNS requests. It is less onerous than Tor browsing but offers similar protection for this class of request, he noted. Mozilla also hopes to use it for telemetry submissions, for which no individual user data is sought, he underlined.
There is additional work using proxying ongoing in the IETF, and several participants acknowledged the need to map that work and how it relates. David Schinazi (Google) pointed in particular to ongoing standardisation in the MASQUE working group. OHTTP nevertheless addresses a special use case by focusing on short-lived requests, he said; long-lived connections, web browsing and the loading of complete websites are better addressed by MASQUE, Schinazi opined.
Like DoH, and to a lesser degree ODoH, OHTTP received a quick nod to advance; IETF participants can expect an OHTTP working group (WG) to be formed soon.
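The two-hop exchange just described, for ODoH above and equally for the generalised OHTTP form, as an added example that is not part of the article or of any ODoH/OHTTP implementation: a Go model (standard library only) in which the client encapsulates a query to the target's X25519 key, the proxy forwards the opaque body and records only what it can see, and the target decrypts, answers and seals the reply back to the same ephemeral key. The key schedule (X25519, HKDF-SHA256 with the ephemeral key as salt and a direction label, AES-128-GCM) is a simplification of the HPKE construction the drafts use, not their wire format; the zone data, addresses and target name are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// keys derives a per-direction AES-128-GCM key and nonce with one HKDF-SHA256 block (RFC 5869).
// The ephemeral public key is the salt, so every query gets fresh keys; the direction label keeps
// a query key from ever opening or forging a response.
func keys(ephPub, shared []byte, dir string) (cipher.AEAD, []byte) {
	ext := hmac.New(sha256.New, ephPub)
	ext.Write(shared)
	exp := hmac.New(sha256.New, ext.Sum(nil))
	exp.Write([]byte("odoh-example " + dir))
	exp.Write([]byte{1})
	km := exp.Sum(nil) // T(1): 16-byte key, then 12-byte nonce
	return must(cipher.NewGCM(must(aes.NewCipher(km[:16])))), km[16:28]
}

// Target is the resolver; Pub is what a client fetches out of band (ODoH serves it over HTTPS).
type Target struct {
	priv *ecdh.PrivateKey
	Pub  *ecdh.PublicKey
	Zone map[string]string // constructed answers standing in for real resolution
	Seen []string          // what the target learns: query names, never a client address
}

func NewTarget(zone map[string]string) *Target {
	priv := must(ecdh.X25519().GenerateKey(rand.Reader))
	return &Target{priv: priv, Pub: priv.PublicKey(), Zone: zone}
}

// Handle takes what crossed the proxy (ephemeral public key plus sealed body), decapsulates
// it, answers, and seals the answer back to the same ephemeral key.
func (t *Target) Handle(ephPub, body []byte) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(ephPub)
	if err != nil {
		return nil, err
	}
	shared, err := t.priv.ECDH(pub) // also rejects low-order points
	if err != nil {
		return nil, err
	}
	qa, qn := keys(ephPub, shared, "query")
	name, err := qa.Open(nil, qn, body, ephPub)
	if err != nil {
		return nil, err // tampered or wrong-key body: refuse and learn nothing
	}
	t.Seen = append(t.Seen, string(name))
	answer := t.Zone[string(name)] // empty answer stands in for NXDOMAIN
	ra, rn := keys(ephPub, shared, "response")
	return ra.Seal(nil, rn, []byte(answer), ephPub), nil
}

// Proxy relays opaque bodies to one target. Its log is the whole of what it can learn.
type Proxy struct {
	Target *Target
	Seen   []string
}

func (p *Proxy) Forward(clientAddr, targetName string, ephPub, body []byte) ([]byte, error) {
	p.Seen = append(p.Seen, fmt.Sprintf("%s -> %s, %d bytes", clientAddr, targetName, len(body)))
	return p.Target.Handle(ephPub, body)
}

// Resolve is the client: encapsulate to the target's key, send via the proxy, open the reply.
func Resolve(p *Proxy, clientAddr, targetName string, targetPub *ecdh.PublicKey, name string) (string, error) {
	eph := must(ecdh.X25519().GenerateKey(rand.Reader)) // fresh key per query keeps queries unlinkable
	shared := must(eph.ECDH(targetPub))
	ephPub := eph.PublicKey().Bytes()
	qa, qn := keys(ephPub, shared, "query")
	resp, err := p.Forward(clientAddr, targetName, ephPub, qa.Seal(nil, qn, []byte(name), ephPub))
	if err != nil {
		return "", err
	}
	ra, rn := keys(ephPub, shared, "response")
	answer, err := ra.Open(nil, rn, resp, ephPub)
	return string(answer), err
}

func main() {
	t := NewTarget(map[string]string{"example.com": "203.0.113.7"}) // constructed zone data
	p := &Proxy{Target: t}
	fmt.Println(Resolve(p, "192.0.2.10", "resolver.example", t.Pub, "example.com"))
	fmt.Println("proxy saw:", p.Seen, "target saw:", t.Seen)
}
```

Running it shows the split the article describes: the proxy's log holds the client address, the target name and a byte count but no query name, while the target's log holds the name but no address. Because the ephemeral key changes for every query, the target also cannot link two queries from the same client; a body that was tampered with in transit fails the AEAD check and is dropped before the target learns anything.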
Next steps towards a private DNS
The general trend towards letting users fetch resources anonymously is matched by yet another piece of work presented at IETF 110. Jari Arkko, former IETF Chair and Ericsson engineer, told the DNS Operations (DNSOP) WG that with the move towards encrypting DNS traffic and hiding query metadata, the next steps for privacy could be envisaged. Data at rest, he said, also has to be covered, to avoid leaks from resolvers, whether by accident or through commercial or malicious intent.
Instead of a proxy, Arkko proposes a Trusted Execution Environment (TEE) as a way to prevent data collection at the resolver. If resolution runs inside a hardware-backed TEE, even the cloud operator hosting the resolver is cut out of the data. A well-functioning TEE must offer attestability of its characteristics (a client can verify remotely which code is running and on what platform), code integrity and data confidentiality. Trust is still required, just as with the proxy providers: it moves from the resolver operator to the hardware vendor, its attestation infrastructure and the correctness of the attested code, and a client gains nothing unless it actually checks the attestation before sending queries.
While some participants are sceptical of confidential computing becoming part of DNS operations, Arkko is confident that it is not a distant prospect. According to his draft, some TEEs are already on offer, for example Intel's Software Guard Extensions (SGX). Arkko announced his intention to experiment with it during the next IETF hackathon in July 2021.
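The attestation check a client would need before trusting such a resolver, as an added example that is not part of the article or of Arkko's draft: a Go model (standard library only) in which a platform key signs a report binding the measured enclave code to the enclave's transport key, and the client refuses to talk to any resolver whose report fails the signature, measurement or key-binding check. The report layout, the Ed25519 platform key and all inputs are constructed stand-ins; a real SGX quote is structured differently and is verified against Intel's attestation service rather than a single key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Report is a simplified attestation report: the hash of the code loaded into the TEE and
// 32 bytes of data the enclave chose to bind, here the hash of its resolver transport key.
// Real SGX quotes carry more (signer identity, security version, platform TCB state).
type Report struct {
	Measurement [32]byte
	ReportData  [32]byte
	Signature   []byte // by the platform's attestation key over Measurement||ReportData
}

func (r Report) signed() []byte { return append(append([]byte{}, r.Measurement[:]...), r.ReportData[:]...) }

// Attest models the platform: measure the enclave code, bind the key, sign.
func Attest(attestKey ed25519.PrivateKey, enclaveCode, transportPub []byte) Report {
	r := Report{Measurement: sha256.Sum256(enclaveCode), ReportData: sha256.Sum256(transportPub)}
	r.Signature = ed25519.Sign(attestKey, r.signed())
	return r
}

// Verify is the client's gate before any query is sent: the report must be signed by the
// platform key we trust, name the resolver build we audited, and bind the key we are about to use.
func Verify(attestPub ed25519.PublicKey, expected [32]byte, r Report, transportPub []byte) error {
	if !ed25519.Verify(attestPub, r.signed(), r.Signature) {
		return errors.New("attestation signature invalid")
	}
	if r.Measurement != expected {
		return errors.New("enclave runs code other than the audited resolver build")
	}
	if r.ReportData != sha256.Sum256(transportPub) {
		return errors.New("transport key is not the one bound in the report")
	}
	return nil
}

// RunAttestExample shows the three outcomes with constructed inputs: an honest resolver is
// accepted; a resolver whose enclave code was changed is refused; a correct report presented
// together with somebody else's key is refused.
func RunAttestExample() (honest, modifiedCode, swappedKey error) {
	attestPub, attestKey, _ := ed25519.GenerateKey(rand.Reader)
	code := []byte("resolver build v1 (constructed stand-in for the enclave binary)")
	expected := sha256.Sum256(code)                        // what the client pinned after auditing this build
	resolverPub, _, _ := ed25519.GenerateKey(rand.Reader) // the enclave's transport key, stand-in
	honest = Verify(attestPub, expected, Attest(attestKey, code, resolverPub), resolverPub)
	modified := append([]byte("patched: "), code...)
	modifiedCode = Verify(attestPub, expected, Attest(attestKey, modified, resolverPub), resolverPub)
	otherPub, _, _ := ed25519.GenerateKey(rand.Reader)
	swappedKey = Verify(attestPub, expected, Attest(attestKey, code, resolverPub), otherPub)
	return
}

func main() { fmt.Println(RunAttestExample()) }
```

The point of binding the transport key into the report is that a valid report proves only that some enclave with the expected measurement exists; without the binding, a host could present a genuine report and then terminate the client's connection outside the enclave with a key of its own. The measurement pin is where trust in the vendor's attestation chain meets trust in the audited resolver code.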
This article was written for CENTR by Monika Ermert. Monika has been working as an IT journalist for over 20 years. She has covered the evolving internet governance landscape, EU and worldwide attempts to regulate and the risks and fun of technology. She holds an M.A. in Chinese/Media Studies from the University of Tuebingen and lives and works in Munich, Germany.