The DNS community brought DNS over HTTPS on itself
Interview with Sara Dickinson - Sara Dickinson is one of the most prolific DNS privacy experts around, and currently editor of a document detailing “Recommendations for DNS Privacy Operators”. She also coded Stubby, a DNS over TLS client, and is following very closely the race between the latter technology and the challenger, DNS over HTTPS (DoH). While that race is still open, she thinks that DoH will certainly bring a decisive change in the trust model of DNS queries for users and new challenges for traditional DNS operators.
With DNS over TLS and DNS over HTTPS racing for deployment – and some of the big players, like Cloudflare, offering both paths – how to decide where to send traffic?
It is up to the client to choose the protocol. The thing is that at the moment, browsers say “we only consider DoH. We’re not even thinking about using DNS over TLS under any circumstance”. Whereas if you look at it from a protocol perspective, DNS over TLS is a better fit if all you are doing is DNS, so that is where a bit of a split is coming. Will we see most operators offering both? In that case, there will be a split in the client population. But if people decide that they want to offer DoH and they don't see the value in offering DNS over TLS as well, then I think that will drive the client population to DoH instead. It is too early to figure out where this may go.
What are the drivers for one or the other?
The reason we did DNS over TLS is that we had two goals. One was privacy, to encrypt DNS on the wire, and the second was to disrupt the current ecosystem as little as possible. Therefore, we thought: let's take what we do over TCP, fix the performance problems, encrypt it and stop. That was the vision and the focus of DPRIVE. DoH has five or six goals: one of them happens to be privacy.
Privacy is just a side effect...
I described it as a happy side effect. In a blogpost, Patrick McManus described the advantages he sees in bringing DNS into the HTTP ecosystem. This is because HTTP does things DNS doesn't do, like proxying and caching, and they can just fit DNS into that world. They see latency wins from doing the query directly in the browser and not having to go through a system browser. They see latency wins in being able to do HTTP on the same connection as existing HTTP traffic. They see gains in having key HTTP-specific features like server push – so DNS is query-response. But their model is: if you ask for this thing, we can just push you a whole lot of records and you have got them in your local cache before you ask for it.
Those are clearly transport-related features. As soon as you are doing DoH, you can extend that and do a whole lot of interesting things, so one of the things that will be happening quite soon is that at the moment, they are using the DNS wire format inside HTTP, but there is a JSON representation. I think there are a lot of cases, just because it is easier to do from a Web App implementation.
Then we get into the ideas of trust models. I am still coming to grips with what effects we will see from ideas that the far end could customize the queries to suit the client because it knows what the client is asking for, what kind of content. Does customization mean geolocation? Probably. Does it mean more than that? I don't know.
There is no statement, such as we only do that if it is DNSSEC-signed from the root. And that was one of the side questions: we can see the use case, but it raises a lot of security concerns. Ultimately, however, website owners will be able to make the clients’ experience better and better targeted.
How will (regular, non-technical) users experience the difference between DoH, DNS over TLS and just DNS? Will I even notice?
I don't think they will notice. With DoH, there is an argument that you will get a better website experience, and that is absolutely true. They could also argue that under certain circumstances, you get better privacy and that will be true. But under the hood, the trust model regarding who is seeing your DNS queries will have changed, and there could be advantages to that because you are not leaking outside of where you are going.
A lot of people are still reacting badly to the idea that Firefox is just going to start using Cloudflare by default because they feel very challenged by that change of consent model. It feels like once they start doing that and they get a bit of a foothold, they can say that they don’t have any other way yet. Once that's there long enough, it becomes the default and the norm. They can also argue that we know how that works. That is good, that is stable. It works for our users and we are not going to change it.
Is concentration a concern, as Jari Arkko pointed out in Montreal?
Everybody is talking about Firefox at the moment, but Chrome has a working DoH implementation. It is called Bromite and you can do it today; Chrome just has not turned it on. There is no way they are not going to do it. For me, one of the fascinating questions at the moment is: when will Chrome turn it on? Will they turn it on by default and will they send everything to 188.8.131.52 by default, with the argument that they want to protect their users’ privacy and they have no alternative but to hard code a set of resolvers?
Given that the European Commission just fined Google for bundling services with Android OS, could the bundling of browser and DNS service result in yet another case for EU competition authorities?
Maybe, and I think this is untested waters for consent about where your DNS queries go.
You said recently that the system we might see soon will still look like DNS, but won’t really be DNS…
I started using the phrase hybrid names system – nobody else uses this. It is not pure DNS. It is going to evolve into something that probably uses certificates as the root of trust and possibly no DNSSEC between the stub and the resolver. A lot of people have been talking about the fact that if they have a secure way to discover an encrypted DNS end-point, then actually that will serve them, and they won't need to do DNSSEC. I can just trust the resolver doing that upstream and for a long time, a lot of people argued that these are not orthogonal things. However, now the ground is shifting a little bit.
What would be your guess of how many DoH operators there will be?
I can see Cloudflare, Google, Apple and maybe one or two other big players. Quad9, and it depends on how much the big CDNs get into it.
Akamai and Fastly might do it. I think they all might do it soon and the question becomes: if they are doing it, will anybody else bother? So there could be a step from there where everybody does it, because ISPs and enterprise networks want the opportunity that their DoH server gets discovered and used as opposed to one of the big ones. Or will we just see this sort of dominance by these big players? I don't feel I can predict which way this is going.
Do you still think there is an option that we will see both DoH and DNS over TLS used?
I don’t know. We have enough of a footprint for DoH. ISPs might feel more comfortable going to DNS over TLS, just because it is a smaller delta on the service they offer already and because they know how to run a recursive resolver and most of them are implementing DNS over TLS. I was asked by some of the implementers: do you think it is worth it to put DoH in the open source software? Will anybody do it? I am not convinced it is worth it.
We could end up with a short-term split, which is not necessarily a bad thing. But on the other hand, it depends what will be happening with the browsers: they just move so quickly. We simply need to compare what has happened with DoH in the last year with what has happened with DNS over TLS in four years.
We've been having a lot of discussions this week about how the DNS community brought DoH on themselves. It was just so slow to react. It didn't see it coming, and now it is kind of too late: DNS currently feels quite fragile and people have been adding complexity. As a result, there has been a big space left in here and the browsers are just walking straight in, because if they were already getting what they needed from DNS, they might be less eager to go down the DoH route. However, they are just not getting what they need, and I think they kind of feel they never will.
It is interesting to look at the attempts to bring people together. Paul Hoffman (ICANN) has been doing this and told people, hey, the HTTP people have real use cases and they would benefit from doing it this way, but the DNS people have genuine concerns about changing the security and the trust model, and the HTTP people need to listen. So I think that we are beginning to hear each other and that the DNS people realize this is going to happen regardless; they need to figure out how to be involved.