Google announced general availability of its Public DNS-over-HTTPS service Wednesday, based on the Internet Engineering Task Force’s RFC 8484 standard. The move is a culmination of three years of Google fine-tuning DNS over HTTPS, otherwise known as DoH.
“Today we are announcing general availability for our standard DoH service. Now our users can resolve DNS using DoH at the dns.google domain with the same anycast addresses (like 126.96.36.199) as regular DNS service, with lower latency from our edge PoPs throughout the world,” wrote Marshall Vale, product manager and Alexander Dupuy, software engineer in a Google Security Blog.
The move is an effort by Google to boost consumer privacy, reduce the threat of man-in-the-middle attacks, and speed up the internet with a new solution for securing domain name server traffic that uses the encrypted HTTPS channel.
Another Layer of Privacy and Security
Currently, a user’s internet service provider is most often the only party privy to DNS requests made by a browser, primarily because the ISP alone is responsible for the routing of that request. Nearly everything a user does online begins with a DNS query. Its function is to map domain names (such as example.com) to the actual IP address of the server hosting a desired webpage.
DNS queries are sent in clear text (using UDP or TLS) and can reveal the websites a user visits, along with metadata such as a site’s name, when it was visited and how often. In other cases, when content filters are in place, DNS logs can capture user IDs or MAC addresses. And thanks to a loosening of privacy rules by lawmakers, now ISPs can share their users’ internet activity with third parties.
Similar Efforts by Familiar Stakeholders
For these reasons DNS over TLS (DoT) is considered a leaky aspects of the internet’s plumbing. That’s why Google and others, such as Mozilla and Cloudflare, a security focused content delivery network provider, have been building and promoting new alternatives to sending traffic using UDP and TLS.
In April 2018, Cloudflare launched its own DNS-over-HTTPS service called 188.8.131.52. More recently, the Mozilla Foundation’s Firefox group also announced it was testing a DNS-over-HTTPS service with a small group of users.
Privacy, Security and Speed
These groups argue man-in-the-middle (MiTM) attacks often exploit the insecure nature of DNS via DNS Spoofing attacks or DNS Hijacking or DNS Poisoning. MiTM attacks involving DNS are when a hacker can abuse DNS servers to redirect webpage requests and return spoofed sites (or files) that appeared to be legitimate.
By putting DNS in an HTTPS encrypted channel the ISP (hotel or café Wi-Fi hotspot) can no longer eavesdrop on DNS queries. It also makes it harder for hackers to hijack or spoof DNS activity in order to leverage a MiTM attack.
Then there is the matter of efficiency and reliability. Cloudflare maintains that using a DNS resolver via an HTTPS request is more efficient and can shave up to 15 milliseconds off the time it takes to make DNS queries to render a webpage. Even more milliseconds can be shaved when Cloudflare acts as the authoritative DNS hosting service, Prince said. Google also promises lower latency, however doesn’t mention specific speed increases.
The adoption of the RFC 8484 is important. The standard has not yet been ratified by the IETF, but as more internet stakeholders adopt it, the closer it is to formally becoming a DoH standard. In April of 2018, experts said the standard could become adopted in a matter of weeks. Fast forward 14 months and RFC 8484 is still up for discussion. The last tweak to proposal was in October 2018.
Security and Privacy Concerns
While many cheer the upsides of using the encrypted HTTPS channel to secure DNS traffic, there are some that caution that doing so trades one privacy and security problem with another. They argue, by routing traffic through a content distribution network management system (such as Cloudflare and others) they are creating new central repositories for DNS queries that could be hacked or used to mine personal identifiable information (PII) data.
In an interview with Threatpost last year, Matthew Prince, co-founder and CEO of Cloudflare, said, “We are committed to not storing any DNS logs for the service for longer than 24 hours. We don’t write the source IP addresses to disc – which is the only data that could identify a customer. We have no interest in being a centralized repository for PII. Our business model is not advertising and it’s not about saving data.”
“Your client IP address is only logged temporarily (erased within a day or two), but information about ISPs and city/metro-level locations are kept longer for the purpose of making our service faster, better, and more secure.”