Google Announces DNS over HTTPS ‘General Availability’


Google finalizes its DNS-over-HTTPS service.

Google announced general availability of its Public DNS-over-HTTPS service Wednesday, based on the Internet Engineering Task Force’s RFC 8484 standard. The move is a culmination of three years of Google fine-tuning DNS over HTTPS, otherwise known as DoH.

“Today we are announcing general availability for our standard DoH service. Now our users can resolve DNS using DoH at the dns.google domain with the same anycast addresses (like 8.8.8.8) as regular DNS service, with lower latency from our edge PoPs throughout the world,” wrote Marshall Vale, product manager, and Alexander Dupuy, software engineer, in a Google Security Blog post.

The move is an effort by Google to boost consumer privacy, reduce the threat of man-in-the-middle attacks, and speed up the internet with a new solution for securing domain name server traffic that uses the encrypted HTTPS channel.

Another Layer of Privacy and Security

Currently, a user’s internet service provider is most often the only party privy to DNS requests made by a browser, primarily because the ISP alone is responsible for the routing of that request. Nearly everything a user does online begins with a DNS query. Its function is to map domain names (such as example.com) to the actual IP address of the server hosting a desired webpage.

DNS queries are sent in clear text (using UDP or TLS) and can reveal the websites a user visits, along with metadata such as a site’s name, when it was visited and how often. In other cases, when content filters are in place, DNS logs can capture user IDs or MAC addresses. And thanks to a loosening of privacy rules by lawmakers, now ISPs can share their users’ internet activity with third parties.

Similar Efforts by Familiar Stakeholders

For these reasons, DNS over TLS (DoT) is considered a leaky aspect of the internet’s plumbing. That’s why Google and others, such as Mozilla and Cloudflare, a security-focused content delivery network provider, have been building and promoting new alternatives to sending traffic using UDP and TLS.

In April 2018, Cloudflare launched its own DNS-over-HTTPS service called 1.1.1.1. More recently, the Mozilla Foundation’s Firefox group also announced it was testing a DNS-over-HTTPS service with a small group of users.

Privacy, Security and Speed

These groups argue that man-in-the-middle (MiTM) attacks often exploit the insecure nature of DNS via DNS spoofing, DNS hijacking or DNS poisoning. In a MiTM attack involving DNS, a hacker abuses DNS servers to redirect webpage requests and return spoofed sites (or files) that appear to be legitimate.

With DNS inside an HTTPS-encrypted channel, the ISP (or a hotel or café Wi-Fi hotspot) can no longer eavesdrop on DNS queries. It also makes it harder for hackers to hijack or spoof DNS activity in order to mount a MiTM attack.
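As an added illustration (not from Google's announcement or the original article), the sketch below builds the RFC 8484 GET request for a lookup and then decodes it again. On the wire this URL travels inside TLS to the resolver, so only the resolver, or a proxy that terminates TLS, can recover the queried name. The `/dns-query` path is Google's published RFC 8484 endpoint and is not stated in the article; the function names are hypothetical.

```python
import base64
import struct
from urllib.parse import parse_qs, urlsplit

# Assumption: Google's RFC 8484 endpoint path (not given in the article).
DOH_ENDPOINT = "https://dns.google/dns-query"


def build_query(name, qtype=1):
    """Return a DNS wire-format query (RFC 1035) for `name`; qtype 1 = A."""
    # RFC 8484 recommends ID 0 so identical queries are HTTP-cacheable.
    # Flags 0x0100 = recursion desired; one question, no other records.
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS 1 = IN


def doh_get_url(name, qtype=1, endpoint=DOH_ENDPOINT):
    """Encode the query as the `dns` parameter: base64url, padding removed."""
    wire = build_query(name, qtype)
    b64 = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={b64}"


def decode_dns_param(url):
    """Recover (qname, qtype) from a DoH GET URL, as the resolver or a
    TLS-terminating inspection proxy would after decryption."""
    b64 = parse_qs(urlsplit(url).query)["dns"][0]
    wire = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    pos, labels = 12, []  # question section starts after the 12-byte header
    while wire[pos]:
        length = wire[pos]
        labels.append(wire[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    qtype, _qclass = struct.unpack("!HH", wire[pos + 1:pos + 5])
    return ".".join(labels), qtype


if __name__ == "__main__":
    url = doh_get_url("www.example.com")
    print(url)
    print(decode_dns_param(url))
```

A real client would send this URL with an `Accept: application/dns-message` header and receive a wire-format DNS response in the HTTP body.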

Then there is the matter of efficiency and reliability. Cloudflare maintains that using a DNS resolver via an HTTPS request is more efficient and can shave up to 15 milliseconds off the time it takes to make DNS queries to render a webpage. Even more milliseconds can be shaved when Cloudflare acts as the authoritative DNS hosting service, Prince said. Google also promises lower latency, but doesn’t mention specific speed increases.

The adoption of RFC 8484 is important. The standard has not yet been ratified by the IETF, but the more internet stakeholders adopt it, the closer it is to formally becoming a DoH standard. In April of 2018, experts said the standard could be adopted in a matter of weeks. Fast forward 14 months and RFC 8484 is still up for discussion. The last tweak to the proposal was in October 2018.

Security and Privacy Concerns

While many cheer the upsides of using the encrypted HTTPS channel to secure DNS traffic, some caution that doing so trades one privacy and security problem for another. They argue that routing traffic through a content distribution network management system (such as Cloudflare and others) creates new central repositories for DNS queries that could be hacked or used to mine personally identifiable information (PII).

In an interview with Threatpost last year, Matthew Prince, co-founder and CEO of Cloudflare, said, “We are committed to not storing any DNS logs for the service for longer than 24 hours. We don’t write the source IP addresses to disc – which is the only data that could identify a customer. We have no interest in being a centralized repository for PII. Our business model is not advertising and it’s not about saving data.”

In Google’s DoH test, its privacy policy states:

“Your client IP address is only logged temporarily (erased within a day or two), but information about ISPs and city/metro-level locations are kept longer for the purpose of making our service faster, better, and more secure.”


Discussion

  • Anonymous on

    What about threat detection? With this, we lose critical DNS data for detecting malware when it tries to contact its C2 server. Domain names are a very important part of IoCs. I think enterprises will either start blocking connections to DoT services or be forced to decrypt it.
  • Jerry on

    And what prevents the owner of the DoH server from logging and selling the inquiries it has received over HTTPS? If this becomes a standard and widely adopted, ISPs will deploy DoH servers and still know what inquiries were made to them. Looks more like a solution looking for a problem.
  • Anonymous on

    Enterprises normally use their own DNS resolver for internal services, often integrated with AD. It's supported out of the box in a pfSense router to have clients connect to it using corporate certificate secured DoT, then have internet domains resolve with DoT to an external resolver.
  • JohnG on

    Given that HTTPS uses TCP, what conceivable benefit is there? Don't say security, we already have options for that within DNS. All I see is yet another layer, creating double (or more?) the overhead, thereby causing increased loads at all levels and slower throughput.
