I turned on our commercial service (CIRA DNS Firewall) at home, and had a ton of fun looking at how much DNS activity happened when I wasn’t around. I could see my operating system, Roomba, smart speaker and other smart devices all communicating back to their host systems. Again, in clear text and over the internet. This is possible because with our commercial service, IT managers generally need to monitor what happens on their network and in this context I was my home IT manager.
Is DNS concentration in the hands of big corporations a problem?
Application implementation of DoH is happening in a way that hides the nuance from the user. This results in message boards and comment sections getting filled with negative opinions, like one commenter saying, “the guys pushing for DNS-over-HTTPS are the worst privacy offenders out there (Google, Cloudflare).”
Regardless of your opinion of any big company, the trend towards pervasive information gathering and marketing has probably led to the growth of search alternatives like Duck Duck Go and increasing marketing by browser alternatives centered on privacy. For example, Microsoft is taking a very strong privacy stance with their latest Edge browser, while Mozilla has been touting its privacy capabilities for a long time now.
Arguments against corporate control often point to corporate histories littered with long, complicated licensing agreements and best intentions that have a tendency to slip over time. However, with DoH implemented correctly, it doesn’t really matter because it gives the consumer the choice to stay or switch at any time.
The other side of the corporate coin is the impact on large telcos. In the U.S., telecommunications deregulation has enabled ISPs to, in theory, use internet behavior to track and market to their customers. On this note, it is very important to point out that this is not happening in Canada. ISPs are not prohibited from using customer DNS data for commercial purposes; however, to do so they must clearly inform their customers rather than burying it in the terms and conditions. If a Canadian ISP were to begin this practice, it would likely be a public relations and sales nightmare. Frankly, Canadian ISPs deserve kudos for their hands-off approach. That said, we can’t forget that they aren’t always perfect when it comes to the DNS. Both Rogers and Bell have been accused in the past of overstepping with DNS-based marketing activities.
As a top-level domain operator, CIRA participates in a number of global internet governance activities, and we have heard some rumblings in the halls about DNS concentration through DoH. Traditional DNS resolvers (like Google 188.8.131.52) were never an issue; it is the move to the application layer that has raised this concern. This is likely due to an already highly concentrated market at that layer, where only four companies control more than 93 per cent of the web browser market share in Canada.
So now that we understand the marketing and criticisms at the application layer – how is implementation happening?
Mozilla was first out of the gate when it made DoH the default setting in Firefox, using Cloudflare as the chosen resolver. After rolling out the change in the U.S., the company is taking a country-by-country approach and is allowing users to change their default resolver.
Mozilla has recognized that there are situations where defaulting to DoH is not appropriate. This includes networks that use DNS filtering for malware protection or parental controls. It is an issue that was particularly critical for enterprises, given the serious cybersecurity threats that come with unfiltered internet access. Since the standard didn’t address this issue, Mozilla implemented a canary domain check that runs before DoH is enabled. If the browser can resolve the canary domain of a known and approved DNS provider, then it will not enable DoH by default. It will also check the Windows and macOS settings for parental controls in the operating system. If an end-user manually enables DoH, then the signal from the network will be ignored and the user setting will predominate. For IT administrators, we recommend implementing network-based systems that push configuration files across the network so that devices use approved resolvers, which limits the risk of this activity. We also recommend choosing (if relevant) a DoH provider that offers a level of network security in the form of a DNS firewall or similar (we might know one you will like).
Mozilla has also developed a Trusted Recursive Resolver program with specific privacy, transparency, and censorship requirements that must be met. These requirements are well designed for the good of end-user privacy.
Chrome is the big daddy of the browser market, and its approach has been different. DoH will not be a default setting for enterprise versions of the browser; they will continue to get instructions from Active Directory. For other users, the browser will recognize the presence of recursive resolver filtering and keep that default when present. This means that if, for instance, your ISP supported a DoH equivalent and Chrome was aware of it, then it will switch to DoH. It is an interesting approach that considers the on-path encryption of the DNS to be the primary benefit, rather than the question of who gets that data at the end of the path. That said, it is certainly less intrusive to the end-user.
Google is in the experimental phase with a small number of American providers. Chrome will maintain a table that maps non-DoH DNS servers to their equivalent DoH servers. As of the date of publication of this blog, they have not published plans to implement a canary domain similar to Mozilla’s.
Windows and Edge
Edge and Windows go hand in hand, so it makes sense that Microsoft is looking to implement DoH at the OS level.
Their design strategy is that the Windows DNS needs to be as private and functional as possible without the need for user admin or configuration. In this way, they are taking a similar approach to Chrome. Of course, being an operating system-focused approach, they do want power users to continue to be able to manage the settings with as much flexibility as is available.
The first milestone will be for Windows to ship with a list of configuration mappings from DNS IP addresses to DoH URIs. All queries will use the DoH address when needed. This means that no user involvement is necessary to support DoH when it is an available option for DNS privacy. If a DoH-capable server is not on the list, then it will require manual configuration, so this is openly a first step toward the longer-term goal. The one disadvantage of this principle is that users don’t get educated on the value of DNS privacy.
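The Chrome and Windows mechanism above (a table that maps a classic resolver IP to its DoH endpoint, with manual configuration required for anything not on the list) is easy to model, and doing so shows what the "upgrade" actually changes on the wire. The script below is an added example written for this post; it is not CIRA, Google or Microsoft code, and the mapping table, the all-or-nothing upgrade policy and the sample DNS response are constructed for illustration. It builds the DNS wire-format query that a DoH GET request carries (RFC 8484 base64url-encodes the same RFC 1035 message that would otherwise go out in clear text over UDP port 53) and parses a constructed response.

```python
"""Added example: model the classic-resolver-to-DoH auto-upgrade table and
show what a DoH GET request carries. Not vendor code; see the comments for
what is constructed."""
import base64
import struct

# Constructed mapping table. The templates are the providers' published DoH
# endpoints, but storing them keyed by classic resolver IP is an assumption
# about how a client might lay out such a table.
CLASSIC_TO_DOH = {
    "1.1.1.1": "https://cloudflare-dns.com/dns-query",
    "8.8.8.8": "https://dns.google/dns-query",
    "9.9.9.9": "https://dns.quad9.net/dns-query",
}


def plan_upgrade(configured_servers):
    """Map each configured classic resolver to its DoH equivalent.

    Returns (mapping, fully_upgradable). Constructed policy: only report the
    host as upgradable when every configured server is on the list, so a
    fallback to an unlisted server can't silently reintroduce clear-text
    queries. Anything missing needs manual configuration, as the post notes.
    """
    mapping = {ip: CLASSIC_TO_DOH.get(ip) for ip in configured_servers}
    for template in mapping.values():
        # A DoH endpoint that is not https:// gives none of the on-path privacy.
        if template is not None and not template.startswith("https://"):
            raise ValueError("DoH template must use https: " + template)
    fully = bool(mapping) and all(v is not None for v in mapping.values())
    return mapping, fully


def build_dns_query(qname, qtype=1, txid=0):
    """Encode a minimal RFC 1035 query for qname (A record by default).
    RFC 8484 recommends transaction ID 0 for GET so the URL is cacheable."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    question = b""
    for label in qname.rstrip(".").split("."):
        question += bytes([len(label)]) + label.encode("ascii")
    question += b"\x00" + struct.pack("!HH", qtype, 1)  # root label, QTYPE, IN
    return header + question


def build_doh_get_url(template, qname):
    """RFC 8484 GET form: the DNS message, base64url without padding, in ?dns=."""
    msg = build_dns_query(qname)
    param = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return template + "?dns=" + param


def decode_dns_param(param):
    """Reverse of the ?dns= encoding (re-add the stripped padding)."""
    padded = param + "=" * (-len(param) % 4)
    return base64.urlsafe_b64decode(padded)


def parse_a_records(msg):
    """Return IPv4 strings from the A records in a DNS response's answer
    section. Handles the name-compression pointers typical responses use."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])

    def skip_name(off):
        while True:
            length = msg[off]
            if length == 0:
                return off + 1
            if length & 0xC0 == 0xC0:  # two-byte compression pointer
                return off + 2
            off += 1 + length

    off = 12
    for _ in range(qdcount):
        off = skip_name(off) + 4  # QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        off = skip_name(off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs


# Constructed response: answer for example.com pointing at a TEST-NET-1
# address (192.0.2.1), not a real resolver's reply.
CONSTRUCTED_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    mapping, ok = plan_upgrade(["8.8.8.8", "192.0.2.53"])
    print("mapping:", mapping, "fully upgradable:", ok)
    print(build_doh_get_url(CLASSIC_TO_DOH["8.8.8.8"], "example.com"))
    print("answer:", parse_a_records(CONSTRUCTED_RESPONSE))
```

The point worth noticing is that the message inside the `?dns=` parameter is byte-for-byte the classic query; DoH changes the transport and therefore who can see the query in transit, not what the resolver at the far end learns, which is exactly the distinction the post draws between on-path encryption and who gets the data at the end of the path.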
Crickets chirping (yeah, we haven’t heard much).
However, for those using macOS, DNS over HTTPS would require the installation of a proxy switcher. This is definitely not something an average user would be comfortable doing. Again, not a lot of information on OS level implementation from Apple.
It is certainly reasonable that critical applications (like banking tools) could use encrypted DNS to communicate directly with their servers. Still, we don’t know of any public plans to take this approach. It is an interesting idea for protecting privacy and security. On the same note, malware can, and already has, done the same.
What remains to be seen is whether these moves to protect privacy with DoH and other technologies can make a difference in the browser market share and can help Microsoft and Mozilla to claw back into the market.
It is still early days, but from all indications, the major software companies are taking reasoned approaches to balance security, privacy and the circle of trust as it relates to the DNS. It is up to the consumer to make a choice – and that is a good thing.