DNS-over-HTTPS and the risks to personal data: a review of expert opinions

On February 25, Mozilla made DNS-over-HTTPS (DoH) the default protocol in its browser for all US users. On the whole, the IT community welcomed the decision, noting that encrypting DNS traffic will improve Internet security. But some see it differently, for example representatives of the RIPE Internet registry.

In today's article, we analyze the main opinions.


A short primer


Before moving on to a review of opinions, we briefly discuss how DoH works and why its implementation causes heated debate in the IT community.

Data exchange between the browser and the DNS server normally happens in the clear. An attacker who can see this traffic can trace which resources the user visits. To address this, the DoH protocol wraps the DNS query in HTTPS traffic. The query goes to a dedicated server that exposes an HTTP API, processes the query and returns a response like the following (example from the DoH specification, RFC 8484, p. 8):

   :status = 200
   content-type = application/dns-message
   content-length = 61
   cache-control = max-age=3709

   <61 bytes represented by the following hex encoding>
   00 00 81 80 00 01 00 01  00 00 00 00 03 77 77 77
   07 65 78 61 6d 70 6c 65  03 63 6f 6d 00 00 1c 00
   01 c0 0c 00 1c 00 01 00  00 0e 7d 00 10 20 01 0d
   b8 ab cd 00 12 00 01 00  02 00 03 00 04

Thus, DNS traffic is hidden inside HTTPS traffic, and queries to the domain name system are concealed from anyone observing the connection.
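To make the response body above concrete, here is an added parser (not code from the article or from the DoH specification) that decodes the 61-byte application/dns-message shown above. It is an ordinary DNS wire-format message, an AAAA answer for www.example.com, and the TTL it carries (0x0e7d = 3709 seconds) is exactly the max-age value in the cache-control header, which is how a DoH server ties HTTP caching to the DNS record lifetime.

```python
import ipaddress
import struct

# Sample input: the 61-byte application/dns-message body quoted in the article
# (bytes.fromhex ignores the spaces between byte values).
DOH_RESPONSE = bytes.fromhex(
    "00 00 81 80 00 01 00 01 00 00 00 00 03 77 77 77"
    "07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 00 1c 00"
    "01 c0 0c 00 1c 00 01 00 00 0e 7d 00 10 20 01 0d"
    "b8 ab cd 00 12 00 01 00 02 00 03 00 04"
)
RR_TYPES = {1: "A", 28: "AAAA"}


def read_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a domain name (following RFC 1035 compression pointers); return (name, next offset)."""
    labels, resume = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:            # 2-byte pointer to an earlier copy of the name
            if resume is None:
                resume = offset + 2          # parsing continues right after the pointer
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:                     # root label terminates the name
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (resume if resume is not None else offset)


def parse_dns_message(msg: bytes) -> dict:
    """Parse the header, question and answer sections of a DNS wire-format message."""
    ident, flags, qdcount, ancount, _, _ = struct.unpack("!6H", msg[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qdcount):
        name, offset = read_name(msg, offset)
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, RR_TYPES.get(qtype, qtype)))
    for _ in range(ancount):
        name, offset = read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata, offset = msg[offset:offset + rdlen], offset + rdlen
        # A/AAAA rdata is a packed address; any other type is left as hex
        data = str(ipaddress.ip_address(rdata)) if rtype in (1, 28) else rdata.hex()
        answers.append({"name": name, "type": RR_TYPES.get(rtype, rtype), "ttl": ttl, "data": data})
    return {"id": ident, "is_response": bool(flags & 0x8000), "rcode": flags & 0xF,
            "questions": questions, "answers": answers}
```

Note that nothing in this body is encrypted by DoH itself: TLS protects it on the wire, but the resolver still sees and can log every query in full.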

Who supports DoH


Western cloud providers, telecoms and Internet providers are speaking out in support of DoH. Many of them already offer DNS services based on the new protocol; a complete list is on GitHub. For example, British Telecommunications says hiding DNS queries in HTTPS will increase the security of UK users.

A year ago, Google began testing DNS-over-HTTPS, and its engineers added the ability to enable DoH in Chrome 78. According to the developers, the initiative will protect users from DNS spoofing and pharming, in which attackers redirect the victim to a false IP address.

At the beginning of the article, we mentioned another browser developer, Mozilla. This week the company turned on DNS-over-HTTPS for all US users: on a fresh install the new protocol is now enabled by default, and existing Firefox installations are to be migrated to DoH in the coming weeks. The rollout does not cover other countries, but users there can enable DNS queries over HTTPS themselves.

Arguments against


Those who oppose the implementation of DoH say that it will reduce the security of network connections. For example, Paul Vixie, one of the authors of the domain name system, claims that it will become more difficult for system administrators to block potentially malicious sites on corporate and private networks.

Representatives of the RIPE Internet registry, responsible for the European and Middle Eastern regions, also came out against the new protocol, pointing to problems with personal data security. DoH transmits information about visited resources in encrypted form, but the corresponding logs still remain on the server that processes the DNS queries behind the API. This raises the question of trust in the browser developer.

RIPE employee Bert Hubert, who was involved in the development of PowerDNS, says the classic DNS-over-UDP approach provides greater anonymity because it mixes together all requests to the domain name system from the same network (home or public). In that case, matching individual queries to specific computers becomes harder.


Some experts also count among DoH's shortcomings the inability to configure parental controls in browsers and difficulties with traffic optimization in CDNs. In the latter case, the delay before content transfer starts may grow, because the resolver will look up the address of the host closest to the DNS-over-HTTPS server rather than to the user. It is worth noting that a number of IT companies are already working on these problems. For example, Mozilla has said that Firefox will automatically disable DoH if the user sets up parental control rules, and the company plans to continue working on more advanced tools in the future.
