
Needing the DoH: The Ongoing Encryption and Centralization of DNS

Conference:  BlackHat USA 2020

2020-08-05

Summary

The presentation traces how network middleware has evolved and what that evolution has meant for privacy, in the context of DNS encryption.
  • HTTP shifted to an encrypted model with HTTPS, making it difficult for anyone on the path to intercept or manipulate the data passing over the connection to the web server.
  • Reverse proxies and cloud computing made the destination IP address much less useful as a piece of information.
  • The TLS handshake used to establish an HTTPS connection still sends the host name in the clear in the SNI extension, which is a problem because it exposes data that cannot easily be inferred from anywhere else in the connection.
  • DoH and DoT are new protocols that encrypt DNS queries, but their adoption could consolidate DNS resolution into a few large providers, which raises its own privacy concerns.
  • TLS 1.3 is replacing TLS 1.2 and its predecessors with an encrypted handshake that makes the entire HTTPS connection opaque to middleware.

In the early days of the internet, knowing the host name was not a particularly egregious oversharing of information, because there was close to a one-to-one mapping between IP addresses and hosts. With the rise of reverse proxies and cloud computing, the IP address became less useful as a piece of information. Today, the TLS handshake used to establish an HTTPS connection sends the host name in the clear using SNI, which is a problem because it exposes data that cannot easily be inferred from anywhere else in the connection.
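The following example is added here to make the SNI point concrete; it is not code from the talk or its author. The SNI extension (type 0) is carried unencrypted in the ClientHello of both TLS 1.2 and TLS 1.3 handshakes, so a passive observer of the first packet can recover exactly the host name this section describes. The ClientHello below is constructed in the script itself (fixed random bytes, one cipher suite) rather than taken from a capture, and the parser is the check a network operator's visibility tooling performs.

```python
import struct

def build_client_hello(server_name):
    """Construct a minimal TLS ClientHello record (constructed sample, not a capture).
    server_name=None omits the SNI extension entirely."""
    extensions = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name     # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    # supported_versions (type 43) advertising TLS 1.3, so the sample resembles a modern hello;
    # note that SNI is still sent in the clear even when TLS 1.3 is negotiated.
    versions = b"\x02\x03\x04"
    extensions += struct.pack("!HH", 0x002B, len(versions)) + versions
    body = (
        b"\x03\x03"                              # legacy_version (TLS 1.2)
        + b"\x11" * 32                           # random: fixed bytes for determinism
        + b"\x00"                                # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"     # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                            # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1 = client_hello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record):
    """Return the host_name carried in a ClientHello's SNI extension, or None.
    Any truncated or non-ClientHello input yields None rather than an exception."""
    try:
        if len(record) < 5 or record[0] != 0x16:           # content type 22 = handshake
            return None
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if len(hs) < 4 or hs[0] != 0x01:                   # handshake type 1 = client_hello
            return None
        pos = 4 + 2 + 32                                   # header, legacy_version, random
        sid_len = hs[pos]; pos += 1 + sid_len
        cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2 + cs_len
        comp_len = hs[pos]; pos += 1 + comp_len
        if pos + 2 > len(hs):
            return None                                    # no extensions block at all
        ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4]); pos += 4
            data = hs[pos:pos + elen]; pos += elen
            if etype != 0x0000:
                continue
            list_len = struct.unpack("!H", data[:2])[0]
            q = 2
            while q + 3 <= 2 + list_len:
                ntype = data[q]
                nlen = struct.unpack("!H", data[q + 1:q + 3])[0]
                q += 3
                if ntype == 0:
                    return data[q:q + nlen].decode("ascii")
                q += nlen
    except (struct.error, IndexError, UnicodeDecodeError):
        return None
    return None

if __name__ == "__main__":
    print(extract_sni(build_client_hello("example.com")))   # example.com
    print(extract_sni(build_client_hello(None)))            # None
```

The same parser works on the first bytes of a real TCP stream to port 443, which is why host-name based filtering and logging survived the move from HTTP to HTTPS while the page contents did not.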

Abstract

Most connections on the Internet start with a DNS request. As the connections themselves have increasingly moved to encrypted methods (primarily HTTP to HTTPS), surveillance and data aggregation by service providers and nation states have transitioned from monitoring the contents of the connection itself to monitoring unencrypted headers and their DNS requests.

In an attempt to protect DNS queries from Monster in the Middle (MITM) interception and manipulation, DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH) have emerged as new proposed standards. These have evoked some concerns as they represent major changes to both the end user and network operators.

These concerns fit into three broad categories: *Centralization* as users move to the few DNS providers that support DoT/DoH; *Visibility & Control* as network operators continue to use DNS as a way to provide services, security, and gather network data; *Moving to Layer 7* as some software decides to handle DNS internally rather than push it down the network stack.

I will demonstrate that while the concerns around centralization are well founded, they are in all likelihood temporary. The concerns around visibility and control are well founded but can be addressed without losing the guarantees of encryption or network administrator control and visibility. I will show that the concerns regarding the move into Layer 7 are the most significant for benign network operators, but also a substantial improvement for consumers on public and home networks, and how these concerns can be balanced against each other.

I will also be open sourcing a tool which detects DoT/DoH support on DNS servers that are advertised in the DHCP leases and optionally uses the encrypted protocols on systems that do not natively support DoT/DoH. This is to encourage the encryption of DNS while also respecting the provided DNS servers.
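As an added example, not the author's tool or code from the talk, the script below shows the wire-level mechanics that a DoH client such as the one described in the abstract has to implement: the same RFC 1035 DNS message that would otherwise travel in a cleartext UDP datagram is base64url-encoded (padding stripped) into the `dns` query parameter of an RFC 8484 GET request, and the `application/dns-message` body that comes back is an ordinary DNS response. The resolver host `resolver.example` is a placeholder, and the response message is constructed inline (answer `192.0.2.1` from the documentation address range) rather than captured from a real server.

```python
import base64
import struct

def encode_name(name):
    """Encode a host name as DNS labels (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(qname, qtype=1):
    """Build a single-question DNS query in wire format.
    RFC 8484 section 4.1 recommends ID 0 for DoH so that identical queries
    produce identical URLs and can be served from HTTP caches."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)   # ID 0, RD set, one question
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)   # class IN

def doh_get_url(resolver, qname, path="/dns-query"):
    """Form the RFC 8484 GET URL; the body would be fetched with Accept: application/dns-message."""
    dns = base64.urlsafe_b64encode(build_query(qname)).rstrip(b"=").decode("ascii")
    return f"https://{resolver}{path}?dns={dns}"

def read_name(msg, pos):
    """Read a possibly compressed name; return (name, position after the name field)."""
    labels, jumped, end = [], False, pos
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:                     # compression pointer (RFC 1035 section 4.1.4)
            ptr = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            if not jumped:
                end = pos + 2
            jumped, pos = True, ptr
            continue
        pos += 1
        if length == 0:
            break
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    if not jumped:
        end = pos
    return ".".join(labels), end

def parse_a_records(msg):
    """Return (rcode, [(name, ttl, ipv4), ...]) from a DNS response message."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x0F
    pos = 12
    for _ in range(qd):
        _, pos = read_name(msg, pos)
        pos += 4                                      # QTYPE + QCLASS
    records = []
    for _ in range(an):
        name, pos = read_name(msg, pos)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        rdata = msg[pos:pos + rdlen]
        pos += rdlen
        if rtype == 1 and rdlen == 4:                 # A record
            records.append((name, ttl, ".".join(str(b) for b in rdata)))
    return rcode, records

# Constructed sample response (not a real capture): example.com A 192.0.2.1, TTL 300,
# with the answer name given as a pointer back to the question (0xC00C = offset 12).
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", 1, 1)
    + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    print(doh_get_url("resolver.example", "example.com"))
    print(parse_a_records(SAMPLE_RESPONSE))           # (0, [('example.com', 300, '192.0.2.1')])
```

Because the query travels inside an ordinary HTTPS request, the only thing a middlebox sees is a TLS connection to the resolver; the host being looked up is no longer visible, which is the visibility loss the abstract discusses and which the author proposes addressing through the network's own advertised resolvers rather than through decryption.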
