DNS over HTTPS is issued in RFC 8484 - but not everyone is happy with it

    In late October the Internet Engineering Task Force (IETF) introduced the DNS over HTTPS (DoH) standard for encryption DNS-traffic, issued it as RFC 8484. It endorsed many large companies, but there were those who remained dissatisfied with the decision of the IETF. Among the latter was one of the creators of the DNS system Paul Vixie (Paul Vixie). Today we will tell you what the point is.


    / photo Martinelle PD

    DNS problem


    The DNS protocol does not encrypt user requests to the server and responses to them. Data is broadcast as text. Thus, queries contain the names of the hosts that the user is visiting. From here it is possible to “overhear” the communication channel and intercept unprotected personal data.

    What is DNS over HTTPS?


    To remedy the situation, the DNS over HTTPS standard, or DNS over HTTPS, was proposed. The IETF began working on it in May 2017. It was authored by engineers Paul Hoffman of ICANN - the corporation for managing domain names and IP addresses - and Patrick McManus of Mozilla.

    A feature of DoH is that requests to determine IP addresses are not sent to a DNS server, but are encapsulated into HTTPS traffic and transmitted to an HTTP server, on which a special resolver processes them using an API. DNS traffic is disguised as normal HTTPS traffic, and client and server communication occurs through the standard HTTPS port 443. The content of the requests and the fact that DoH is used remain hidden.

    In RFC 8484, the Engineering Council cites examplesDNS queries to example.com with DoH. Here is the query with the GET method:

       :method = GET
       :scheme = https
       :authority = dnsserver.example.net
       :path = /dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB
       accept = application/dns-message
    

    A similar request using POST:

    :method = POST
       :scheme = https
       :authority = dnsserver.example.net
       :path = /dns-query
       accept = application/dns-message
       content-type = application/dns-message
       content-length = 33
       <33 bytes represented by the following hex encoding>
       00000100000100000000000003777777076578616d 706c 6503636f 6d 0000010001

    Many of the representatives of the IT industry have supported the IETF standard. For example , APNIC lead registrant researcher Geoff Houston.

    The development of the protocol was supported by large Internet companies. From the beginning of the year (when the protocol was still at the draft stage), DoH is being tested by Google / Alphabet and Mozilla. One of the Alphabet divisions, has released an Intra application for encrypting users' DNS traffic. Mozilla Firefox browser supports DNS over HTTPS since June of this year.

    DoH implemented and DNS-services - Cloudflare and Quad9 . In Cloudflare recently released an application ( this was an article on Habré) to work with the new protocol on Android and iOS. It acts as a VPN to its own device (to the address 127.0.0.1). DNS queries begin to be sent to Cloudflare using DoH, and the traffic follows a “normal” route.

    A list of DoH-enabled browsers and clients can be found on GitHub .

    Criticism of the DoH standard


    Not all industry participants have responded positively to the IETF decision. Opponents of the standard believe that DoH is a step in the wrong direction and it will only reduce the level of security of the connection. The most dramatic about the new protocol was Paul Vixie, one of the developers of the DNS system. On Twitter, he called DoH "utter nonsense in terms of information security."

    In his opinion, the new technology will not effectively control the operation of networks. For example, system administrators will not be able to block potentially malicious sites, and ordinary users will be deprived of the possibility of organizing parental control in browsers.


    / photo TheAndrasBarta PD

    Opponents of DoH suggest using a different approach - the protocolDNS over TLS, or DoT . This technology is adopted as an IETF standard and is described in RFC 7858 and RFC 8310 . Like DoH, the DoT protocol hides the contents of requests, but sends them not over HTTPS, but uses TLS. To connect to the DNS server, a separate port is used - 853. Because of this, sending a DNS query is not hidden, as is the case with DoH.

    DoT technology is also being criticized. In particular, experts note: because the protocol works with a dedicated port, a third party will be able to track the use of a secure channel and, if necessary, block it.

    What is waiting for the protocols further


    According to experts, it is not yet clear which way to protect DNS queries will become more common.

    Now both Cloudflare, and Quad9, and Alphabet support both standards. If DoH Alphabet uses Intra in the above-mentioned application, then DoT protocol was used to protect the traffic in Android Pie. Google also included support for DoH and DoT in Google Public DNS - and the introduction of the second standard was not announced at all .

    The Register publication writes that the ultimate choice between DoT and DoH will depend on users and providers, and now none of the standards have a clear advantage. In particular, according to IT specialists, for the widespread adoption of the DoH protocol in practice, it will take a couple of decades.



    PS Other materials from our corporate IaaS blog:


    PPS Our channel in Telegram - about virtualization technologies:


    Also popular now: