If you agree that it’s high time that all Domain Name System (DNS) queries were encrypted to boost user privacy, two things Google has done in recent weeks will come as good news.
The first was the inclusion of a rapidly-emerging IETF DNS encryption standard called DNS over TLS (DoT) as a default setting in the latest Android 9 ‘Pie’, released in August.
The second arrived yesterday when Alphabet subsidiary Jigsaw (formerly Google Ideas) released a new app called Intra that allows Android users not running 9 (i.e. almost everyone) to get their hands on the same security technology but using a close cousin of DNS over TLS called DNS over HTTPS (DoH).
Under Android 9, DNS over TLS privacy is configured via Settings > Network & Internet > Advanced > Private DNS (the default setting routes via Google’s 18.104.22.168 or 22.214.171.124 but third-party alternatives can be added). Intra essentially offers the same options in the form of an app.
With encrypted HTTPS spreading, the last year has seen a surge in interest in another big part of the web privacy and security puzzle, DNS queries.
Naked Security has already covered DNS privacy in depth. Without it, anyone (ISPs, governments, cybercriminals) can monitor which internet domains someone is visiting – an obvious privacy risk.
In countries whose governments seek to control which websites their populations visit, DNS can also be used maliciously, and cybercriminals can manipulate DNS settings to point victims at phishing sites. Said Intra’s creators:
DNS manipulation lets an attacker block certain websites, prevent people from accessing social media platforms and messaging apps, or redirect people to malicious websites that can download malware.
Why does the Intra app use DNS over HTTPS when Android 9 has plumped for DNS over TLS?
Both work along similar principles at different layers of the protocol stack, both implement server authentication, and both come with some performance overhead.
The short answer could simply be that in the censorship-loving countries the Intra app is aimed at, DNS over TLS might be easier to block because it uses a dedicated port, 853, and sends traffic to a DNS resolver other than the ISP’s mandated one.
Although not inherently more secure, DNS over HTTPS buries the DNS queries inside HTTPS, which makes it look more like ordinary web traffic. Governments and ISPs would have to block all encrypted web traffic (which is more than half of all web traffic) to stop DNS over HTTPS.
End of story?
Unfortunately, while securing HTTPS traffic and DNS queries makes it much harder to monitor sites being visited, it doesn’t remove that possibility completely.
Leaks can still happen through Server Name Indication (SNI), a TLS extension that started life as a way for many websites to share one IP address: the client names its intended destination in plaintext during the handshake, so anyone watching the traffic can read it.
It’s as if the industry has just plugged two large holes – HTTP and plaintext DNS queries – only to discover a small leak that is even more technically challenging to fix. The solution proposed by Cloudflare and Mozilla is Encrypted Server Name Indication (ESNI), although support will be needed in other browsers, notably Chrome, for that to fly.
A more basic problem could be that not everyone will be able to get hold of Intra from the Play Store, which some countries block. However, according to a report in CNET, Jigsaw has field tested it in one country, Venezuela, which shows that this can be overcome.
Users could, of course, try to cut out snooping with a VPN (Virtual Private Network). The downside of this approach is that providers are heavily controlled in some countries. Using a VPN also means placing enormous trust in the VPN provider because they become a de-facto ISP, with access to all of your web traffic.
The dream of a fully encrypted web is ticking off the to-do list of big problems – now for the small ones.