For fans of DNS-over-HTTPS (DoH) privacy, it must feel like a dam of resistance is starting to break.
Mozilla Firefox and Cloudflare were the earliest adopters of this controversial new way to make DNS queries private by encrypting them, followed not long after by the weight of Google, which embedded DoH into Chrome as a non-default setting.
This week an even bigger name joined the party – Windows 10 – which Microsoft has announced will integrate the ability to use DoH, and eventually also its close cousin DNS-over-TLS (DoT), into its networking client.
It looks like game over for the opponents of DoH, predominantly ISPs which have expressed a nest of worries – some rather self-serving (we can’t monetise DNS traffic we can’t see) and others which perhaps deserve a hearing (how do we filter out bad domains?).
Things got so hyperbolic that last summer the UK ISP Association (ISPA) even shortlisted Mozilla for an “Internet Villain” award to punish its enthusiasm for DoH before backing down after a public backlash.
Earlier this month, Mozilla retaliated, accusing ISPs of misrepresenting the technical arguments around encrypted DNS.
We’ve already covered how DoH and DoT work in previous articles, but the gist is they encrypt the queries a computer makes to DNS servers in a way that means intermediaries such as ISP and governments can’t easily see which websites are being visited.
Another way to think of it is that DoH extends the benefits of HTTPS security to DNS traffic. While not perfectly private (data still leaks via things like Server Name Indication), it’s better than sending DNS queries in the clear.
In fact, DoT has some advantages over DoH, but requires ports to be opened in routers/firewalls. DoH is indistinguishable from regular web browsing traffic whereas DoT runs in its own lane, making it easier to block or filter, and requires users to configure more settings to make it work.
Because DoH piggybacks HTTPS, it just works out of the box – as long as the client software supports it, that is. That’s why Windows 10 integration, whenever that appears, is important.
Given that DoH support is already turned on in Firefox (which uses Cloudflare resolution) and Google’s Chrome (which uses its own DNS), what does Windows 10 integration add?
The answer is that it might help re-decentralise the provision of encrypted DNS.
Today, the unencrypted DNS system is highly decentralised, which is good for stability (no single point of failure), and some aspects of security (DNS filtering is used to block malevolent sites). Anyone who doubts the importance of avoiding single points of failure might consider the Dyn DDoS attack of 2016, which caused major internet outages caused by targeting only one provider.
Even users who switch from their ISP’s DNS resolution to public alternatives such as Google’s 22.214.171.124/126.96.36.199 for performance reasons now have plenty of choice.
But if DoH or DoT ends up being turned on by default in browsers, DNS resolution could quickly shrink to a small number of providers, which might in time end up being bad for privacy.
According to Microsoft, the integration of encrypted DNS inside Windows is a way to resist this and hang on to the benefits of decentralisation:
There is an assumption by many that DNS encryption requires DNS centralization. This is only true if encrypted DNS adoption isn’t universal. To keep the DNS decentralized, it will be important for client operating systems (such as Windows) and internet service providers alike to widely adopt encrypted DNS.
However, having decided to embrace encrypted DNS, Microsoft admits there are still technical issues to iron out.
For example, Windows won’t override the defaults set by the user or admin while still being guided by some privacy ground rules:
- Where a chosen DNS resolver offers encrypted DNS, Windows will opt over any unencrypted alternative by default.
- If encrypted DNS is disrupted, Windows won’t silently fall back to a non-encrypted server.
- Enabling encrypted DNS will be as simple as possible to avoid the problem that only experts end up using it.
Given that encrypted DNS has emerged from the IETF, ISPs must already know they are fighting a losing battle.
Although unfolding gradually, the shift to a more private online world appears to be underway whether its opponents like it or not. The battle now is to be on the inside of this change or risk being locked out forever.