Podcast

Root Causes 84: What Is DNS over HTTPS?

Hosted by
Tim Callan
Chief Compliance Officer
Original broadcast date
April 20, 2020

DNS over HTTPS is a capability whereby DNS lookups can be encrypted to defend against certain man-in-the-middle attacks, as well as to protect information about web usage from being revealed to third parties.

In this episode our hosts explain DNS over HTTPS, its potential uses, and how it works. They also explain some of the controversy and potential concerns that have been raised with this approach.

Podcast Transcript

Lightly edited for flow and brevity.
Tim Callan: So, today, we are going to talk about DNS over HTTPS. Now obviously anything that says HTTPS is fair game for us to discuss, and DNS, the world of DNS, can get very bits and bitsy, wouldn’t you say, Jay?

Jason Soroko: It’s been around forever.

Tim Callan: Right.

Jason Soroko: You might think that the world just knows how to do it, and it certainly does. There are all kinds of attacks against it nowadays. There are all kinds of issues around performance. There are all kinds of issues around privacy. But today, we are going to be talking specifically about encrypting DNS lookups between the client and the resolver.

Tim Callan: Ok. So, encrypting DNS lookups between the client and the resolver. I can see obvious use cases for that, or some obvious benefits for that. You know, if I can sit and look at your lookups, I can learn something about your interests and your behavior. This could be used for intel for somebody who is trying a cyberattack. This could be used just to spy on people. This could be a violation of privacy. Are those the right benefits? Are those the real main benefits of this approach?

Jason Soroko: Mostly. Mostly. I think privacy is the one that comes into question quite a lot. I don’t think that there is a protection of privacy that is – in fact, the privacy issue is the more interesting, juicy bit of this that we will talk about in a bit, Tim, because you are really pushing the privacy question off to a different provider, which is interesting.

Tim Callan: Ok.

Jason Soroko: Really the purpose here, first and foremost, is to increase, you could call it, privacy and security by essentially trying to prevent your ISP, who for the most part was probably doing your DNS resolving, from doing so, pushing that DNS resolving to somebody else and then encrypting that resolving between you and the resolver so that your ISP can’t really either manipulate it or log it, or somebody else do some sort of man-in-the-middle attack against it.

Tim Callan: So that implies that you have a greater degree of trust for the new DNS resolver than you did for your original hosting provider?

Jason Soroko: Yeah. It could be. Your ISP could be in a jurisdiction where they are being compelled by government law to log what you are doing or perhaps even to redirect you. I know that in the U.K. that’s in fact the case because of some laws over there. We can get into that, but that’s one reason. As well, I’m sure you remember the whole controversy around ISPs that would monitor your service for the types of traffic that are going through in order to be able to speed you up, slow you down. Those kinds of decisions. There’s all kinds of stuff that the ISPs do that either you may be aware of or you are not aware of, and you might consider it a problem for you.

Tim Callan: So, I’m on the wrong end of net neutrality by virtue of what I do, and I don’t want my performance to suffer, so I do DNS lookup over HTTPS, for instance.

Jason Soroko: Right. Right. And, you know, to be honest with you, there are also cases – and this is true for me – where my internet speed in my jurisdiction is pretty good but my DNS resolving, the performance can sometimes be degraded for whatever reason, and so therefore, sometimes I will switch over to a different DNS resolver just to speed up my DNS resolving.

Tim Callan: At a high level, how does it work?

Jason Soroko: Well, at a high level, how this works is essentially you would redirect your DNS resolving to another provider using DNS over HTTPS. So how do you do that? Well, on a laptop with a browser, Firefox was the first browser to start supporting this, and there are some other browsers right now that are looking into it. I know Microsoft is in the middle of also giving native support to this through Windows 10.

Tim Callan: Ok. So, is this a third-party service that I go sign up for? How does that work? Like, are there people in the business of doing this professionally?

Jason Soroko: Well, if you choose to use Firefox as your browser, I’m not sure if it’s defaulted at the time of this podcast, but I think there was a period where it was default as part of Firefox.

Tim Callan: Oh, wow. Ok. So, are there any disadvantages?

Jason Soroko: Well, again, it depends on who you trust. And very recently in the news, Cloudflare is the DNS resolver behind the Firefox DNS resolving, DNS over HTTPS, and a lot of you may also know of Cloudflare’s app that exists, I believe, on both Android and iOS, which is Cloudflare’s 1.1.1.1 app, which actually performs – essentially it enables you to hijack your DNS requests and perform DNS over HTTPS for your mobile devices.

Tim Callan: So Cloudflare is in so many things. Like, you run into Cloudflare just in so many places. They are so ubiquitous. They touch so much of your typical service, you know, that’s an interesting one, right? Where, you know, on the one hand I think Cloudflare obviously has displayed a lot of competence, and on the other hand, some people might say, gee, I have a lot of my eggs in the Cloudflare basket?

Jason Soroko: Yeah. That’s true. There’s an awful lot of the internet’s piping, if you will, that has to do with Cloudflare, and hey, they’re a competitor and they’ve gotten into a lot of things. But this choice of becoming one of the big de facto DNS over HTTPS resolvers, of course it raised a lot of eyebrows at the beginning because, like I said at the top of the podcast, you are really pushing your DNS request out to a different provider, and that provider being Cloudflare. Now, one of the things Cloudflare said, I think pretty much from the beginning, was that they would wipe their logs within 24 hours, and I think at the beginning as well, and I don’t want to misquote them, but there was some sort of an asterisk within the statements that said the only reason they were keeping the logs was for research purposes, just to make sure that their performance was up to scratch. Something like that. And KPMG, I believe, who was their auditor, released a privacy audit and has apparently said exactly that: yeah, Cloudflare has kept their promise, and all the things they said they were going to do they in fact are doing. So that’s a good thing. It means they are keeping their promises. Really, I guess if there is a fly in the ointment at all, it might have to do with, well, what you are doing with those logs within those 24 hours. Is there any double check for whether that is being copied or sent elsewhere? I’m certainly not accusing Cloudflare of doing anything inappropriate. I’m more repeating what other people might have been thinking or what the controversy may still be.

Tim Callan: But there are other people? Like, Cloudflare is not the only one in the world that does this, right?

Jason Soroko: No. There are others, but Cloudflare I think really is the dominant player.

Tim Callan: Ok. So, HTTPS, DNS over HTTPS. Sounds like it is a very real and certainly, what do I want to say? A potentially beneficial part of what you may have in your mix. Any other thoughts?

Jason Soroko: No, Tim. That’s really it. I wanted to make sure that folks listening to this podcast kind of got the basic gist of this. There is a lot more to it, but I don’t want to get into the weeds, especially because of the fact that it’s a pretty fluid situation anyway.

Tim Callan: Sure. Cool. So, thank you, Jay. Good. Nice explanation of a good fundamental thing that I think people don’t know about that much, and maybe we don’t know about that much.

Jason Soroko: Yeah. Thanks, Tim. These are the kinds of bread-and-butter podcasts that we like to do from time to time.

Tim Callan: Excellent. Thanks, Jay. This has been Root Causes.
