The penny has finally dropped inside ISPs and governments that a privacy technology called DNS over HTTPS (DoH), backed by Google, Mozilla and Cloudflare, is about to make web surveillance a lot more difficult.
In the UK, this matters because under the 2016 Investigatory Powers Act (IPA), ISPs are required to store a record of which websites citizens visit for the previous 12 months, which is done by observing and logging Domain Name System (DNS) requests, e.g. a lookup of xyz.com.
DNS over HTTPS (and its close relative DNS over TLS, or DoT) makes this impossible because it encrypts these requests – normally sent in the clear – hence the panic reported in a recent Sunday Times article (paywall).
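To make the mechanism concrete, here is an added example (not code from the original article) showing what RFC 8484 actually carries: an ordinary DNS wire-format query, encoded into the `dns=` parameter of an HTTPS GET. In classic DNS the very same bytes travel in a UDP datagram to port 53, so the queried labels are readable to anyone on the path; under DoH they sit inside the TLS session, and an observer sees only a connection to the resolver. The resolver URL `https://dns.example/dns-query` and the queried names are constructed sample values, and nothing is sent over the network.

```python
import base64
import struct

# RFC 8484 carries a standard DNS message (RFC 1035 wire format) either in a
# POST body or, for GET, in the URL parameter "dns" as base64url with the
# trailing "=" padding removed. Nothing about the message itself changes;
# only the transport (HTTPS instead of plaintext UDP/TCP port 53) does.

def build_dns_query(qname: str, qtype: int = 1) -> bytes:
    """Build a minimal DNS query for one name (qtype 1 = A record).

    The message ID is fixed at 0, as RFC 8484 recommends for GET requests,
    so that identical questions yield identical, cacheable URLs.
    """
    # ID=0, flags=0x0100 (recursion desired), QDCOUNT=1, AN/NS/AR counts=0
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    labels = b""
    for label in qname.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length in {qname!r}")
        labels += bytes([len(raw)]) + raw
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS=IN
    return header + question


def doh_get_url(resolver_url: str, query: bytes) -> str:
    """Encode a DNS message as an RFC 8484 GET URL (base64url, no padding)."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={b64}"


def qname_from_wire(msg: bytes) -> str:
    """Read the first question name from a DNS message (no name compression,
    which a freshly built query never contains)."""
    pos = 12  # skip the fixed 12-byte header
    parts = []
    while True:
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        parts.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(parts)


def qname_from_doh_url(url: str) -> str:
    """What the DoH resolver (and only the resolver) recovers from the URL."""
    b64 = url.split("dns=", 1)[1]
    b64 += "=" * (-len(b64) % 4)  # restore padding stripped by the sender
    return qname_from_wire(base64.urlsafe_b64decode(b64))


def labels_visible_in_plaintext(query: bytes, qname: str) -> bool:
    """True if every label of qname appears verbatim in the raw message,
    i.e. what a passive observer of classic port-53 DNS can read."""
    return all(label.encode("ascii") in query for label in qname.split("."))


if __name__ == "__main__":
    # Constructed sample: the same question the RFC 8484 examples use.
    q = build_dns_query("www.example.com")
    url = doh_get_url("https://dns.example/dns-query", q)
    print("plaintext DNS exposes labels:", labels_visible_in_plaintext(q, "www.example.com"))
    print("DoH GET request:", url)
    print("resolver decodes:", qname_from_doh_url(url))
```

The `dns=` value produced for `www.example.com` is the same string RFC 8484 itself uses in its GET example, which is a handy check that the encoding is right.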
For more detail on how DoH/DoT works, read our previous coverage on the topic. The takeaway, however, is that Britain’s National Cyber Security Centre (NCSC), and probably the US Government think its unexpectedly rapid evolution imperils the monitoring of terrorism and other illegal content.
Big ISPs also worry it will interfere with complex Content Delivery Network (CDN) traffic caching, make customer management through support and captive portals difficult, and leave them fielding calls from unhappy customers when the third-party DNS servers offering DoH fall over.
Confusingly, the Sunday Times story also says DoH will stymie the UK’s controversial porn block, which enforces age checks before adults can visit big porn sites, although it’s not clear how – encrypting DNS hides the domains people visit but not inherently the fact web requests are being made from UK ISPs (although it would stop ISPs from implementing their own domain filters).
Filter the hysteria and what you’re left with is a technological conflict between ISPs, which have traditionally controlled the first leg of every internet connection, and companies that control the software that sits on devices – primarily Google, but also companies such as Cloudflare and its partner Mozilla, which promote privacy.
Today, users connect to the internet by paying an ISP for a connection. In effect, under DNS over HTTPS, they will then establish a second DNS connection to servers run by companies such as Google and Cloudflare to make web browsing private.
It’s come to a head now because Google is in the process of implementing DoH as part of its public DNS system (220.127.116.11/18.104.22.168), which will be supported at some point in the world’s most popular browser, Chrome, and is already supported in Android 9 (this has been possible for some time on older Android versions by using Google’s Intra app).
Currently, if a government agency wants to know which sites you’ve been visiting they can ask an ISP. In theory, under DoH they could do the same by asking Google, Cloudflare or Mozilla.
Unfortunately, the problem isn’t simply whether those companies would agree to comply, but whether they could even if they wanted to.
For example, Cloudflare has previously said it only logs DNS requests for 24 hours and plans to prove that with a public audit of its behaviour run by KPMG. Compare that to ISPs, which in many countries now collect domain data for up to a year.
Here to stay?
It should have been obvious that something like DoH was coming, since a slew of proposed technologies for encrypting DNS requests started gathering momentum in 2017. Last October, the IETF formally adopted DoH (aka RFC 8484) as the simplest route for this to happen quickly.
Not everyone was happy with this for architectural reasons, not least because it places a lot of trust in the resolver, principally Google, Cloudflare and anyone else who adopts it.
Hitherto, the internet has been built as a compromise between what the user could do and what the service provider would let them do. DoH, some claim, upsets this balance.
The counter-argument is that too many ISPs and governments have lazily used DNS as a quick surveillance fix, for legal, political but also commercial reasons.