
Why not use DNS over HTTPS (DoH)?

Last update: 2018-10-26

tl;dr

DoH is not about protecting your DNS queries from peepers. That is a big lie. It is about making sure only one peeper can see all of your queries.

Refuse to use it today: Open about:config in Firefox and set network.trr.mode to 5. This will prevent Firefox from using DoH under all circumstances.

What is DNS over HTTPS (DoH)?

DNS over HTTPS is described in RFC 8484 as a way to perform DNS by wrapping the queries in HTTP and additionally encrypting the data using TLS. Advocates of DoH stress that the transport encryption protects your DNS queries from peepers like your ISP or your network admin at work. Critics object that all DNS queries are directed to a single DNS provider, who becomes the one known peeper.

The basic idea

The basic idea behind new developments like DoH is to protect your DNS queries from peepers by implementing transport encryption, the same type of transport encryption that protects many other application protocols like HTTP and SMTP. This is a very good idea because DNS queries in clear text contain very interesting metadata about the sites you communicate with over the Internet. This can be useful information for any kind of bad guy, be it the NSA or a cybercriminal.

DoH encrypts, so it must be a good thing

The public didn’t care about this RFC until Mozilla announced that they would implement this new protocol in Firefox for broad field testing in collaboration with Cloudflare. The first reaction to this was: “DNS gets encryption? This must be a good thing.” But slowly people started to realize what the collaboration between Mozilla and Cloudflare really means: Cloudflare gets all your DNS queries.

But Cloudflare has a data protection policy

So what? Cloudflare is a commercial company. And commercial companies, by definition, must earn money. How does a modern company in the IT business earn money? By selling data.

Is there an alternative way?

Yes, there is. It is called DNS over TLS and is specified as a proposed standard in RFC 7858. This provides transport encryption to DNS without abusing HTTP as a transport protocol.
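To make the difference between the two transports concrete, here is an added example (not code from the original post) that builds one DNS query in RFC 1035 wire format and shows what each protocol does with it: DoH (RFC 8484) either base64url-encodes it into a `dns=` GET parameter or sends it as the body of an HTTP POST with the `application/dns-message` media type, while DoT (RFC 7858) just prefixes the two-octet length used by DNS over TCP and hands it to TLS on port 853. The hostname `doh.example.net`, the 192.0.2.1 answer and the response bytes are constructed here; nothing touches the network.

```python
import base64
import struct

A_RECORD = 1
IN_CLASS = 1


def build_query(name, qtype=A_RECORD, txid=0):
    """RFC 1035 query: header, one question, recursion desired.
    Transaction id 0 is what RFC 8484 section 4.1 recommends for DoH,
    so identical queries produce identical (cacheable) HTTP requests."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, IN_CLASS)


def doh_get_path(msg, path="/dns-query"):
    """RFC 8484 section 4.1 GET form: base64url of the wire message, padding removed."""
    b64 = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return "%s?dns=%s" % (path, b64)


def doh_post_request(msg, host, path="/dns-query"):
    """RFC 8484 section 4.1 POST form: the raw wire message is the HTTP body.
    This is the plain HTTP/1.1 text that would be written to the TLS connection."""
    head = ("POST %s HTTP/1.1\r\n"
            "Host: %s\r\n"
            "Accept: application/dns-message\r\n"
            "Content-Type: application/dns-message\r\n"
            "Content-Length: %d\r\n\r\n") % (path, host, len(msg))
    return head.encode("ascii") + msg


def dot_frame(msg):
    """RFC 7858 section 3.3: DoT uses the DNS-over-TCP framing of RFC 1035
    section 4.2.2, a two-octet big-endian length followed by the message."""
    return struct.pack("!H", len(msg)) + msg


def _read_name(msg, off):
    """Decode a (possibly compressed) domain name; return (name, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:              # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_a_response(msg):
    """Return (rcode, [IPv4 addresses]) from a wire-format response, which is
    what a DoH POST body or an unframed DoT record contains."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    off = 12
    for _ in range(qd):                         # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4
    addrs = []
    for _ in range(an):
        _name, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == A_RECORD and rclass == IN_CLASS and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return flags & 0xF, addrs


# Constructed sample response: same question, one A record (192.0.2.1, a
# documentation address) whose owner name is a pointer back to offset 12.
QUERY = build_query("example.com")
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
                   + QUERY[12:]
                   + b"\xc0\x0c" + struct.pack("!HHIH", A_RECORD, IN_CLASS, 3600, 4)
                   + bytes([192, 0, 2, 1]))

if __name__ == "__main__":
    print("DoH GET :", doh_get_path(QUERY))
    print("DoH POST:", doh_post_request(QUERY, "doh.example.net")[:60], "...")
    print("DoT     :", dot_frame(QUERY).hex())
    print("answer  :", parse_a_response(SAMPLE_RESPONSE))
```

Note what the DoT function does not need: no HTTP framing, no media types, no base64, no header parsing on the far end; the resolver reads two octets and then the message, exactly as it already does for DNS over TCP. Everything in the two DoH functions, and the HTTP stack that must parse it on the server side, is the extra code the article is talking about.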

Why are you against changes in DNS?

I’m not. The DNS needs modernization. The DNS needs security features that prevent the peepers from reading your DNS traffic. I’m all for it. But DoH is NOT the answer to this.

But the protocol itself is a good idea

No, it is not. Abusing HTTP as a transport protocol for DNS data adds unneeded complexity to the protocol. You must add an HTTP module to all DNS servers or interact with a separate HTTP server on the same system in order to support DoH. That is a lot of code which can contain a lot of bugs and security flaws. Complexity is the enemy of security.