Needing the DoH: The Ongoing Encryption and Centralization of DNS

Wednesday, August 5, 2020 9:30 PM to 10:10 PM


Most connections on the Internet start with a DNS request. As the connections themselves increasingly have moved to encrypted methods (primarily HTTP to HTTPS), surveillance and data aggregation by service providers and nation states have transitioned from monitoring the contents of the connection itself to monitoring unencrypted headers and their DNS requests.

In an attempt to protect DNS queries from Monster in the Middle (MITM) interception and manipulation, DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH) have emerged as new proposed standards. These have evoked some concerns as they represent major changes to both the end user and network operators.

These concerns fit into three broad categories: *Centralization* as users move to the few DNS providers that support DoT/DoH; *Visibility & Control* as network operators continue to use DNS as a way to provide services, security, and gather network data; *Moving to Layer 7* as some software decides to handle DNS internally rather than push it down the network stack.

I will demonstrate that while the concerns around centralization are well founded, they are in all likelihood temporary. The concerns around visibility and control are well founded but can be addressed without losing the guarantees of encryption or network administrator control and visibility. I will show that the concerns regarding the move into Layer 7 are the most significant for benign network operators, but also a substantial improvement for consumers on public and home networks and how these concerns can be balanced against each other.

I will also be open sourcing a tool which detects DoT/DoH support on DNS servers that are advertised in the DHCP leases and optionally uses the encrypted protocols on systems that do not natively support DoT/DoH. This is to encourage the encryption of DNS while also respecting the provided DNS servers.
Primary Track
Secondary Track
Network Security