
“Loves and dislikes”: DNS over HTTPS

We look at the arguments for and against DNS over HTTPS, a protocol that has recently become a bone of contention between Internet providers and browser developers.





(Photo: Unsplash / Steve Halama)



The essence of the disagreement



Large media outlets and specialist platforms (including Habr) have recently been writing a lot about the DNS over HTTPS (DoH) protocol. It encrypts queries to the DNS server and the responses to them, which hides the host names a user visits from anyone observing the traffic. Judging by these publications, the new protocol (the IETF approved it in 2018) has divided the IT community into two camps.


One camp believes the new protocol will make the Internet more secure and is integrating it into its applications and services. The other is convinced the technology only complicates the work of system administrators. Below we examine the arguments of both sides.



How DoH Works



Before turning to why Internet service providers and other market participants are for or against DNS over HTTPS, we will briefly go over how it works.



With DoH, the DNS query is encapsulated in HTTPS traffic and sent to an HTTPS server, which resolves it through a simple API. Here is an example GET request from RFC 8484 (p. 6):



    :method = GET
    :scheme = https
    :authority = dnsserver.example.net
    :path = /dns-query?dns=AAABAAABAAAAAAAAAWE-NjJjaGFyYWN0ZXJsYWJlbC1tYWtlcy1iYXNlNjR1cmwtZGlzdGluY3QtZnJvbS1zdGFuZGFyZC1iYXNlNjQHZXhhbXBsZQNjb20AAAEAAQ
    accept = application/dns-message


Thus DNS traffic is hidden inside ordinary HTTPS traffic: the client and server talk over the standard port 443, and the queries to the domain name system are not visible to third parties on the network path.
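To make the request above concrete, here is an added Python example (not code from the original post or from RFC 8484) that builds the dns= parameter the way the RFC describes: a wire-format DNS query with ID 0 and only the RD flag set, base64url-encoded with the padding removed. It also decodes the RFC example back into the name it asks for. The function names and the TXT-record case are my own choices.

```python
import base64
import struct

# dns= parameter of the RFC 8484 example request quoted above (page value).
RFC8484_EXAMPLE_DNS_PARAM = (
    "AAABAAABAAAAAAAAAWE-NjJjaGFyYWN0ZXJsYWJlbC1tYWtlcy1iYXNlNjR1cmwtZGlzdGluY3Qt"
    "ZnJvbS1zdGFuZGFyZC1iYXNlNjQHZXhhbXBsZQNjb20AAAEAAQ"
)
QTYPE_A, QTYPE_TXT = 1, 16

def build_query(name, qtype=QTYPE_A):
    """Wire-format (RFC 1035) DNS query with one question.
    ID is 0 and only the RD flag is set, as RFC 8484 recommends so that
    identical queries produce identical URLs and are HTTP-cacheable."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label length: %r" % label)
        qname += bytes([len(raw)]) + raw
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def encode_dns_param(wire):
    """base64url with the '=' padding removed, as the dns= parameter requires."""
    return base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")

def decode_dns_param(param):
    """Inverse of encode_dns_param: re-add padding before decoding."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))

def doh_get_path(name, qtype=QTYPE_A, template="/dns-query"):
    """The :path pseudo-header of a DoH GET for the given name and type."""
    return "%s?dns=%s" % (template, encode_dns_param(build_query(name, qtype)))

def parse_question(wire):
    """Return (name, qtype, qclass) of the single question in a wire query."""
    qdcount = struct.unpack("!H", wire[4:6])[0]
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while wire[pos] != 0:
        n = wire[pos]
        if n & 0xC0:  # compression pointers are not valid in a query name
            raise ValueError("unexpected label type")
        labels.append(wire[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype, qclass = struct.unpack("!HH", wire[pos + 1:pos + 5])
    return ".".join(labels), qtype, qclass
```

Because the ID is fixed at 0, every client asking the same name produces the same URL, which is exactly what makes the GET form cache-friendly; the same property means a resolver sees only the name, never a per-client identifier.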



Why some are against it



Opponents of DNS over HTTPS say the new protocol will reduce, not increase, security. According to Paul Vixie, one of the architects of DNS, it will be harder for system administrators to block potentially malicious sites, while ordinary users will lose the ability to configure so-called parental controls in their browsers.



Vixie's opinion is shared by UK Internet service providers. UK law requires them to block resources with prohibited content, and DoH support in browsers complicates traffic filtering. Other critics of the new protocol include the UK's Government Communications Headquarters (GCHQ) and the Internet Watch Foundation (IWF), which maintains a register of blocked resources.








Experts also warn that DNS over HTTPS can itself become a cybersecurity threat. In early July, researchers at Netlab discovered Godlua, the first malware known to use the new protocol; it is a DDoS bot. The malware used DoH to fetch TXT records and obtain the URLs of its command-and-control servers.



The encrypted DoH requests went unnoticed by antivirus software. Information security experts fear that Godlua will be followed by other malware that is invisible to passive DNS monitoring.



But not everyone is against it



APNIC engineer Geoff Huston spoke in defense of DNS over HTTPS on his blog. In his view, the new protocol will help counter DNS hijacking attacks, which have recently become more common; a January report by the security company FireEye confirms the trend. The protocol's development has also been backed by large IT companies.



Google began testing DoH at the beginning of last year, and a month ago the company announced general availability of its DoH service. Google hopes it will improve the security of personal data on the network and protect against MITM attacks.



Another browser developer, Mozilla, has supported DNS over HTTPS since last summer and is actively promoting the new technology in the industry. For this, the Internet Services Providers' Association (ISPA) even nominated Mozilla for its "Internet Villain of the Year" award. In response, company representatives said they were disappointed by the reluctance of telecom operators to improve outdated Internet infrastructure.





(Photo: Unsplash / TETrebbien)



Large media outlets and some Internet service providers have come out in support of Mozilla. British Telecom, in particular, believes the new protocol will not interfere with content filtering and will improve the security of British users. Under public pressure, the ISPA had to withdraw the "villain" nomination.



Adoption of DNS over HTTPS has also been supported by cloud providers such as Cloudflare, which already offer DNS services based on the new protocol. A full list of browsers and clients with DoH support is available on GitHub.



In any case, it is too early to speak of an end to the confrontation between the two camps. IT experts predict that even if DNS over HTTPS is destined to become part of the mainstream Internet technology stack, it will take more than a decade.






Source: https://habr.com/ru/post/461431/


