Clarity needed as we approach DNS over HTTPS

26th July 2019

Russell Haworth


As the internet approaches its thirty-sixth birthday, something significant about how it works may be changing. It concerns the heart of the Domain Name System (DNS) and, given this is so integral to our operations at Nominet, I wanted to share some thoughts on the growing discussion on DNS over HTTPS (DoH).

The change concerns the technical process behind how websites are found when users seek them. It’s a process that most internet users would not even be aware of, which is a big part of the challenge. The DNS is used for all manner of applications and services, including email, but most users come into contact with it when they want to access a website.

A user types in the domain name they want and a resolver, usually one run by their Internet Service Provider or mobile operator (e.g. BT, Sky or Vodafone), finds the corresponding IP address where the content is hosted. Today that lookup travels as plaintext UDP or TCP on port 53, so anyone on the path can read or alter it. With the new approach – DNS over HTTPS (DoH) – a web browser such as Mozilla’s Firefox or Google’s Chrome bypasses the conventional resolver and sends the same query inside an encrypted HTTPS connection to a remote DoH resolver, which returns the answer. We have summarised this change in the simple infographic below:

DNS over HTTPS infographic
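To make the mechanics in the paragraph above concrete, here is an added example (not code from the original post or from Nominet) of what a DoH client actually sends and receives, following RFC 8484: the ordinary wire-format DNS query is built exactly as it would be for port 53, then carried in an HTTPS GET as a base64url-encoded `dns` parameter (or as the body of a POST with `Content-Type: application/dns-message`). Everything runs offline; the resolver URL `https://doh.example.net/dns-query` is hypothetical and both response messages are constructed for the example, the second one showing what a resolver-side block (NXDOMAIN) looks like to the client.

```python
"""DoH on the wire (RFC 8484): added example, not the original post's code."""
import base64
import struct

DOH_RESOLVER_URL = "https://doh.example.net/dns-query"  # hypothetical resolver (assumption)


def build_query(name: str, qtype: int = 1) -> bytes:
    """Build a wire-format DNS query (RFC 1035) for `name`.
    ID is 0 as RFC 8484 recommends, so identical queries give identical,
    cacheable HTTP requests. Flags 0x0100 = recursion desired."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS IN


def doh_get_url(resolver_url: str, query: bytes) -> str:
    """GET form: the DNS message goes in the `dns` parameter, base64url, no padding."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={encoded}"


def _read_name(msg: bytes, offset: int):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_response(msg: bytes) -> dict:
    """Parse an application/dns-message response: RCODE plus any A records."""
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset, answers = 12, []
    for _ in range(qdcount):                            # skip the echoed question
        _name, offset = _read_name(msg, offset)
        offset += 4                                     # QTYPE + QCLASS
    for _ in range(ancount):
        name, offset = _read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return {"rcode": flags & 0x000F, "answers": answers}


def looks_filtered(parsed: dict) -> bool:
    """Heuristic for a resolver-side block: NXDOMAIN, or a sinkhole address."""
    if parsed["rcode"] == 3:
        return True
    return any(ip in ("0.0.0.0", "127.0.0.1") for _, _, ip in parsed["answers"])


# Constructed responses (not captured traffic). Both echo the question for
# example.com and use a 0xC00C compression pointer back to it.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)        # QR, RD, RA, NOERROR
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)
SAMPLE_BLOCKED_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8183, 1, 0, 0, 0)        # RCODE 3 = NXDOMAIN
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
)

if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_get_url(DOH_RESOLVER_URL, q))
    print(parse_response(SAMPLE_RESPONSE))
    print(looks_filtered(parse_response(SAMPLE_BLOCKED_RESPONSE)))
```

The point worth noticing is that nothing about the DNS message itself changes: the same bytes that today leave the machine unencrypted on port 53 are simply tunnelled inside TLS on port 443, which is why an on-path observer can no longer read or rewrite them, and why a block applied by the old ISP resolver (the NXDOMAIN case above) is silently replaced by whatever policy the remote DoH resolver applies.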

It is worth mentioning that DoH isn’t the only alternative to the current process. You may have heard of DoT, or DNS over Transport Layer Security (TLS). It encrypts the same queries but carries them on a dedicated port (853), so a network operator can recognise and, if need be, block it; DoH shares port 443 with ordinary web traffic and is therefore much harder to tell apart from browsing. Each has merits and flaws, but for now our attention is on DoH because it is most likely to have a wide impact soon.

Firefox and Google Chrome – the two biggest web browsers with a combined market share of over 70% – are both looking to implement DoH in the coming months, alongside other operators. The big question now is how they implement it, whom they offer as the resolvers, and what policies they use. The benefit offered by DoH is encryption, which prevents eavesdropping on or tampering with DNS traffic between the browser and the resolver. It does not hide the queries from the DoH resolver itself, which still sees every domain the user looks up, so the choice of resolver matters as much as the encryption. DoH also raises a number of issues which deserve careful consideration as we move towards it.

Some of the internet safety and security measures that have been built over the years involve the DNS. Parental controls, for example, generally rely on the ISP blocking particular domains for their customers. The Internet Watch Foundation (IWF) also asks ISPs to block certain domains because they are hosting child sexual abuse material. There may also be issues for law enforcement using DNS data to track criminals. In terms of cyber security, many organisations currently use the DNS to secure their networks, by blocking domains known to be associated with malware. All of these measures act at the resolver the user’s network provides, and all of them are bypassed when the browser sends its queries to a different resolver of its own choosing.

Sitting above all of these is one question: will users know any of this is happening? It is important that people understand how and where their data is being used. It is crucial that DoH is not simply turned on by default, with DNS traffic disappearing off to a server somewhere without people understanding and signing up to the privacy implications. This is why we have produced a simple explainer and will be doing more to communicate about DoH in the coming weeks.


DoH can bring positive changes, but only if it is accompanied by understanding, informed consent, and attention to some key principles, as detailed below:

Informed user choice: users will need to be educated on the way in which their data use is changing so they can give their informed consent to this new approach. We also need some clarity on who would see the data, who can access the data and under what circumstances, how it is being protected and how long it will be available for.

Equal or better safety: DoH disrupts and potentially breaks safety measures that have been built over many years. The browsers and DoH resolvers that implement DoH must therefore take on those responsibilities, and current protections must be maintained.

Local jurisdiction and governance: Local DoH resolvers will be needed in individual countries to allow for application of local law, regulators and safety bodies (like the IWF). This is also important to encourage innovation globally, rather than having just a handful of operators running a pivotal service. Indeed, the internet was designed to be highly distributed to improve its resilience.

Security: Many organisations use the DNS for security by keeping suspicious domains that could serve malware out of their networks. It will be important for DoH to allow enterprises to continue to use these methods – at Nominet we are embracing this in a scalable and secure way for the benefit of customers through our cyber security offering.

Change is a constant in our digital age, and I for one would not stand in the way of innovation and development. This new approach to resolving requests could be a real improvement for our digital world, but it must be implemented carefully and with the full involvement of Government and law enforcement, as well as the wider internet governance community and the third sector.

Find out more about Nominet’s cyber security services on our website.
