There’s an awful lot going on in the world of DoH at the moment – so rather than writing one huge rambling post I’m going to try to cover everything in several shorter rambling posts. I’m going to start by taking a look at a presentation that Mozilla gave regarding “DNS in applications”, which I have many issues with and which I think highlights the fundamental disconnect between the Mozilla developers and the people that actually have to deal with network and user security. A lot of this has been discussed extensively on the IETF “Applications doing DNS” (ADD) discussion list. If you’re on that list I’m not going to be saying much that is new, but with that said let’s start looking at the presentation.
The slides start with the seemingly reasonable statement that:
“Individuals’ security and privacy on the internet are fundamental and must not be treated as optional.”
This becomes problematic when the goals of “privacy” and “security” are at odds. For instance, if I choose to use a DNS service that filters out malware sites, I lose a little privacy but I gain greater security. If I’m using someone else’s network, when does their security trump my privacy? Moving a crucial setting such as the DNS resolver from system to user space, and thus making it trivial to change, also isn’t going to improve anyone’s security. With the rush to deploy DoH, far too much attention has been paid to the “privacy” element, to the great detriment of the security element.
“But we also care about who gets the information”
I think we all care about who gets our DNS information, to a greater or lesser extent, which is why Mozilla deciding that that’s a decision they can make on our behalf is so galling. The argument Mozilla have made repeatedly is that end users don’t know about DNS so aren’t making informed choices. As a response to ill-informed users, Mozilla have taken on the burden of making that choice on behalf of everyone. They’ve decided that they’ll get to pick who gets to see our DNS information. They can’t argue that we can just change it, because their entire premise is that we’re too ignorant to be making that choice. So rather than my DNS going to my ISP, with whom I have a legal contract, it now goes to a provider chosen by Mozilla with whom I have no legal standing and who (currently at least) are in a foreign jurisdiction that is well known for snooping on the internet as a whole. You’ll forgive me if I don’t see that as an improvement.
“Individual control, with strong privacy properties for defaults”
I’m really not sure how DoH gives me any more individual control than choosing my DNS provider at the normal OS level or using any of a number of DNS VPN type solutions. Further, as previously mentioned, since I won’t have a legal relationship with the “Trusted Recursive Resolver” (TRR) I’d argue that my individual control is reduced. Just because Mozilla have decided the TRR can be trusted doesn’t mean I share that view. That strong privacy is also dependent on the TRR keeping its word and not abusing the data it will be seeing, and the large tech firms really don’t have a good track record on that, and neither does the USA – so I’m not exactly filled with confidence on that score.
“An important value of a single communications network resides within the concept of a single referential framework, where my reference to some network resource can be passed to you and still refer to the same resource.”
This is entirely true, and with each application having its own DNS settings this may well no longer be the case. With CDNs providing answers based on the location of the resolver, two applications querying for the same resource may get different answers. This will, as Mozilla admit, be a distinct problem for environments that use split-horizon DNS – but that, it seems, is a problem for other people to clean up.
“Lots of reasons for applications not to do DNS”
On this longer list of reasons not to let applications do DNS, they correctly say that applications will screw it up. This is utterly true: I’ve already observed several applications doing DoH without doing certificate validation, which means any on-path party can answer as the resolver and the encryption buys nothing. It may not be a race to the bottom, but it will represent a massive centralisation of DNS services, which is an entirely different conversation, but it’s widely agreed that this is not a good thing. This also ignores the overhead of supporting and managing a system where every application has a different DNS server or has to have its DNS setting changed manually.
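To make the certificate-validation point concrete, here is an added example (my own illustration, not code from the post, from Mozilla or from any of the applications mentioned) of a minimal RFC 8484 DoH client in Python that builds a wire-format A query, parses the A records out of the answer, and uses a TLS context that actually verifies the resolver’s certificate; the resolver hostname doh.example is a placeholder assumption, and SAMPLE_RESPONSE is a constructed reply so the parsing can be exercised offline.

```python
import ssl
import struct
import http.client

def build_query(name: str, qid: int = 0) -> bytes:
    """Minimal DNS wire-format A query (RFC 1035); RFC 8484 recommends ID 0 over DoH."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.strip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a name, handling a compression pointer."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2  # a pointer is two bytes and terminates the name
        off += 1 + msg[off]
    return off + 1

def parse_a_records(msg: bytes) -> list[str]:
    """Extract A-record addresses from a DNS response message."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs

def verifying_context() -> ssl.SSLContext:
    """Correct TLS setup: CA chain verified and hostname checked. The defect the post describes
    looks like ssl._create_unverified_context() or check_hostname=False with verify_mode=CERT_NONE."""
    return ssl.create_default_context()  # check_hostname=True, verify_mode=CERT_REQUIRED

def doh_lookup(name: str, host: str = "doh.example") -> list[str]:
    """RFC 8484 POST to a placeholder resolver hostname over verified TLS (needs network access)."""
    conn = http.client.HTTPSConnection(host, context=verifying_context(), timeout=10)
    conn.request("POST", "/dns-query", body=build_query(name), headers={
        "Content-Type": "application/dns-message", "Accept": "application/dns-message"})
    resp = conn.getresponse()
    if resp.status != 200:
        raise RuntimeError(f"DoH resolver returned HTTP {resp.status}")
    return parse_a_records(resp.read())

# Constructed response to build_query("www.example.com"): one A answer, 192.0.2.1 (RFC 5737 test address)
SAMPLE_RESPONSE = (b"\x00\x00\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00" + build_query("www.example.com")[12:]
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
```

Swapping verifying_context() for an unverified context is exactly the mistake described above: the query is still encrypted, but to whoever happens to be answering on the path.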
“DNS is was an effective control point”
They do sort of have that right now, as they’ve driven a massive hole through a very effective control point. Repeatedly on the ADD list I’ve seen this justified by the attitude that the control should be on the endpoint, and that VPNs are easy to set up to avoid a DNS control point. There is just so much wrong with this attitude. Firstly, no, DNS isn’t 100% effective, but it is a very cheap and simple method to provide a solution that is probably 80% effective. Then, having simply dealt with the easy stuff and the people that aren’t actively trying to get round your controls, you have a smaller haystack to examine to find the genuinely troublesome behaviour. The idea that security should be on the endpoint, whilst laudable, also ignores the cost and complexity of actually implementing that. In a BYOD situation, on a WiFi hotspot, or even on your home network that you let friends use, you don’t have control over the endpoint but you may still want to enforce a degree of policy, which can be reasonably achieved with DNS – not perfect but good enough. Likewise ISPs could meet legal filtering requirements using DNS because it solved enough of the problem. If the bad guys wanted to spin up their own alternative DNS protocol they had to maintain that infrastructure and were thus more easily detected. Of course now that Google and Cloudflare are providing the infrastructure for them, in a way deliberately designed to be “difficult” to block and that explicitly won’t stop the bad guys’ traffic, the bar has been substantially lowered. So people that Mozilla considered not technical enough to consider their DNS settings now have to buy, install and manage security solutions for every connected endpoint in their house. In the name of protecting users’ privacy, DoH has substantially degraded many users’ security.
As DoH usage becomes more widespread it will eventually render DNS controls insufficient, at which point alternative methods will have to be used, and I doubt we’ll like those solutions. Those alternative solutions will inevitably be more invasive and have far higher overheads.
“Alternative name resolution happens”
Yes it does, but not an awful lot of it, so you could put in a simple DNS based solution and have the majority of your name resolution covered, leaving you more resources free to deal with those alternatives. Also this is a bit like saying that doors don’t matter because windows exist, and therefore you may as well just knock a massive hole in the wall. DNS based security isn’t enough on its own, and I’ve never seen anyone argue that it was, but that doesn’t make it ineffective. If you can stop a lot of problematic traffic with DNS, then your other measures have less to deal with.
“DNS for captive portals”
Again, the argument they seem to be using is that the current solutions aren’t perfect, so it doesn’t matter that we’re going to make things substantially worse. In many ways this is the typical response of DoH advocates to any objection:
“Your current usage isn’t perfect, so it doesn’t matter if we make it even worse. We’re going to piss all over your current methods and you’ll just have to clean it up.”
Yes, the increase in HTTPS does make captive portals less effective, but there aren’t yet any good, easily deployed alternatives, especially ones that are device agnostic and easy for people to use without having to deploy yet more clients.
“Content filtering by DNS name”
Again, the argument is that the filtering isn’t perfect because it doesn’t cover the case where you just want to block a single page or image. No, DNS might not be that granular, but it does a great job when you want to block an entire site or an entire domain. So yet again DNS filtering does a great job blocking a large chunk of the stuff you want to block, meaning that firewalls and other protections only have to deal with the smaller set of more granular blocking. Also, to block a specific resource you need to have visibility of the entire session rather than just the DNS request. If there is a way that specific resources can be blocked without all of a user’s traffic being inspected I’d love to hear it. It seems to me that to protect the privacy of my DNS requests I’m having to give up the privacy of all of my traffic. Now that the cheap, lightweight, non-invasive DNS based methods have been declared ineffective, what’s left is full traffic inspection so that a more granular and slightly more effective control can be put in place. So much for privacy being fundamental and not optional. As they rightly say, “Endpoint cooperation is necessary to be fully effective”, but in many cases you don’t need to be fully effective, just effective enough. To be fully effective the user has to surrender their privacy entirely to whoever manages the endpoint security, which is fine as long as that is never compromised and can be entirely trusted, just ignore the increased cost and overhead.
“DNS is NOT an effective control surface”
By now you should have gathered that I think this is a risible statement. DNS is a perfectly effective control surface for a large percentage of use cases. It’s not perfect, but no control surface is. It is, however, easy to implement, has low overheads and minimal impact on the user, and allows the user a high degree of privacy and freedom on whatever device they’re using. I do wonder just how Mozilla are judging the effectiveness of DNS as a control surface – it may not be perfect but it is effective. A control surface doesn’t need to provide 100% efficacy to be effective.
“DNS is plumbing”
DNS is plumbing and users shouldn’t need to care about it, but DoH makes users care about it. By bringing DNS into the application, the user now has to deal with multiple systems, and to manage more complex and invasive alternative control points. Instead of being able to make an informed choice about how to handle DNS once, people will now have to check every application for how it has its DNS configured and set that to their choice. Enterprises will now have to deal with ensuring that no application is leaking internal names out to the DoH provider of the application’s choice. DNS should be encrypted, but DoH is a cure far, far worse than the disease.
“Applications will choose who they trust with data”
I think this line is very telling. They started by saying that users’ privacy and security were paramount, but now it’s the applications choosing who to trust, not the user. Users will now have to be on constant guard against applications not honouring their choices, or updates deciding that they know better than the user who to trust.
“Entities looking to exert control will have to engage with owners of endsystems”
This has always been true, and DNS is one of the ways that the owners of endsystems can be engaged with.
I think there is a great deal of hubris and arrogance in Mozilla’s position. They acknowledge that many people are using DNS as a solution for many problems currently, but have apparently decided that because those solutions aren’t perfect they can be wilfully degraded further and everyone else can be left to fix the mess and pick up the cost of moving to “better” solutions.