Naked Security

Just how private are your browsing habits?

DNS-over-HTTPS sounds as though it should be safer than plain DNS, because of the "HTTPS" part - but not everyone is delighted about it...

In the past few days, we’ve written about both Mozilla and Google adopting DNS-over-HTTPS in their browsers.

We’re supposed to use HTTPS wherever we can, so “something-over-HTTPS” sounds as though it ought to be more secure than “the-same-something-not-encrypted-at-all”…

…and yet not everyone is happy about this whole DNS-over-HTTPS thing.

Can more security really mean less privacy? We went live to discuss the issues:

(Watch directly on YouTube if the video won’t play here.)

13 Comments

Call me dumb, but I don’t understand why a browser has to query DNS for every web page of a website we visit. Why can’t it cache the DNS query results for 2-3 hours to avoid redundant queries? This way the metadata collectible by the DNS provider would be much less significant and would raise far fewer privacy concerns.

It does cache the data, but [a] one lookup is enough to reveal your apparent interest in a domain and [b] in this modern era of content delivery networks where web pages are served from thousands of different possible locations to adapt to changes in load, DNS caching times are often a lot shorter than 2 hours anyway. Five minutes is pretty common these days – after that much time has passed you’re supposed to check back with the DNS network anyway.

When a web page is served from different locations, does it mean that a DNS lookup of a domain name may result in different IP addresses? If not, then the cached results’ life-cycle can be extended well beyond 5 minutes. Changing the IP address associated with a domain doesn’t happen frequently, and whenever it does, we expect a delay of up to 48 hours for the change to propagate. Adding a couple of hours to the life-cycle of the DNS cache seems like an acceptable trade-off considering the gains in performance and privacy when using DNS over HTTPS.

When you look up a DNS record you get back a TTL (‘time to live’) value with it, given in seconds. 300 is commonly used these days, so that for the next 5 minutes your DNS resolver will feed you the original value it got back if you request it again. After that, it should do another lookup to see if the record changed. TTLs of hours or days for busy domain names seem to be pretty rare these days.

You could choose to ignore the TTL but you aren’t supposed to (for obvious reasons) and even if you did, you would have to do a genuine lookup the first time you accessed a domain. So your DNS provider would still have a record of that.

Thanks Paul. So, if I understand correctly, it is possible for a single domain name to be associated with more than one IP address at the same time, and the DNS server determines which IP address is returned at a given time for a given request.

A DNS reply can give multiple IP numbers. The lookup can be different every time you try it.

The issue here is how often you need to repeat cached lookups – it doesn’t matter what the answer is – because that determines how much logging data the DNS provider obtains from you…

Been using simple DNSCrypt for a while so ALL my DNS traffic is secure (as far as I know).
Good to see the masses adopting it.

I would like to know if browser-managed DNS queries will be redirected to Google name servers (for example), thereby overriding the DNS values defined in the local TCP/IP stack. If so, this would be yet another vector for data harvesting. What’s in your wallet?

For now, Mozilla’s DNS-over-HTTPS lookups will go via Cloudflare’s DNS service by default. Cloudflare is a massive content delivery network and anti-DDoS company. Google’s will go via one of a short list of providers, including Google’s own DNS service.

Mozilla’s option will be turned on by default, so you may get autoswitched from your current DNS provider to Cloudflare.

Google’s option will be turned on only if you are already using one of the services on its list, so you may get ‘bumped up’ to DNS-over-HTTPS but you won’t get autoswitched to a different DNS provider.

Only DNS requests from the browser will be affected for both Firefox and Chrome.

For more info, click on the links under the words Mozilla and Google in the article…

No mention of why this is a bad thing for enterprise networks that use internal Active Directory DNS servers to resolve internal web sites, which the browser’s DoH servers would not be able to resolve. Mozilla’s approach will have to time out before you can get DNS for internal sites, making me believe the best option will be to simply disable it. Chrome’s implementation seems to be a bit smarter: it will only enable DoH if your operating system’s DNS servers are pointed at a provider that supports DoH, the assumption thereby being that you are not going to need internal name lookup services.

Mozilla’s DNS-over-HTTPS can be disabled centrally by making your company DNS server reply NXDOMAIN to DNS requests for use-application-dns.net.

See here (go to comments):

https://nakedsecurity.sophos.com/2019/09/10/mozilla-increases-browser-privacy-with-encrypted-dns/
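To make the canary-domain mechanism in the comment above concrete, here is an added example (not code from the article, Mozilla or any resolver project) of the policy an internal resolver applies: it builds a plain DNS query in wire format, and answers the query for use-application-dns.net with an NXDOMAIN response (RCODE 3) while leaving every other name to be forwarded as normal. The query builder, the packet layout and the hypothetical hostname in the test are all constructed for illustration; real deployments would set this policy in the resolver’s own configuration.

```python
import struct
from typing import Optional, Tuple

CANARY = "use-application-dns.net"  # name Firefox checks before enabling DoH
RCODE_NXDOMAIN = 3                   # RFC 1035 "Name Error"

def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Encode a minimal standard query (QTYPE A, QCLASS IN) with RD=1."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def parse_qname(pkt: bytes, offset: int = 12) -> Tuple[str, int]:
    """Decode the question name (no compression pointers in a stub query).

    Returns the dotted name and the offset just past its terminating zero.
    """
    labels = []
    while True:
        length = pkt[offset]
        offset += 1
        if length == 0:
            break
        labels.append(pkt[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset

def canary_policy(query: bytes) -> Optional[bytes]:
    """Return an NXDOMAIN response for the canary name, else None (forward)."""
    qid, flags = struct.unpack("!HH", query[:4])
    qname, end = parse_qname(query)
    if qname.lower() != CANARY:   # DNS names compare case-insensitively
        return None
    # Flags: QR=1 (0x8000) AA=1 (0x0400) RA=1 (0x0080), RD copied, RCODE=3
    rflags = 0x8480 | (flags & 0x0100) | RCODE_NXDOMAIN
    header = struct.pack("!HHHHHH", qid, rflags, 1, 0, 0, 0)
    return header + query[12:end + 4]  # echo question incl. QTYPE/QCLASS

def rcode(response: bytes) -> int:
    """Extract the 4-bit RCODE from a response header."""
    return struct.unpack("!H", response[2:4])[0] & 0x0F
```

Firefox treats an NXDOMAIN (or otherwise empty) answer for the canary name as the network operator’s signal to keep using the system resolver.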

I recently read that Microsoft have released Edge in beta for macOS.

Yes! You’re right – the announcement was in fact back in May 2019.

I’ll stand by the strict correctness of my claim that you don’t get Edge for Mac – not yet – because it is still a work in progress, yet you can get it if you want.

Might give it a try myself, although I am one of the “significant minority” who’s chosen Firefox simply because it isn’t from one of the Big Three OS makers. I am not sure there is any science to that but it seems harmlessly comforting enough…