DoH, the last step to ensure web privacy

2019/12/01 Leturia Azkarate, Igor - Computer scientist and researcher, Elhuyar Hizkuntza eta Teknologia. Source: Elhuyar aldizkaria

To protect the privacy and security of users on the web, the main players on the network have introduced a series of changes in recent years. The latest step on this path is to make the requests sent to the DNS system confidential, by encouraging them to be made over the secure HTTPS protocol using the technology called DoH.

An article written in this section almost five years ago (in January 2015, to be precise) described how the main players on the web were taking measures so that no one could spy on users' activity. As it explained, a new version of the HTTP protocol, HTTP/2, had just been presented, in which browsing is done over HTTPS whenever possible (in the HTTPS protocol, all communication is encrypted). All web browsers had implemented HTTP/2 by the end of 2015.

The article also announced the forthcoming Let’s Encrypt certificate issuer, created to promote the use of HTTPS on web servers. For the first time, this initiative would allow web servers to obtain and renew digital certificates easily and free of charge. The service was launched in April 2016 and I think it has spread widely.

However, even when communication with a website takes place entirely over HTTPS, there is another very important and necessary component of web browsing that currently has no security or privacy measures, and that leaves us defenseless against spying and traps: the DNS system.

What is the DNS system?

DNS stands for Domain Name System. Domain names are the names humans use to identify services and websites: www.google.com, www.berria.eus... However, web servers are identified and located on the Internet by an IP address such as 172.217.4 or 145.239.192.54. Therefore, for a web browser to access a web page, it first needs to know the IP address that corresponds to the requested domain name. That is what the DNS system is for.

DNS is one of the services of the Internet. It is a distributed service, in which some servers hold the information for some domains and other servers for others. Our computer makes its first request to a DNS resolver, which forwards requests to other servers until it obtains the IP address corresponding to the domain name.

DNS protocol issues

The DNS protocol predates the web (it dates from 1983) and has hardly undergone any major security changes or updates since then. DNS requests and responses are not encrypted, which leads to security risks and a lack of privacy.

On the one hand, our Internet service provider, the owner of the WiFi network we are connected to, and all the intermediate servers and routers on the path of the DNS request and response can see the DNS request we are making, and therefore the website we want to visit. This can be used, for example, to build a profile of our preferences and sell it to advertising companies.

On the other hand, anyone along the path can modify the IP address in the response and send us to a page we did not ask for. Thus, when we try to visit the website of our bank or mail provider, they can direct us to a malicious website that looks the same and steal our data. Or if we are in a large store and want to use our phone to check whether a product is cheaper at a competitor, and we connect through the store's WiFi, they can make it appear that the competitor's website is not working. Although these cases are somewhat extreme and not so common, this same modification of the DNS response is used for censorship; recently, for example, to close the Tsunami Democràtic websites. Internet providers take care of redirecting requests for these domains to another IP address, where a page is displayed stating that the website has been closed.

DoH solution

The solution may be DoH (DNS over HTTPS), a technology that carries DNS requests and responses over the encrypted HTTPS protocol. Since the messages are encrypted, intermediaries can neither see which domain we want to visit nor change the IP address in the response.
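As an added illustration (not part of the original article), the following Python sketch builds a DNS query in the standard wire format and wraps it as a DoH GET request as defined in RFC 8484. The resolver URL `https://doh.example/dns-query` is a placeholder and the function names are hypothetical; nothing is sent over the network.

```python
import base64
import struct

def build_query(name: str, qtype: int = 1) -> bytes:
    """Build a DNS query in RFC 1035 wire format (qtype 1 = A record)."""
    # Header: ID=0 (RFC 8484 recommends 0 so HTTP caches can be shared),
    # flags=0x0100 (recursion desired), 1 question, no other records.
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label
        for label in name.rstrip(".").encode("ascii").split(b".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN

def doh_get_request(query: bytes, resolver_url: str) -> tuple[str, dict]:
    """Wrap the query as an RFC 8484 GET: base64url without padding."""
    dns_param = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={dns_param}", {"Accept": "application/dns-message"}

def decode_question(dns_param: str) -> tuple[str, int]:
    """Recover (name, qtype) from a ?dns= value, as the DoH resolver does."""
    raw = base64.urlsafe_b64decode(dns_param + "=" * (-len(dns_param) % 4))
    pos, labels = 12, []  # the question section starts after the 12-byte header
    while raw[pos]:
        length = raw[pos]
        labels.append(raw[pos + 1 : pos + 1 + length].decode("ascii"))
        pos += 1 + length
    (qtype,) = struct.unpack("!H", raw[pos + 1 : pos + 3])
    return ".".join(labels), qtype

if __name__ == "__main__":
    q = build_query("www.berria.eus")
    # Classic DNS: these bytes travel unencrypted over UDP port 53, so the
    # name is readable by every device on the path.
    print("name readable in plaintext DNS payload:", b"berria" in q)
    # DoH: the same bytes travel inside the TLS-protected HTTPS request,
    # so only the resolver (placeholder URL) can decode the question.
    url, headers = doh_get_request(q, "https://doh.example/dns-query")
    print(url, headers)
    print(decode_question(url.split("?dns=")[1]))
```

The DNS message itself is unchanged by DoH; only the transport differs, which is why the resolver still sees every name it is asked for.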

The main web browsers have already implemented it. Firefox did so more than a year ago, although not by default: we must activate it manually. Google’s Chrome browser has also supported it since September this year, and Android since version 9.

Some DNS resolvers have already implemented it too, such as that of the well-known company Cloudflare, which is the one Firefox uses by default. Chrome, for its part, uses a DoH resolver offered by Google.

Is it really the solution?

DoH is spreading, but not everyone approves of it. It is also receiving criticism and has sparked more than one controversy.

On the one hand, critics say that with DoH nothing guarantees that the DNS resolver will not profile our browsing and sell it to advertising companies. They are right, and in that case we would have to call it a DNS "ebasle" (Basque for "thief", a play on "ebazle", "resolver"; sorry, joke ;-). But that is something that can never be avoided; we will always have to trust someone.

On the other hand, until now all Internet services have used a single DNS resolver, defined for everything at the level of the computer's operating system. In home networks it is usually our Internet service provider's resolver, configured on the router; in business networks it is the one defined by the system administrators. They can place filters on the DNS resolver or on the router itself to prevent access to certain sites. The software used to restrict the websites our children can browse also relies on the DNS system, as do antivirus programs and firewalls that block malicious websites. None of them can do so if the web browser replaces the system's DNS resolver with a DoH resolver.

Finally, the DoH system gets around the aforementioned censorship. You can easily check it: activate DoH in the Firefox settings and you can see the Tsunami Democràtic website without problems. And, of course, governments don't like that...

In view of the criticism from companies, Internet providers, software manufacturers and governments, Mozilla has stated that Firefox will check whether a business or parental filter is installed on the network or system and that, in that case, it will not use DoH. It adds that in some countries it will not prioritize DoH until it has considered how to accommodate possible government blocks. But how will it decide in which countries government blocks are legitimate and in which they are censorship? Will DoH stop censorship only in China, Turkey, etc.? And in Spain and France? In the end, in a system created, among other things, to avoid censorship, Mozilla is opening the way to accepting censorship in some cases.

In view of all this, it is clear that when we said in the title that DNS over HTTPS is the last step to ensure privacy on the web, we meant the latest step, not the last one that will be needed... This topic of security and privacy on the web still has a long way to run.