Wandering Thoughts archives

2020-03-14

The two meanings of 'DNS over HTTPS' today

When I wrote about how sensible heuristics for when to use DNS over HTTPS can't work for us, in a comment Guus asked about us setting up a DNS over HTTPS service alongside our existing resolver. Depending on your perspective, this is either an obvious good question or one with an obvious answer, and the thing is, neither of those perspectives is wrong. In common usage today, 'DNS over HTTPS' has become ambiguous; depending on context it can mean one of two things.

The first thing it means is DNS over HTTPS the protocol (RFC 8484). In this usage, you can set up your own DoH server, configure clients to use it, and so on. Whether this is a sensible action depends on your threat profile and what clients want to do. My general feeling is that right now it mostly doesn't make sense, because there should not normally be any untrusted snooping on your networks happening between your clients and your local DNS servers. If clients really want to use DoH you could set it up anyway, but it's not really adding much security.
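As an added example (not code from the original post), the following Python sketch shows what 'DNS over HTTPS the protocol' actually puts on the wire per RFC 8484: an ordinary DNS wire-format query, either base64url-encoded into the `dns=` parameter of an HTTPS GET or sent as an `application/dns-message` POST body, with the reply being an ordinary DNS response message. The resolver URL is a hypothetical placeholder and the response is constructed inline, so nothing here touches the network.

```python
"""DNS over HTTPS (RFC 8484) message handling, worked offline.

Added illustration, not the post author's code. The resolver URL below is a
hypothetical placeholder; the "response" is constructed by build_response()
rather than fetched from anywhere.
"""
from __future__ import annotations

import base64
import struct

DOH_URL = "https://doh.example.internal/dns-query"  # hypothetical local resolver
A_RECORD, IN_CLASS = 1, 1


def build_query(name: str, qtype: int = A_RECORD, qid: int = 0) -> bytes:
    """Encode a recursive query for `name` in DNS wire format (RFC 1035).

    RFC 8484 recommends a DNS ID of 0 so that identical queries produce
    identical HTTP requests and can be served from HTTP caches.
    """
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, IN_CLASS)


def doh_get_url(base_url: str, query: bytes) -> str:
    """GET form: `dns` parameter is unpadded base64url of the wire query."""
    token = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{base_url}?dns={token}"


def doh_post_request(query: bytes) -> tuple[dict[str, str], bytes]:
    """POST form: the raw wire query is the body, typed as application/dns-message."""
    headers = {"Content-Type": "application/dns-message",
               "Accept": "application/dns-message"}
    return headers, query


def decode_get_param(token: str) -> bytes:
    """Server side of the GET form: restore padding and decode the wire query."""
    return base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))


def build_response(query: bytes, addrs: list[str], ttl: int = 300) -> bytes:
    """Constructed answer: echoes the question, adds one A record per address,
    using a compression pointer (0xC00C) back to the question name."""
    qid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, len(addrs), 0, 0)  # QR, RD, RA
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", A_RECORD, IN_CLASS, ttl, 4)
        + bytes(int(octet) for octet in addr.split("."))
        for addr in addrs)
    return header + query[12:] + answers


def parse_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a (possibly compressed) domain name; return (name, next offset)."""
    labels: list[str] = []
    while True:
        length = msg[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer into the message
            ptr = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            tail, _ = parse_name(msg, ptr)
            labels.append(tail)
            return ".".join(labels), offset + 2
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def parse_a_records(msg: bytes) -> list[str]:
    """Extract IPv4 addresses from the answer section of a DNS response."""
    _qid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):
        _, offset = parse_name(msg, offset)
        offset += 4  # QTYPE + QCLASS
    found: list[str] = []
    for _ in range(ancount):
        _, offset = parse_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == A_RECORD and rdlen == 4:
            found.append(".".join(str(b) for b in rdata))
    return found


if __name__ == "__main__":
    q = build_query("example.com")
    print("GET ", doh_get_url(DOH_URL, q))
    print("POST", doh_post_request(q)[0])
    # Constructed reply using TEST-NET-1 addresses (RFC 5737), not real data.
    print("A   ", parse_a_records(build_response(q, ["192.0.2.1", "192.0.2.2"])))
```

The point worth noticing is that the DNS payload is unchanged; DoH only changes the transport. Any DoH server you run locally therefore gives you exactly the confidentiality of the HTTPS hop and nothing more, which is why it adds little on a network where that hop was already trusted.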

The second and more common thing it means is DNS over HTTPS as used in Firefox (and soon other browsers). This is not just DNS over HTTPS the protocol but DNS over HTTPS to specific public resolvers, with the choice of public resolvers out of the control of the people running the local network. This is the version of DNS over HTTPS that Firefox users in the US are getting now (if they accept Mozilla's offer) and that will presumably come to other parts of the world for at least Firefox (other browsers are thinking about it too). You can't set up a DNS over HTTPS server that's useful for this version of DNS over HTTPS, because one security problem that Firefox's DNS over HTTPS environment is designed to deal with is that on the modern Internet, ISPs are one of your threats. If you use your ISP's resolver, it can log your DNS lookups and then use that information, so Firefox goes straight to the DoH servers it trusts (resolvers in Mozilla's Trusted Recursive Resolver program) and ignores yours.

As a practical matter, the 'DNS over HTTPS as used in Firefox' usage is the dominant one. I don't think very many people are setting up local DoH servers and I don't expect them to become popular until there's both a well supported protocol for automatically discovering or configuring them in local network clients and a solid benefit to having clients use DNS over HTTPS instead of plain internal DNS queries.

(Encrypted SNI may be one driver for this, since as currently implemented it requires using a DNS over HTTPS or DNS over TLS resolver. But it's not clear that organizations will care about ESNI for their own outgoing traffic.)

tech/DNSOverHTTPSTwoMeanings written at 01:00:51

