Why the choice of DNS over HTTPS server needs to be automatic (a sysadmin view)

March 15, 2020

At a general level, what DNS servers you should (and sometimes can) use depends on what network you're connected to. If you're connected to a network that just gives you general Internet access, then you (just) need a DNS server that gives you general public IP addresses. If you're connected to some sort of internal network, your network may have both special DNS names that aren't visible in the public DNS and special resolution for DNS names that are visible in the public DNS (often called split horizon DNS); resolving these names properly requires using the network's local DNS server. This is independent of whether you talk to those DNS servers with plain DNS, DNS over HTTPS the protocol, or DNS over TLS. We can call the public Internet and every different internal network environment a (network) world, and say that each world potentially needs a different DNS server setup.

A machine that doesn't move between network worlds can afford to have its DNS server settings configured manually, including manually setting it to use DNS over HTTPS to a local DNS server. A machine that moves between network worlds could theoretically be manually reconfigured after every move, but in practice these reconfigurations need to happen automatically (otherwise, someday they won't be done and then various problems appear). The generally available state of the art for automatic reconfiguration of DNS servers based on the network you're connected to is DHCP for IPv4 and DHCP6 or NDP for IPv6 (probably NDP, since I believe that Android devices still refuse to do DHCP6, so they can only find your DNS server through NDP); all of these give you plain old DNS servers.

(You can't automatically bootstrap to DNS over HTTPS or DNS over TLS with just this basic information, because normally all you get is the IP address and verifying TLS certificates requires you to know the name of what you're connecting to.)

The current state of the art of Firefox's use of DNS over HTTPS (the second and more common meaning of 'DNS over HTTPS') is mixed. Firefox doesn't have any way of switching DNS over HTTPS settings around based on the network world it's connected to, and while it attempts to work out when to use DNS over HTTPS, those heuristics face an impossible job. Essentially, Firefox assumes that the majority of computers are connected mostly to the general Internet world. Sooner or later everyone will have to explicitly signal to Firefox that their internal networks are not in this general Internet world (using Firefox's canary domain for this). Even then, Firefox has no automatic way of reconfiguring which DNS over HTTPS server it uses; all it has is enabling or disabling DoH (the protocol).
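As an added example that is not part of the original post: a small Python check that builds the canary query and applies Firefox's published rule to raw DNS responses (constructed inline here, since nothing on this page is run against a live network). The canary name use-application-dns.net and the two disable conditions are Mozilla's documented values, which the post refers to without naming.

```python
import struct
CANARY = "use-application-dns.net"  # Mozilla's published canary name (not named in the post)
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
TYPE_A, TYPE_AAAA = 1, 28

def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels plus the root."""
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in name.strip(".").split(".")) + b"\x00"

def build_query(name=CANARY, qtype=TYPE_A, txid=0x1234):
    """Recursion-desired query a client sends for the canary's A record."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)

def build_response(query, rcode, addrs=()):
    """Constructed test response: echoes the question and adds one A record per
    address, naming each answer with a compression pointer (0xC00C) to the question."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(addrs), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 300, 4)
                   + bytes(int(o) for o in a.split(".")) for a in addrs)
    return header + query[12:] + rrs

def skip_name(data, off):
    """Return the offset just past a (possibly compressed) name at data[off:]."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def canary_verdict(resp):
    """Apply Firefox's rule to a raw DNS response for the canary: DoH is disabled
    on NXDOMAIN, or on NOERROR with no A/AAAA records in the answer section."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    rcode, off, addr_records = flags & 0x000F, 12, 0
    for _ in range(qd):                 # step over the question section
        off = skip_name(resp, off) + 4  # name, then QTYPE + QCLASS
    for _ in range(an):
        off = skip_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10 + rdlen
        addr_records += rtype in (TYPE_A, TYPE_AAAA)
    if rcode == RCODE_NXDOMAIN:
        return True, "NXDOMAIN"
    if rcode == RCODE_NOERROR and addr_records == 0:
        return True, "NOERROR with no A/AAAA"
    return False, f"rcode {rcode}, {addr_records} address record(s)"
```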

Until we get some form of support in Firefox for automatically changing its DNS over HTTPS server as it moves between network worlds, setting up your own local DoH server has only moderate practical use unless you're dealing only with machines that never move out of your local network world. If you truly need a local DNS server (as opposed to it being an efficiency or privacy thing), people can't use it all of the time, so when their machine moves outside your world their DNS over HTTPS settings have to change. But there's no way of doing that automatically today, so things are guaranteed to go wrong sooner or later.

(If you have some machines that don't move out of your local network world, you can set up a DNS over HTTPS server for them. Since this potentially enables encrypted SNI, there's some use for this. If you have no such machines, there's no point; your nice local DoH server will sit unused.)

PS: Using a local DNS over HTTPS server still allows you to keep track of local DNS lookups for things like malware detection, although you may not be able to use your fancy expensive IDS any more (at least until you can arrange to have your DNS server provide a feed of lookups to the IDS instead of having the IDS snoop on network traffic). Firefox using external DNS over HTTPS servers makes this worse than Firefox using external DNS servers in general, because you previously could snoop on that traffic without having to hunt down the owners of the devices to get them to change their DNS configuration to the right one.


Comments on this page:

At the time of this writing, there are two IETF drafts on discovering and bootstrapping DoT and DoH servers:

[...] although you may not be able to use your fancy expensive IDS any more (at least until you can arrange to have your DNS server provide a feed of lookups to the IDS instead of having the IDS snoop on network traffic).

If anyone is curious as to how to do this, one possibility is dnstap, which is supported by recent versions of most DNS software that runs on Unix-y systems (BIND, Unbound, Knot, NSD, PowerDNS, etc):

Written on 15 March 2020.
Last modified: Sun Mar 15 01:20:54 2020