'The inmates have taken over the asylum': DNS godfather blasts DNS over HTTPS adoption
Can those who need lookup privacy afford architectural purism?
The Internet Engineering Task Force (IETF) has formally adopted DNS-over-HTTPS as a standard, and reignited a debate over whether it's a danger to the web's infrastructure.
The IETF gave the proposal its blessing late last week by elevating it to Request For Comment (RFC) level as RFC 8484.
The idea was to guarantee the confidentiality and integrity of DNS lookups, as co-author Mozilla's Patrick McManus explained to The Register in December 2017, because governments and bad actors alike interfere or snoop on DNS requests.
Encryption provides confidentiality, quite simply because instead of sending a plain-text DNS request over UDP, RFC 8484 sends it over HTTPS, secured by Transport Layer Security (TLS). Integrity protection comes from using the server's public key to guarantee that nobody's spoofing the DNS server.
IETF protects privacy and helps net neutrality with DNS over HTTPSREAD MORE
Those sound like good things, but Mauritian coder and contributor to IETF work Logan Velvindron pointed out to The Reg that not everybody's happy about the RFC.
Paul Vixie, one of the architects of the DNS, reckoned it's nothing short of a disaster. On Friday, he tweeted: "RFC 8484 is a cluster duck for internet security. Sorry to rain on your parade. The inmates have taken over the asylum."
Vixie has said that DoH is incompatible with the basic architecture of the DNS because it moves control plane (signalling) messages to the data plane (message forwarding), and that's a no-no.
Network admins, he argued on Twitter, need to be able to see and analyse DNS activity, and DoH prevents that. "DoH is an over the top bypass of enterprise and other private networks. But DNS is part of the control plane, and network operators must be able to monitor and filter it. Use DoT, never DoH."
DoT is DNS over TLS, RFC 7858, a separate standard from DoH that works towards the same integrity and privacy aims.
Which matters more, network or user?
While DoT achieves those aims, it's still subject to a level of interference that DoH resists: DoT has port 853 to itself, and can therefore be blocked, and a user's DoT request (but not the content of, or response to, that request) is visible from the network.
DoH, on the other hand, shares port 443 with other HTTPS traffic.
The Register spoke to a network engineer, who asked not to be named because of the heat surrounding this debate.
He said DoH removes a discriminator that can be used to distinguish DNS from other traffic, and that's a problem for anyone wanting to interfere with DNS traffic.
Instead of blocking a host that's blocking DNS over TLS, the "attacker" has to block the entire host serving DoH – which could mean blocking a CDN, a search engine, or a company like Cloudflare.
From that point of view, DoH is backed by a strong human rights argument: a hostile government could detect that an activist is using encrypted DNS if they're sending requests as DoT, but not if they're using the same port as HTTPS traffic.
There are, however, legitimate security applications for inspecting and interfering with DNS operation – a parent relying on OpenDNS (now rebranded by its new owner as Cisco Umbrella) to sanitise what their children look at, or a sysadmin protecting an enterprise network against domains that only exist to serve malware to compromised endpoints.
Crying shame, self to blame
Whichever approach prevails, as Mozilla's Daniel Steinberg wrote at the end of last week, the main reason the controversy exists is that the DNS world has failed for decades to act to preserve user privacy.
"To me, DoH is partly necessary because the 'DNS world' has failed to ship and deploy secure and safe name lookups to the masses and this is the one way applications 'one layer up' can still secure our users."
That echoes what DNS privacy expert Sara Dickinson (author of DoT test platform Stubby) said in a July interview with the Council of European National Top-Level Domain Registries. The industry, she said, brought DoH on itself by being slow to react. "The browsers are just walking straight in, because if they were already getting what they needed from DNS, they might be less eager to go down the DoH route. However, they are just not getting what they need, and I think they kind of feel they never will."
It is just as likely that DoT-versus-DoH will be solved by user or provider choices, since both are being deployed, as is documented by the DNS Privacy Project.
Besides the protocol tension, Velvindron pointed out via email that the final RFC baked in a feature, server push, that wasn't on the list when The Register first discussed the Internet-Draft last year. "Basically, by scanning requests, the server can infer about what the next request would be and serve it to the user faster." ®