Home
 » Editorial Article, ISP News » 
Sponsored Links

Big UK Broadband ISPs Have Big Concerns About DNS over HTTPS

Thursday, Apr 11th, 2019 (11:31 am) - Score 28,273

A significant change is on the way that could improve the security of the internet’s Domain Name System (DNS) by adopting DNS over HTTPS (DoH), although this could also create lots of new problems for broadband ISPs and mobile operators (e.g. disrupting UK Government required censorship systems) that may be hard to overcome.

At present the existing Domain Name System (DNS) works to convert Internet Protocol (IP) addresses into a human readable form (e.g. 123.56.32.1 to examplefakeblah.co.uk) and back again. Most of the time your ISP runs the DNS servers, but advanced end-users can also tweak their own devices (e.g. routers) to use third-party DNS solutions like OpenDNS or Google’s Public DNS (i.e. taking some control away from your ISP but as these services are often unencrypted then your ISP can still intercept the data).

Unfortunately standard DNS systems do have plenty of vulnerabilities, such as situations where hackers can intercept your internet traffic through man-in-the-middle style attacks (e.g. eavesdropping, manipulation of DNS data or even blocking/censorship). Malicious actors target this method because end-users are often left none the wiser when it occurs (a very stealthy vulnerability to exploit).

In order to resolve this a new standard is being fast-tracked through the IETF called DNS over HTTPS (DoH). Anybody with some basic IT knowledge will recognise HTTPS as being the encrypted protocol that many modern websites use to help keep your connection to them secure from prying eyes (e.g. https://www.ispreview.co.uk is encrypted, while using http:// would be unencrypted).

The idea behind DoH is thus a simple one, with DNS requests being sent via HTTPS, sharing port 443 and secured via TLS as defined in IETF RFC 8484. The result is an encryption based protocol that has good privacy and security intentions, which is something that broadband ISPs do welcome as being of wider benefit to their users. This is of course assuming you trust the third-party DoH providers (see below).

Sounds good, so what’s the problem with DoH?

In order to work its magic DoH needs to function a bit differently from the normal DNS system and early adoption of this is also likely to be driven through centralised 3rd party DoH providers (e.g. Google, Cloudflare and Mozilla), effectively bypassing wider ISP capabilities that are dependent upon the existing DNS setup.

For example, Mozilla’s Firefox browser (since v62) has implemented DoH to automatically handle your DNS requests, although at present it’s not enabled by default (you have to activate it manually), but in the future that will change (developments around the DoH standard are still somewhat of a work-in-progress but we’d expect many more companies to follow).

In this setup the end-user (that’s you, dear reader) no longer has to worry about manually configuring their DNS settings to use a third-party provider. Instead the system is both encrypted and handled automatically by your web browser or other system. Essentially a significant security and privacy improvement, albeit without you having to do anything to benefit!

Firefox Statement

For more than 30 years, DNS has served as a key mechanism for accessing sites and services on the web. Browsers (including Firefox) use DNS to access a distributed database that turns URLs into TCP/IP addressing information. Firefox cannot do much without the service. DNS hails from the days of a kinder, more gentle Internet where it was normal to make this kind of query using unencrypted protocols and send them to any nearby server who claimed to be able to answer it.

This approach is no longer a fit for the modern Internet. Because there is no encryption, other devices along the way might collect (or even block or change) this data too. DNS lookups are sent to servers that can spy on your website browsing history without either informing you or publishing a policy about what they do with that information.

The downside of this approach to DoH (if you can call it a downside, as for others it’s more of an upside), at least from an ISP’s perspective, is that your DNS queries won’t hit the broadband provider’s own nameservers anymore and the provider itself would also struggle to separate out DoH from regular HTTPS traffic.

On top of that each application (e.g. Firefox) would now be able to select their own DoH provider, as opposed to a single ISP / DNS setting being used by the majority of users for every application and device. The DoH approach can thus create a number of problems with network management and control, particularly for the largest ISPs like BT, Sky Broadband, TalkTalk and Virgin Media.

Now it gets complicated

The ability to see browsing / application requests at a household level means that many ISPs can make some use of standard DNS for performing tasks like internet filtering (i.e. blocking / censoring websites – such as due to parental controls and anti-malware features or legal requirements) and identifying bad (malware) traffic. But it goes much further than that.

Mark-Jackson
By Mark Jackson
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England), he also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments. Find me on X (Twitter), Mastodon, Facebook and .
Search ISP News
Search ISP Listings
Search ISP Reviews
Comments
22 Responses
  1. Avatar photo New_Londoner says:

    As I see it, DoH creates a major new security vulnerability for malware, which can hide all of its actions including any DNS traffic within the regular HHTPS stream. That makes it harder both to detect and also to block.

    Also, it seems to involve exporting all of my browser traffic to a US tech company – what could possibly go wrong?! How long before the first report of this data being monetised or, worse still, hacked?

    This seems to be a backwards step in bringing centralised services to what was meant to be a distributed system. Does it even comply with GDPR regs?

    1. Avatar photo Joe says:

      DNS services will still be decentralised; just not at the isp level. Tbh if you don’t trust dns ‘x’ just use dns ‘y’ they aren’t all US tech firms. Ultimately you need to trust someone. I use my VPNs DNS.

      GDPR is so stupid its bound to cause a headache somewhere.

    2. Avatar photo spurple says:

      There is nothing that stops malware today from hiding it’s activities behind HTTPS.

      While you may be able to hide your DNS query, you still cannot hide the actual communication with the endpoint that you secretly resolved over DoH. Hence, it’s kind of ridiculous that ISPs think this poses them any challenge. DNS-level blocking is the easiest to defeat, so almost no competent ISP should rely on it.

      While DoH will hide the DNS queries themselves, the IP addresses users/clients connect to are still as plain as daylight, AND, when using HTTPS, the server name (which is effectively the DNS name) is also plain as daylight inside the SSL handshake (Server Name Indicatioon).

      One slightly small step forward for privacy, but barely an improvement in privacy if your ISP cares to look else where for the same signals.

      PS. I’m all in on this, and plan to deploy a DoH relay on my local network just to make spying that little bit harder for my ISP.

    3. Avatar photo alan says:

      “PS. I’m all in on this, and plan to deploy a DoH relay on my local network just to make spying that little bit harder for my ISP.”

      Indeed id sooner have a very small risk of my activity being monitored over a secured connection than an open one where your ISP has a nanny checking everything you do.
      risk. Anyone that thinks this increases rather than decreases security clearly has no idea how insecure things currently are.

  2. Avatar photo Joe says:

    “(e.g. disrupting UK Government required censorship systems) that may be hard to overcome.”

    Gosh I’m sure we’re all gutted by this !

  3. Avatar photo Phil says:

    I’ve tried this in Firefox and it did break some things, not unsurprisingly really as my own network has it’s own DNS server that serves up internal addresses for some URLs. It would also break if the internal DNS server was changed to any other one, however the problem here is if they start to enable it by default, it bypasses the internal DNS and of course ignores the DNS server given out by DHCP.

    I thought DNSSEC was suppose to prevent man in middle attacks, so why do we need another mechanism? It seems a lot of effort is being made to divert people away from their ISP DNS servers towards some other, what is the reasoning for this? What are these companies gaining by providing these services for free? At some point they will want to monetise these DNS servers, as there is no such thing as a free lunch.

    Also how secure is the browser? It’s going to be easier for some malware to access the browser settings to inject a different URL than it would be to reach out and into the operating system to change the DNS server. It is also making it easier for scammers to come up with some new trick asking people to change the URL the browser is using to point to their own servers, where they can then serve up fake websites.

    1. Avatar photo spurple says:

      When the transition is complete, there is nothing stoping your machines from getting the DNS address from your router as it’s done today. They’ll simply speak DoH instead of DNS to the target servers.

      Websites generally cannot change your browser preferences. It’s one of the core responsibilities of your browser to ensure this.

      Also, I can envision a situation where your DoH provider (perhaps your ISP) will allow you to configure your own LAN mappings so that you don’t lose the ability to have LAN only DNS names.

      It’s still early day yet.

  4. Avatar photo Phil says:

    @spurple

    The issue is FireFox is deciding what DNS service we will use and enable that without warning, that’s the problem I think for most people. If this is happening in companies, then FireFox is overwriting any specific company approved DNS servers that have been put in place via DHCP. I suspect Chrome will do the same thing eventually. Even if I had a different DoH provider, FireFox isn’t using that, it’s defaulting everyone to Cloudfare. That makes me ask how companies like Cloudfare make their money? Why are they offering these services for free at this time? If FireFox is making the DNS request, what other information is it sending to Cloudfare encrypted in that request that we can’t read?

    It wouldn’t be possible to use our own routers for DoH as they wouldn’t have a trusted SSL certificate, defeating the point of the whole thing, even then the web browser is using what it wants for the DoH URL.

    I can change the URL for DoH in FireFox without a UAC prompt, so it doesn’t seem that secure to me.

    1. Avatar photo Joe says:

      In fairness DNS is disabled by default in FF atm so its not the final version in regards to how it can be altered (w/wo prompts)

  5. Avatar photo NE555 says:

    > ISP blocking of non-compliant sites as a potential enforcement mechanism of last resort

    Except that won’t work. If the offending site is hosted on a CDN like Cloudflare (say), and you want to block by IP, then you have to block *all* sites on Cloudflare.

    And you can’t block DNS over HTTPS, because it also looks like normal HTTPS. Indeed, Cloudflare is the initial DOH partner for Firefox, so again you’d have to block all of Cloudflare to block their DOH service. Even if you did, there are plenty of other DOH providers to switch to.

    Right now there the remaining weakness is HTTPS Server Name Indication: that is, when you make a HTTPS connection, the name of the server you are connecting to is exposed in clear text, so a DPI box can block you there. But there’s in-progress work to eliminate that too.

    @Phil:

    > I thought DNSSEC was suppose to prevent man in middle attacks, so why do we need another mechanism?

    Two different issue. DNSSEC is about data integrity (it doesn’t encrypt DNS traffic), and it secures traffic between the cache and the authoritative servers.

    DOH and DOT are about encrypting the traffic between the client (stub resolver) and the DNS cache they are using.

    > It wouldn’t be possible to use our own routers for DoH as they wouldn’t have a trusted SSL certificate

    Sure you can. You can build your own DOH-speaking cache, and you can get free certificates from LetsEncrypt.

    1. Avatar photo spurple says:

      If Cloudflare puts customers on shared IP addresses, then they have only themselves to blame for collateral damage.

      Interesting enough, they’re selling shared IPs as an anti-piracy measure.

  6. Avatar photo Meadmodj says:

    Something was needed to be done with DNS for years and DoT just hasn’t been adopted so now we have DoH and DoQ in the wings.

    DoH’s real impact is the significant shift from system control to user control. But in return the user has to have trust in the DoH provider, what they do with the data, it has to perform efficiently and route to nearby IP addresses correctly.

    As always the thrust for this is from the US but DoH does not necessarily mean centralisation. The Mozilla partnership with Cloudfare was needed to provide real life trials but I expect country or ISP specific DoH going forward and the browsers to support more than one or the ability to discover DoH servers.

    Mozilla already recognises that they may need to configure by region and I am sure security agencies are already lobbying their governments. As MJ highlights it puts a complete hole in current ISP controls but I’m sure they will devise new methods to route the traffic and even temporarily inhibit DoH if they have to.

    The issue for the user may be the default DNS settings set on their device and that during the transition, for compatibility, you start out with DoH and if it fails it scales back to plain text DNS without you being aware.

  7. Avatar photo Sky says:

    If you’re an ISP and you’ve made software/websites/etc that only work on your DNS servers, you’ve made software that doesn’t work.

  8. Avatar photo Laurence "GreenReaper" arry says:

    Customers should not be scared of their ISPs; ISPs should be scared of their customers!

  9. Avatar photo Chris R says:

    BT presented this as UKNOF 43 on the 9th April.

    Further watching: Sara Dickinson from Sinodun at UKNOF41 (and RIPE77) – https://www.youtube.com/watch?v=3tMGD6J04Jk

  10. Avatar photo t0m5k1 says:

    ISP are scared they will not be able to implement the stupid censorship rules levied on them by the Gov.

    Many of us who value our privacy have either been running their own DNS server or using an encrypted connection to a trusted DNS server for some time now.

    Even if you use your ISP provided DNS there is no stopping them using EDNS to make marketers aware of your DNS look-ups, Remember user data is not the big commodity that is re-sold when you are the product and if they can get more then they will.

    The only issue is that the big ISPs will now need to employ DPS techniques to find out what customers are looking at, and currently SNI is not encrypted so this is still exposed however with the next firefox version SNI will be encrypted.

    Encryption is not the enemy and the Governments of the world should not see it as such, Encryption is employed for good reason:
    PRIVACY

    Using encryption inside a story about censorship is an obvious straw-man to lead you to think encryption is bad when in reality the continued erosion of your online privacy is bad and what should really be stopped.

  11. Avatar photo Roger_Gooner says:

    As an experiment I enabled DoH on Firefox and found that my hosts files was being bypassed, not good as I use it to block ads and nasty websites.

    1. Avatar photo t0m5k1 says:

      point dns to 1.1.1.1 (cloudflare) they will block all the adverts and nasties

    2. Avatar photo Soomme says:

      @t0m5k1, Cloudflare’s DNS, just like Google DNS, doesn’t do any filtering. Quad9 blocks malware domains. Adguard DNS blocks ads.

  12. Avatar photo Soomee says:

    On page 2, were it says “Content Delivery Network (DNS)”, it should be “CDN” not “DNS”.

Comments are closed

Cheap BIG ISPs for 100Mbps+
Community Fibre UK ISP Logo
150Mbps
Gift: None
Virgin Media UK ISP Logo
Virgin Media £24.00
132Mbps
Gift: None
Plusnet UK ISP Logo
Plusnet £27.99
145Mbps
Gift: None
Zen Internet UK ISP Logo
Zen Internet £28.00 - 35.00
100Mbps
Gift: None
Sky Broadband UK ISP Logo
100Mbps
Gift: None
Large Availability | View All
Cheapest ISPs for 100Mbps+
Gigaclear UK ISP Logo
Gigaclear £15.00
150Mbps
Gift: None
YouFibre UK ISP Logo
YouFibre £19.99
150Mbps
Gift: None
Community Fibre UK ISP Logo
150Mbps
Gift: None
BeFibre UK ISP Logo
BeFibre £21.00
150Mbps
Gift: £25 Love2Shop Card
Hey! Broadband UK ISP Logo
150Mbps
Gift: None
Large Availability | View All
The Top 15 Category Tags
  1. FTTP (5443)
  2. BT (3497)
  3. Politics (2513)
  4. Openreach (2285)
  5. Business (2242)
  6. Building Digital UK (2226)
  7. FTTC (2040)
  8. Mobile Broadband (1954)
  9. Statistics (1770)
  10. 4G (1648)
  11. Virgin Media (1603)
  12. Ofcom Regulation (1446)
  13. Wireless Internet (1384)
  14. Fibre Optic (1384)
  15. FTTH (1380)
Promotion
Sponsored

Copyright © 1999 to Present - ISPreview.co.uk - All Rights Reserved - Terms , Privacy and Cookie Policy , Links , Website Rules , Contact
Mastodon