Home
 » Editorial Article, ISP News » 
Sponsored

Big UK Broadband ISPs Have Big Concerns About DNS over HTTPS

Thursday, April 11th, 2019 (11:31 am) - Score 15,610
dns domain name system logo uk isp

ISPs have also built crucial relationships with Content Delivery Network (CDN) vendors, which help them to more efficiently cache and serve on-net content to give consumers the best experience and minimise network costs (indirectly this also keeps the price you pay for broadband down). But ISPs say some of that might be impacted if DoH providers get in the way of their normal DNS (i.e. more difficult for providers to steer certain content).

Furthermore ISPs can also use DNS redirects for common support tasks, such as device/router setup, mobile top-ups, network performance metrics (as often demanded by Ofcom) and broadband support. Getting these important features to work with DoH will be difficult and could impact a provider’s ability to help their customers. Not to mention issues for public Wi-Fi hotspots, which often start you off on “captive portals“.

At this point it becomes clear that for all the benefits of DoH, there are also some potentially big challenges and costly problems for ISPs too. The risk of inconsistent experiences and thus greater complexity for end-users (e.g. needing to setup Parental Controls on each device you use instead of via a central control) is not something that the big players can lightly ignore.

Admittedly the alternative perspective here is that when DoH becomes widespread and Government’s start asking why the DNS-level blocks that ISP use for certain tasks are no longer effective (not that they were ever very effective) then it becomes, as one provider put it to us, “someone else’s problem” (e.g. the DoH providers problem).

Governments will thus end up needing to talk with many more parties in the internet connectivity process than just an ISP (e.g. Google, Mozilla etc.) in order to get their desire for greater use of censorship or other DNS dependent systems realised, which creates another set of problems for them. Meanwhile the DoH providers will rightly argue for the security benefits.

Andrew Glover, Chair of the UK ISPA, said:

“The [Online Harms White Paper] lists ISP blocking of non-compliant sites as a potential enforcement mechanism of last resort. However, as technology evolves, including through new technical protocols such as DNS-over-HTTPS, the ability of ISPs to put in place technical measures could be substantially reduced. The legal basis of any blocking action taken will also need to be clear.”

Granted there are more sophisticated methods of network-level filtering available for ISPs than mere DNS level blocking, which is one of the easiest methods, but the costs may be unaffordable for all except the largest players (e.g. big ISPs can use DPI – Deep Packet Inspection but even this has its limits). Of course DPI won’t solve every other problem mentioned above and can carry a performance impact.

Work is now on-going within the industry to find ways of adapting to the challenges created by DoH, particularly among the largest providers, although it remains to be seen how much success they have. The very nature of DoH makes all of these issues quite fundamentally difficult to resolve. DoH could also create new security risks of its own by potentially making it easier for certain malware to hide bad traffic, as well as being difficult to block without hindering HTTPS.

Explaining the complexity of all this to end-users, when in the future they inevitably ask why something doesn’t work as intended, is another challenge entirely (support teams would need significantly more technical familiarity). For now none of the major DoH players have chosen to enable the feature by default, instead preferring to give end-users the option, but we expect this to change (e.g. it will become the default in Firefox).

Tech-savvy end-users will of course be keen to manually enable this feature and in doing so we hope that they remain mindful of how it may impact some of the services offered by their ISP, which could cease to function correctly (i.e. don’t blame your ISP if you enable a third-party feature like this and suddenly something you use on their network stops working or doesn’t function at its best).

Add to Diigo
Mark Jackson
By Mark Jackson
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England), he also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments. Find me on Twitter, , Facebook and Linkedin.
Leave a Comment
22 Responses
  1. Avatar New_Londoner

    As I see it, DoH creates a major new security vulnerability for malware, which can hide all of its actions including any DNS traffic within the regular HHTPS stream. That makes it harder both to detect and also to block.

    Also, it seems to involve exporting all of my browser traffic to a US tech company – what could possibly go wrong?! How long before the first report of this data being monetised or, worse still, hacked?

    This seems to be a backwards step in bringing centralised services to what was meant to be a distributed system. Does it even comply with GDPR regs?

    • Avatar Joe

      DNS services will still be decentralised; just not at the isp level. Tbh if you don’t trust dns ‘x’ just use dns ‘y’ they aren’t all US tech firms. Ultimately you need to trust someone. I use my VPNs DNS.

      GDPR is so stupid its bound to cause a headache somewhere.

    • Avatar spurple

      There is nothing that stops malware today from hiding it’s activities behind HTTPS.

      While you may be able to hide your DNS query, you still cannot hide the actual communication with the endpoint that you secretly resolved over DoH. Hence, it’s kind of ridiculous that ISPs think this poses them any challenge. DNS-level blocking is the easiest to defeat, so almost no competent ISP should rely on it.

      While DoH will hide the DNS queries themselves, the IP addresses users/clients connect to are still as plain as daylight, AND, when using HTTPS, the server name (which is effectively the DNS name) is also plain as daylight inside the SSL handshake (Server Name Indicatioon).

      One slightly small step forward for privacy, but barely an improvement in privacy if your ISP cares to look else where for the same signals.

      PS. I’m all in on this, and plan to deploy a DoH relay on my local network just to make spying that little bit harder for my ISP.

    • Avatar alan

      “PS. I’m all in on this, and plan to deploy a DoH relay on my local network just to make spying that little bit harder for my ISP.”

      Indeed id sooner have a very small risk of my activity being monitored over a secured connection than an open one where your ISP has a nanny checking everything you do.
      risk. Anyone that thinks this increases rather than decreases security clearly has no idea how insecure things currently are.

  2. Avatar Joe

    “(e.g. disrupting UK Government required censorship systems) that may be hard to overcome.”

    Gosh I’m sure we’re all gutted by this !

  3. Avatar Phil

    I’ve tried this in Firefox and it did break some things, not unsurprisingly really as my own network has it’s own DNS server that serves up internal addresses for some URLs. It would also break if the internal DNS server was changed to any other one, however the problem here is if they start to enable it by default, it bypasses the internal DNS and of course ignores the DNS server given out by DHCP.

    I thought DNSSEC was suppose to prevent man in middle attacks, so why do we need another mechanism? It seems a lot of effort is being made to divert people away from their ISP DNS servers towards some other, what is the reasoning for this? What are these companies gaining by providing these services for free? At some point they will want to monetise these DNS servers, as there is no such thing as a free lunch.

    Also how secure is the browser? It’s going to be easier for some malware to access the browser settings to inject a different URL than it would be to reach out and into the operating system to change the DNS server. It is also making it easier for scammers to come up with some new trick asking people to change the URL the browser is using to point to their own servers, where they can then serve up fake websites.

    • Avatar spurple

      When the transition is complete, there is nothing stoping your machines from getting the DNS address from your router as it’s done today. They’ll simply speak DoH instead of DNS to the target servers.

      Websites generally cannot change your browser preferences. It’s one of the core responsibilities of your browser to ensure this.

      Also, I can envision a situation where your DoH provider (perhaps your ISP) will allow you to configure your own LAN mappings so that you don’t lose the ability to have LAN only DNS names.

      It’s still early day yet.

  4. Avatar Phil

    @spurple

    The issue is FireFox is deciding what DNS service we will use and enable that without warning, that’s the problem I think for most people. If this is happening in companies, then FireFox is overwriting any specific company approved DNS servers that have been put in place via DHCP. I suspect Chrome will do the same thing eventually. Even if I had a different DoH provider, FireFox isn’t using that, it’s defaulting everyone to Cloudfare. That makes me ask how companies like Cloudfare make their money? Why are they offering these services for free at this time? If FireFox is making the DNS request, what other information is it sending to Cloudfare encrypted in that request that we can’t read?

    It wouldn’t be possible to use our own routers for DoH as they wouldn’t have a trusted SSL certificate, defeating the point of the whole thing, even then the web browser is using what it wants for the DoH URL.

    I can change the URL for DoH in FireFox without a UAC prompt, so it doesn’t seem that secure to me.

    • Avatar Joe

      In fairness DNS is disabled by default in FF atm so its not the final version in regards to how it can be altered (w/wo prompts)

  5. Avatar NE555

    > ISP blocking of non-compliant sites as a potential enforcement mechanism of last resort

    Except that won’t work. If the offending site is hosted on a CDN like Cloudflare (say), and you want to block by IP, then you have to block *all* sites on Cloudflare.

    And you can’t block DNS over HTTPS, because it also looks like normal HTTPS. Indeed, Cloudflare is the initial DOH partner for Firefox, so again you’d have to block all of Cloudflare to block their DOH service. Even if you did, there are plenty of other DOH providers to switch to.

    Right now there the remaining weakness is HTTPS Server Name Indication: that is, when you make a HTTPS connection, the name of the server you are connecting to is exposed in clear text, so a DPI box can block you there. But there’s in-progress work to eliminate that too.

    @Phil:

    > I thought DNSSEC was suppose to prevent man in middle attacks, so why do we need another mechanism?

    Two different issue. DNSSEC is about data integrity (it doesn’t encrypt DNS traffic), and it secures traffic between the cache and the authoritative servers.

    DOH and DOT are about encrypting the traffic between the client (stub resolver) and the DNS cache they are using.

    > It wouldn’t be possible to use our own routers for DoH as they wouldn’t have a trusted SSL certificate

    Sure you can. You can build your own DOH-speaking cache, and you can get free certificates from LetsEncrypt.

    • Avatar spurple

      If Cloudflare puts customers on shared IP addresses, then they have only themselves to blame for collateral damage.

      Interesting enough, they’re selling shared IPs as an anti-piracy measure.

  6. Avatar Meadmodj

    Something was needed to be done with DNS for years and DoT just hasn’t been adopted so now we have DoH and DoQ in the wings.

    DoH’s real impact is the significant shift from system control to user control. But in return the user has to have trust in the DoH provider, what they do with the data, it has to perform efficiently and route to nearby IP addresses correctly.

    As always the thrust for this is from the US but DoH does not necessarily mean centralisation. The Mozilla partnership with Cloudfare was needed to provide real life trials but I expect country or ISP specific DoH going forward and the browsers to support more than one or the ability to discover DoH servers.

    Mozilla already recognises that they may need to configure by region and I am sure security agencies are already lobbying their governments. As MJ highlights it puts a complete hole in current ISP controls but I’m sure they will devise new methods to route the traffic and even temporarily inhibit DoH if they have to.

    The issue for the user may be the default DNS settings set on their device and that during the transition, for compatibility, you start out with DoH and if it fails it scales back to plain text DNS without you being aware.

  7. Avatar Sky

    If you’re an ISP and you’ve made software/websites/etc that only work on your DNS servers, you’ve made software that doesn’t work.

  8. Avatar Laurence "GreenReaper" arry

    Customers should not be scared of their ISPs; ISPs should be scared of their customers!

  9. Avatar Chris R

    BT presented this as UKNOF 43 on the 9th April.

    Further watching: Sara Dickinson from Sinodun at UKNOF41 (and RIPE77) – https://www.youtube.com/watch?v=3tMGD6J04Jk

  10. Avatar t0m5k1

    ISP are scared they will not be able to implement the stupid censorship rules levied on them by the Gov.

    Many of us who value our privacy have either been running their own DNS server or using an encrypted connection to a trusted DNS server for some time now.

    Even if you use your ISP provided DNS there is no stopping them using EDNS to make marketers aware of your DNS look-ups, Remember user data is not the big commodity that is re-sold when you are the product and if they can get more then they will.

    The only issue is that the big ISPs will now need to employ DPS techniques to find out what customers are looking at, and currently SNI is not encrypted so this is still exposed however with the next firefox version SNI will be encrypted.

    Encryption is not the enemy and the Governments of the world should not see it as such, Encryption is employed for good reason:
    PRIVACY

    Using encryption inside a story about censorship is an obvious straw-man to lead you to think encryption is bad when in reality the continued erosion of your online privacy is bad and what should really be stopped.

  11. Avatar Roger_Gooner

    As an experiment I enabled DoH on Firefox and found that my hosts files was being bypassed, not good as I use it to block ads and nasty websites.

    • Avatar t0m5k1

      point dns to 1.1.1.1 (cloudflare) they will block all the adverts and nasties

    • Avatar Soomme

      @t0m5k1, Cloudflare’s DNS, just like Google DNS, doesn’t do any filtering. Quad9 blocks malware domains. Adguard DNS blocks ads.

  12. Avatar Soomee

    On page 2, were it says “Content Delivery Network (DNS)”, it should be “CDN” not “DNS”.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Comments RSS Feed

Javascript must be enabled to post (most browsers do this automatically)

Privacy Notice: Please note that news comments are anonymous, which means that we do NOT require you to enter any real personal details to post a message. By clicking to submit a post you agree to storing your comment content, display name, IP, email and / or website details in our database, for as long as the post remains live.

Only the submitted name and comment will be displayed in public, while the rest will be kept private (we will never share this outside of ISPreview, regardless of whether the data is real or fake). This comment system uses submitted IP, email and website address data to spot abuse and spammers. All data is transferred via an encrypted (https secure) session.

NOTE 1: Sometimes your comment might not appear immediately due to site cache (this is cleared every few hours) or it may be caught by automated moderation / anti-spam.

NOTE 2: Comments that break our rules, spam, troll or post via known fake IP/proxy servers may be blocked or removed.
Cheapest Superfast ISPs
  • Hyperoptic £15.00 (*22.00)
    Avg. Speed 30Mbps, Unlimited
    Gift: Code: FLASH19
  • Vodafone £22.00 (*24.00)
    Avg. Speed 35Mbps, Unlimited
    Gift: None
  • TalkTalk £22.45
    Avg. Speed 38Mbps, Unlimited
    Gift: None
  • Direct Save Telecom £22.95 (*29.95)
    Avg. Speed 35Mbps, Unlimited
    Gift: None
  • Origin Broadband £23.00
    Avg. Speed 35Mbps, Unlimited
    Gift: None
Prices inc. Line Rental | View All
The Top 20 Category Tags
  1. BT (2410)
  2. FTTP (2000)
  3. FTTC (1596)
  4. Building Digital UK (1549)
  5. Politics (1343)
  6. Openreach (1336)
  7. Business (1181)
  8. Statistics (1042)
  9. Mobile Broadband (968)
  10. FTTH (966)
  11. Fibre Optic (943)
  12. Ofcom Regulation (880)
  13. Wireless Internet (862)
  14. 4G (849)
  15. Virgin Media (808)
  16. Sky Broadband (574)
  17. TalkTalk (556)
  18. EE (556)
  19. Vodafone (469)
  20. Security (394)
Promotion
Helpful ISP Guides and Tips
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
»
Sponsored

Copyright © 1999 to Present - ISPreview.co.uk - All Rights Reserved - Terms , Privacy and Cookie Policy , Links , Website Rules , Contact