Broadband ISP BT Experiments with Own DoH – DNS over HTTPS

UK ISP BT has become the first of the major broadband providers to trial their own DNS over HTTPS resolver, which encrypts Domain Name System (DNS) requests (i.e. turning IP addresses into human readable domains like ISPreview.co.uk and back again) in order to make the process more secure.

Over the past few months DNS over HTTPS (DoH), as well as DNS over TLS (DoT), have been in the news quite a lot (here, here and here). On the one hand DoH is about protecting user privacy and making internet connections more secure (much like HTTPS has done by encrypting your connection to websites), which is something that many in the wider internet community praise.

On the other hand big ISPs, which run their own DNS servers (usually unencrypted), and politicians are concerned that large third-party deployments of DoH, such as via popular website browsers like Chrome (Google) or Firefox (Mozilla), could disrupt their ability to censor (website blocking), track and control various internet / account services (parental controls, optimising content delivery networks etc.) by moving such requests off their networks.

One way for ISPs to tackle such concerns is to adopt their own DoH solutions, which is partly because some of the major browsers will fall-back to the provider’s own DNS if they detect an approved DoH solution. However adapting DoH so that it works as expected, while also allowing the ISP to perform all of its usual DNS related features (website filtering, account controls etc.), is still a complicated problem to overcome.

As such it’s significant that BT, which has spent a long time examining this issue, have just begun their first “experimental DoH trial” (Credits to Andrew Campling for spotting). The experiment was announced at the ISPA’s DoH Policy Conference on Friday, which was sponsored by Open-Xchange and BT Group and featured speakers from BT, Mozilla, Cloudflare, Google, Open-Xchange, Sky, Article 19, Comcast, Farsight Security and ETNO.

BT Trial statement

BT are currently investigating roadmap options to uplift our broadband DNS platform to support improvements in DNS security – DNSSEC, DNS over TLS (DoT) and DNS over HTTPS (DoH). To aid this activity and in particular gain operation deployment insights, we have enabled an experimental DoH trial capability.

We are initially experimenting with an open resolver, but our plan is to move a closed resolver only available to BT customers.

The BT DoH trial recursive resolver can be reached at:

https://doh.bt.com/dns-query/

The following test page can be used to confirm successful use of BT DoH and is only resolvable via the BT DoH servers:

http://splashpage.doh.bt.com

The provider stresses that this is “not [yet] an official service in any way” and remains “purely experimental,” as such there could be potential issues with performance, bugs and connectivity. Likewise BT could take it out of service at any time and thus if you’re a BT broadband customer then feel free to play or give feedback to the operator, but just remember that this is only an early experiment.

Despite this BT does state that their DoH solution “should support any existing BT customer parental control and/or web protect settings, however if you are testing the capability on family devices we would recommend that you check that parental controls are still applied.” As usual BT says that personal data will be processed in accordance with their privacy policy.

Naturally ISPs that don’t need to filter, manipulate or snoop on DNS traffic will find it much easier to establish their own DoH solution, much as AAISP (Andrews and Arnold) recently did (here). But otherwise today’s news is a positive development for BT and one that may be an early indicator of a future where DoH becomes widely adopted by the major ISPs.