Broadband ISP BT Experiments with Own DoH – DNS over HTTPS

Monday, Dec 9th, 2019 (7:57 am) - Score 19,098

UK ISP BT has become the first of the major broadband providers to trial their own DNS over HTTPS resolver, which encrypts Domain Name System (DNS) requests (i.e. the lookups that turn human-readable domains like ISPreview.co.uk into IP addresses and back again) in order to make the process more secure.

Over the past few months DNS over HTTPS (DoH), as well as DNS over TLS (DoT), have been in the news quite a lot (here, here and here). On the one hand DoH is about protecting user privacy and making internet connections more secure (much like HTTPS has done by encrypting your connection to websites), which is something that many in the wider internet community praise.

On the other hand big ISPs, which run their own DNS servers (usually unencrypted), and politicians are concerned that large third-party deployments of DoH, such as via popular website browsers like Chrome (Google) or Firefox (Mozilla), could disrupt their ability to censor (website blocking), track and control various internet / account services (parental controls, optimising content delivery networks etc.) by moving such requests off their networks.

NOTE: It’s always been possible for people to optionally use a different DNS provider from the one deployed by your ISP (Google Public DNS, OpenDNS etc.), but enabling DoH by default on a browser is a much bigger step.

One way for ISPs to tackle such concerns is to adopt their own DoH solutions, partly because some of the major browsers will fall back to the provider’s own DNS if they detect an approved DoH solution. However, adapting DoH so that it works as expected, while also allowing the ISP to perform all of its usual DNS related features (website filtering, account controls etc.), is still a complicated problem to overcome.

As such it’s significant that BT, which has spent a long time examining this issue, have just begun their first “experimental DoH trial” (Credits to Andrew Campling for spotting). The experiment was announced at the ISPA’s DoH Policy Conference on Friday, which was sponsored by Open-Xchange and BT Group and featured speakers from BT, Mozilla, Cloudflare, Google, Open-Xchange, Sky, Article 19, Comcast, Farsight Security and ETNO.

BT Trial statement

BT are currently investigating roadmap options to uplift our broadband DNS platform to support improvements in DNS security – DNSSEC, DNS over TLS (DoT) and DNS over HTTPS (DoH). To aid this activity and in particular gain operational deployment insights, we have enabled an experimental DoH trial capability.

We are initially experimenting with an open resolver, but our plan is to move to a closed resolver only available to BT customers.

The BT DoH trial recursive resolver can be reached at:

https://doh.bt.com/dns-query/

The following test page can be used to confirm successful use of BT DoH and is only resolvable via the BT DoH servers:

http://splashpage.doh.bt.com

The provider stresses that this is “not [yet] an official service in any way” and remains “purely experimental,” so there could be issues with performance, bugs and connectivity. Likewise BT could take it out of service at any time; if you’re a BT broadband customer then feel free to play with it or give feedback to the operator, but remember that this is only an early experiment.

Despite this BT does state that their DoH solution “should support any existing BT customer parental control and/or web protect settings, however if you are testing the capability on family devices we would recommend that you check that parental controls are still applied.” As usual BT says that personal data will be processed in accordance with their privacy policy.

Naturally ISPs that don’t need to filter, manipulate or snoop on DNS traffic will find it much easier to establish their own DoH solution, much as AAISP (Andrews and Arnold) recently did (here). But otherwise today’s news is a positive development for BT and one that may be an early indicator of a future where DoH becomes widely adopted by the major ISPs.
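The trial endpoint and splash-page test above can be exercised with a minimal RFC 8484 client. This is an added example, not BT’s or ISPreview’s code: it builds the wire-format query, POSTs it as application/dns-message, and parses the answer. The two sample responses are constructed (192.0.2.10 is a documentation address, not BT’s), and the point worth seeing is that the query name is plaintext inside the HTTPS body, which is exactly why resolver-side parental controls can still apply while an on-path observer sees only TLS.

```python
import struct
import urllib.request

BT_DOH_URL = "https://doh.bt.com/dns-query/"   # trial endpoint quoted in the article

def build_query(name, qtype=1, txid=0):
    """Wire-format DNS query (RFC 1035), qtype 1 = A. The name sits in plaintext here;
    HTTPS hides it from the network path, never from the resolver that decrypts it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)   # class IN

def _read_name(msg, off):
    """Read a (possibly compressed) name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            end = end if jumped else off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def parse_response(msg):
    """Return (rcode, [IPv4 strings]) from a wire-format response; rcode 3 = NXDOMAIN."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, addrs = 12, []
    for _ in range(qd):                                # skip the echoed question
        off = _read_name(msg, off)[1] + 4
    for _ in range(an):
        off = _read_name(msg, off)[1]
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return flags & 0x000F, addrs

def doh_resolve(name, url=BT_DOH_URL, timeout=5):
    """POST the query as application/dns-message (RFC 8484); needs network access."""
    req = urllib.request.Request(url, data=build_query(name), method="POST", headers={
        "Content-Type": "application/dns-message", "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_response(resp.read())

# Constructed samples (not captured from BT): a hit for the splash page as BT's resolver
# would answer it, and the NXDOMAIN any third-party resolver would return for that name.
SAMPLE_QUESTION = b"\x0asplashpage\x03doh\x02bt\x03com\x00" + struct.pack("!HH", 1, 1)
SAMPLE_HIT = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + SAMPLE_QUESTION
              + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 10]))
SAMPLE_NXDOMAIN = struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0) + SAMPLE_QUESTION
```

Calling `doh_resolve("splashpage.doh.bt.com")` against the trial URL and again against any other DoH resolver shows the split the article describes: an A record from BT, NXDOMAIN elsewhere.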

By Mark Jackson
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England). He also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments.
Comments
19 Responses
  1. Avatar photo NE555 says:

    I don’t see any benefit. If you are a BT customer, you are only protecting the DNS traffic along the “first mile”. Critically, your data is still being decrypted and processed by BT’s own servers.

    BT have a particularly bad track record in this area: read up about their extensive partnership with Phorm (thankfully now defunct).

    1. Avatar photo Andrew Campling says:

      @NE555
      That’s a defunct trial from a decade ago, a lot has happened in the industry since then! Critically for anyone in Europe, our ISPs (and other local resolvers) are covered by GDPR and ePrivacy regulations. For services offered by US tech companies you’re mainly reliant on voluntary privacy policies that are subject to change and can be overruled by US law enforcement at any time without the need for a warrant.

      The last privacy breach for a U.K. ISP that springs to mind is the TalkTalk cyber security fail of ~ 5 years ago. In contrast, I can think of multiple privacy failings of US tech companies from this year alone, so let’s get some context to any criticism of the UK industry!

  2. Avatar photo Laurence "GreenReaper" Parry says:

    If your concern is the first mile, which is a valid concern, this is good news.

    If you’re concerned about snooping by your ISP on behalf of your government, which the UK government has made very clear it uses, this is just another sign that you need to select a DNS provider outside of their jurisdiction, rather than rely on your browser defaults.

    1. Avatar photo 125us says:

      I’m curious – what do you think that would achieve?

  3. Avatar photo Frank Duffy says:

    As a long time low broadband speed customer I would much prefer BT, or Openreach since they tend to change name depending on whether it’s a good news/bad news day, give customers like myself a useable product. For over 8 years they have been promising faster speeds. If anything the service is poorer, and much dearer!

    1. Avatar photo Stephen Wakeman says:

      Which, whilst no doubt a valid issue in and of itself to you, bears about as much relevance to this news article as an announcement of a new Pukka Pie filling.

  4. Avatar photo Col says:

    If this is about censorship and control, I’ll stick to my own protection systems thanks very much.

    1. Avatar photo Andrew Campling says:

      @Col
      The challenge that you may find with DoH is that any application can decide to use its own resolver, may not seek your agreement to do so or even inform you of this. So you could find that some applications bypass your protection systems without warning and in a way that is very difficult for you to either detect or block. Some malware is already doing this, no doubt some badly behaved apps are too.

  5. Avatar photo Michael Bowden says:

    Crap internet

  6. Avatar photo beany says:

    Makes no sense…
    “Despite this BT does state that their DoH solution “should support any existing BT customer parental control and/or web protect settings”

    If you were encrypting DNS requests you would not know what is being requested and your save the children filter would not work. Yet this statement would imply they still know if little billy has typed in biggygigglyboobies.com into his browser or not.

    Me thinks this is BTs way to still have control… Pretend they care about your privacy but in reality BAH.

    1. Avatar photo Andrew Campling says:

      The DNS is encrypted between the user and resolver, which in this case is BT. The privacy here is from any “man in the middle” attackers.

      The advantage of a U.K. ISP doing this is that user data is still covered by GDPR, and also any ISP-provided malware protection and/or parental controls should still work if integrated with the DoH resolver.

    2. Avatar photo beany says:

      “The DNS is encrypted between the user and resolver, which in this case is BT. The privacy here is from any “man in the middle” attackers.”

      and again if the request is encrypted how does the resolver (IE BT) know if little billy has typed in biggygigglyboobies.com before it sends him to that site?

      Either that is a plain unencrypted request to the DNS or it is encrypted and looks different each time.

      Info with regards to DoH and HTTPS protocol is to encrypt the data between the DoH client and the DoH-based DNS resolver.

      Either the DoH client (IE BTs customer and its browser configured to BTs DNS) is sending encrypted data or it is not?

      The second stage the resolver is either directly taking that encrypted request (if it is even encrypted properly to begin with) and then resolving to biggygigglyboobies.com or it is not.

      If it is not then the request is being intercepted before the DoH DNS is parsing the encrypted request. Comparing it to a “safe” list (Like their DNS currently does) and then is saying NO to little billys request.

      The man in the “man in the middle” attackers, as you put it, to the DoH request, if it is not being directly parsed but examined first, appears to be BT.

    3. Avatar photo Andrew Campling says:

      @beany
      You appear to have misunderstood how this works.

      If you select BT as the provider of your DoH resolver, as would be the case here, then your DNS request is encrypted at your device and then decrypted by the BT resolver. That is how DoH is meant to work.

      The encryption ensures that the DNS request is not observed by a third party as it is transmitted from your device to the BT resolver; obviously the BT resolver has to decrypt your DNS request in order to provide your device with the relevant IP address. If you have selected parental controls or malware filtering then this will still work as it should using the now decrypted DNS request. Again, this is not a problem as this has been selected by you in this example and is part of the resolver functionality.

      So no conspiracy, no man in the middle attack from BT in this example.

    4. Avatar photo Go away says:

      NO he is right. YES the DNS resolver decodes/decrypts the request. However, it should then proceed to deliver the request which was made by the user.

      If the resolver is taking an encrypted request, decrypting it, passing the decrypted result to another system or part of the same system to first check it against a naughty list of sites, then the encryption in the first place is pointless as any action done with it is at the mercy of a system that intercepts and looks at the decrypted request first.

      That is NOT the way DoH is supposed to work.

    5. Avatar photo Andrew Campling says:

      @Go Away
      I think that you’re confusing how you’d like DNS queries to be handled with the way that the DoH protocol works. Whilst I accept that some people would like every DNS query answered, there is no requirement to do this using DoH (or DoT or Do53), nor is there any guarantee, even if an answer is provided by the resolver to every query, that it is accurate unless you also implement DNSSEC.

      In this case, if you don’t want parental controls or malware filtering then don’t enable these options, they are not mandatory. Or use a resolver that doesn’t offer such choices if this is user-configurable in a given application. That said, it baffles me why anyone would insist on getting a DNS response to a known malware site but that is up to you. By the way, I do acknowledge that there are some at the IETF that would share your rejection of any filtering as I spoke to a number with that view at the last meeting in Singapore, however there are plenty that would disagree too.

      To be clear though, your preferred way of DNS working is not the only way, or even the “correct” way, to implement DoH, it is simply your preference and nothing more.

  7. Avatar photo Martin Ross says:

    If you change the DNS settings on your phone, tablet or laptop you may have trouble connecting to Wi-Fi in hotels and cages. This is because the hotel can redirect any page request to the hotel wifi login page if you leave your DNS on auto.

    1. Avatar photo Andrew Campling says:

      @Martin
      Cages?! Cafés perhaps? 🙂

  8. Avatar photo Twaddle Expert says:

    Have tried this out, DNS address now ‘leaked’ when using VPN (all traffic being routed through BT’s DNS), so BT would be able to see what any VPN user was doing when online. As a Firefox user, reset network.trr back to 5 and removed BT string – leak is stopped.

    So, if privacy matters to you then avoid this.

    1. Avatar photo Andrew Campling says:

      @Twaddle Expert
      Not all VPNs are successful in routing all DNS traffic through the VPN itself so you would be well advised to check your VPN software – it might not be configured correctly or your VPN provider might not even offer a DNS service. For example, I know that NordVPN claims to provide a secure DNS service through its VPN, however that’s certainly not true of all VPN software.

      I’m assuming that your setup would leak DNS addresses with any DoH resolver, not just the BT one, as there’s nothing unusual about the operation of BT’s DoH resolver – other than perhaps the TLS session length is shorter than with some, which is a good thing. I think that you need to check with your VPN provider to confirm that it supports DNS over its VPN and, if so, to review your configuration settings.

      Of course DoH is not really a foolproof privacy option anyway. If you really want to ensure a private browsing experience then use a purpose-designed tool like the Tor Browser, noting of course that even with this privacy is not 100% guaranteed.
