Broadband ISP BT Experiments with Own DoH – DNS over HTTPS

Monday, December 9th, 2019 (7:57 am) - Score 17,654

UK ISP BT has become the first of the major broadband providers to trial its own DNS over HTTPS resolver, which encrypts Domain Name System (DNS) requests (i.e. the lookups that turn human readable domains like ISPreview.co.uk into IP addresses and back again) in order to make the process more secure.

Over the past few months DNS over HTTPS (DoH), as well as DNS over TLS (DoT), have been in the news quite a lot (here, here and here). On the one hand, DoH is about protecting user privacy and making internet connections more secure (much like HTTPS has done by encrypting your connection to websites), which is something that many in the wider internet community praise.

On the other hand, big ISPs (which run their own, usually unencrypted, DNS servers) and politicians are concerned that large third-party deployments of DoH, such as via popular web browsers like Chrome (Google) or Firefox (Mozilla), could move such requests off their networks and so disrupt their ability to censor (website blocking), track, and control various internet / account services (parental controls, optimising content delivery networks etc.).

NOTE: It’s always been possible for people to optionally use a different DNS provider from the one deployed by your ISP (Google Public DNS, OpenDNS etc.), but enabling DoH by default on a browser is a much bigger step.

One way for ISPs to tackle such concerns is to adopt their own DoH solutions, partly because some of the major browsers will fall back to the provider’s own DNS if they detect an approved DoH solution. However, adapting DoH so that it works as expected, while also allowing the ISP to perform all of its usual DNS related features (website filtering, account controls etc.), is still a complicated problem to overcome.

As such it’s significant that BT, which has spent a long time examining this issue, has just begun its first “experimental DoH trial” (credit to Andrew Campling for spotting it). The experiment was announced at the ISPA’s DoH Policy Conference on Friday, which was sponsored by Open-Xchange and BT Group and featured speakers from BT, Mozilla, Cloudflare, Google, Open-Xchange, Sky, Article 19, Comcast, Farsight Security and ETNO.

BT Trial statement

BT are currently investigating roadmap options to uplift our broadband DNS platform to support improvements in DNS security – DNSSEC, DNS over TLS (DoT) and DNS over HTTPS (DoH). To aid this activity, and in particular to gain operational deployment insights, we have enabled an experimental DoH trial capability.

We are initially experimenting with an open resolver, but our plan is to move to a closed resolver only available to BT customers.

The BT DoH trial recursive resolver can be reached at:

https://doh.bt.com/dns-query/

The following test page can be used to confirm successful use of BT DoH and is only resolvable via the BT DoH servers:

http://splashpage.doh.bt.com

The provider stresses that this is “not [yet] an official service in any way” and remains “purely experimental,” so there could be issues with performance, bugs and connectivity. Likewise BT could take it out of service at any time, so if you’re a BT broadband customer then feel free to play with it or give feedback to the operator, but remember that this is only an early experiment.

Despite this, BT does state that its DoH solution “should support any existing BT customer parental control and/or web protect settings, however if you are testing the capability on family devices we would recommend that you check that parental controls are still applied.” As usual, BT says that personal data will be processed in accordance with its privacy policy.

Naturally, ISPs that don’t need to filter, manipulate or snoop on DNS traffic will find it much easier to establish their own DoH solution, much as AAISP (Andrews and Arnold) recently did (here). Otherwise, today’s news is a positive development for BT and one that may be an early indicator of a future in which DoH is widely adopted by the major ISPs.

19 Responses
  1. NE555

    I don’t see any benefit. If you are a BT customer, you are only protecting the DNS traffic along the “first mile”. Critically, your data is still being decrypted and processed by BT’s own servers.

    BT have a particularly bad track record in this area: read up about their extensive partnership with Phorm (thankfully now defunct).

    • Andrew Campling

      @NE555
      That’s a defunct trial from a decade ago, a lot has happened in the industry since then! Critically for anyone in Europe, our ISPs (and other local resolvers) are covered by GDPR and ePrivacy regulations. For services offered by US tech companies you’re mainly reliant on voluntary privacy policies that are subject to change and can be overruled by US law enforcement at any time without the need for a warrant.

      The last privacy breach for a U.K. ISP that springs to mind is the TalkTalk cyber security fail of ~ 5 years ago. In contrast, I can think of multiple privacy failings of US tech companies from this year alone, so let’s get some context to any criticism of the UK industry!

  2. Laurence "GreenReaper" Parry

    If your concern is the first mile, which is a valid concern, this is good news.

    If you’re concerned about snooping by your ISP on behalf of your government, which the UK government has made very clear it uses, this is just another sign that you need to select a DNS provider outside of their jurisdiction, rather than rely on your browser defaults.

  3. Frank Duffy

    As a long-time low broadband speed customer I would much prefer BT, or Openreach (since they tend to change name depending on whether it’s a good news/bad news day), to give customers like myself a usable product. For over 8 years they have been promising faster speeds. If anything the service is poorer, and much dearer!

    • Stephen Wakeman

      Which, whilst no doubt a valid issue in and of itself to you, bears about as much relevance to this news article as an announcement of a new Pukka Pie filling.

  4. Col

    If this is about censorship and control, I’ll stick to my own protection systems thanks very much.

    • Andrew Campling

      @Col
      The challenge that you may find with DoH is that any application can decide to use its own resolver, may not seek your agreement to do so or even inform you of this. So you could find that some applications bypass your protection systems without warning and in a way that is very difficult for you to either detect or block. Some malware is already doing this, no doubt some badly behaved apps are too.

  5. Michael Bowden

    Crap internet

  6. beany

    Makes no sense…
    “Despite this BT does state that their DoH solution ‘should support any existing BT customer parental control and/or web protect settings’”

    If you were encrypting DNS requests you would not know what is being requested and your save-the-children filter would not work. Yet this statement would imply they still know if little billy has typed biggygigglyboobies.com into his browser or not.

    Methinks this is BT’s way to still have control… Pretend they care about your privacy but in reality BAH.

    • Andrew Campling

      The DNS is encrypted between the user and resolver, which in this case is BT. The privacy here is from any “man in the middle” attackers.

      The advantage of a U.K. ISP doing this is that user data is still covered by GDPR, and also any ISP-provided malware protection and/or parental controls should still work if integrated with the DoH resolver.

    • beany

      “The DNS is encrypted between the user and resolver, which in this case is BT. The privacy here is from any “man in the middle” attackers.”

      And again, if the request is encrypted, how does the resolver (i.e. BT) know if little billy has typed biggygigglyboobies.com before it sends him to that site?

      Either that is a plain unencrypted request to the DNS or it is encrypted and looks different each time.

      The info with regard to DoH and the HTTPS protocol is that it encrypts the data between the DoH client and the DoH-based DNS resolver.

      Either the DoH client (i.e. BT’s customer and their browser configured to BT’s DNS) is sending encrypted data or it is not?

      In the second stage, the resolver is either directly taking that encrypted request (if it is even encrypted properly to begin with) and then resolving to biggygigglyboobies.com, or it is not.

      If it is not, then the request is being intercepted before the DoH DNS parses the encrypted request, comparing it to a “safe” list (like their DNS currently does) and then saying NO to little billy’s request.

      The man in the “man in the middle” attackers, as you put it, to the DoH request, if it is not being directly parsed but examined first, appears to be BT.

    • Andrew Campling

      @beany
      You appear to have misunderstood how this works.

      If you select BT as the provider of your DoH resolver, as would be the case here, then your DNS request is encrypted at your device and then decrypted by the BT resolver. That is how DoH is meant to work.

      The encryption ensures that the DNS request is not observed by a third party as it is transmitted from your device to the BT resolver; obviously the BT resolver has to decrypt your DNS request in order to provide your device with the relevant IP address. If you have selected parental controls or malware filtering then this will still work as it should using the now decrypted DNS request. Again, this is not a problem as this has been selected by you in this example and is part of the resolver functionality.

      So no conspiracy, no man in the middle attack from BT in this example.

    • Go away

      NO he is right. YES the DNS resolver decodes/decrypts the request. However, it should then proceed to deliver the request which was made by the user.

      If the resolver is taking an encrypted request, decrypting it, and passing the decrypted result to another system or part of the same system to first check it against a naughty list of sites, then the encryption in the first place is pointless, as any action done with it is at the mercy of a system that intercepts and looks at the decrypted request first.

      That is NOT the way DoH is supposed to work.

    • Andrew Campling

      @Go Away
      I think that you’re confusing how you’d like DNS queries to be handled with the way that the DoH protocol works. Whilst I accept that some people would like every DNS query answered, there is no requirement to do this using DoH (or DoT or Do53), nor is there any guarantee, even if an answer is provided by the resolver to every query, that it is accurate unless you also implement DNSSEC.

      In this case, if you don’t want parental controls or malware filtering then don’t enable these options; they are not mandatory. Or use a resolver that doesn’t offer such choices, if this is user-configurable in a given application. That said, it baffles me why anyone would insist on getting a DNS response to a known malware site, but that is up to you. By the way, I do acknowledge that there are some at the IETF that would share your rejection of any filtering, as I spoke to a number with that view at the last meeting in Singapore; however, there are plenty that would disagree too.

      To be clear though, your preferred way of DNS working is not the only way, or even the “correct” way, to implement DoH, it is simply your preference and nothing more.

  7. Martin Ross

    If you change the DNS settings on your phone, tablet or laptop you may have trouble connecting to Wi-Fi in hotels and cafes. This is because the hotel can redirect any page request to the hotel Wi-Fi login page if you leave your DNS on auto.

  8. Twaddle Expert

    Have tried this out, DNS address now ‘leaked’ when using VPN (all traffic being routed through BT’s DNS), so BT would be able to see what any VPN user was doing when online. As a Firefox user, reset network.trr back to 5 and removed BT string – leak is stopped.

    So, if privacy matters to you then avoid this.

    • Andrew Campling

      @Twaddle Expert
      Not all VPNs are successful in routing all DNS traffic through the VPN itself, so you would be well advised to check your VPN software – it might not be configured correctly, or your VPN provider might not even offer a DNS service. For example, I know that NordVPN claims to provide a secure DNS service through its VPN; however, that’s certainly not true of all VPN software.

      I’m assuming that your setup would leak DNS addresses with any DoH resolver, not just the BT one, as there’s nothing unusual about the operation of BT’s DoH resolver – other than perhaps the TLS session length is shorter than with some, which is a good thing. I think that you need to check with your VPN provider to confirm that it supports DNS over its VPN and, if so, to review your configuration settings.

      Of course DoH is not really a foolproof privacy option anyway. If you really want to ensure a private browsing experience then use a purpose-designed tool like the Tor Browser, noting of course that even with this, privacy is not 100% guaranteed.
