DNS Encryption is Inevitable: The Government Must Embrace It

A new report co-authored by me and published yesterday by the Open Rights Group delves into the topic of encrypted DNS services and concludes that, despite recent concern from politicians, encrypted DNS is not a set of concerning anti-censorship proposals ‘in the making’. Encrypted DNS revolves around fully-fledged standards already implemented by a number of devices and services, is already seeing widespread adoption from the tech industry, and provides notable benefits to user privacy.
The issue of DNS encryption has been raised in Parliament multiple times recently, including questions about its potential impact on content blocking by ISPs and the Internet Watch Foundation. Concerns about the impact of encrypted DNS services on the effectiveness of age verification have also been raised on multiple occasions.
Does the Secretary of State agree that online companies are outsmarting the Government, and that we urgently need to know how the Government plan to catch up?
– Cat Smith MP (House of Commons discussion, 20 June 2019)
In a nutshell, most of the concern expressed about encrypted DNS is that it will lead to increased difficulty in policing internet content and filtering websites. According to an April 2019 report in The Times, the technologies “will make it harder to block harmful material, including child-abuse images and terrorist propaganda”.
Encrypted DNS generally involves one of two similar standards: DNS-over-HTTPS (DoH), or DNS-over-TLS (DoT). For whatever reason, most political discussion seems to only make reference to DoH, even though DoT is the older and more mature of the two standards (and has already been available in Android since 2018).
At a simple level, both standards work to encrypt Domain Name System (DNS) queries issued by a user or a user’s device so that they cannot be read or modified in transit between the user’s hardware and the DNS server which responds to the query. DNS queries are used to translate human-readable web addresses (such as alexhaydock.co.uk) into machine-readable IP addresses (such as 203.0.113.159). Traditional DNS services do not offer encryption, meaning that for the majority of internet users records about the websites they visit are available to anyone with the ability to eavesdrop on their connection. Attackers could also choose to maliciously modify the replies provided by a user’s DNS server to send a user’s traffic to a malicious destination.
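To make the "same query, different transport" point concrete, here is an added example (not code from the post or the Open Rights Group report) that builds a plain DNS query for alexhaydock.co.uk in wire format, shows how DoH (RFC 8484) carries that exact message as a base64url `dns=` parameter over HTTPS and how DoT (RFC 7858) carries it with a two-byte length prefix over TLS, and then parses a constructed resolver response back to 203.0.113.159. The resolver URL and the response bytes are constructed sample values; nothing here touches the network.

```python
import base64
import struct
from typing import List, Tuple

# Sample values reused from the post's explanation (constructed for this example).
SAMPLE_NAME = "alexhaydock.co.uk"
SAMPLE_ADDR = "203.0.113.159"
SAMPLE_RESOLVER_URL = "https://doh.resolver.example/dns-query"  # placeholder, not a real resolver


def encode_name(name: str) -> bytes:
    """Encode a domain name in DNS wire format: length-prefixed labels, zero terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("each label must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txn_id: int = 0) -> bytes:
    """Standard recursive A-record query. RFC 8484 recommends ID 0 so identical
    queries produce identical HTTP messages and can be cached."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    question = encode_name(name) + struct.pack("!HH", 1, 1)     # QTYPE=A, QCLASS=IN
    return header + question


def doh_get_url(query: bytes, resolver_url: str) -> str:
    """DoH GET form: the wire-format message, base64url without padding, in ?dns=."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={b64}"


def dot_frame(query: bytes) -> bytes:
    """DoT framing: the same message on a TLS stream (port 853), prefixed by its length."""
    return struct.pack("!H", len(query)) + query


def parse_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a name at offset, following RFC 1035 compression pointers.
    Returns the name and the offset just past it in the original position."""
    labels: List[str] = []
    jumped = False
    end = offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # 2-byte pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_a_answers(msg: bytes) -> List[Tuple[str, str]]:
    """Return (name, IPv4) pairs from the answer section; raise on a non-zero RCODE."""
    _txn, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError(f"resolver returned RCODE {flags & 0xF}")
    offset = 12
    for _ in range(qd):                                # skip the echoed question(s)
        _, offset = parse_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = parse_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append((name, ".".join(str(b) for b in rdata)))
    return answers


def build_sample_response(query: bytes, addr: str, rcode: int = 0) -> bytes:
    """Constructed reply a resolver might send: echoes the question and, when rcode is 0,
    adds one A record whose name is a compression pointer (0xC00C) to the question."""
    flags = 0x8180 | (rcode & 0xF)                     # QR=1, RD=1, RA=1, RCODE
    an = 0 if rcode else 1
    header = struct.pack("!HHHHHH", 0, flags, 1, an, 0, 0)
    question = query[12:]
    if rcode:
        return header + question
    rdata = bytes(int(o) for o in addr.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return header + question + answer


if __name__ == "__main__":
    q = build_query(SAMPLE_NAME)
    print("DoH GET:", doh_get_url(q, SAMPLE_RESOLVER_URL))
    print("DoT bytes on the wire:", dot_frame(q).hex())
    print("Parsed answer:", parse_a_answers(build_sample_response(q, SAMPLE_ADDR)))
```

The point the code makes is that neither standard invents a new query language: an eavesdropper on a DoH or DoT connection sees only TLS records, while the resolver decodes exactly the bytes a plaintext UDP resolver would have received.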
In recent years there has been a drastic shift towards fully encrypted web services. Modern web browsers now even mark pages which do not use HTTPS as “Not Secure”. Many of the core standards underpinning the modern internet are still relatively unchanged since their development decades ago – before security was a major concern. Over the years, most of these have been augmented to haphazardly staple on enough security features to remain relevant in the modern era. Until now, DNS was one of the few core internet standards which had yet to be viably updated for the modern encrypted world.
There are a great number of stakeholders who have already indicated their support, or intent to add support, for DoH and DoT:
- Android - Supports DoT natively as of Android 9, and DoH via Cloudflare App.
- Apple iOS - Supports DoT and DoH via Cloudflare App.
- Cloudflare DNS - Supports DoH and DoT.
- Google Chrome - Currently testing DoH.
- Google Public DNS - Supports DoH and DoT.
- IIJ (Japanese ISP) - Currently testing DoH.
- Mozilla Firefox - Supports DoH natively, and plans to roll out for all users.
- Quad9 DNS - Supports DoH and DoT.
It’s worth noting that, since the function of a DNS server is to translate web addresses into the corresponding IP addresses required by internet-connected devices, it is possible to create DNS services which provide encryption and also offer filtering for those who expressly wish to use it (such as parents, schools, or public Wi-Fi operators). This allows users to gain the privacy and security benefits of encrypted DNS without sacrificing the ability to filter out unwanted domains. This recommendation, along with many others, is discussed at length in the full report linked below.
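The opt-in filtering resolver described above is mostly a policy decision made at the resolver before a query is answered. As an added illustration (not code from the post or the report), the block below shows the decision logic such a resolver would apply: clients who have turned filtering on get blocklist matching, everyone else is resolved normally, and matching is done on label boundaries so that a blocked name covers its subdomains without accidentally catching unrelated names that merely end in the same characters. The blocklist, client identifiers and opt-in table are constructed sample data; how a real service identifies a client (a per-profile DoH path, a DoT authentication token, an account) is an assumption left out here.

```python
from typing import Dict, Set, Tuple

# Constructed sample blocklist, stored lowercased without a trailing dot.
BLOCKED_NAMES: Set[str] = {"ads.example", "tracker.example.net"}

# Constructed opt-in table: which clients asked for filtering. A real resolver
# would key this on whatever identifies the profile (assumption, see lead-in).
FILTER_OPT_IN: Dict[str, bool] = {"household-a": True, "guest": False}


def normalise(name: str) -> str:
    """Canonical form for comparison: case-insensitive, no trailing dot."""
    return name.rstrip(".").lower()


def is_blocked(name: str, blocked: Set[str] = BLOCKED_NAMES) -> bool:
    """True if name equals, or is a subdomain of, any blocked name.
    Walks the label suffixes so 'www.ads.example' matches 'ads.example'
    while 'notads.example' does not."""
    labels = normalise(name).split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def resolve_decision(client_id: str, name: str) -> Tuple[str, str]:
    """Return (action, reason): 'forward' resolves normally, 'refuse' answers locally
    (e.g. NXDOMAIN) so the name is never sent upstream for a filtered client."""
    if not FILTER_OPT_IN.get(client_id, False):
        return ("forward", "filtering not enabled for this client")
    if is_blocked(name):
        return ("refuse", f"{normalise(name)} matches the opt-in blocklist")
    return ("forward", "not on blocklist")


if __name__ == "__main__":
    for client, qname in [("household-a", "www.ads.example"),
                          ("household-a", "notads.example"),
                          ("guest", "www.ads.example")]:
        print(client, qname, "->", resolve_decision(client, qname))
```

Because the decision is made by the resolver the user chose and opted into, it coexists with DoH or DoT: the transport still hides the query from everyone between the device and that resolver.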
The march of encryption for core web standards is inevitable. The Government must recognise the level of interest that encrypted DNS is receiving from the tech industry. The pursuit of user privacy is a central interest of many internet stakeholders, and the collective interest in encrypting all of the core technologies underpinning the internet will not go away, regardless of any battles the Government may mount against DoH or DoT. Instead of fruitlessly trying to cling to broad and ineffective domain filtering powers, the Government must work with stakeholders to embrace DoH and DoT as an opportunity to provide user privacy whilst also enabling optional content filtering for those who expressly want it.
More detail on all of the above, including the Open Rights Group’s full recommendations, can be found in the full report here.