As more and more websites turn on HTTPS and online communications rely on cryptographic protocols such as Transport Layer Security, the Internet is increasingly more encrypted. Except for one significant part: the Domain Name System.
DNS acts as the phonebook for the Internet and translates human-readable domain names to the actual address of the machine (numeric string for IPv4, alpha-numeric for IPv6) hosting the content or application the user is interested in. Since DNS queries are typically sent in plaintext via UDP or TCP, the entity operating the DNS server can see all the requests—essentially, the entirety of the user’s online activity. For many users and organizations, the internet service provider provides DNS, which means the ISP can monitor what websites the user visited, when the visits occurred, and what device was used.
Encrypting DNS traffic would make this kind of web surveillance harder because ISPs and other DNS providers won't be able to see what users are doing online. A number of technology companies have been working on alternatives to sending DNS queries over UDP and TCP. DNS over HTTPS, based on the Internet Engineering Task Force’s RFC 848 standard adopted last October, is perhaps the most well-known. Another is DNS over TLS.
There are several options for DNS over HTTPS, including Cloudflare with its 184.108.40.206 service, and non-profit Quad9's 220.127.116.11 service. Cisco's OpenDNS offers encrypted DNS and Mozilla has been working on its own efforts for Firefox. This week, Google announced general availability of DNS over HTTPS for its own public DNS service on 18.104.22.168.
“Today we are announcing general availability for our standard DoH service. Now our users can resolve DNS using DoH at the dns.google domain with the same anycast addresses (like 22.214.171.124) as regular DNS service, with lower latency from our edge PoPs throughout the world,” wrote Google product manager Marshall Vale and security engineer Alexander Dupuy.
Right now, if governments want to see where users are going online, they can demand to see the ISP’s records. In fact, in the United Kingdom, ISPs are required to track all the sites citizens visited for the previous 12 months under the 2016 Investigatory Powers Act (IPA). ISPs are also allowed to share the data with third-parties for content filtering and advertising purposes. Using public DNS services such as the one provided by Google (126.96.36.199) meant bypassing the ISPs, but it meant giving the data-hungry search giant access to all of the DNS requests.
Encrypted DNS queries just cuts out the ISP, or attackers lurking on the network. The DNS provider (say, Google or Cloudflare) still can see the DNS query, so there is a tradeoff on who gets to see the user's entire browing history. Cloudflare, to its credit, has pledged to keep only 24 hours worth of DNS queries, to keep the amount of data being collected low.
Along with boosting user privacy, DNS over HTTPS will reduce the threat of man-in-the-middle attacks against DNS infrastructure via DNS Spoofing, DNS Hijacking, and DNS Poisoning. By transmitting DNS queries through an encrypted HTTPS tunnel would prevent anyone from hijacking DNS queries to redirect users to some other site.