Redmond giant Microsoft has joined Google and Mozilla in support of DNS over HTTPS (DoH), promising upcoming integration of DoH into Windows 10.
The move in theory raises security levels for all internet users by encrypting DNS requests that would otherwise travel in plaintext. Leaving DNS queries unencrypted allows ISPs to monitor customers' traffic and enables malicious actors to hijack, read and redirect browser traffic. However, enterprise DNS filters also rely on this visibility to restrict access to malicious and unwanted content from within their networks.
In addition, some industry bodies have argued that DoH centralises power in a few large corporates. Microsoft rebutted this in a blog post: "There is an assumption by many that DNS encryption requires DNS centralisation. This is only true if encrypted DNS adoption isn’t universal," Microsoft said. "To keep the DNS decentralised, it will be important for client operating systems (such as Windows) and Internet service providers alike to widely adopt encrypted DNS."
Paul Gagliardi, senior director of threat intelligence and security operations at SecurityScorecard, told SC Media UK that the knock-on effects could be considerable: "Ultimately, content (DNS in this case) cannot be secured/monitored without having the ability to observe it. Just as companies/organisations inspect their HTTPS traffic, the same needs to happen with encrypted DNS/DoH. Decrypting DoH would be the exact same mechanism as observing HTTPS traffic, using a Man in the Middle proxy to decrypt traffic on the fly and implement security mechanisms. There is no shortage of commercial solutions for this, however, things get more complicated in 'Bring Your Own Device' environments.
DoH forces the privacy vs security defence debate to be more localised. A company or organisation can balance those decisions in their network differently than a private individual. Unfortunately for those organisations/companies, the ability to censor traffic is now more technical and requires more investment on their part."
Microsoft was keen to emphasise that any changes made would not impact on content filtering tools, stating that DNS server configurations will not be changed. "Many people use ISP or public DNS content filtering to do things like block offensive websites. Silently changing the DNS servers trusted to do Windows resolutions could inadvertently bypass these controls and frustrate our users. We believe device administrators have the right to control where their DNS traffic goes."
However, Peter Draper, technical director EMEA at Gurucul, believes that visibility will be an issue if DoH becomes widely implemented: "For users concerned about their privacy, this is a good thing. However, many organisations rely on the DNS request data to monitor, identify and control users' access. This is especially true for enterprise users. The widespread deployment of DoH will cause visibility issues for many organisations."
ISPs are particularly unimpressed with the strengthening support for DoH, with the UK’s Internet Services Providers Association (ISPA) being forced to withdraw the Internet Villain category at its recent awards after nominating Mozilla over DoH. The ISPA originally claimed that the scheme was a way to "bypass UK filtering obligations and parental controls, undermining internet safety standards in the UK", but pulled the somewhat tongue-in-cheek category entirely after a sizeable backlash.