DNS over HTTPS (DoH) – A Possible Replacement for VPN?
Quote:

Should DNS over HTTPS become the golden standard?

The Cambridge Analytica scandal may be old news, but it has far-reaching implications: Internet users grew more concerned about their online visibility, and website owners were compelled to disclose their data-collection practices. We can state for a fact that some good came out of it, although the sheer amount of paperwork can be a powerful demotivator for someone with a sound business idea.

Since we’re on the topic of privacy, it would appear that we may have another Cambridge Analytica in the making. There’s been a lot of buzz around the implementation of DoH (DNS over HTTPS), a somewhat new encrypted communication protocol that should, theoretically, uphold privacy.

As one of my colleagues pointed out, DNS over HTTPS is poised to become the next “golden standard”, since it has achieved “an unprecedented default level of privacy and data protection”. DoH does have its merit. In the traditional DNS model, the user queries the domain name system for the numerical IP address associated with a specific website.

In turn, the DNS returns the address, allowing the user to view the requested web content. That’s, more or less, how web-surfing works. The major caveat of this protocol is that the DNS lookups are not encrypted. In essence, each time you try to connect to a website, the endpoint sends the name you are looking up, in plaintext, to the ISP’s resolver. Of course, your Internet Service Provider is blind to what you’re doing on that website, but it can still ‘see’ and even log your request(s).

That’s a pain-point right there, and Google, Mozilla et al. have done a bang-up job speculating on the market’s ‘needs.’ The push for DNS over HTTPS is at its peak, with browsers now allowing users to enable the protocol. Despite its limited effectiveness against MitM (man-in-the-middle) attacks, it would appear that early adoption could, allegedly, paint a gigantic bullseye on users’ backs.

Back in October, ZDNet pointed out that the premature adoption of DoH will not only wreak havoc in the enterprise/SMB/startup sector but could, presumably, give malicious hackers the upper hand. I’ll cover all these points throughout the article.

Since the topic du jour revolves around privacy/data protection, or the lack thereof, here’s an interesting dilemma: should DNS over HTTPS replace VPNs, or should the two work together? Should we completely forget about VPNs and stick with this new and ‘wobbly’ technology?

B2B – What does a VPN do?

In trying to figure out whether DoH can replace a VPN, I find myself compelled to go on a little B2B (back-to-basics) trip. So, bear with me on this one.

Now, consider the way your endpoint (i.e. smartphone, tablet, PC, Mac) connects to the Internet. Let’s say that you want to search YouTube for the latest Witcher trailer. In order to do that, you will need to get out ‘into the wild’ and ask your ISP’s DNS resolver for YouTube’s numerical IP address.

Once the server finds the right address, you will be able to go to that place on the Internet where YT resides (here be dragons!). At a glance, the mechanism itself appears to be straightforward and secure. However, do bear in mind that the communication goes both ways (endpoint to ISP and ISP to the Internet), and, to our very misfortune, both are unsecured.

The time-honored solution to this is the VPN. What the VPN does is that it interposes a VPN client and VPN server between the querying machine, ISP, and the Internet. Breaking it down even further, it should look, more or less, like this: endpoint wants to end up on Wikipedia.

The request is sent in unencrypted form to the VPN client. The client encrypts the packets containing the request and pipes them through the ISP. In turn, the ISP forwards the encrypted packets to the VPN server, which communicates with the Internet on your behalf. Basically, the ISP sees only encrypted traffic to the VPN server and is oblivious to your DNS queries and destinations.

So, that’s how a VPN works. Next, let’s take a closer look at DNS over HTTPS.

B2B Part 2 – How does DNS over HTTPS work?

DNS over HTTPS – the crux of this article. It may as well be the best thing that happened to privacy ever since GDPR was enforced, but I seriously have my doubts about that statement. More on that a bit later.

As I’ve mentioned, DoH is or was supposed to be the golden standard of data privacy and protection. The idea behind DNS over HTTPS was to prevent everyone (ISP, Government, secret services, hackers) from peeking at your traffic. It’s more than that; up until now, DNS queries were made in plaintext.

Remember the golden rule of password-making? Never leave them in plaintext, which can mean anything from writing them down in a notepad document to keeping them in network logs on your machine.

Basically, this is what happens in the traditional DNS model: plaintext DNS queries can be captured and reviewed by any party that relays or resolves them. Thus the need for a more secure solution. Enter DNS over HTTPS, which was specifically engineered to deal with this particular issue. Should it become the norm? Perhaps, but not in its current state.

Competing with DoH is DNS over TLS (DoT), another encrypted-DNS protocol, which uses a dedicated port. While some sysadmins argue that neither of them solves the issue, they are inclined to choose the ‘lesser evil’, which, in this case, is DNS over TLS. Why is that?

As I’ve mentioned, DNS over TLS uses a dedicated port (TCP 853), whereas DoH uses port 443, the standard port for HTTPS traffic. So, why is this important? Traffic to port 853, albeit encrypted, can still be identified as DNS at the network level and blocked or logged as such. And, in some countries, such as the United States, DNS over TLS connections can raise some suspicions regarding your online activity.

Moving on to more pressing matters: DNS over HTTPS hides DNS queries inside ordinary HTTPS streams. DoT (DNS over TLS) does not. That’s not even the main issue. The endorsement of DoH means that we will need to change the way we look at the entire network infrastructure.

In order to make this happen, ISPs will need to deploy DoH resolvers (DNS servers capable of answering DoH queries). Evidently, the existing architecture would have to undergo a rather radical makeover. And that translates into more money, time, and energy, which, in the end, may be wasted on a solution that adds more to the problem than it solves.

It all boils down to this – encrypted DNS comm should be an industry standard, but neither DoH nor DoT are the answers.

DoH vs DoT vs VPN

The entire debate revolves around privacy vs. security – are you willing to let your guard down, even for a brief moment, to ensure that no one can spy on you? If we were to remove the context and ask the same question, the answer would be a staunch ‘no’. However, given what we know so far, it’s very difficult to predict the outcome, let alone make a decision that could ultimately tear down that modicum of privacy we thought we had.
...
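As an added example (not from the Heimdal article or the forum poster), the following Python script makes concrete the points from the “How does DNS over HTTPS work?” section above: it builds the same DNS question three times and shows what an on-path observer recovers from plaintext UDP/53 (the full name), from DoT on TCP/853 (nothing but the fact that it is DNS), and from DoH on TCP/443 (nothing distinguishable from ordinary web traffic). It also produces the RFC 8484 GET and POST forms of the query that only the DoH resolver sees. The resolver URL is a placeholder, the observer model is a deliberate simplification, and nothing is sent on the network.

```python
"""Added example: plaintext DNS vs DoT vs DoH from the observer's point of view.
Not code from the article. All data is constructed inline; nothing is transmitted."""
import base64
import struct


def build_query(qname: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Build a minimal RFC 1035 wire-format query: 12-byte header, one question.
    Flags 0x0100 = recursion desired; qtype 1 = A record; class 1 = IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_qname(payload: bytes) -> str:
    """What a passive sniffer on UDP/53 does: walk the length-prefixed labels
    that follow the 12-byte header and reassemble the queried name."""
    pos, labels = 12, []
    while True:
        length = payload[pos]
        if length == 0:
            break
        if length & 0xC0:  # compression pointers never appear in a client's question
            raise ValueError("unexpected compression pointer in question section")
        labels.append(payload[pos + 1 : pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)


def doh_get_url(query: bytes, resolver_url: str = "https://doh.example/dns-query") -> str:
    """RFC 8484 GET form: the wire-format message, base64url-encoded with padding
    stripped, in the 'dns' query parameter. RFC 8484 says clients SHOULD use
    DNS ID 0 so that identical questions are HTTP-cacheable, so we zero it.
    The resolver URL is a placeholder assumption, not a real service."""
    zero_id = b"\x00\x00" + query[2:]
    token = base64.urlsafe_b64encode(zero_id).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={token}"


def doh_post_headers(query: bytes) -> dict:
    """RFC 8484 POST form: the raw wire-format message is the body."""
    return {
        "Content-Type": "application/dns-message",
        "Accept": "application/dns-message",
        "Content-Length": str(len(query)),
    }


def observer_view(dst_port: int, payload: bytes) -> dict:
    """Model the network-level observer described in the article, keyed on the
    destination port alone: 53 leaks the name, 853 is encrypted but announces
    itself as DNS, 443 is indistinguishable from any other HTTPS connection."""
    if dst_port == 53:
        return {"protocol": "Do53", "encrypted": False,
                "identifiable_as_dns": True, "qname": parse_qname(payload)}
    if dst_port == 853:
        return {"protocol": "DoT", "encrypted": True,
                "identifiable_as_dns": True, "qname": None}
    if dst_port == 443:
        return {"protocol": "HTTPS (DoH or any web traffic)", "encrypted": True,
                "identifiable_as_dns": False, "qname": None}
    return {"protocol": "unknown", "encrypted": None,
            "identifiable_as_dns": None, "qname": None}


if __name__ == "__main__":
    q = build_query("www.youtube.com")  # constructed sample question
    print("UDP/53  observer sees:", observer_view(53, q))
    print("TCP/853 observer sees:", observer_view(853, q))
    print("TCP/443 observer sees:", observer_view(443, q))
    print("DoH GET (resolver only):", doh_get_url(q))
    print("DoH POST headers       :", doh_post_headers(q))
```

The observer model is intentionally port-only, which is the article’s framing. In practice a DoH connection is often still identifiable: the destination IP belongs to a well-known public resolver, and the TLS ClientHello carries the resolver’s hostname in the SNI field unless Encrypted Client Hello is in use. Port 443 therefore hides the queries, not necessarily the fact that you are using DoH.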