In an incredibly descriptive article written for ZDNet by Catalin Cimpanu, the battle for better privacy from ISP monitoring is discussed, along with how the current golden child of that battle is a ruse. DNS over HTTPS (DoH) has been the talk of the cyber-security community as of late. Mozilla has made moves with it, declaring that it will be on by default in its browser going forward. Unfortunately, while there is never harm in attempting a good thing, it has been made clear that the small benefits of DNS over HTTPS are heavily outweighed by the damage it does.
DNS over HTTPS essentially encrypts domain name lookups before they are sent across the ISP's network. While there is a lot going on under the hood, the essentials are that traditionally domain names can be read in plain text by anyone with the desire to see them, but with this newer DNS over HTTPS method of encryption, the plain text doesn't exist. However, this does not mean that there are no ways to see someone's web destinations. In actuality, it is practically just as easy for an ISP to track what websites you have visited with DNS over HTTPS as it is when the query is sent as plain text. This is because the DoH protocol only affects one aspect of the traffic sent to the servers. There is still plenty for someone to look at to determine the domain a user visited. Even moving further past the domain end of things, ISPs "can see to what IP address the user is connecting when accessing a website", which is completely unrelated to DNS requests.
Aside from how it is effectively useless against ISP spying, it has also created a storm of issues for developers, and a swamp to play in for hackers. Because of the differences between the traditional method of DNS requests and the DoH method, there have to be separate servers in many cases to handle these separate queries. This dilemma "makes monitoring for DNS hijacking almost impossible", according to Cimpanu. Secondly, enterprise controls for DNS queries have effectively been stepped on by this change. Hackers can make all sorts of malware that abuses the way DNS requests are handled under DoH. Because the DNS traffic is encrypted, typical malware blockers don't know when a user is visiting a malicious site.
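The enterprise-control problem above has a practical defensive angle: DoH traffic still has recognisable markers (RFC 8484 defines the `application/dns-message` media type and the base64url `dns` query parameter), so an egress proxy that can see the HTTP layer can at least flag it, and where it can see the plaintext, decode the query so existing name-based filtering keeps working. This is an added example, not code from the article or any product. The requests it classifies are constructed samples, and `doh.resolver.example` and `malicious.example` are placeholder names.

```python
import base64
import struct
from typing import Optional
from urllib.parse import parse_qs, urlsplit

DNS_MESSAGE = "application/dns-message"   # RFC 8484 media type for DoH bodies


def build_dns_query(name: str) -> bytes:
    """Constructed DNS wire-format query (type A); used only to fabricate sample requests."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)   # RFC 8484 recommends ID 0
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def read_qname(msg: bytes) -> Optional[str]:
    """Return the first question name from a DNS wire message, or None if malformed."""
    p, labels = 12, []
    while p < len(msg):
        n = msg[p]; p += 1
        if n == 0:
            return ".".join(labels) or None
        labels.append(msg[p:p + n].decode("ascii", errors="replace")); p += n
    return None


def sample_requests() -> list:
    """Constructed egress-log entries as a TLS-inspecting proxy might record them."""
    q = build_dns_query("malicious.example")
    enc = base64.urlsafe_b64encode(q).rstrip(b"=").decode()    # DoH GET sends it unpadded
    return [
        {"host": "doh.resolver.example", "method": "GET",
         "path": "/dns-query?dns=" + enc, "headers": {"Accept": DNS_MESSAGE}},
        {"host": "doh.resolver.example", "method": "POST", "path": "/dns-query",
         "headers": {"Content-Type": DNS_MESSAGE}, "body": build_dns_query("www.example.com")},
        {"host": "www.example.com", "method": "GET",
         "path": "/index.html", "headers": {"Accept": "text/html"}},
    ]


def is_doh_request(req: dict) -> bool:
    """Flag a request carrying RFC 8484 markers, whichever resolver host it targets."""
    h = {k.lower(): v for k, v in req.get("headers", {}).items()}
    if DNS_MESSAGE in h.get("accept", "") or DNS_MESSAGE in h.get("content-type", ""):
        return True
    return "dns" in parse_qs(urlsplit(req["path"]).query)


def doh_query_name(req: dict) -> Optional[str]:
    """Recover the queried name from a DoH GET ('dns' parameter) or POST (body)."""
    if req["method"] == "GET":
        vals = parse_qs(urlsplit(req["path"]).query).get("dns")
        if not vals:
            return None
        b = vals[0]
        msg = base64.urlsafe_b64decode(b + "=" * (-len(b) % 4))   # restore padding
    else:
        msg = req.get("body", b"")
    return read_qname(msg)


def decide(req: dict, blocklist: set) -> str:
    """Policy an inspecting egress proxy could apply so name filtering survives DoH."""
    if not is_doh_request(req):
        return "allow"
    name = doh_query_name(req)
    if name is None:
        return "block-doh"          # DoH we cannot decode is a filter bypass; refuse it
    return "block-name" if name in blocklist else "allow-doh"


if __name__ == "__main__":
    for r in sample_requests():
        print(r["method"], r["host"], r["path"][:40], "->", decide(r, {"malicious.example"}))
```

Without TLS inspection the proxy only sees the resolver's hostname and IP, so the realistic choices collapse to allowing or blocking DoH endpoints wholesale; the `block-doh` branch is the conservative default for traffic that cannot be decoded.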
While it is not by any means rare to see dissent in the technology community, it is interesting to see the split on DoH. On one hand, the method offers little protection from the most malicious forms of spying, if any at all. On the other hand, it is an easy way for businesses to tout that they are secure and forward-thinking when it comes to their users' privacy, which is something the author mentions in the article. DNS over HTTPS isn't just wishful thinking; it's dangerous. I firmly stand behind the notion that there needs to be fundamental change in the way that user data is collected and made available online. I also believe that to do this, it will take substantial structural change to the internet and how it works. DoH is an empty promise that, even with absolute power and change, can't get the job done. When designing the future of the internet, the end user must always be held in the highest regard. DoH benefits hardly anyone, and mostly business bottom lines. There is certainly a better route.
Source Article: https://www.zdnet.com/article/dns-over-https-causes-more-problems-than-it-solves-experts-say/