So a couple of weeks ago I read this article and wanted to comment on it, but I was taken ill, which prevented me from commenting at the time. Since then I have had plenty of time to think, and the subject of that article has been on my mind more than I expected it to be. The post I was going to make at the time was about how I felt it was the wrong solution to the problem it purports to solve, but upon reflection I have come to the conclusion that it is worse than that: it is not only the wrong solution, it is also a demonstration of everything wrong with the IT industry today.

So let's look at the solution first, before explaining what is wrong with it. DOH (DNS over HTTPS) is a Google-suggested enhancement to DNS. It protects DNS queries from snooping by wrapping them in encryption, and by combining the confidentiality of encryption with the integrity features of a TCP connection it ensures the reply is from the DNS server you requested it from. This makes DNS queries reliable and private. It is a very clever solution to a problem that has existed on the internet since its early days, and one that has gained increasing prominence in more recent times.

So why do I hate it so? Because it doesn't actually solve much of a problem in the real world, and it doesn't solve any problem that hasn't already been solved in one way or another.

First off is the privacy issue. DNS queries are plain text, so anyone who can view your network packets can see the domains you are connecting to, and so deduce a pattern of browsing that can be used to profile you. This is true, and it is one of the things that this new standard purports to solve, but for someone to be able to read your network packets they must be on the same network as you, or between that network and the DNS servers you use as recursive resolvers. For most people this means being on their home network (game over anyway) or being their ISP (whose DNS servers they use by default). So for the vast majority of people this will only protect their privacy against their ISP, whose DNS servers they use anyway, so the ISP will still be able to see their DNS queries. The only DNS servers that currently support DOH are Google's. So for most people to use this standard they would have to protect their privacy from their ISP by giving it wholesale to a company that makes its money by profiling people and using that to sell advertising. Selling your privacy to a company with a vested interest in not respecting that privacy, in order to protect it from a company that you have a contractual relationship with, and which therefore has a vested interest in doing what is right by you (lest you end the contract for one of their competitors), is just silly. The only other time this privacy is an issue is on an open public network, where a snooper could indeed use your DNS queries to view the sites you look at. Or, thanks to modern browsers, they could use SNI (Server Name Indication, a solution to a different internet problem that sends the domain you are connecting to in plain text at the start of the HTTPS connection, before any encryption is negotiated) to see which sites you look at, so encrypting DNS alone is not much of a privacy protection.
And on open public networks it is possible to connect to a VPN and wrap all your traffic (DNS included) in an encrypted tunnel back to a network you trust, thus sidestepping the problem in the first place.

Second is the integrity issue. Again, all of the issues of people controlling the network between you and your recursive resolver apply here, so if your adversary is your ISP, get a new ISP that doesn't screw with your DNS requests. Plus, DNSSEC offers DNS integrity if people would deploy it (this new standard will also require deployment if it is to be used, so neither is currently risk free). Again, open networks pose a risk, but again you can open a VPN, and the DNS spec has been altered with techniques that make intercepting DNS queries in order to present an altered answer more difficult. But if your adversary controls the network, all bets are off on that score, and in that case they can simply block HTTPS access to Google's (or anyone else's) DNS servers, forcing you to either use plain text DNS or use the DNS servers they provide.

So this new standard, as clever as it is, isn't really worth much: it overblows a small issue and then doesn't provide a realistic solution. How does this mean it demonstrates everything wrong with the IT industry? The IT industry is plagued with the sort of thinking that leads us to solutions like this one, the thought that an idea that is clever in isolation must therefore solve the problem in the real world, and is therefore worthy of praise and publication. No consideration is given to the wider issues and the actual impact in the real world; no one thinks about the interplay of diverse and intersecting technologies and systems. We expend effort and creativity on "solutions" that offer no real advantage over ideas that actually work, simply because the "solution" is a clever one, absent any real world consideration, whilst the idea that works is often one that is far simpler. We repeatedly fall into the trap of believing that clever and complicated ideas are better than simple but effective ones.

posted at 4:24 pm on 1 Jan 2018 by Craig Stewart

Tags: standards, comment, rant, opinion, privacy