Encrypted DNS outside of the US

October 23, 2019

Currently, attempts are being made to encrypt the DNS traffic end users are sending to their resolvers. In most cases, the solution is going to be DNS over HTTPS, or DoH for short. Browser vendors are implementing this by setting their default DNS resolver to Cloudflare. With Mozilla Firefox, this is happening only for US users, not worldwide.

So, the question arises: how can we improve DNS security and privacy for the rest of the world?

There are a few requirements that have to be met:

Traffic to the DNS resolver must be encrypted and authenticated
Untrusted network connections such as Wi-Fi hotspots must not be able to modify or view plain-text DNS traffic
DNS queries should not leave your current jurisdiction or at least not be send to a jurisdiction with worse privacy protections than your current one.

The first two requirements are easily met by setting some DoH resolver as the default and assume it is secure. For example, the DoH resolver of Cloudflare or Google. The last requirement is where it gets difficult. Setting an address as a default will send your queries to a single organisation which may not be trustworthy for all users.

This problem could be solved with sending a DoH URL over DHCP and thus use the DoH resolver provided by your trusted ISP. This solution will violate the second requirement, as this allows any rogue Wi-Fi AP to override your current setting.

My proposed solution

DNS queries are one of the most sensitive pieces of metadata in internet traffic, so we really have to make sure we’re choosing the right partner to handle these queries.

I propose to have a DoH resolver in every jurisdiction and let browsers or system resolvers use that resolver. This won’t protect against evil governments, but it can at least protect against companies abusing valuable user data. In my opinion government control over DNS is usually a bad idea. However, in the case of taking down botnets or similair situations it can be a good thing.

How can we decide which resolvers are trusted? Browser vendors could make a set of rules together, audit DoH providers and revoke them from the trusted list when they violate the rules. This can be compared to the CA system. I’m not sure if browser vendors are the best choice for this task, but they have showed they are able to blatantly revoke quite large CAs even when websites were still relying on them, such as DigiNotar and Symantec.

Additional security measures

An additional security measure that could be taken: make sure that every authoritive DNS server in the world supports DoH, starting from the root servers to every individual authoritive DNS server. This way, caching resolvers can do secure lookups of the DNS RRs and end users could also choose to make secure lookups without having to trust a particular resolver. This truly is a large change and will take years to complete, if ever, but this is way better than DNSSEC which does not provide confidentiality.

Please let me know your opinion in the comments on Lobste.rs or Hacker News!