conference logo

Playlist "CTreffOS chaOStalks"

DNS privacy and security

Dr. Roland van Rijswijk-Deij

Post-Snowden, privacy became a prime focus of the IETF, and let to the improvement of a number of Internet protocols. Among these protocols is the Domain Name System, which maps human readable names to machine readable addresses. The original DNS protocol communicates mostly in plain text over UDP, making it highly susceptible to eavesdropping. Since knowing what names a person queries for is highly revealing about their Internet surfing behaviour, the IETF decided to address the privacy shortcomings of the DNS. Initially, this led to the standardisation of DNS-over-TLS (DoT), and more recently, the standardisation of DNS-over-HTTPS (DoH). Especially this latter protocol has recently sparked a strong debate on the Internet, because of the decision of Mozilla to incorporate support for DoH in the Firefox browser, and to enable DoH by default, in which all DNS traffic is sent to Cloudflare's 1.1.1.1 resolver instead of the system-configured DNS resolver. Mozilla argued that this benefits user privacy, but this stance is highly controversial. This talk will provide the context of the DoH debate, explaining DNS privacy problems, DNS-over-TLS and DNS-over-HTTPS as protocols, and will then dive into why this is such a contentious issue. The goal is to not just examine this from a privacy perspective, but also to touch on the increasing centralisation of key Internet services such as the DNS. The talk is intended to be highly interactive, engaging the audience in the debate. The talk will finish by discussing developments in the open source DNS space that hope to improve the situation for DoH deployment by creating implementation diversity.