DNS over HTTPS / DNS over TLS / DNSSEC

DNS is undergoing changes. As of 2019, two standards for encrypted DNS are gaining traction: DNS over HTTPS (DoH, RFC 8484) and DNS over TLS (DoT, RFC 7858). In addition, DNSSEC has been available for many years to provide signed DNS answers whose authenticity and integrity a validating resolver can verify. PowerDNS has support for all three.

DNS is one of the last major internet protocols that is still sent in the clear, and recently there has been a push to finally stop DNS from being a privacy leak.

Although, as the operator of a telecommunication network, it may not be apparent why unencrypted DNS is a problem, subscribers also reach your network over unencrypted channels, such as open WiFi, where their lookups can be observed or altered by anyone on the same network. It is therefore useful to encrypt DNS, even if your own network is regarded as trusted.

Privacy push

Firefox (Mozilla) and Chrome (Google) are both pushing for the use of encrypted DNS. Since operating system vendors operate on far slower refresh cycles, Firefox and Chrome (and Android) are taking DNS into their own hands. In short, browsers have gained the ability to send DNS queries over an encrypted channel. And by default, they are configured not to use your nameservers, but resolvers provided by third parties.

Although published policies differ, it appears likely that at least some browsers will 'upgrade' users to such third party encrypted DNS by default.

Service provider consequences

For providers this has a number of unwelcome consequences. For starters, troubleshooting will become a lot harder: if "the browser doesn't browse", the cause may suddenly be a third-party nameserver that was silently enabled and that your own logs and tooling cannot see.

Secondly, any locally hosted Content Distribution Network nodes whose traffic is steered by DNS may become underutilized: users are suddenly sent to the CDN location that is optimal for the location of the third-party nameserver, not for their own.

Thirdly, this development may break 'local' names that are used during provisioning. Names that exist only in the service provider's nameserver will not exist in the third-party nameserver. This may break enrollment or walled-garden messaging about late payment or abuse reports, for example.

Fourthly, it is not clear that sending a copy of all DNS lookups to a third party, often in another country, is actually a privacy win for customers and consumers.

Finally there is the question of network hygiene and customer ownership - if all of the internet starts flowing through third parties, a telecommunication service provider loses its autonomy.

Retaining DNS

Both Mozilla and Google have indicated that if a service provider offers encrypted, private and secure DNS, their browsers and phones may continue to use your own nameservers. This allows operators to retain control of their DNS, but only if they provide the right kind of DNS.

At the very least, this involves operating a DNS over HTTPS and a DNS over TLS service, presented with a TLS certificate from a publicly trusted CA that matches the hostname handed to clients. It may also be necessary to enable DNSSEC validation and further privacy features.

PowerDNS is well engaged with the browser vendors and is slated to become part of the Google DNS over HTTPS provider family, thus enabling us to help our customers become compliant with the demands from Chrome and Android for continuing to use your nameservers.

Practical implementation

Enabling such encrypted and validating DNS typically requires a hardware refresh, since TLS termination and DNSSEC validation add considerable CPU load; these days that also likely means a migration to virtualized nameservers.

In addition, as with all kinds of encryption, such services need to be monitored carefully for TLS certificate and DNSSEC signature expiry and for CPU overload: privacy does not come entirely for free. It should be noted that recent Android phones (Android 9 and later, with Private DNS in its default automatic mode) already probe TCP port 853 of the configured resolver and will attempt to set up DNS over TLS connections to your servers, so enabling that today will immediately cause traffic.
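As an added example (written for this page, not code from PowerDNS or any of its products), the following Python script checks the two services named above and the port 853 probe that Android phones perform: it sends a query over DoT with the RFC 7858 two-byte length framing, sends the same query over DoH as an RFC 8484 POST of application/dns-message, parses the answers and the AD (validated) bit of the reply, and reports the number of days left on the TLS certificate, which is the expiry alarm the previous paragraph asks for. Hostnames such as dot.example.net and the /dns-query path are placeholder assumptions, and the embedded response is constructed test data rather than captured traffic.

```python
"""Added example (not PowerDNS code): probe a resolver's DoT (RFC 7858, TCP/853) and
DoH (RFC 8484) endpoints using only the standard library, and report how many days
remain on the TLS certificate. Wire format follows RFC 1035."""
import http.client
import socket
import ssl
import struct
import time

QTYPE_A, QTYPE_AAAA = 1, 28

def build_query(qname, qtype=QTYPE_A, txid=0):
    """Single-question query with RD and AD set (AD in a query asks a validating
    resolver to report validation status, RFC 6840); id 0 is what RFC 8484 recommends for DoH."""
    header = struct.pack("!HHHHHH", txid, 0x0120, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def _read_name(msg, off):
    """Decode a (possibly compressed) name; return it and the offset just past it."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                       # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (end if end is not None else off)

def parse_response(msg):
    """Return id, RCODE, the AD (DNSSEC-validated) flag and the answer RRs."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                             # skip the question section
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == QTYPE_A and rdlen == 4:
            value = socket.inet_ntoa(rdata)
        elif rtype == QTYPE_AAAA and rdlen == 16:
            value = socket.inet_ntop(socket.AF_INET6, rdata)
        else:
            value = rdata.hex()
        answers.append((name, rtype, ttl, value))
    return {"id": txid, "rcode": flags & 0xF, "ad": bool(flags & 0x0020), "answers": answers}

def cert_days_left(cert):
    """Days until a certificate dict from getpeercert() expires; alert well before it reaches 0."""
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - time.time()) // 86400)

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-message")
        buf += chunk
    return buf

def query_dot(host, qname, qtype=QTYPE_A, port=853, timeout=5):
    """One DoT exchange: TLS to port 853, message framed with a 2-byte length as over plain TCP."""
    wire = build_query(qname, qtype, txid=0x1234)
    ctx = ssl.create_default_context()              # verifies chain and hostname, like Android strict mode
    with socket.create_connection((host, port), timeout=timeout) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        tls.sendall(struct.pack("!H", len(wire)) + wire)
        length = struct.unpack("!H", _recv_exact(tls, 2))[0]
        return parse_response(_recv_exact(tls, length)), cert_days_left(tls.getpeercert())

def query_doh(host, qname, qtype=QTYPE_A, path="/dns-query", timeout=5):
    """One DoH exchange: POST application/dns-message to the resolver's HTTPS endpoint (path is an assumption)."""
    conn = http.client.HTTPSConnection(host, timeout=timeout, context=ssl.create_default_context())
    conn.request("POST", path, body=build_query(qname, qtype),
                 headers={"Content-Type": "application/dns-message", "Accept": "application/dns-message"})
    resp = conn.getresponse()
    body = resp.read()
    if resp.status != 200 or not (resp.getheader("Content-Type") or "").startswith("application/dns-message"):
        raise RuntimeError("unexpected DoH reply: HTTP %s %s" % (resp.status, resp.getheader("Content-Type")))
    return parse_response(body)

def constructed_sample_response():
    """Hand-built response (constructed test data, not captured traffic): www.example.com. A 192.0.2.1,
    TTL 300, flags QR/RD/RA/AD set, RCODE 0, answer name compressed to a pointer at the question."""
    question = build_query("www.example.com", QTYPE_A, txid=0x1234)[12:]
    header = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 0)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, 1, 300, 4) + socket.inet_aton("192.0.2.1")
    return header + question + answer
```

Run `query_dot("dot.example.net", "www.example.com")` and `query_doh("doh.example.net", "www.example.com")` against your own resolver (placeholder names). A small or negative `cert_days_left` is the certificate expiry alarm; a reply with `ad` False for a name in a signed zone means the resolver is not validating. Because the probe uses full chain and hostname verification, a self-signed certificate that works for local tests will fail in exactly the way it fails for strict-mode Android and browser clients.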

PowerDNS is ready to enable a safe and smooth provision of DNS over HTTPS and DNS over TLS service, even when you are not (yet) using PowerDNS software.

More information

For more information please contact us directly. To read more about DNS over HTTPS and how browser vendors are pondering taking over DNS lookups, please head to our blog posts On Firefox moving DNS to a third party and The big DNS Privacy Debate.

If you speak Dutch, a good radio interview with Bert Hubert is available here.