Gikii 2019 Paper
DoH; A Section 31 approach to the use of the Domain Name System.
Derek McAuley and Richard Mortier
DNS over HTTPS (DoH) is a recent initiative of the IETF and various stakeholders to try to solve a number of perceived problems with the current default DNS arrangements. Currently by default your devices are automatically configured to use any router to which they connect, in turn configured to use the associated Internet Service Provider’s name resolver service (which then invokes the DNS mechanisms), to take those friendly dot names (e.g. ipco.org.uk) and translate them into the IP addresses of the relevant servers.
So, what are the perceived problems? A core concern of many in the USA is that the record of name lookups is yet another piece of traded personal data to by monetized by the service providers – while there has been bad behaviour by some in the EU in the past (BT have “Phorm” on this), this is a primarily a USA concern right now, although worldwide there is a concern of “evil” government using DNS activity to track dissenters. Also of concern is interference with DNS lookups, although this interference ranges from ISPs engaging in nefarious business practices by redirection, to man in the middle attacks by thieves and ne’er-do-wells, to “evil” governments doing it for censorship, and “caring” governments doing it for child protection (note that family friendly filtering is mostly implemented this way). At a random WiFi hotspot, who knows who is messing with your DNS. And doubly so in China.
In part it is also a response to lack of implementation of existing (better) solutions like DNSSEC (which ensures the integrity of the DNS to IP lookup, i.e. that an untampered answer came from an authoritative server) and DNSCrypt (which hides the communications to DNS resolvers). However, there has been a lack of progress by both device providers and ISPs in deployment of these technologies. Thus, DoH is being pushed now by browser makers and is a classic end run – ignoring the operating system, the home routers, and the existing internet service provider infrastructure, Google and Mozilla have suggested embedding this functionality in the browser and having it provide a list of “Trusted” DoH Providers that they select; probably Google for Google and Cloudflare for Mozilla as preferred suppliers.
The result is a hand crafted response to the original perceived threat, as permitted under Starfleet Charter: Article 14, Section 31 “…extraordinary measures to be taken in times of extreme threat.”.
But maybe the cure is worse than the disease:
- DoH authenticates the DOH server, not the DNS response, so DNS can still be faked;
- DOH Server operator can track instead of ISP (so no concern with Google doing that then…);
- All subsequent HTTPS connections send the name in plain text anyway, so if you are a political dissident in an oppressive regime Tor is still your go to solution; hiding only your DNS lookups does not help.
Besides the heat and smoke from some government departments on some regulatory issues (i.e. this is yet another way to nullify adult content blocks), what’s the legal point? DNS Resolution is currently part of your ISP supplied package, DNS lookup data is defined as personal, and the current lawful basis for processing it is Article 6 1.(b) “contract” – look forward to be moved to 1.(a) “consent” to some random service, coming to a browser near you in the future, and shortly after that to every app. I’m sure that will work well for the vast majority of the population. (Can I hear someone already shouting, “Stop empowering me!”?)
But hang on! Was not Section 31 anathema to the values of the Federation itself. Indeed. So, some would hold, is this DoH centralization play an attack on the values of the original Internet architecture that all services should be federated. Of course, Section 31 also became the primary attack vector for the AI trying to take over the universe in Start Trek Discovery; you have been warned.