Encrypting DNS query bad for performance?

DNS over HTTPS: Mozilla and Chrome started experimenting with it a while back, to encrypt the last part of web traffic that isn't secured by default. But what is the real impact on privacy, security and performance?

DNS might be the last part we think of when visiting websites, but we all use it. Why? Well, it is easier to remember a domain name than its IP address equivalent. Let the Domain Name Server do the work of translating the domain name you visit into the correct computer address.

I know what you did last summer

But it has one downside. This lookup is not encrypted, and now that even our WhatsApp chats are encrypted and your neighbours have HTTPS for their wood crafting or fishing website, this looks odd.

This can make users, such as yourself, susceptible to eavesdropping and tracking. In other words, someone can see which websites you are visiting. Mozilla and Chromium already kicked off the battle to resolve this (and you have been able to opt in within your browser for a while already). Meet DNS over HTTPS, often abbreviated to DoH.

DNS over HTTPS

Besides Internet Service Providers not always being happy with such developments, there are some genuine and unopinionated hurdles for DNS over HTTPS:

  • Single point of failure;
  • Easier for those who wish to do harm to avoid malware scanners (this has already happened), and harder to detect incoming malware;
  • Changing ethics of (often commercial) DoH providers, of which we are starting to see more (Google, or Cloudflare, which went public on the stock market).

Performance impact of DoH

Enabling DNS over HTTPS might also result in your visitor's web browser no longer connecting to the closest or fastest CDN node. The customer's DNS request will now have to travel further to receive a reply.

This will result in increased network latency, decreasing the added value of a CDN in some circumstances.

End user queries made with DoH could mean that lookups [will] return answers that are sub-optimal

Internet Engineering Task Force on CDN endpoint selection

Obviously, providers such as Google may work on this, although that leads to solutions where the performance impact is only solved by combining Google Chrome with Google's public DNS resolver. At the same time, resolving DoH performance issues between two unrelated entities may be harder, as it is more complex (and from a commercial perspective less interesting) for them to develop software and hardware that interoperates across those different entities.

Other downsides of DNS over HTTPS

  • Google is strengthening its market position;
  • Interest groups and human rights organizations fear the implications for preventing terrorists, child abusers or users who wish to do harm in other ways (because of protests, DoH hasn't been rolled out in the United Kingdom);
  • DoH might only create a false sense of security, as internet users can still become a victim once they have reached a website. This fits in the same category as HTTPS and the yellow/green lock in the address bar. You could still get hacked and private information could still be stolen (for example via third-party scripts doing formjacking).

Alternative: DNS over TLS

The counterpart of DoH is DoT, standing for DNS over TLS.

New to HTTPS and TLS? Catch up on how https works.

DoT is a layer on top of standard DNS, instead of creating a whole new battery of DNS resolvers. Packet inspection to scan for malware or unauthorized content is easier with DoT.

Communication between DNS resolvers themselves is already moving to DoT.

Unlike DoH, which goes over the same port as other encrypted traffic (port 443), DoT uses a dedicated port, 853. As a result, it does not share its port with other traffic and is therefore easier to block without breaking the web.

For example, you might want to block just DoT, and thus port 853, to be able to monitor what kind of traffic is taking place. This is unlikely to happen within the Netherlands or Europe because of net neutrality rules, but it might be different in other countries.

This is why software makers chose to use DoH instead of DoT to encrypt DNS queries.
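To make the port argument above concrete, here is an added example (not code from the original post) that classifies constructed flow records by DNS transport, the way a network monitor would: DoT stands out by its dedicated port, while DoH is only recognisable among ordinary HTTPS when the TLS SNI can be matched against a list of resolver hostnames. The resolver hostnames and the sample flows are assumptions constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed, illustrative list of public DoH resolver hostnames; a real
# deployment would maintain and update its own list.
KNOWN_DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "mozilla.cloudflare-dns.com"}


@dataclass
class Flow:
    proto: str                  # "udp" or "tcp"
    dst_port: int
    sni: Optional[str] = None   # TLS Server Name Indication, if visible to the monitor
    alpn: Optional[str] = None  # negotiated ALPN, if visible ("dot", "h2", ...)


def classify(flow: Flow) -> str:
    """Label a flow by the DNS transport it most likely carries."""
    if flow.dst_port == 53:
        return "plain-dns"              # unencrypted, fully inspectable
    if flow.proto == "tcp" and flow.dst_port == 853:
        return "dot"                    # dedicated port: trivially identifiable
    if flow.proto == "tcp" and flow.dst_port == 443:
        if flow.sni in KNOWN_DOH_HOSTS:
            return "doh-suspected"      # only the SNI gives it away
        return "https"                  # indistinguishable from ordinary web traffic
    return "other"


def summarize(flows: list) -> dict:
    """Count flows per transport label, e.g. for a monitoring dashboard."""
    return dict(Counter(classify(f) for f in flows))


# Constructed sample flows standing in for a few minutes of captured metadata.
SAMPLE_FLOWS = [
    Flow("udp", 53),
    Flow("tcp", 853, alpn="dot"),
    Flow("tcp", 443, sni="dns.google", alpn="h2"),
    Flow("tcp", 443, sni="example.com", alpn="h2"),
    # SNI unavailable (e.g. not captured): DoH here cannot be told apart from HTTPS.
    Flow("tcp", 443, sni=None, alpn="h2"),
]

if __name__ == "__main__":
    print(summarize(SAMPLE_FLOWS))
```

Note the last sample flow: without the SNI the classifier can only say "https", which is exactly why DoH cannot be blocked by port alone.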

Conclusion

Let's make it short: we might just be moving the issue to bigger and more commercial tech companies, and giving them more data than they had before. As a result, I'm not cheering yet.

Not done reading? I feel you, and even got you covered. Read this more in-depth paper about DoH (PDF of 1.84 MB) from Princeton University and The University of Chicago, originally published via https://www.cs.princeton.edu/~pschmitt/docs/tprc2019-doh-policy.pdf.