The new DNS-over-HTTPS and DNS-over-TLS protocols have become a real bone of contention in the IT community. DNS request encryption is being introduced into an increasing number of browsers, but there are also experts among the experts who criticize this approach. They believe that new protocols do not have a positive impact on security and are “useless” at best.
Let’s take a look at a few of the most popular arguments on this issue.
DoH and DoT protocols encrypt requests and responses to a DNS server. In theory, this approach should reliably hide the hostnames that the user is accessing from the ISP and attackers. However, in practice, a number of nuances arise with this.
This year, experts from the analytical company SANS Institute published a study on the analysis of DNS traffic in corporate networks. They ran a series of tests and concluded that logging, proxying and cryptanalysis tools provide an accurate picture of the content of encrypted DNS requests (p. 21).
At the same time, PowerDNS founder Bert Hubert He speaksthat DoH encrypts data that can be easily retrieved in cleartext from other sources. For example, internet providers can determine sites visited by the client via the protocol OCSP (RFC 6960). It serves to obtain the revocation status of a digital certificate. X.509 (describes the procedures for distributing public keys). OCSP responses contain the serial number of the TLS certificate on the site, and it is easy to identify the resource name from it.
There are vulnerabilities
Information security specialist and one of the developers of the open source distribution Whonix notesthat there are other ways to get information about the sites you visit. One option is analysis Server Name Indication (SNI). This is an extension of the TLS protocol, and through it, clients themselves provide the name of the host to which they want to connect.
The information is broadcasted in the clear, and if desired, it can be intercepted. It is fair to say that has already tools to encrypt SNI – like a project Encrypted Client Hello (ECH). It hides the metadata transmitted during the handshake, but the tool and its counterparts have not yet become widespread.
Even if you encrypt DNS requests and use other precautions, there remains an obvious, but significant point related to the IP address of the resource to which the client connects. According to the experts of the regional Internet registrar APNIC, it is sufficient for accurate identification more than 95% of sites… The remaining 5% includes IP addresses associated with multiple resources. But this problem, if desired, can be circumvented.
Back in 2019, cyber security specialists from Netlab discovered malicious Godlua… The program abuses the features of DNS-over-HTTPS to carry out DDoS attacks. Using the protocol, the malware masks the exchange of data with the command and control servers.
As a result, the antivirus software cannot detect it.
Experts fearedthat Godlua will be followed by other malware invisible to passive anti-virus monitoring systems. And so it happened – at the end of 2020 at Huntress Labs discovered new virus. Using DoH, it obtains the IP addresses of the hosts that are part of the malicious infrastructure. Hopefully, tools will soon emerge to help identify malicious activity in encrypted corporate network traffic and alert administrators to potential risks.
It can be concluded that in order to increase privacy, it is necessary to use a complex set of tools, including a VPN. DNS encryption alone is not enough to completely hide the “browsing history”. However, DNS-over-HTTPS and DNS-over-TLS technologies can be seen as another important step towards a secure Internet.
What else to read on the topic: