
Firefox and DoH - What you need to understand


About the author

Michael Spalter

Michael Spalter has been a networking technician for over 30 years and has been the CEO of DrayTek in the UK since the company’s formation in 1997. He has written and lectured extensively on networking topics. If you’ve an idea for a blog or a topic you’d like explored, please get in touch with us.

If you're an IT technician, a SysAdmin or generally interested in such things, you may already know about DoH (DNS over HTTPS), but for everyone else - regular users of the Internet, with some browsers in some regions - a fundamental part of the inner workings of their web access has just been changed. They won't notice, but the change is fundamental and has an impact beyond the benefits claimed by those responsible. One's Internet access - what you use the Internet for and where you go - is innately personal, and even if you're not a criminal, a spy or someone with online penchants to protect, you can still feel violated by losing control of your privacy, especially if you haven't been explicitly told what's going on. Furthermore, if you're being told that a new feature improves your security, that ought to be true, according to reasonable definitions.

DoH itself can be beneficial when used appropriately, with consent and where the user understands what it does and doesn't do. As always, if you have a comment, please leave it below, as I'm always interested in readers' points of view, as well as suggestions for new topics to write about.


What's wrong with the current DNS system?

Most commonly, your DNS server (your Domain Name Server - the server which converts an Internet URL such as a web address into a routable IP address) is provided by your own ISP. Many users, however, opt for 3rd party DNS services such as Google's (8.8.8.8) or Cloudflare's (1.1.1.1).
 
The reason some people prefer 3rd party DNS providers is that these providers may offer enhanced service, such as faster resolution or content filtering (including blocking known malware or compromised sites). Another reason is to reduce the 'data' your own ISP collects about you (though not by much, and you're just giving that data to another commercial entity instead).  Some software and hardware (particularly IoT devices) are hardcoded to use 3rd party DNS services as a way of ensuring 'known' DNS availability.
 
Standard DNS lookups travel from the user to the DNS server in plaintext - that is, unencrypted, so anyone (or any device) in the path can see your request. If you're using your own ISP's DNS server, it'll be a relatively short path, so the opportunity for interception is limited. If you use a more remote or 3rd party DNS server, the possibility of a MiTM (Man in the Middle) attack increases; however, unless you're on the same network (with Wi-Fi being the most likely), getting into the logical path is difficult. Furthermore, the use of HTTPS as standard on most web sites today means that there is a secondary check of a site's provenance. Even if someone spoofed your DNS reply, the certificate check would fail (which is why you should never ignore certificate warnings in your browser).
 
Another risk with DNS is known as 'DNS Cache Poisoning'. A hacker will set up a rogue authoritative server and send 'answers' to DNS queries. Although queries have always carried a query ID, that ID was relatively easy to guess because servers incremented it: if you saw that a query had ID 4000, you could guess that the server would use 4001 next and would therefore accept a spoofed reply with ID 4001. If the rogue answer reaches the DNS server before the answer from the legitimate authoritative server, as is common because authoritative servers are relatively slow, the DNS server accepts that first answer and adds the false information to its cache, ignoring any further answers until the expiry of the TTL (time to live), which could be days. In that way, someone trying to reach www.something.com will be directed to a fake server impersonating that web site.
 
Modern DNS services have mostly mitigated DNS poisoning attacks by using random (i.e. statistically unpredictable) query IDs and source ports. Further, if the attacker has spoofed their source IP address and their ISP, or other parties in their path, apply source address validation, the packets would be dropped (though there is no need to spoof the source IP address at all if the DNS server isn't validating it, as it should).

What is DNSSec?

DNSSec (DNS Security Extensions - yes, the acronym doesn't work!) is different to DoH and serves a different purpose. DNSSec is a security extension to DNS. Its purpose is to authenticate the answers that an authoritative or root DNS server provides to DNS resolvers. It ensures that the IP address you receive matches the URL that you submitted by checking a certificate, therefore preventing DNS cache poisoning (see earlier). DNSSec doesn't provide any encryption or privacy. It can be used in conjunction with DoH - i.e. a DoH provider can use DNSSec to authenticate the replies it provides.

What is DoH?

DoH (DNS over HTTPS), as the name implies, combines DNS (to look up the numeric IP address of a URL) with HTTPS (an encrypted, secure HTTP communication channel). This ensures that your DNS lookups are private. DoH is different to DoT (see later) but serves roughly the same purpose. DoH is used for the communication between the client and the nameserver (DNS server).

DoH claims to provide the following features or benefits:

  • The headline benefit: a DoH server provides the DNS resolution in encrypted form (it looks like regular HTTPS traffic) so that your own ISP cannot block web sites or track your activity. This really isn't true - see 'SNI' later.

  • "You can bypass censorship". We all believe in freedom and censorship is bad, right?  No, of course not. Blocking access to democracy sites within a dictatorship might be 'bad censorship' but blocking children from pornography in a school or employees from malware sites is 'good censorship'.  'Censorship' is a fluid, subjective concept so 'preventing censorship' cannot simply be considered universally 'good' (or bad!).

  • DoH (and DoT, below) use TCP connections. Plain DNS uses UDP. There is a DoS (Denial of Service) hack known as a DNS amplification attack which relies on the stateless property of regular DNS lookups (they use the UDP protocol).  TCP packets are stateful (the connection is acknowledged back to source) so you cannot spoof a source IP address, a vital part of a DNS amplification attack.  That said, most endpoints and DNS servers now have protection against these types of attack.

  • Using a fixed DoH server means that if you're mobile, connecting to different networks throughout the day, you can't fall victim to a rogue DNS server on a compromised network, say in a web cafe or your university. That is true, but it's also true of regular DNS if you hard-code your preferred DNS server into your laptop or other mobile device. If you are on a fixed network (your own office/home), as most people are, and you use your ISP's own DNS server, it would be exceptionally difficult and unlikely for that to be intercepted - probably impossible, unless your ISP was compromised, in which case you have bigger problems!

  • Whilst Google (Chrome) and Mozilla (Firefox) have opted for DoH (DNS over HTTPS, RFC 8484), DoT (DNS over TLS, RFC 7858) is also supported by some devices and browsers, notably Android. The method of operation is very similar to DoH so the issues raised here in relation to web companies redirecting your DNS lookups and collecting your data are the same.
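To make the "looks like regular HTTPS traffic" point concrete, here is an added Python example (not code from Mozilla, Cloudflare or the author) that encodes a DNS query the way an RFC 8484 client does, for both the GET and POST forms, and decodes a constructed wire-format answer. The resolver name dns.example.net and the answer address 192.0.2.10 are assumed values for the example.

```python
"""Encode an RFC 8484 DoH request and decode a DoH response, stdlib only.

Added example for this article, not code from Mozilla, Cloudflare or DrayTek.
The resolver name and the response bytes are constructed; nothing is sent.
"""
import base64
import struct

DOH_CONTENT_TYPE = "application/dns-message"   # media type mandated by RFC 8484


def build_query(name: str, qtype: int = 1, query_id: int = 0) -> bytes:
    """Single-question DNS query in RFC 1035 wire format (qtype 1 = A).

    ID 0 is conventional for DoH: TLS already defeats reply spoofing, and a
    constant ID makes identical GET requests cacheable by HTTP caches.
    """
    header = struct.pack("!HHHHHH", query_id, 0x0100, 1, 0, 0, 0)  # RD=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)         # class IN


def doh_get_url(resolver: str, wire_query: bytes) -> str:
    """GET form: base64url without '=' padding, in the 'dns' parameter."""
    b64 = base64.urlsafe_b64encode(wire_query).rstrip(b"=").decode("ascii")
    return f"https://{resolver}/dns-query?dns={b64}"


def doh_post_request(resolver: str, wire_query: bytes):
    """POST form: the raw wire message is the body; looks like any HTTPS POST."""
    headers = {"Content-Type": DOH_CONTENT_TYPE, "Accept": DOH_CONTENT_TYPE}
    return f"https://{resolver}/dns-query", headers, wire_query


def _read_name(msg: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                  # compression pointer
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_response(msg: bytes) -> dict:
    """Return id, rcode and the A records of a wire-format DNS response."""
    ident, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):                            # skip the question section
        _, offset = _read_name(msg, offset)
        offset += 4                                # qtype + qclass
    answers = []
    for _ in range(an):
        name, offset = _read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return {"id": ident, "rcode": flags & 0x000F, "answers": answers}


# Constructed response: ID 0, QR/RD/RA set, rcode 0, one A record for
# www.example.com at the documentation address 192.0.2.10 with TTL 300.
_QUERY = build_query("www.example.com")
SAMPLE_RESPONSE = (
    _QUERY[:2] + b"\x81\x80" + b"\x00\x01\x00\x01\x00\x00\x00\x00"
    + _QUERY[12:]                                  # echoed question section
    + b"\xc0\x0c"                                  # pointer to the name at offset 12
    + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
)

if __name__ == "__main__":
    print(doh_get_url("dns.example.net", _QUERY))  # assumed resolver name
    print(parse_response(SAMPLE_RESPONSE))
```

On the wire the GET form is an ordinary TLS session to port 443 carrying a URL with an opaque parameter, which is why on-path equipment cannot tell it from any other web request.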

Moving Web Users to DoH

Your own ISP may already offer all of the benefits I've mentioned - DNSSec, DoH, reputational or categoric web filtering etc.; however, provision is inconsistent and many ISPs do not. As most web users are not technical experts, we can't rely on them to make informed choices about how to set up their DNS or to demand that their ISP improves its DNS service. Therefore, Mozilla is making that choice for us. They claim that we all benefit if everyone moves onto these more secure systems.

Recent versions of most browsers support DoH, and Mozilla has enabled DoH by default in Firefox. This bypasses your ISP's DNS server and ignores any configuration you may have deliberately set on your PC or router (potentially bypassing your own policy enforcement). The DoH lookups within your browser go directly to the DNS server that the browser has pre-set. It will come as no surprise that Google Chrome has selected Google's own DNS service, which means that, with the dominance of Google Chrome on desktop devices, they would now have access to up to 70% of all DNS query data, plus any mobile devices using Google browsers. As of August 2020, this change has only been rolled out to selected regions to 'test' it before a potential wider roll-out.

For their default DoH service, Mozilla partnered with Cloudflare, a large content filtering and server protection company which will similarly derive great value from the billions of data points it will collect. Cloudflare do have a privacy policy, but, as one might expect, they confirm that they will retain and share your lookups with law enforcement as required, and one imagines that, to protect their service and maintain efficiency, they may need to log/keep other data if it were necessary to diagnose issues or locate someone abusing the service or causing operational issues. That's not unreasonable - diagnostic tools and logs are a vital tool for a sysadmin, but it's why there will always be exceptions to logging policies (see my previous article on VPN service providers, where it may matter even more).

In all of these browsers, you can turn off their DoH provider (if you can find the setting - it's four menu steps and then scroll right to the bottom in Firefox) and move back to a DNS service of your own choice or a 3rd party DoH service, but non-technical users aren't going to do that because, to them, the Internet still works just fine. You can also select an alternative DoH provider from the same menu.

Google (who make the Chrome browser) have claimed that they have included DoH only for security and have said: "[we have] no plans to centralize or change people's DNS providers to Google by default. Any claim that we are trying to become the centralized encrypted DNS provider is inaccurate." At the time of writing (August 2020) Google have not turned on DoH by default or pointed queries at their own servers. There are already many people who have opted to use Google's DNS servers anyway (with or without DoH) over their own ISP's servers, so Google already have a lot of DNS data.

My Take on Mozilla Firefox

Personally (i.e. this isn't an official company view), I am disappointed with Mozilla. I have been a fan of their browser, partly because of its performance and simplicity but mostly because of its independence from commercial 3rd parties (Microsoft, Google etc.). They could have continued to allow DoH servers to be specified if wanted, and offered to turn it on with a clear explanation, but enabling it by default, automatically sending all of my browsing lookups to Cloudflare, is poor. I also think that their explanation over-promises the benefits, perhaps even giving a false sense of security to those most at risk.

When you update to the latest versions of Firefox, there is a one-time notice about the 'improved security', but it's brief and few people will realise the implication, especially as the option is to 'Disable Protection' instead of having 'More security'. The wording is deliberately intended to cause one outcome. That assumes that people do read it; when most people load their browser, they want to get online ASAP and will rush past any popup 'notice'. Do you like security? Yeah, sure...now get me to Reddit!


One might expect this from Google - they want to slurp as much data and telemetry as they can; that is their business model. But that's much of the reason I used Firefox - they're supposed to be on 'our side'. Mozilla have stated that their tie-up with Cloudflare involves "no exchange of money", which is a curiously sparse statement. No money? Okay, so what does it involve? Data sharing? Other non-monetary benefits?

DoH itself makes sense, just as encrypting any web data does, except that it's not very secure. My main objections are the lack of informed consent and the risk of monopolies. Moving people by default onto 3rd party services which they may not fully understand is the issue. Whether you care that all of your web visits will now be logged by Google, Cloudflare or others will depend partly on your attitude to privacy, cross-border transfer of data and data sharing with governments or authorities within your own country or others.

As a non-profit, Mozilla attracts more sympathy (and less suspicion) than other tech companies, and people trust them absolutely. For balance, their own explanation may help you understand their point of view. Taking their overview, the headline and first claim they make, and perhaps the only one that people will read, is: "DoH improves privacy by hiding domain name lookups from someone lurking on public WiFi, your ISP, or anyone else on your local network. DoH, when enabled, ensures that your ISP cannot collect and sell personal information related to your browsing behavior." - but that's simply not true, according to a reasonable interpretation of the claim, as I'll explain.

Downsides to DoH

Beyond the privacy or data collection issues I've covered above, there are other 'objections' to DoH, or concerns with the defaulting-on or potential monopolies. Many of these came from ISPs, but some came from security or privacy advocates. These aren't necessarily 'downsides'; no protocol is perfect, and each has to interoperate with many others, which can create issues:

  • DNS servers are often used as the primary method for ISPs to apply content filtering - blocking web sites which contain unlawful content, malware or content which is unsuitable for specific audiences. Schools and companies will commonly use content filtering but if browsers use DoH and bypass the local DNS service, the content filtering may also be bypassed.  In the enterprise, the company DNS server will often be used to resolve internal/private URLs for Intranets and other resources. Using an external DoH server breaks that.

  • The UK (and other) governments regularly propose new obligations on ISPs and service providers for content filtering or withdrawal of material (for example the Online Harms White Paper). Often, the industry has to correct technical misunderstandings which make proposals unreasonable or unworkable and they go back to the drawing board for a while but ISPs have expressed concern that DoH may bypass their filtering, leaving them responsible for content which they ought to be blocking.

  • DoH will also bypass other content filtering or monitoring appliances.  In all of these cases, you might argue that DoH is 'optional' but with the prevalence of BYoD and remote working growth since 2020, the number of endpoints has become so much larger and therefore harder to manage and enforce policies onto.

  • Another concern of ISPs is that bypassing their own DNS servers would impact the use of CDN (Content Delivery Network) applications. A CDN improves access to high volume web service providers (including web sites and streaming services). A CDN will load balance customers across multiple servers and also cache data.  This improves the experience for users and saves bandwidth costs for the ISPs (which keeps your prices down).  CDNs often rely on DNS resolution on the home-ISP network, so the use of 3rd party DoH servers bypasses this.

  • DoH may interfere with AdBlockers and 3rd party cookie blockers. This is good or bad depending on who you are and your views.

  • ISPs also often use their DNS server as a way to provide easy links to their services or devices, such as http://router being an easy way to get to your router's web admin/GUI without knowing its IP address, or http://isp might take you to your ISP's control panel. 

  • Wi-Fi networks (particularly guest Wi-Fi) use DNS redirect to take users to a captive portal (that page where you log in or agree to the T&Cs). DoH breaks many of the current mechanisms and users will just get a browser error instead of the portal login.  This problem may be solved by the browsers intelligently detecting these portals, where possible.

  • DoH doesn't really stop your ISP 'spying' on you in the way implied by promoters. The DNS lookup is just one part of a communications chronology. The SNI (see below) is still exchanged and provides the ISP and anyone else in the path with your destination URL, as does any OCSP data. The destination IP address will always be visible to your ISP, and often that IP address matches a specific identifiable domain.

  • If you use a 3rd party DoH server instead of your own local ISP's server, you may be served results which send you to geographically distant servers which could affect performance greatly and generate much unnecessary cross-Internet traffic.

  • If DoH hides legitimate DNS lookups, it can also hide rogue lookups. PsiXBot and GodLua are examples of malware which use Google's DoH service to resolve and collect C&C (Command and Control) server IP addresses.  As they use DoH, appliances or anti-malware systems which might have been otherwise aware of the malware would not be able to detect them from passive DNS monitoring. This is not an argument against DoH, merely a potential balanced downside.

  • An objection I saw against DoH, from a software engineer, was that it unnecessarily uses (adds) HTTPS, which is a more cumbersome method compared to just DoT, so less efficient, and also requires the inclusion of a full HTTPS code stack (library). I'm not terribly sympathetic to this complaint unless you're developing a very low power, low resource IoT device where a tiny overhead may have a material impact and, even then, it's your own design, so no-one's forcing you to use DoH (yet).

  • When you use regular DNS, your lookups are mixed in with every other user on your network (office, home, cafe, airport etc.). That gives you a certain level of camouflage. With DoH, you make a direct and individual session to the DoH server for every application (not just every device) so queries are now specific to you. It has been further suggested that the TLS resumption method that DoH uses can be used as a 'cookie' for tracking you.

  • The IETF issued a document covering some of the challenges that network operators may face. It's not critical, merely intending to highlight the challenges, various of which are also mentioned above.


What is an SNI or OCSP Leak?

All of the claims about DoH providing privacy are countered once you understand the technology.

After your "secure" DoH lookup, your browser will visit the requested web site. Assuming it's a secure web site, that will use HTTPS (TLS) encryption; however, the first part of a TLS handshake is unencrypted - it can't be encrypted because a certificate can't be applied until the requested domain is known, and you can't have asymmetric encryption without a certificate. Therefore, having gone to all of that trouble to encrypt your DNS lookup against prying eyes in your path, the HTTPS request that follows and the certificate status check are not encrypted (the SNI and OCSP protocols respectively) - those are two further vectors for identifying your traffic.

This makes DoH somewhat less useful than is claimed.  There is an upcoming standard for encrypted SNI, but that's not here yet.  It's not actually 'leaking' your SNI, as in, there is no fault or flaw, it's just how the protocols work - it's the same as the post office being able to see your name and address on an envelope they're handling.  Even then, it has been shown that 95% of web sites can be uniquely identified just by their IP address, and that's always visible to your ISP (unless you are tunnelling).


When the browser makers' plans were first revealed, the mainstream press took the 'removal of child protection' angle, whereby content filtering applied by organisations, parents or ISPs would be bypassed. To address some of these concerns, browser makers put in tests to try to identify whether content filtering is in use and to disable DoH where it is detected. One of the methods used by Firefox to automatically disable DoH requires the customer or content filtering provider to set up and resolve a canary domain. A canary domain is one which resolves (responds) differently to internal clients and thus indicates to the browser that some content filtering or other DNS server is in use. It is unknown how reliable this will be, particularly as it may require manual intervention or additional support from the filtering entity.


The ISPA Villain of the Year 2019 Award

Members of the UK's Internet Service Provider Association (ISPA) nominated Mozilla for its un-coveted 'Villain of the Year' award. The other nominees were Donald Trump and the "Article 13 Copyright Directive". It's intended as a light-hearted award, but their nomination did indicate concern over what many ISPs saw as a 'land grab' and the potential technical problems it might introduce (see earlier). Mozilla defended their motives and ultimately the whole award was withdrawn (so Donald Trump and 'Article 13' were also, no doubt, relieved). The ISPA cited a wish not to unnecessarily demonise Mozilla but also not to trivialise an important issue, so they issued a quite reasonable statement with various proposals, some of which have already been implemented.

In the USA, congressional anti-trust boards are examining complaints that Google are seeking to become too dominant in the 'DNS business'. ISP trade bodies in the US made complaints to congress. I think Google will have seen such objections coming so, whilst I'm sure they'd like to, they probably won't enable or overtly promote their own DoH (or plain DNS) service in their own browser.

In June 2020, Apple, who have a significant share of the browser market, announced support for both DoT (see next section) and DoH in their operating systems and browsers. App/software developers for macOS and iOS can apply granularity, applying DoH or DoT to specific applications or networks only and making it context aware. If DoH/DoT is being blocked, the user is notified. That sounds great, but it's unclear thus far whether these controls will be available to the end user and whether app makers can force DoH and a specific server (which would then be bad!).

DoH vs. DoT

DoT (DNS over TLS) is an alternative protocol with a very similar method and purpose. Whilst both protocols have their advocates, and many providers support both, DoH does have potential advantages over DoT:

  1. DoT uses a fixed TCP port so that, with the right network access (that which enables in-route interception), DoT could be blocked by a bad actor as it is easily recognised by its use of a fixed (known) TCP port (853). DoH, on the other hand, uses regular HTTPS packets (on port 443) so it's harder to block DoH without also impacting regular web traffic, which would raise suspicions.  That said, if Chrome and Firefox push the whole world into using one or two DNS servers, DoH lookups become even easier to spot - just look for 1.1.1.1 or 8.8.8.8 in the destination.

  2. DoH allows responses to not only include the answer requested, but answers to the next anticipated DNS lookups. If you consider a typical web page from a larger service, say amazon.co.uk, your PC will initially send a DNS lookup for 'amazon.co.uk' but once that page is loaded, it loads content from many other domains (mostly trackers, social links and other advertising tools). A quick test shows at least 20 other domains are used by amazon.co.uk's front page - I don't mean links, I mean that content is collected from all of these domains just by visiting their front page:

    mookie1.com, advertising.com, zeotap.com, casalemedia.com, spotxchange.com, rubiconproject.com, openx.net, krxd.net, facebook.com, bidswitch.net, unagi.amazon.co.uk, media-amazon.com, stickyadstv.com, twitter.com, doubleclick.net, demdex.net, tremorhub.com, serving-sys.com, exelator.com, adform.net etc.

    The DoH server can (depending on configuration) know those domains in advance and that a client lookup for amazon.co.uk will be rapidly followed by the 20+ other lookups so as well as providing the client PC with the answer requested, it can push those other 20 domain/IP address pairs in the same reply, thus saving time and processing overhead at both ends that those 20+ domain lookups would normally take.  Side note: Amazon, seriously, how many different sites and trackers do you need?
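As an added example (not DrayTek's code) tying together the 'hidden rogue lookups' downside listed earlier and the 'just look for 1.1.1.1 or 8.8.8.8 in the destination' observation in point 1, this Python classifies constructed connection records the way a network monitor might: DoT by its fixed port 853, DoH to the well-known resolver addresses named in the article, and hosts that reach many web sites without ever querying the local resolver. The LAN resolver address 192.0.2.1 and all hosts and destinations are assumed values.

```python
"""Spot encrypted-DNS use from connection records, without seeing query contents.

Added example for this article, not DrayTek's or any vendor's code. The
records are constructed: 192.0.2.0/24 stands in for the LAN and the
198.51.100.0/24 block for ordinary web servers.
"""
from collections import defaultdict
from dataclasses import dataclass

# Public resolver addresses named in the article; a site's own list would differ.
KNOWN_DOH_RESOLVERS = {"1.1.1.1", "8.8.8.8"}
DOT_PORT = 853
LOCAL_RESOLVER = "192.0.2.1"      # assumed: the LAN's own DNS server
MIN_WEB_DESTS = 3                 # threshold for the 'no local DNS' heuristic


@dataclass(frozen=True)
class Conn:
    src: str
    dst: str
    dport: int
    proto: str                    # "udp" or "tcp"


def classify(conns):
    """Return {host: set(findings)} for hosts whose DNS bypasses the LAN resolver.

    Findings:
      dot          - TCP to port 853 (DoT is recognisable by its fixed port)
      doh-known    - TCP/443 to a well-known public DoH resolver address
      no-local-dns - several web destinations but no lookup to the local
                     resolver, so resolution is probably happening inside TLS
    """
    findings = defaultdict(set)
    used_local_dns = set()
    web_dests = defaultdict(set)
    for c in conns:
        if c.dport == 53 and c.dst == LOCAL_RESOLVER:
            used_local_dns.add(c.src)
        elif c.dport == DOT_PORT and c.proto == "tcp":
            findings[c.src].add("dot")
        elif c.dport == 443 and c.dst in KNOWN_DOH_RESOLVERS:
            findings[c.src].add("doh-known")
        elif c.dport == 443:
            web_dests[c.src].add(c.dst)
    for host, dests in web_dests.items():
        if host not in used_local_dns and len(dests) >= MIN_WEB_DESTS:
            findings[host].add("no-local-dns")
    return dict(findings)


# Constructed records: .10 behaves normally, .20 uses DoT, .30 uses a public
# DoH resolver, .40 reaches several sites with no visible lookup at all.
SAMPLE_CONNS = [
    Conn("192.0.2.10", LOCAL_RESOLVER, 53, "udp"),
    Conn("192.0.2.10", "198.51.100.5", 443, "tcp"),
    Conn("192.0.2.20", "1.1.1.1", 853, "tcp"),
    Conn("192.0.2.20", "198.51.100.6", 443, "tcp"),
    Conn("192.0.2.30", "8.8.8.8", 443, "tcp"),
    Conn("192.0.2.30", "198.51.100.7", 443, "tcp"),
    Conn("192.0.2.40", "198.51.100.8", 443, "tcp"),
    Conn("192.0.2.40", "198.51.100.9", 443, "tcp"),
    Conn("192.0.2.40", "198.51.100.10", 443, "tcp"),
]

if __name__ == "__main__":
    for host, tags in sorted(classify(SAMPLE_CONNS).items()):
        print(host, ", ".join(sorted(tags)))
```

The third heuristic is the only one that survives a DoH server on an unremarkable address, which is why a policy that relies on the local resolver needs the browsers' own opt-outs (such as the canary domain) rather than network detection alone.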

DoH is only used for queries between the client (your browser) and the first recursive resolver (your chosen DoH provider's server). The recursive resolver in turn queries root and then authoritative servers to get the IP address for the complete address but those queries do not use DoH - there is no identifying data relating to the originating user (you); it's just a query from a public server so as non-sensitive data, cleartext is usually fine and adding encryption would carry an additional processing and time overhead. The final result is then passed back to your browser using DoH again. If there are entries in a cache at any part of the chain, there is no need for a complete lookup. 

There are other methods including DNS over DTLS (DNS over Datagram TLS, also known as DoD), DNSCrypt and DNSCurve but none are widely supported currently.

If every ISP provides DoT or DoH with DNSSec and Encrypted SNI you solve all of the current problems which most parties agree need improving, but with greater choice and more data pools.

Cloudflare

Lest anyone thinks I'm criticising Cloudflare, other than their somewhat ambiguous privacy policy, I'm really not. No-one is suggesting that they're offering this free service to the world as a gesture of altruistic generosity. Just as Google is 'free', there's a quid-pro-quo and surrendering our browsing history is the price we pay. "If you're not paying for it, you are the product" the saying goes. Cloudflare appear to be a good company providing useful services (paid and free) and whilst they will, no doubt, make good use of the huge volume of data they collect and they're collating a vast data set for government to commandeer, I don't think their motives are sinister. Also, though somewhat of an aside, Cloudflare's learning resources https://www.cloudflare.com/learning/ on related topics are quite excellent (though understandably on-message from a corporate point of view) and I'm a big fan of vendor education.

Conclusion

Methods for increasing one's security and privacy are a good thing but DoH in isolation isn't much of an improvement, and in some instances maybe none at all.  Mozilla defaulting to on with a single provider also isn't a good thing and nor is over-promising the benefits and security, whilst omitting facts which contradict the claims.  No browser should push you to a specific DNS server or bypass your network/OS settings just as no browser should force you to a specific search engine and the benefits of DoH should not be exaggerated. All ISPs and DNS providers should provide DNSSec and DoH.

Comments

From: Ray Ford
28/08/2020

A good article. It seems that, yet again, technical solutions are being employed to combat issues of trust and, yet again, they are failing.


From: Archiemac
28/08/2020

Just a small correction to the Mozilla DoH part of the article: Firefox does not limit users to DoH via Cloudflare; the settings also offer NextDNS, or the option of adding a server of your choice. Or you can turn off DoH.
(See Firefox > Preferences > General > Network Settings)


From: Ryebank
28/08/2020

A useful article, poorly written. There is no excuse for using so many "unannounced" acronyms including DoH itself. But things like "DoT (see later)" are really not useful. "CDN (Content Delivery Network) " is the way to do it and the article would be a lot clearer if that accepted pattern of acronym introduction was used throughout. I'm not quite sure how you came to the conclusion that your audience would need CDN expanded but the newer terms of DoH, DoT etc. not.