[GTALUG] DNS-over-HTTPS - what's the use?

D. Hugh Redelmeier hugh at mimosa.com
Mon Dec 23 17:43:01 EST 2019


| From: Giles Orr via talk <talk at gtalug.org>

| Firefox now makes available DNS-over-HTTPS.  I'm a big fan of security
| and privacy, but I'm struggling to see the gains here: we stop some
| hypothetical observer from finding out what domain name we're querying
| ... and then immediately turn around and ask that domain for a web
| page.  You hid the destination in your first query ... only to
| immediately expose it with your next query.

I've not thought much about this so I probably have missed some
issues.

It is horrible that we haven't transitioned to DNSsec.  DNS is the
single worst technical weakness with no excuse.  It's been 20 years of
almost no adoption.

Without DNSsec, active man-in-the-middle (MITM) attacks are easy and
undetected.  By "active", I mean: modify the query or query results,
not just observe them.

ISPs do active MITM attacks.  Routers do them.  Corporations do them
for their employees.  Governments do them.  Invisibly.

I'd rather trust Mozilla than everyone on my query's route.

My network does not use outside recursive nameservers.  I use my own
in-house (literally) recursive nameserver.  I could switch it to use
HTTPS to talk to Mozilla's recursive nameserver if I chose to (it
would involve a small matter of programming because the off-the-shelf
programs don't currently support this).

The fact that Mozilla put the resolver in the browser is a little ugly
but understandable.

- they control the browser

- they have to modify one piece of software, not try to push a new
  feature on unwilling maintainers of perhaps a dozen pieces of
  software, the most important of which are closed source.

  This does not preclude those dozen pieces of software each adopting
  the new protocol.


(I've been annoyed that so much of a resolver is embedded in glibc.)

================

Conceptually, I don't like Mozilla being a single point of attack.
This solution really must be replaced by something better.  But will
it?

There is a chance that a make-do solution like this will de-motivate
possible adoption of DNSsec.  That would be bad.

================

HTTPS has more setup time than UDP or TCP.  But a single HTTPS pipe
between your browser and Mozilla can carry many queries and responses
(I assume that DNS-over-HTTPS has been designed to support this).

================

My tentative conclusion is that this is a hack but it is a quick and
simple way to somewhat better security.  The slow but better ways are
not working.
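As an added illustration of the protocol discussed above (example code added here, not code from the original post, from Mozilla, or from any resolver vendor): the pieces of an RFC 8484 DNS-over-HTTPS client in DNS wire format, the GET URL form, the POST form with its media type, and a parser applied to a constructed (not captured) answer.  The resolver URL doh.example.net is a placeholder assumption, and the demo runs entirely offline; the message ID of 0, the ?dns= base64url encoding and the application/dns-message media type are what RFC 8484 specifies.  The question-matching check at the end is the client-side sanity check that matters once the 16-bit ID no longer does any work.

```python
import base64
import struct
import urllib.request

DOH_ENDPOINT = "https://doh.example.net/dns-query"  # assumed placeholder, not a real resolver
TYPE_A, CLASS_IN = 1, 1

def encode_name(name):
    """Encode a dotted hostname as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, qtype=TYPE_A, msg_id=0):
    """Recursion-desired query.  RFC 8484 recommends ID 0 for DoH: the HTTP
    exchange pairs response with request, and a fixed ID keeps the message cacheable."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)

def doh_get_url(endpoint, wire):
    """GET form: wire-format message in ?dns= as unpadded base64url (RFC 8484 4.1)."""
    return endpoint + "?dns=" + base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")

def doh_post(endpoint, wire, timeout=5):
    """POST form: raw DNS message as the body.  Not called in the offline demo.
    A browser interleaves many of these over one HTTP/2 connection."""
    req = urllib.request.Request(
        endpoint, data=wire, method="POST",
        headers={"Content-Type": "application/dns-message",
                 "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()

def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:          # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2              # the name ends after the pointer
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)

def parse_message(msg):
    """Parse the header, question and answer sections of a DNS message."""
    msg_id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": msg_id, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0xF, "questions": questions, "answers": answers}

def response_matches_query(query, response):
    """Over plain UDP only the 16-bit ID and source port stop an on-path party
    from answering first; over DoH the TLS-authenticated HTTP exchange does the
    pairing, so the question section is what the client should compare."""
    q, r = parse_message(query), parse_message(response)
    return r["is_response"] and r["questions"] == q["questions"]

def constructed_response():
    """Constructed (not captured) answer to build_query('example.com.'):
    flags 0x8180 = QR|RD|RA, rcode 0; one A record, TTL 300, 192.0.2.1."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    question = encode_name("example.com.") + struct.pack("!HH", TYPE_A, CLASS_IN)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + answer

if __name__ == "__main__":
    query = build_query("example.com.")
    print(doh_get_url(DOH_ENDPOINT, query))
    print(parse_message(constructed_response()))
    print("question matches:", response_matches_query(query, constructed_response()))
```

The GET URL for example.com comes out as ...?dns=AAABAAABAAAAAAAAB2V4YW1wbGUDY29tAAABAAE, which is the whole point of the ID-0 convention: every client asking the same question sends the same bytes, so an HTTP cache in front of the resolver can serve it.  urllib gives one HTTP/1.1 connection per call; the "single pipe carrying many queries" remark above is what you get when an HTTP/2 client multiplexes these requests over one TLS session.  None of this authenticates the answer data itself; that is still DNSsec's job, and the channel only tells you which resolver you are talking to.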

