Over the past few months, DoH or DNS over https, has been the reason for many raised eyebrows in the sector covering registries, ISPs and alike.
So, what is DoH, in brief?
DoH is an internet protocol that encrypts queries from end users between the application or operation system they use and the caching resolver, who stores the results of previous queries to be able to re-use them rapidly. The DNS traffic is not only encrypted but is also sent via the standard https port (443). In that way the DNS traffic is not visible for a.o. company networks and local ISPs. DoH is offered as a free (resolving) service by providers such as Google and Cloudflare. This basically means that, apart from the data they already saw from their own DNS services, the Googles and Cloudflares of this world now also collect the data that has previously only been seen by local ISPs.
The big questions
Do end users – i.e. the people who go online – know about this? What happens to the data collected by these internet giants? Will the end user have the choice of using the regular local resolver where the DNS queries are not sent to another jurisdiction or outside the realm of the local enterprise network? What is the added value for the end user of having DNS queries encrypted and what’s the difference with using VPN as a security measure? Finally, how does the availability of this service affect the work of police in their investigations and so is it a threat to national security or the general security of citizens?
The reasoning behind the development of DoH is that in the USA, for example, local ISPs collect this DNS data from their customers and use it for commercial gain, such as for ads targeted at customers.
So, as an end user and a customer of these ISPs, if you no longer want this to happen, you could use a DoH service from Google so that your local ISP no longer has access to this data.
Another reason for this service is to protect the privacy of end users in countries where human rights are not always top-of-mind for local politicians and authorities. For instance, in certain countries you might prefer not to out yourself as a member of the LGBT community, or as an activist against the ruling regime, etc. This means it might be safer to hide your DNS queries so that you are not discovered. This said, one might also question whether these DoH service providers will be able to offer their services in these countries and whether more authoritarian regimes will allow it to happen.
Freedom of choice
For people living in EU, where privacy is protected by the GDPR and where local privacy authorities are alert to abuses, we do not see an immediate advantage of using DoH, except if you trust Google and Cloudflare more than your local ISP operating under local and European laws. But, given the key European principle of freedom of choice, it should also be possible to make a personal choice in full awareness of the facts.
In reality, though, we may see the DoH service being made obligatory as part of the browser (Mozilla launched its cooperation in the Firefox browser with Cloudflare’s DoH service and Google is looking at doing the same in its Chrome browser) and so the end user could simply be unaware, let alone having a choice.
Giving a choice, means informing the end user, explaining the differences in an honest and objective way, and offering an easy solution for confirming and changing your mind.
As a side note we would like to add that today these same internet giants are offering non-encrypted resolving services to end users. One might also wonder what happens with this data. The mere fact of the queries being encrypted or not, does not change the possible issues of privacy or market concentration.
Last, but not least, the simple fact that this easy but crucial internet service is being centralised with just a few parties goes against the whole idea of the internet, where the basic premise is decentralisation in order to make the internet and its services as resilient and redundant as possible. Do we really want 5 or 10 parties to have this power over what goes on online, plus the stability of the internet placed in their hands? What if this data becomes compromised or is abused and used for targeted ad campaigns, etc. with political content? It could suddenly get easier – or certainly worth the effort – to try and misuse that data and target large audiences with specific political (fake) content in times of elections.
Today this DoH development, or at least the way it is offered and bundled, raises many questions. The so-called advantages for (European) end users are not very obvious. The claims – more privacy and ‘faster’ internet – are both very doubtful, while the possible disadvantages seem a whole lot clearer.
To summarise
Do we want the task of our police and law-enforcement authorities made harder by the use of the DoH service? Do we want to hand over even more end user data to the known internet giants who have never shown much respect for the information they already collect?
All of these valid questions and the absence of solid, credible answers from the major DoH providers should make our policymakers at a local and European level think twice before just letting this thing pass under the radar. We believe that DoH, the way it is currently used and provided, is not an obvious, positive development for the European end user. It doesn’t offer a clear added value for the local internet community and it even could jeopardise our national security.
A thorough investigation of the possible impact of DoH in its current form by those with political responsibility is certainly to be recommended.