Does the arrival of DoH mean browsers should be regulated?
New protocol gives browsers more power
Within the internet industry, implementation of the new DNS over HTTPS (DoH) protocol is a hot topic. In principle, DoH should give a further small security boost and help to protect user privacy. However, it may also have significant implications for the way the DNS works. For example, the adoption of DoH by the Firefox web browser will involve DNS requests being handled by Mozilla's partners in the US; users in the Netherlands will be left in the dark about what's happening, and the firms in question won't be answerable to them or governed by the GDPR. Can browser developers be relied upon to use their new powers responsibly, or is some form of regulation required?
Encryption of DNS traffic is useful
DNS over HTTPS, often abbreviated to DoH, involves the encryption of DNS traffic. Your browser uses the DNS to find out the IP addresses of websites you want to visit by 'translating' the associated domain names. The DNS protocol is therefore essential for browsing the net. The associated 'traffic' consists of queries and responses passing to and fro between various machines. Normally, your browser uses your computer or phone's 'dumb' stub resolver to send a query to a recursive resolver on your network. When you're connected to your home network or using your phone on the move, the recursive resolver that's queried will usually be one operated by your internet access provider. At work, it'll be your employer's resolver. However, if you use public Wi-Fi – say, in a restaurant or on the train – you have no way of knowing which resolver is handling your DNS queries.
In situations like that, the DNS traffic isn't encrypted. Your queries are sent in a readable form and can be fairly easily intercepted by snoopers and even manipulated in transit. Encrypting the traffic with DoH resolves that problem. Your resolver decrypts incoming queries, gets answers and passes them on to you in encrypted form. All in the space of milliseconds. For a more detailed explanation of how DoH works, see our previous blog post on the topic.
Your browser decides which DNS resolver to use
With DoH, your browser uses HTTPS for DNS traffic, bypassing your operating system. Consequently, your network no longer recognises the DNS traffic and therefore doesn't send it to the network's own resolver. Instead, the DNS traffic goes to the resolver that your browser is set up to use. Because resolving is divorced from your network, the arrangement implies that another player now knows which websites you're visiting. Your network provider already has that information – that's unavoidable – but now the operator of the resolver used by your browser has it as well. So, obviously, you want the resolver operator to be someone you trust.
In Firefox's implementation of DoH, DNS queries will no longer go to the resolver for the network you're currently connected to, but to a resolver that Firefox trusts. Cloudflare is currently the only resolver used by Firefox. That's probably a good thing, because some of the other resolver operators around, such as US ISPs, are in the habit of selling customers' DNS data. Use of Cloudflare is also a plus when you can't be sure how trustworthy your network's resolver is – when you're on public Wi-Fi, for example.
However, the arrangement is a fundamental change from the way the DNS has traditionally worked, where you or your employer had control over who handled your query traffic, at least implicitly, through your choice of ISP. Mozilla plans to add other options to Firefox's list of trusted resolvers. However, much DNS traffic is likely to be routed via the default resolver, since few internet users know enough about infrastructure components, such as DoH or the DNS, to opt for anything different.
New protocol gives browsers more power
Until now, the network operator has typically been responsible for choosing a resolver. However, with the introduction of DoH, that role passes to browser providers. And we don't yet know how they will use their newfound power. Will they unilaterally determine where all DNS traffic will go? Or will they let users decide? If users are offered a choice, will that be a free choice, or will they have to pick from preselected options? And can the average internet user be expected to actively engage with the issue and make a considered decision? Or will most users just opt for convenience and stick with the default resolver? And what will the default resolver be? Last but not least, what are the implications for Dutch and European society's autonomous control of the local internet?
Involving the Dutch internet community
At the ECP Annual Congress, we linked up with KPN to host an NLIGF debate, addressing questions such as those set out above. The audience suggested that, in response to the developing situation, the first step should perhaps be to set up a reliable Dutch DoH resolver service that complied with the GDPR. Browsers could then offer users the option of using that resolver as a trustworthy source of DNS information. Another important conclusion was that DoH is just one example of the increasing centralisation of internet services. The dominance of players such as Google is far from new. Some participants in the NLIGF session therefore suggested regulation as an option, although not a necessity.
On top of DoH
Here at SIDN, we intend to keep a close eye on developments. Our team at SIDN Labs continuously measures the share of incoming DNS traffic accounted for by resolvers operated by the likes of Google and Cloudflare, and we maintain close contact with key stakeholders in the Netherlands and with the European registry community. We believe that the introduction of DoH and other such developments warrant discussion with the wider internet community, rather than exclusively with the technical players, and we will use our influence to promote such discussion.