The Tech Policy Greenhouse is an online symposium where experts tackle the most difficult policy challenges facing innovation and technology today. These are problems that don't have easy solutions, where every decision involves tradeoffs and unintended consequences, so we've gathered a wide variety of voices to help dissect existing policy proposals and better inform new ones.

It's Long Past Time To Encrypt The Entire DNS

from the privacy-and-encryption dept

With work, school and healthcare moving online, data privacy and security has never been more important. Who can see what we’re doing online? What are corporations and government agencies doing with this information? How can our online activity be better protected? One answer is: encryption. Strong encryption has always been an important part of protecting and promoting our digital rights.

The majority of your web traffic is already encrypted. That’s the padlock in your URL bar; the S (for “secure”) in HTTPS. This baseline of encryption is the result of decades of dedicated work by privacy-conscious technologists aiming to safeguard users’ personal information and address pressing demands for data and transaction safety. Web traffic encryption allows us to feel confident when we buy or bank online, access our medical records, and communicate on social media.

Unfortunately, there’s a geyser of internet traffic that remains unencrypted, leaving our personal information still vulnerable to exploitation. Every day through a seamless process, our computers and phones make thousands of lookups through the Domain Name System (DNS). DNS is the way computers and phones find the IP address for any internet resource you want to access, whether it’s a website and all the content it contains, or an online messaging service, or the background connections made through mobile apps.

Thanks to the DNS, you can type in a memorable URL instead of having to remember a long string of numbers (like one of CNN’s IP addresses) to visit a website.

But while most of your web traffic is encrypted, your DNS lookups probably aren’t. The architects of the DNS system designed it in the 1980s, long before it became apparent that some would exploit this design for their own gain—or that repressive regimes would use it to censor and stifle dissidents.

The privacy concerns are easy to understand. Many of the domains you visit might be descriptive enough to give away what you’re doing on a particular web site or service—whether they are partisan political websites (“this person is a Republican!”), mortgage lenders (“this person wants to refinance!”), health websites (“this person seems to have a medical condition we can monetize!”), or certain websites you'd rather keep private. In other words, someone in the network sitting between you and a certain website might not know what you’re doing on a website—but they know you’re doing it on that website!

This enables the daily commercial exploitation of consumer data. As we speak, corporations can exploit the DNS to track and monetize your online activity. Thanks to the loosening of U.S. federal broadband privacy laws in 2017, Internet service providers (ISPs) like Verizon, Comcast Xfinity and Charter Spectrum are allowed to bundle and sell this lookup data to data brokers so they can build better personal and behavioral profiles—which are then rented out to companies that want to target you with personalized ads and appeals. For vulnerable communities, however, this infringement on privacy can lead to deeper erosion of other rights when, for example, analysis of someone’s online history profiles them as being “under-banked”, “financially vulnerable” or as targets for predatory loan offers. It’s a bit like a librarian selling your reading history to a psychologist.

Moreover, while DNS is an essential point of control for network administrators and service providers, that control can be problematic. On one hand, the DNS enables important mechanisms, from malware identification to enforcement of corporate and local policies to monitoring and testing of different network tools. On the other hand, if you as a user are trying to access some information during a period of social unrest, a government wanting to prevent you from accessing that information could force ISPs to block that content or tamper with the DNS responses your computer gets. Because DNS lookups also expose your IP address and MAC address (the hardware address of your device), they could also gain insight on your device’s location.

On top of all that, the vulnerability of the DNS system is also a security issue: A 2016 Infoblox Security Assessment Report found that 66% of DNS traffic was subject to suspicious exploits and security threats, from protocol anomalies (48%) to distributed denial of service (DDoS) attacks (14%). The study also showed that the biggest concerns for ISPs were downtime and loss of sensitive data, which translates into users not being able to access the online resources they need, or sensitive data of users’ lookups being leaked or stolen.

Thankfully, new technical protocols for encrypted DNS that directly address these issues are on the rise. Encrypted DNS protects access to resources and the integrity of DNS queries by preventing inspection of DNS packets and attempts to tamper with the DNS responses your computer gets. It shields against leaks of user data like IP/MAC addresses and domain names, keeping users from being tracked and monitored, and makes it difficult for censoring bodies to intercept and block the content you can access.
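To make the privacy point above concrete, here is an added example (not code from the article or from any of the providers it names): it builds one DNS question in plain wire format, shows that an on-path observer of a classic UDP lookup can read the queried name directly, and then packs the identical message into the DNS-over-HTTPS forms defined by RFC 8484, where only the TLS connection to the resolver is visible. The query for example.com is a constructed sample.

```python
# Added example, not code from the article: the same DNS question as a plaintext
# UDP packet (where an on-path observer reads the name) and as the RFC 8484
# DNS-over-HTTPS (DoH) message that travels inside TLS.
import base64
import struct

def build_query(qname, qtype=1, txid=0x1234):
    """Encode a single-question DNS query in RFC 1035 wire format (qtype 1 = A)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    labels = b"".join(bytes([len(part)]) + part.encode("ascii")
                      for part in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS=IN

def observed_qname(packet):
    """What anyone between you and the resolver recovers from a plain UDP DNS
    payload: the queried name, in the clear (the privacy concern in the article)."""
    pos, parts = 12, []  # question section starts after the 12-byte header
    while packet[pos] != 0:
        length = packet[pos]
        parts.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(parts)

def doh_get_target(packet, path="/dns-query"):
    """DoH GET form: the wire message base64url-encoded with '=' padding removed,
    carried in the 'dns' query parameter. Over HTTPS an observer sees only TLS
    records to the resolver, not this path or the name inside it."""
    encoded = base64.urlsafe_b64encode(packet).rstrip(b"=").decode("ascii")
    return f"{path}?dns={encoded}"

def doh_post_request(packet):
    """DoH POST form: the raw wire message as the request body, tagged with the
    application/dns-message media type."""
    headers = {"content-type": "application/dns-message",
               "accept": "application/dns-message"}
    return headers, packet

def decode_doh_get(target):
    """Resolver side: recover the wire message from a DoH GET target."""
    encoded = target.split("dns=", 1)[1]
    encoded += "=" * (-len(encoded) % 4)  # restore the padding RFC 8484 strips
    return base64.urlsafe_b64decode(encoded)

if __name__ == "__main__":
    q = build_query("example.com")  # constructed sample query
    print("plain UDP observer sees:", observed_qname(q))
    print("DoH GET target:", doh_get_target(q))
```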

Some technology companies and ISPs are already ahead of the curve and working on protecting their users. In 2019, Mozilla published its Resolver Policy for listing DNS-over-HTTPS (DoH) providers in Firefox’s settings options, followed by Comcast launching their Encrypted DNS Deployment Initiative (EDDI), and by Google defining the requirements to list DoH providers in Chrome’s settings.

These are not the only companies starting to take action in protecting users' online data, but many more need to step up. And for DoH there’s no time like the present. The currently low number of devices using DoH eases the adoption curve for ISPs testing and deploying encrypted DNS services, making updates and maintenance easier for early adopters. As the number of devices using these services goes up, more edge cases will be discovered and those same tasks will become increasingly difficult.

ISPs that prioritize data privacy can distinguish themselves with customers, partners and civil society. By taking steps to safely deploy secure and encrypted DNS communications to protect their users, ISPs like Comcast have taken the lead and increased goodwill with activists, technologists and vendors. ISPs that don’t adopt privacy-preserving measures will remain subject to increasing public scrutiny and critique. ISPs implementing their own encrypted DNS services will also avoid reliance on third-party implementations and increase DNS decentralization, to everyone's benefit.

Our global reality has been forever altered in the wake of this pandemic. Many of us are living most of our lives online. Inequities and exploitation that had been ignored have come into sharp focus, and the needs of a society in civil unrest add to the many reasons why the privacy and security of individuals is a right that needs to be enhanced and protected.

More than ever, customers are paying close attention to the companies that respect them, their families and their rights. DNS providers and ISPs must work together on the implementation and deployment of measures that will strengthen DNS. Choosing short-term profit over people is a losing business proposition, and the first movers will reap even larger rewards in consumer trust.

Joey Salazar is a software engineer, open source developer and Senior Programme Officer at Article 19, where she leads the IETF engagement program focusing on policies, standards, and protocol implementations.

Benjamin Moskowitz is the Director of Consumer Reports' Digital Lab, which conducts rigorous research and testing of connected products and advocates for consumers' rights online (


Filed Under: dns, encrypted dns, encryption, privacy

Reader Comments


  1. Anonymous Coward, 22 Jun 2020 @ 5:52pm

    IMC papers

    All major browsers have adopted HTTP/2, which allows for keepalive-style communications with HTTP/2-compliant servers, even over TLS/SSL. Anyone implementing DoH will do so with an HTTP/2-compliant server (otherwise, they are morons). In that case, the setup and teardown steps that you cite should be no more than once per page, not once per individual domain name.

    That's right. You pay the TCP and TLS setup overhead once, and then that cost is amortized over many queries. There were a couple of papers on this topic in last year's Internet Measurement Conference, with empirical measurements. There is additional overhead in terms of bytes and packets, but the effect on query latency and page load times is small.

    An Empirical Study of the Cost of DNS-over-HTTPS

    When comparing UDP-based DNS with DoH, we see that the UDP transport systematically leads to fewer bytes and fewer packets exchanged, with the median DNS exchange consuming only 182 bytes and 2 packets. A single DoH resolution in the median case on the other hand requires 5737 bytes and 27 packets to be sent for Cloudflare and 6941 bytes and 31 packets for Google. A single DoH exchange thus consumes more than 30 times as many bytes and roughly 15 times as many packets than in the UDP case. Persistent connections allow to amortize one-off overheads over many requests sent. In this case, the median Cloudflare resolution consumes 864 bytes in 8 packets, the median Google resolution 1203 bytes in 11 packets. While this is significantly smaller compared to the case of a non-persistent connection, DoH resolution still consumes roughly more than four times as many bytes and packets than UDP-based DNS does.

    Even though these results show that changing to DNS resolution via DoH leads to longer DNS resolution times, this does not necessarily translate into longer page load times. ... There is however little difference between page load time via legacy DNS or DNS-over-HTTPS: both resolution mechanisms achieve similar page load times.

    An End-to-End, Large-Scale Measurement of DNS-over-Encryption: How Far Have We Come?

    The reuse of connections has a great impact on the performance of DNS-over-Encryption. To amortize query latency, it is required that clients and servers should reuse connections when resources are sufficient. In current implementations, connection reuse is the default setting of popular client-side software and servers, with connection lifetime of tens of seconds. Under this lifetime, a study shows from passive traffic that connection reuse can be frequent (over 90% connection hit fraction). Therefore, we consider that connection reuse is the major scenario of DNS-over-Encryption queries, and take it as the main focus of our performance test.

    Finding 3.1: On average, query latency of encrypted DNS with reused connection is several milliseconds longer than traditional lookups. Connection reuse is required by the standard documents whenever possible. Our discussion in Section 4.1 also shows that connection reuse can be frequent for DNS-over-Encryption in practice. As shown in Figure 9, when connection is reused, encrypting DNS transactions brings a tolerable performance overhead on query time. Comparing the query latency of Cloudflare’s clear-text DNS, DoT and DoH, we are getting average/median performance overhead of 5ms/9ms (for DoT) and 8ms/6ms (for DoH) from our global clients.
