The Tech Policy Greenhouse is an online symposium where experts tackle the most difficult policy challenges facing innovation and technology today. These are problems that don't have easy solutions, where every decision involves tradeoffs and unintended consequences, so we've gathered a wide variety of voices to help dissect existing policy proposals and better inform new ones.

It's Long Past Time To Encrypt The Entire DNS

from the privacy-and-encryption dept

With work, school and healthcare moving online, data privacy and security has never been more important. Who can see what we’re doing online? What are corporations and government agencies doing with this information? How can our online activity be better protected? One answer is: encryption. Strong encryption has always been an important part of protecting and promoting our digital rights.

The majority of your web traffic is already encrypted. That’s the padlock in your URL bar; the the S –for “secure”– in HTTPS. This baseline of encryption is the result of decades of dedicated work by privacy-concerned technologists aiming to safeguard users’ personal information and address pressing demands for data and transaction safety. Web traffic encryption allows us to feel confident when we buy or bank online, access our medical records, and communicate on social media.

Unfortunately, there’s a geyser of internet traffic that remains unencrypted, leaving our personal information still vulnerable to exploitation. Every day through a seamless process, our computers and phones make thousands of lookups through the Domain Name System (DNS). DNS is the way computers and phones find the IP address for any internet resource you want to access, whether it’s a website and all the content it contains, or an online messaging service, or the background connections made through mobile apps.

Thanks to the DNS, you can type in a memorable URL ( instead of having to remember a long string of numbers (like, one of CNN’s IP addresses) to visit a website.

But while most of your web traffic is encrypted, your DNS lookups probably aren’t. The architects of the DNS system designed it in the 1980s, long before it became apparent that some would exploit this design for their own gain—or that repressive regimes would use it to censor and stifle dissidents.

The privacy concerns are easy to understand. Many of the domains you visit might be descriptive enough to give away what you’re doing on a particular web site or service—whether they are partisan political websites (“this person is a Republican!”), mortgage lenders (“this person wants to refinance!”), health websites (“this person seems to have a medical condition we can monetize!”), or certain websites you'd rather keep private. In other words, someone in the network sitting between you and a certain website might not know what you’re doing on a website—but they know you’re doing it on that website!

This enables the daily commercial exploitation of consumer data. As we speak, corporations can exploit the DNS to track and monetize your online activity. Thanks to the loosening of U.S. federal broadband privacy laws in 2017, Internet service providers (ISPs) like Verizon, ComcastXfinity and CharterSpectrum are allowed to bundle and sell this lookup data to data brokers so they can build better personal and behavioral profiles—which are then rented out to companies that want to target you with personalized ads and appeals. For vulnerable communities, however, this infringement on privacy can lead to deeper erosion of other rights when, for example, analysis of someone’s online history profiles them as being “under-banked”, “financially vulnerable” or as targets for predatory loan offers. It’s a bit like a librarian selling your reading history to a psychologist.

Moreover, while DNS is an essential point of control for network administrators and service providers, that control can be problematic. On one hand: the DNS enables the implementation of important mechanisms from malware identification, to enforcement of corporate and local policies, to monitoring and testing of different network tools. On the other hand, if you as a user are trying to access some information during a period of social unrest, a government wanting to prevent you from accessing that information could force ISPs to block that content or tamper with the DNS responses your computer gets. Because DNS lookups also expose your IP address and MAC address (the hardware address of your device), they could also gain insight on your device’s location.  

On top of all that, the vulnerability of the DNS system is also a security issue: A 2016 Infoblox Security Assessment Report found that 66% of DNS traffic was subject to suspicious exploits and security threats, from protocol anomalies (48%) to distributed denial of service (DDoS) attacks (14%). The study also showed that the biggest concerns for ISPs were downtime and loss of sensitive data, which translates into users not being able to access the online resources they need, or sensitive data of users’ lookups being leaked or stolen.

Thankfully, new technical protocols for encrypted DNS that directly address these issues are on the rise;. Encrypted DNS protects access to resources and the data integrity of DNS queries by preventing DNS packet inspection and actions trying to tamper with the DNS responses your computer gets. It shields against leaks of user data like IP/MAC addresses and domains, keeping users from being tracked and monitored, and makes it difficult for censoring bodies to be able to intercept and block the content you can access.

Some technology companies and ISPs are already ahead of the curve and working on protecting their users. In 2019, Mozilla published its Resolver Policy for listing DNS-over-HTTPS (DoH) providers in Firefox’s settings options, followed by Comcast launching their Encrypted DNS Deployment Initiative (EDDI), and by Google defining the requirements to list DoH providers in Chrome’s settings.

These are not the only companies starting to take action in protecting users' online data, but many more need to step up. And for DoH there’s no time like the present: the currently low number of devices using DoH eases the adoption curve for ISPs testing and deploying encrypted DNS services, making the implementation of updates and maintenance easier for early adopters, while, on the other hand, as the number of devices using these services goes up, more edge cases will be discovered and the same functions will become increasingly more difficult.

ISPs that prioritize data privacy can distinguish themselves with customers, partners and civil society. By taking steps to safely deploy secure and encrypted DNS communications to protect their users, ISPs like Comcast have taken the lead and increased goodwill with activists, technologists and vendors. ISPs that don’t adopt privacy-preserving measures will remain subject to increasing public scrutiny and critique. ISPs implementing their own encrypted DNS services will also avoid reliance on third-party implementations and increase DNS decentralization, to everyone's benefit.

Our global reality has been forever altered in the wake of this pandemic. Many of us are living most of our lives online. Inequities and exploitation that had been ignored have come into sharp focus, and the needs of a society in civil unrest add to the many reasons why the privacy and security of individuals is a right that needs to be enhanced and protected.

More than ever, customers are paying close attention to the companies that respect them, their families and their rights. DNS providers and ISPs must work together on the implementation and deployment of measures that will strengthen DNS. Choosing short-term profit over people is a losing business proposition, and the first movers will reap even larger rewards in consumer trust.

Joey Salazar is a software engineer, open source developer and Senior Programme Officer at Article 19, where she leads the IETF engagement program focusing on policies, standards, and protocol implementations.

Benjamin Moskowitz is the Director of Consumer Reports' Digital Lab, which conducts rigorous research and testing of connected products and advocates for consumers' rights online (

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: dns, encrypted dns, encryption, privacy

Reader Comments

Subscribe: RSS

View by: Thread

  1. identicon
    K England, 23 Jun 2020 @ 8:16am

    DOH has a big problem

    Just wanted to mention that DOH causes every web browser to create a long-lived HTTPS connection to the DNS server. Web servers are designed for short-lived TCP connections. The creation of millions of long-lived TCP connections will cause DOH servers to fall over, as has recently happened with Mozilla's DOH roll-out.
    Experts are recommending DNS-over-TLS and complaining about many features of DOH. For these reasons, it is likely to fail even with Mozilla and Google behind it.

Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here

Subscribe to the Techdirt Daily newsletter

Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt

The Tech Policy Greenhouse
is a special project by Techdirt,
with support from:

Essential Reading
Techdirt Insider Chat

Warning: include(/home/beta6/deploy/itasca_20201215-3691-c395/includes/right_column/ failed to open stream: No such file or directory in /home/beta6/deploy/itasca_20201215-3691-c395/includes/right_column/ on line 8

Warning: include(): Failed opening '/home/beta6/deploy/itasca_20201215-3691-c395/includes/right_column/' for inclusion (include_path='.:/usr/share/pear:/home/beta6/deploy/itasca_20201215-3691-c395:/home/beta6/deploy/itasca_20201215-3691-c395/..') in /home/beta6/deploy/itasca_20201215-3691-c395/includes/right_column/ on line 8

Warning: include(/home/beta6/deploy/itasca_20201215-3691-c395/includes/right_column/ failed to open stream: No such file or directory in /home/beta6/deploy/itasca_20201215-3691-c395/includes/right_column/ on line 8

Warning: include(): Failed opening '/home/beta6/deploy/itasca_20201215-3691-c395/includes/right_column/' for inclusion (include_path='.:/usr/share/pear:/home/beta6/deploy/itasca_20201215-3691-c395:/home/beta6/deploy/itasca_20201215-3691-c395/..') in /home/beta6/deploy/itasca_20201215-3691-c395/includes/right_column/ on line 8
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it

Email This

This feature is only available to registered users. Register or sign in to use it.