Privacy protection: Encrypted domain requests
The resolution of domain names to IP addresses is still largely unencrypted. This makes it easy for private or government snoopers to log which websites Internet users access. But the worldwide distributed Domain Name System (DNS), which resolves human-readable domain names to machine-readable IP addresses, can also be queried over encrypted channels.
The proprietary protocol DNSCrypt has been available for this purpose for a long time; more recently, DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH) have joined it. In the c’t article "Information Sealed - How DNS Communication Protects Your Privacy" we walk through setting up suitable clients for Linux, macOS and Windows.
Not a great success
DNSCrypt has not been a great success. The spread of the two more recent protocols, both specified by the Internet Engineering Task Force (IETF), has however increased markedly of late. This was reported by Lu Chaoyi from Tsinghua University at the meeting of the Internet Research Task Force (IRTF), the IETF’s research sister organization. In a large-scale study, the researchers documented the rise in encrypted connections. As expected, resolving a domain name to an IP address takes a few milliseconds longer over an encrypted channel. Unexpectedly, at first glance, encrypted requests also produced fewer errors.
The IETF standardized DoT as early as 2016 (RFC 8094). In 2018, Mozilla followed suit with the standardization of DoH, which Google was already using (RFC 8484). Since then the two methods have competed with each other, and experts are driving the development of both intensively. Lu’s research group has measured how DoT and DoH have spread across the Internet over the past two years.
More than 1000 DoT providers
DoT requests still rank far behind unencrypted DNS communication: the plaintext share of DNS traffic is currently "several hundred to 1000" times higher, but the DoT curve points upwards. The study registered a first jump for DoT in May 2018, when, for example, 10^4 DNS requests per month arrived via DoT at Cloudflare. Not surprisingly, the statistics show that large providers such as Cloudflare attract most DoT-encrypted requests.
The growing interest in DoT among service and access providers is also reflected in the rising number of DNS resolvers that speak DoT. Between May 2019 and July 2020 their number rose from around 2000 to 7800. These numbers are easy to gather from Internet traffic, because DoT normally uses its own TCP port, 853, while plaintext DNS mostly uses UDP port 53.
DoH more concentrated at few providers
The DoH protocol, however, uses the HTTPS port 443, so its traffic cannot easily be distinguished from web traffic. The DNS cartographers therefore resorted to tricks: they searched large, purchased HTTPS traffic datasets for keywords in packet headers, such as "dnsquery". These figures show that the majority of DoH requests are, in turn, concentrated at the large resolver operators Google and Cloudflare.
Lu and his colleagues recorded 10^7 monthly DNS requests for Google’s public DNS. For Mozilla, whose Firefox browser already uses Cloudflare resolvers by default for US users, 10^5 requests were recorded. The Californian service CleanBrowsing, which targets safety-conscious parents, also reaches 10^3 DNS queries per month. Overall there are far fewer providers of DoH resolvers than of DoT resolvers: only a little over 50 providers worldwide offer DoH, though that is up from just 17 in 2019.
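The two measurement heuristics described above (DoT recognizable by its dedicated TCP port 853, DoH hidden on port 443 and only identifiable from HTTP-layer markers) can be turned into a small traffic classifier. The following is an added example written for this page, not code from the study or from c’t; the flow records are constructed sample data, and the field names of the `Flow` record are an assumption rather than any real tool’s export format. Where the HTTP layer is visible (for example on a proxy or a decrypting monitoring point) it looks for the `/dns-query` path and the `application/dns-message` media type that RFC 8484 DoH uses; flows on port 443 without such markers stay classified as ordinary HTTPS.

```python
"""Classify DNS-related flow records by transport: plaintext DNS, DoT or DoH.

Added example (not from the original article). The flow records and field
names below are constructed sample data, not a real tool's export format.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Port conventions named in the article: plaintext DNS on port 53, DoT on TCP/853.
DNS_PORT = 53
DOT_PORT = 853
HTTPS_PORT = 443

# Markers RFC 8484 DoH uses at the HTTP layer. They are only visible when the HTTP
# layer itself is available, because DoH shares port 443 with ordinary web traffic.
DOH_PATH_HINT = "/dns-query"
DOH_MEDIA_TYPE = "application/dns-message"


@dataclass
class Flow:
    proto: str                          # "udp" or "tcp" (assumed field layout)
    dst_port: int
    http_request: Optional[str] = None  # request line + headers, if the HTTP layer is visible


def looks_like_doh(http_request: str) -> bool:
    """Return True if an HTTP request carries DoH markers (path or media type)."""
    lines = http_request.lower().splitlines()
    request_line = lines[0] if lines else ""
    if DOH_PATH_HINT in request_line:
        return True
    for header in lines[1:]:
        if ":" not in header:
            continue
        name, value = header.split(":", 1)
        if name.strip() in ("accept", "content-type") and DOH_MEDIA_TYPE in value:
            return True
    return False


def classify(flow: Flow) -> str:
    """Return 'dns', 'dot', 'doh', 'https' or 'other' for one flow record."""
    if flow.dst_port == DNS_PORT:
        # Plaintext DNS, whether over UDP or the TCP fallback used for large answers.
        return "dns"
    if flow.proto == "tcp" and flow.dst_port == DOT_PORT:
        return "dot"
    if flow.proto == "tcp" and flow.dst_port == HTTPS_PORT:
        if flow.http_request and looks_like_doh(flow.http_request):
            return "doh"
        return "https"  # indistinguishable from web traffic without the HTTP layer
    return "other"


def tally(flows: Iterable[Flow]) -> Counter:
    """Count flows per class."""
    return Counter(classify(f) for f in flows)


def encrypted_share(flows: Iterable[Flow]) -> float:
    """Fraction of DNS flows (plaintext, DoT, DoH) that are encrypted."""
    counts = tally(flows)
    dns_total = counts["dns"] + counts["dot"] + counts["doh"]
    if dns_total == 0:
        return 0.0
    return (counts["dot"] + counts["doh"]) / dns_total


# Constructed sample flows: two plaintext lookups, one DoT session, two DoH
# requests (one recognizable by path, one by media type), two web flows, one NTP.
SAMPLE_FLOWS = [
    Flow("udp", 53),
    Flow("udp", 53),
    Flow("tcp", 853),
    Flow("tcp", 443, "GET /dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB HTTP/1.1\r\n"
                     "Host: dns.example\r\nAccept: application/dns-message\r\n"),
    Flow("tcp", 443, "POST /resolve HTTP/1.1\r\nHost: doh.example\r\n"
                     "Content-Type: application/dns-message\r\nContent-Length: 33\r\n"),
    Flow("tcp", 443, "GET /index.html HTTP/1.1\r\nHost: www.example\r\nAccept: text/html\r\n"),
    Flow("tcp", 443),
    Flow("udp", 123),
]

if __name__ == "__main__":
    print(dict(tally(SAMPLE_FLOWS)))
    print(f"encrypted share of DNS flows: {encrypted_share(SAMPLE_FLOWS):.2f}")
```

Note the asymmetry the article points out: the DoT count is reliable from port numbers alone, whereas the DoH count is a lower bound that depends on how much of the HTTP layer the monitoring point can see.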
Teething problems and benefits
In many smaller DoT resolvers, which together account for a market share of 28 percent, the researchers diagnosed various misconfigurations. 70 percent of these are due to self-signed TLS certificates. In principle, TLS tunnels can be set up with self-signed certificates as well, but their use has two disadvantages: users generally have to approve them via an exception rule, otherwise the connection fails; and, more seriously, with self-signed certificates users have difficulty checking whether their client is really talking to the server they configured. A certificate signed by a Certificate Authority, on the other hand, can be authenticated automatically, and the CA also has the means to verify that an issued certificate actually belongs to the specified domain and to the server reachable under it. Thanks to initiatives like Let’s Encrypt, such certificates can easily be obtained free of charge today.
Only a small fraction of the analyzed certificates had expired and were therefore invalid. Overall, the researchers give encrypted DNS good marks for resolver availability and response speed. Compared with UDP-based transport, a resolver takes longer to answer a domain request, as expected, but the latency increases by only a few milliseconds.
At first glance it is surprising, however, that DoT and DoH outperform unencrypted DNS requests in reliability. At Cloudflare’s resolvers the researchers recorded only 1.2 percent failed DNS requests via DoT, compared with 16.5 percent for classic DNS. Without a specific problem in Cloudflare’s resolver network, the error rate of encrypted connections could be even lower, Lu said: Cloudflare’s resolvers are reachable worldwide under the IPv4 address 1.1.1.1, but that address is still used without authorization by various other companies, so not every request actually reaches the resolvers.
The significantly higher error rate of unencrypted DNS traffic, on the other hand, is probably due to UDP transport, which adds no delay but also provides no acknowledgements: with conventional UDP-based transport, clients send their DNS requests without error correction. If a backbone router on the path to the resolver is overloaded, it silently drops excess packets, which then never reach their destination. DoT-based DNS requests, by contrast, rely on error-correcting TCP. Once a TLS connection is established, the underlying TCP ensures that packets are resent immediately after a transmission error. That takes a little longer, but the DNS answer eventually reaches the requesting client.
Another advantage of encrypted transport is that redirections by third parties are far more laborious: an attacker would have to bring the domain of the encrypting resolver under their control. This applies to both DoT and DoH.
Blocking
Most states permit providers of encrypting DNS resolvers, so users can use such services freely. For some states, however, unencrypted DNS communication is a cornerstone of their Internet control, and their large firewalls accordingly block encrypted DNS traffic, such as requests to Google’s public DoH resolver. This reverses the ratio of encrypted to unencrypted DNS requests: DoH requests to Google’s resolver, normally reachable under the IPv4 address 8.8.8.8, fail 99 percent of the time in China. Plain-text DNS requests to Google, on the other hand, are mostly let through by Chinese censors.
The researchers conclude that DNS developers and users are, in principle, on the right path to greater confidentiality. They are optimistic about the future: weak points such as misconfigured resolvers and technical teething problems can be remedied.