This is the first document for a new project called DoHoT DNS, which I
hope will grow to help people recoup some privacy in places where they
have previously not considered it lacking.
What I seek with this project is to explain, to encourage, and to simplify adoption of DNS over HTTPS over Tor.
APNIC Blog: DoHoT: better security, privacy, and integrity via load-balanced DNS over HTTPS over Tor
Presented at SDNS 2021: Celebrating 10 years of Encrypted DNS
A Year and a Half of DNS over HTTPS over Tor
Presented at NDSS21 DNS Privacy Workshop
A Year of DNS over HTTPS over Tor
- Likely none of this is new.
- I probably describe nothing that is novel.
- Other people will have done this before, and are probably doing it now, although arguably from a base of less experience than myself regarding Tor and performance tuning.
- None of the software I describe has been written by me, but instead has been written by people cleverer and more dedicated than I.
- DNS experts will almost certainly describe the latency figures that I publish here as "excessively slow", "impractical", or "unusable". I firmly disagree, at least for the domestic or individual user, and I present several months' worth of both numbers and "24x7 lived experience" to back up my perspective.
The DNS protocol is more than 40 years old, was never designed for privacy, and is broadly instrumented - i.e.: logged, sold, spied-upon, and interfered-with - by:
- Cafes, Hotels, Aircraft, and other "captive portals"
- Internet Service Providers (ISPs)
- The upstream peers and bearer-providers for ISPs
- Partner-companies to the above, which monetise the ability to control, manipulate and track DNS results
- Nation-state Governments which want to exert control upon people's access to information
As I have written
elsewhere
the launch of the DoH protocol presents a marvellous opportunity;
the protocol itself has been represented as rather
contentious
but a careful reading of some of the more
critical
coverage
suggests that the criticisms tend to come from people or organisations
in categories 2 through 5 above, perhaps concerned that
increased DNS privacy may impact their business models, revenue,
income, or their quiet "obligations" to nation-state security
services. as if people being enabled with privacy would somehow be
"their fault".
Some critics ignore the "first mile" transport-security benefits of
DoH and instead frame the concerns
by complaining about problems that DoH doesn't actually address; for
instance:
The response to DoH's anointment as a major privacy-preserving solution has been downright acid, in some cases. Critics have taken a jab at the protocol on different plains, which we'll try to organize and categorize below:
- DoH doesn't actually prevent ISPs user tracking
- DoH creates havoc in the enterprise sector
- DoH weakens cyber-security
- DoH helps criminals
- DoH shouldn't be recommended to dissidents
- DoH centralizes DNS traffic at a few DoH resolvers
The cited criticisms are not reasonable because the concerns that are
raised are generally not for DoH to fix:
DoH was never meant as a wholesale "cure" for ISP user-tracking;
it's meant to reduce DNS observation, tampering, and interference.
I have worked in the "enterprise sector" since 1992; I am sorry to be glib but this equally glib claim is nonsense.
Again this is a vague concern - DoH weakens what aspects of security, how, for whom, and to what compensating benefits, to whom? - but also it should be noted that the prime weaknesses in cybersecurity are "users" and "software" yet we are somehow content to have more of both of those?
Helps criminals? So does "the internet" in general - it would not be able to have cybercrime without computers.
So far as I am aware, nobody is recommending DoH for "dissidents";
DoH is being recommended more broadly to people who want more privacy.
Aha! This latter concern has some substance, and it is worth consideration; generally there are three aspects to this concern:
- "DNS is a 'distributed' protocol, and
DoHis antithetical to 'distribution'!".
- I deal with this matter extensively in a separate blogpost
- "There are not enough
DoHproviders and users may be deanonymised via analysis of huge data sets!"
- Mozilla has sought to address this concern with their
Trusted Recursive Resolver program;
but simplistically it seems logical that the proper solution to "too
few"
DoHproviders is to encourage more of them, not fewer.
- "A small number of Big Data Companies will get all the tracking information, instead of us!"
- This is an actionable concern, and one where we can make an improvement well beyond
DoHlet aloneDo53.
The fear that "Big Data Companies" will mine DoH request data for
profit is valid and is one which the likes of (e.g.) Mozilla are
already working on
(see point 2, here) -
but it's one where the internet is also already equipped with a well-tested solution:
Tor.
One of the goals of the Tor project is to provide anonymity of clients from servers; there are other benefits to Tor and Tor "Onion Networking", but this is the most popular rationale for Tor's use.
It's also a rationale which meshes insanely well, with DoH.
Tor does not support UDP and therefore cannot provide anonymity for
Do53 traffic, but because DoH is normal HTTPS it can be carried
efficiently over Tor connections.
Therefore:
- if the individual provides and controls a local
Do53resolver, not least for normal, "legacy" use - being offered by DHCP, etc. - and that resolver is configured to resolve upstream, using
DoH - and that resolver is configured to strip linkable identifiers from
DoHrequests - and that resolver connects to various major
DoHproviders over Tor - then the provider will not know who is making the request, nor from where it came, nor will be able to "link" requests
This architecture follows Tor's
"anonymity loves company"
model for privacy, and offers far better privacy, integrity,
unblockability and untrackability than anything offered by Do53,
DoT (DNS over TLS on port 853), raw DoH or indeed any other DNS
lookup-service.
And the technology already exists, is free, and my data and experience is that it works really well for home users, perhaps more.
See here; this project is evolving and I will be updating it.
There are a few patterns or weird experiences that I have noted:
My WiFi router dashboard perpetually complains about "High DNS Latency", which only goes to show that expectations of "low latency" in modern DNS are lower than what humans are actually okay with.
Approximately every 20 seconds my Chromecast attempts to send a request to 8.8.8.8, which my firewall drops and logs. I find this interesting, but it's not really a DoHoT problem so much as a matter of my choice to block any non-DoHoT DNS requests.
The Chromecast - including upgrades - still works fine, so I am ignoring this matter.
Every so often I visit somewhere that causes me to temporarily hardcode my laptop or phone DNS server to 1.1.1.1 or 8.8.8.8; then I come home and the device stops working until I remember to reset the DNS to be the automatic DHCP default.
Again I consider this to be due to my choice to block any non-DoHoT DNS requests, but it's probably also good discipline from a privacy perspective. I actually used to believe that my privacy self-discipline was better than this, but I was wrong.
This situation is interesting to compare to criticism from DoH critics who argue that it is they - your service provider, your ISP - rather than you, who should be limiting access to alternative sources of DNS resolution.
DoT / DNS-over-TLS on port 853 is touted by DNS experts as the "proper" solution
for DNS privacy and security, but I have not yet seen any devices or
applications actually using it.