Google and Mozilla’s plans for encrypted DNS upset big ISPs

When you visit a new website, your computer submits a request to the domain name system (DNS) to translate the domain name into an IP address, and most of those DNS queries are sent unencrypted over UDP port 53. Anyone on the network path, from the coffee-shop Wi-Fi operator to the ISP, can read those queries and, in many cases, alter the answers, which raises obvious privacy and security concerns. Google and Mozilla have been trying to address these concerns by adding support in their browsers for DNS over HTTPS (DoH), which wraps the same DNS messages inside an encrypted HTTPS connection to a resolver.
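To make concrete what changes on the wire, here is an added example (not code from Google, Mozilla or RHYNO Networks) that builds a standard DNS query, shows how it is carried in a DoH GET request as defined in RFC 8484, and parses the response a DoH server would return in the application/dns-message body. It runs entirely offline: the response bytes are constructed by hand, the 192.0.2.1 address is a documentation address, and the resolver URL is an assumption used only to show the request shape.

```python
"""DNS-over-HTTPS (RFC 8484) request shape and response parsing, offline.

Added example. The DNS message itself is unchanged by DoH; what changes is
that it travels inside HTTPS instead of plaintext UDP/TCP port 53.
"""
import base64
import struct

# Assumption: any RFC 8484 resolver endpoint works; this is just the URL shape.
DOH_ENDPOINT = "https://dns.google/dns-query"


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS labels: 3www7example3com0 (RFC 1035)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("idna")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Wire-format DNS query: header + one question (type A, class IN).

    RFC 8484 recommends transaction ID 0 so identical GET requests are
    cacheable; the TLS session now provides the anti-spoofing protection
    that a random ID gave classic UDP DNS.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    return header + question


def doh_get_url(name: str, endpoint: str = DOH_ENDPOINT) -> str:
    """GET form: ?dns=<base64url(query)> with '=' padding stripped (RFC 8484 4.1).

    The POST form sends the same bytes as the body with
    Content-Type: application/dns-message instead.
    """
    q = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode()
    return f"{endpoint}?dns={q}"


def read_name(msg: bytes, off: int):
    """Decode a possibly-compressed name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_answers(msg: bytes):
    """Return (rcode, [(name, type, ttl, rdata_text), ...]) from a response."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == 1 and rdlen == 4:
            text = ".".join(str(b) for b in rdata)  # A record
        elif rtype == 5:
            text, _ = read_name(msg, off)  # CNAME target
        else:
            text = rdata.hex()
        off += rdlen
        answers.append((name, rtype, ttl, text))
    return flags & 0xF, answers


def constructed_response() -> bytes:
    """Hand-built response body (constructed sample, not a captured packet):
    flags 0x8180 = QR, RD, RA; one question; one A answer with TTL 300."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    question = encode_name("www.example.com") + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + answer


if __name__ == "__main__":
    print(doh_get_url("www.example.com"))
    print(parse_answers(constructed_response()))
```

To send the request for real you would fetch that URL with an `Accept: application/dns-message` header (for example via `urllib.request.Request`) and pass the response body to `parse_answers`. An on-path observer of the plaintext version sees every byte `build_query` produces; with DoH they see only a TLS connection to the resolver's IP address.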

More information on Mozilla’s efforts can be found on one of our previous blog posts from earlier this year. https://rhynonetworks.com/firefox-to-make-encrypted-dns-default/

The work that Google and Mozilla have been doing to protect their customers sounds like a good thing, but major internet service providers are less than pleased. So much so, in fact, that they wrote a letter to Congress warning that Google’s support for DNS over HTTPS (DoH) “could interfere on a mass scale with critical Internet functions, as well as raise data-competition issues.”

The House Judiciary Committee is taking these concerns seriously and responded by sending a letter to Google for details about its DoH plans. One of the key questions asked was whether Google plans to use data collected via the new protocol for commercial purposes.

Google states that these concerns are groundless. While telecom companies are insinuating that Google has plans to switch Chrome users to its own DNS servers, Google denies that assumption.

The telecom industry letter in question is confusing because it mashes together two different criticisms of Google’s DoH plans. The first is that switching to encrypted DNS would prevent ISPs and others from observing their users’ queries. The second is that, in the process of enabling DoH, Google will switch millions of users over to Google’s own DNS servers, which the ISPs argue would lead to a dangerous concentration of control over DNS.

Google has been quite transparent with their plans, which they laid out in detail in a September 10th blog post. They state that starting with version 78, Chrome will begin experimenting with the new DoH feature. With the experiment, Chrome will “check if the user’s current DNS provider is among a list of DoH-compatible providers, and upgrade to the equivalent DoH service from the same provider.” Google further stated that, “If the DNS provider isn’t in the list, Chrome will continue to operate as it does today.”

In this respect, Google and Mozilla have very different strategies. Mozilla is planning a more aggressive rollout of the technology: a gradual shift of all of its users to DoH, whether or not their existing DNS provider supports it. The shift will make Cloudflare the default DNS provider for many Firefox users, regardless of the DNS settings of the underlying OS.

Mozilla is in a better position to take this stance because, unlike Google, it is not a major DNS provider in its own right. This means there would be little basis for antitrust scrutiny if Mozilla shifts its users over to a third-party DNS provider. If Google made the same shift of its Chrome users over to its own DNS servers, it could well raise antitrust concerns.

One big reason ISPs have concerns is that the lack of DNS encryption is convenient for them. With unencrypted DNS, ISPs can monitor their customers’ Internet traffic. In some cases, ISPs also modify customers’ DNS queries in flight, for example to block children from accessing adult material by using an ISP-level filter that rewrites responses for banned domains. Some public Wi-Fi networks also use rewritten DNS answers as a way to redirect users to a network log-in page (a captive portal).

Of course, some ISPs also use DNS snooping for more controversial purposes, such as ad targeting or policing their networks for copyright infringement.

Widespread adoption of DoH would limit an ISP’s ability to both monitor and modify customer queries. It wouldn’t necessarily eliminate that ability, since an ISP can still see and filter the queries of customers who use the ISP’s own resolver, whether over DoH or not. However, if customers switched to third-party DNS servers, from Google or one of its various competitors, then ISPs would no longer have an easy way to see which sites customers were accessing at the DNS layer.

ISPs would still be able to see which IP addresses customers were connecting to, which gives them some information, but multiple domains can share a single IP address and domains can change IP addresses over time, reducing ISPs’ visibility into their customers’ browsing habits. One caveat worth knowing: encrypting DNS alone does not hide the hostname entirely, because the TLS handshake for an HTTPS connection still carries the server name in the clear (the SNI extension) unless the browser and site also support encrypted SNI, so DoH closes one leak rather than all of them.

In reality, it seems that encryption of DNS is the natural next step toward a more secure Internet.

The letter from the big ISPs to Congress can be found here: https://www.ncta.com/sites/default/files/2019-09/Final%20DOH%20LETTER%209-19-19.pdf

As always, if we can be of help with your network or computer, give us a call here at RHYNO Networks. (855) 749-6648