Google and Mozilla’s plans for encrypted DNS upset big ISPs
When you visit a website, your computer asks the domain name system (DNS) to
translate the domain name into an IP address, and that query is almost always
sent unencrypted, where anyone on the network path can read it or alter the
answer. This of course raises privacy and security concerns. Google and Mozilla
have been trying to address them by adding support in their browsers for sending
DNS queries over HTTPS, so the lookup travels inside an encrypted connection to
the resolver instead of in plaintext UDP packets.
More information on Mozilla’s efforts can be found in one
of our previous blog posts from earlier this year: https://rhynonetworks.com/firefox-to-make-encrypted-dns-default/
The work that Google and Mozilla have been doing to protect
their customers sounds like a good thing, but major internet service providers
are less than pleased. So much so, in fact, that they wrote a letter to
Congress warning that Google’s support for DNS over HTTPS (DoH) “could
interfere on a mass scale with critical Internet functions, as well as raise data-competition
The House Judiciary Committee is taking these concerns
seriously and responded by sending a letter to Google for details about its DoH
plans. One of the key questions asked was whether Google plans to use data
collected via the new protocol for commercial purposes.
Google says these concerns are groundless. The telecom
companies insinuate that Google plans to switch Chrome users to its own DNS
servers; Google denies having any such plan.
The telecom industry letter is confusing because it mashes
together two different criticisms of Google’s DoH plans. The first is that
switching to encrypted DNS would prevent ISPs and others from monitoring their
users’ lookups. The second is that, in the process of enabling DoH, Google will
switch millions of users over to Google’s own DNS servers, which the ISPs worry
would lead to a dangerous concentration of control over DNS.
Google has been quite transparent about its plans, which
it laid out in detail in a September 10th blog post. Starting with version 78,
Chrome will begin experimenting with the new DoH feature. In the experiment,
Chrome will “check if the user’s current DNS provider is among a list of
DoH-compatible providers, and upgrade to the equivalent DoH service from the
same provider.” Google further stated that, “If the DNS provider isn’t in the
list, Chrome will continue to operate as it does today.” In other words, the
experiment changes only the transport: the same resolver that saw the user’s
queries before still sees them, just over HTTPS instead of plaintext.
In this respect, Google and Mozilla have very different
strategies. Mozilla is planning a more aggressive rollout: a gradual shift of
its users to DoH whether or not their existing DNS provider supports it. That
shift will make Cloudflare the default DNS provider for many Firefox users,
regardless of the DNS settings of the underlying operating system. Mozilla does
leave network operators an opt-out: Firefox looks up a canary domain
(use-application-dns.net) through the local resolver and stays on the
system’s DNS if that resolver refuses to answer for it, and it also falls back
when it detects enterprise policies or parental controls.
Mozilla has more room to take this stance because it isn’t
a DNS provider in its own right, so there would be little basis for antitrust
scrutiny if it shifts its users to a new DNS provider. If Google made the same
shift of Chrome users over to its own DNS servers, that could raise antitrust
concerns.
One big reason ISPs have concerns is that unencrypted DNS is
convenient for them. With plaintext DNS, an ISP can see every lookup its
customers make. Some ISPs also modify customers’ DNS traffic in flight, for
example to block children from reaching adult material with an ISP-level filter
that rewrites the answers for banned domains. Some public Wi-Fi networks use the
same trick to redirect users to a network log-in page.
Of course, some ISPs also use DNS snooping for more
controversial purposes, such as ad targeting or policing their networks for
Widespread adoption of DoH would limit an ISP’s ability to
both monitor and modify customer queries. It wouldn’t necessarily eliminate
that ability, since an ISP can still apply these techniques to customers who
use the ISP’s own DNS servers (DoH or not, the resolver sees the question). But
if customers switched to third-party DNS servers, whether from Google or one of
its various competitors, ISPs would no longer have an easy way to learn which
sites customers were accessing from DNS alone. One caveat: most HTTPS
connections still send the hostname in the clear in the TLS Server Name
Indication field, so until encrypted SNI is widely deployed an ISP that watches
TLS handshakes can recover much of the same information; DoH closes one channel,
not all of them.
ISPs would still be able to see which IP addresses
customers were connecting to, which gives them limited information, but
multiple domains can share a single IP address and domains change IP
addresses over time, reducing ISPs’ visibility into their customers’
Encrypting DNS looks like the natural next step toward a
more secure Internet.
The letter from the big ISPs to Congress can be found here: https://www.ncta.com/sites/default/files/2019-09/Final%20DOH%20LETTER%209-19-19.pdf
As always, if we can be of help with your network or computer, give us a call here at RHYNO Networks. (855) 749-6648