There's an interesting trend happening right now. Firefox now defaults to DNS-over-HTTPS (DoH) via Cloudflare for users in the United States. Mozilla says this is about privacy, but there's little evidence that it helps enough to be worthwhile. Let's examine the benefits and pitfalls of DoH.
First, let's address a big problem that makes it difficult to have discussions about DoH. Mozilla's marketing campaign has been successful in convincing people that Mozilla is doing this for everyone's good, and that Mozilla and Cloudflare are acting for purely altruistic reasons. They very well may be, but if so, it betrays a problem with their fundamental understanding of the issue they claim to be solving. Whatever the motivation, some fans of Mozilla and Cloudflare tend to respond emotionally without spending much time on the technical implications of widespread DoH use. Here I'm simply advocating for a reasoned discussion of the merits and shortcomings of DoH based on facts and real-world scenarios.
Let's look at the assumptions we need to make if we want to believe DoH's claims about privacy and censorship. First, privacy. From whom are we gaining protection? According to Mozilla, "DoH, when enabled, ensures that your ISP cannot collect and sell personal information related to your browsing behavior".
But is this really true?
Ignoring the underlying problem of an FCC run by a pro-business lobbyist that refuses to protect citizens (after all, monitoring our traffic without permission should simply be illegal), let's imagine ISPs of various degrees of evil and consider what options they currently have:
Good: you pay your ISP, they give you an Internet connection, and everything is fine.
A little evil: your ISP wants to make extra money by selling your browsing behavior. They log all DNS queries made to their servers and sell the data.
More evil: your ISP isn't happy with the money they get from you and from selling your DNS data, so they start monitoring all of your traffic and log all of your DNS queries in flight, regardless of which DNS server you use. Classic DNS travels in cleartext over port 53, so anyone on the path can read the question name without ever touching your chosen resolver.
Pure evil: your ISP wants all the money, so in addition to what you pay and what they get from selling DNS data (both from their own servers and from inspecting your DNS traffic in flight), they look at everything else they can: the SNI in TLS handshakes, destination IP addresses, the frequency and size of data exchanges, and so on.
So let's look at two common solutions alongside DoH:
One, we don't like or trust our ISP to provide DNS, so we use Quad9, Google, Cloudflare or another public DNS service instead of the ones provided by our ISP.
Two, we're a little more concerned, and/or perhaps we want to block ads, so we run our own local recursive resolver, preferably with DNSSEC validation, by running something like BIND anywhere on our local network and pointing the whole network at it. (Pi-hole adds the ad blocking in front of such a resolver; on its own it only forwards queries to an upstream server.)
Three, of course, is DNS-over-https (DoH).
Solution one takes care of good and a-little-evil ISPs, but the queries to Quad9, Google or Cloudflare still cross your ISP's network in cleartext, so it doesn't help with more evil or pure evil ISPs.
Solution two also takes care of ISPs which are good and just a little evil, and it likewise doesn't help with more evil or pure evil ISPs. It does offer an advantage, though: a validating resolver rejects forged answers for DNSSEC-signed zones, so you can't be silently redirected to a host that injects ads, trackers, Trojans or spyware, as has happened with pure evil ISPs like Verizon. That is a separate issue, though.
Solution three takes care of good, a-little-evil and more evil ISPs, but does it really take care of a pure evil ISP? Let's look at this. DoH, as currently deployed, doesn't encrypt the SNI: the browser's TLS ClientHello to each site still carries the server name in cleartext, so anyone examining data in flight to extract DNS lookups can just as easily read the SNI instead. ESNI (encrypted SNI, now being standardized as Encrypted Client Hello, ECH) will fix this, but shouldn't we have waited for it to be the default before pushing out DoH? Also, does DoH stop a pure evil ISP from examining all traffic and selling our browsing patterns regardless of DNS? Not meaningfully: destination IP addresses and traffic patterns remain visible. So DoH only removes one of the things a pure evil ISP can do.
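To make the "more evil" and "pure evil" cases concrete, here is an added Python example (not from the original post) that parses the two things an on-path observer can read without breaking any encryption: the question name in a classic port-53 DNS query, and the SNI in a TLS ClientHello. The packets are built by the script itself rather than captured, the hostnames www.example.org and resolver.example are placeholders, and resolver.example stands in for whatever DoH endpoint the browser uses.

```python
import struct
from typing import List, Optional, Tuple

# Added example: what a passive tap reads from traffic DoH does not hide.
# All packets are constructed inline; hostnames are placeholders.


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal classic DNS query (RFC 1035 wire format) for an A record."""
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in name.strip(".").split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def dns_qname(packet: bytes) -> str:
    """Read the question name out of a plaintext DNS query, as an ISP tap would."""
    if struct.unpack("!H", packet[4:6])[0] < 1:
        raise ValueError("no question section")
    pos, labels = 12, []
    while packet[pos] != 0:
        length = packet[pos]
        if length & 0xC0:  # compression pointers do not occur in a query's question
            raise ValueError("unexpected compression pointer")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)


def build_client_hello(hostname: Optional[str]) -> bytes:
    """Minimal TLS 1.3 ClientHello record; hostname=None omits the SNI extension.
    Zeroed random and one cipher suite: enough for the parser, not a real handshake."""
    exts = struct.pack("!HH", 0x002B, 3) + b"\x02\x03\x04"  # supported_versions: 1.3
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name  # name_type host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # server_name
    body = (b"\x03\x03" + b"\x00" * 32          # legacy_version, random
            + b"\x00"                           # legacy_session_id length
            + struct.pack("!H", 2) + b"\x13\x01"  # TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                       # null compression
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def tls_sni(record: bytes) -> Optional[str]:
    """Extract the cleartext server name from a ClientHello, or None if absent."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    hs = record[5:]
    pos = 4 + 2 + 32                                       # hs header, version, random
    pos += 1 + hs[pos]                                     # session id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]     # cipher suites
    pos += 1 + hs[pos]                                     # compression methods
    if pos >= len(hs):
        return None                                        # no extensions at all
    end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        if etype == 0x0000:                                # server_name extension
            lpos = pos + 2                                 # skip list length
            while lpos + 3 <= pos + elen:
                nlen = struct.unpack("!H", hs[lpos + 1:lpos + 3])[0]
                if hs[lpos] == 0:                          # host_name entry
                    return hs[lpos + 3:lpos + 3 + nlen].decode("ascii")
                lpos += 3 + nlen
        pos += elen
    return None


def observe(traffic: List[Tuple[str, bytes]]) -> List[Tuple[str, str, Optional[str]]]:
    """The tap: classify each packet by port and pull out any hostname it exposes."""
    seen = []
    for where, packet in traffic:
        if where == "udp/53":
            seen.append((where, "dns_query", dns_qname(packet)))
        elif where == "tcp/443":
            seen.append((where, "tls_sni", tls_sni(packet)))
    return seen


def what_the_isp_sees(site: str, use_doh: bool, resolver: str = "resolver.example"):
    """One page load. With DoH the lookup rides inside HTTPS to the resolver, so the
    tap sees the resolver's SNI instead of the query; the site's own ClientHello
    still names the site in the clear."""
    traffic = [("tcp/443", build_client_hello(resolver))] if use_doh \
        else [("udp/53", build_dns_query(site))]
    traffic.append(("tcp/443", build_client_hello(site)))
    return observe(traffic)


if __name__ == "__main__":
    for doh in (False, True):
        print("DoH" if doh else "classic", what_the_isp_sees("www.example.org", doh))
```

Running it prints the same site name in both rows: with classic DNS it comes from the port-53 query, with DoH it comes from the SNI of the site's own TLS handshake. Only a ClientHello without a server_name extension (or, in the future, one protected by ECH) makes `tls_sni` return `None`, which is the piece DoH on its own does not provide.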
Also, let's ask ourselves how many ISPs are more evil but not pure evil. Is it really true that monitoring DNS in flight is low-hanging fruit that some ISPs will pick, but that they're too lazy to do more? I genuinely don't know, and if anyone has data, please share.
However, if we're privacy-concerned people who genuinely don't know whether our ISP is more evil or pure evil, is it really good enough to simply encrypt DNS? Even if we assume DoH already came with ESNI, we've only taken DNS out of the equation. Is this enough if our pure evil ISP is monitoring every connection, every IP, every fingerprint they can find?
So here is the real question when it comes to privacy: if we're truly concerned, is it good enough to simply protect DNS? Or should we be using VPNs if we suspect our ISP is monitoring our traffic?
The counterpoint: should we NOT be protecting our DNS? Doesn't every little bit of protection help? Well, sure. But there are downsides to HOW DoH goes about protecting DNS.
Let's also consider that removing DNS from the equation may, at least a little, nudge a more evil ISP back toward being just a little evil. It may just as well push them to become pure evil. It can obviously work both ways.
Finally, just as we have evil ISPs, how do we know for certain that Cloudflare isn't evil and isn't logging our DNS lookups and selling our data? In the US, for-profit corporations lying is hardly surprising and is more often expected than not. Even if Cloudflare isn't lying, is it wise to aggregate so many lookups in one place, particularly given the NSA's history of illegal activity? How do we know that Cloudflare isn't benefiting from a relationship with the NSA? Is that a stretch to imagine? Would it really surprise anyone if that were the case?
Cloudflare's record is poor. Cloudflare expects us to dissect spam to report it to them, then ignores it and says they don't host anything, which is clearly disingenuous. They refuse to take down unambiguously fraudulent content because, according to them, they want to protect free speech. Any company that says that people can pretend to be Bank of America or can offer Trojans as Adobe Flash updaters because of free speech is clearly more concerned with money than with doing the right thing. So why should we believe them when they say they won't use our data?
Next, let's look at censorship.
An oppressive regime wants to censor content. The simplest way to do this is to serve fake DNS records for the domains and host names they want to censor. How does DoH help in this scenario? It makes it easy to use DNS servers that aren't censoring content. But does this really work?
Once an oppressive regime sees that people are circumventing DNS, they can, have and will block DNS, including the well-known DoH resolver endpoints themselves. If blocking DNS doesn't work, they'll block the network(s) that host the content they don't like.
But there's an even worse scenario. Perhaps the oppressive regime will simply monitor who visits the forbidden content after circumventing DNS, which leaves open the possibility that they will be punished later. Is this really a solution?
Not at all. If people really want to circumvent censorship, they need to assume their oppressive regime is like the pure evil ISP above, and they need to use VPNs. A half-measure is more dangerous than either accepting censorship or doing something more complete like using a VPN. It's irresponsible.
Are there acceptable forms of censorship? Certainly. Parents who want to block adult content, or workplaces that want to block malware sites, are good examples. While an oppressive regime will have plenty of energy to find surreptitious methods to block or track those who don't obey, parents and workplaces will either have to do more work to maintain their networks or lose the ability to filter them. (Firefox does offer network operators an opt-out: if the local resolver answers NXDOMAIN for the canary domain use-application-dns.net, Firefox disables its default DoH. But that is exactly the extra work being pushed onto them, and it doesn't apply to a user who has turned DoH on explicitly.)
So who really benefits from DoH?
The push for DoH seems to have too much energy behind it to think that it's all for the slight benefit of protecting us from ISPs which are evil but not too evil. We should take note of those who would benefit the most. There are lots of advertisers who don't want ad blocking, for starters. The NSA could look forward to a world where lots of DNS traffic goes to central points that they can monitor with ease. And, whether it's Google, or Mozilla, or Cloudflare, what for-profit American company doesn't want more powerful ways to collect as much data from us as it possibly can?
The Opera browser offers a browser-based VPN. Why is a piecemeal, partial solution with specious benefits being deployed by default across the entire United States?
Now, honestly, does this feel right? Does it make sense? Or is something else going on?