36 tweets, 19 min read
Firefox is enabling DoH (DNS over HTTPS) by default for US users, and likely in other countries blog.mozilla.org/futurereleases… There are similar plans for Chrome. This is a game-changer for all of us: know the details, and judge for yourself.

Short thread ahead.
Let's start with the basics. For many years, every device connected to the Internet has had at least one IP address of the form 192.34.32.33 (a four-byte number). Those are IPv4 addresses en.wikipedia.org/wiki/IPv4#Addr… They were (and are) used to route traffic.
About 20 years ago a new addressing scheme, part of IPv6, introduced 16-byte addresses, such as 2001:db8::ff00:42:8329 en.wikipedia.org/wiki/IPv6#Addr… IPv6 has been (very) slowly replacing IPv4 ever since.
But we humans (and most applications) don't use those addresses; we use names such as twitter.com or wikipedia.org (domain names). The translation between these names and IP addresses is done by the DNS (Domain Name System) en.wikipedia.org/wiki/Domain_Na…
Side note: in the beginning there was no DNS. Each computer maintained its own hosts.txt file with the mapping from names to addresses en.wikipedia.org/wiki/Hosts_(fi… This file still exists on modern devices, and is checked before DNS is queried.
DNS was born in 1983, as RFC 882 tools.ietf.org/html/rfc882 It is based on a system of name servers that can be queried by any application needing to translate names to addresses. That is, almost any Internet application.
The basic scheme of DNS is simple: when an application needs to exchange data with some host, known by its domain name (e.g. amazon.com), it queries a server, getting the corresponding IP address. With it, data exchange can start cloudacademy.com/blog/how-dns-w…
Each device has a configuration with its own set of DNS servers. In Linux it is usually in /etc/resolv.conf, and it can be updated when we connect to a new WiFi network, for example (each network has its own list of preferred DNS servers) en.wikipedia.org/wiki/Resolv.co…
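To make that lookup order concrete, here is an added example (my own Python, not the thread's code) that parses a hosts file and a resolv.conf file and reports whether a name would be answered locally or sent to the configured nameservers. The file contents, the documentation-range addresses in them and the function names are all constructed for the example.

```python
import ipaddress

# Constructed sample files (documentation-range addresses; not copied from a real host).
SAMPLE_HOSTS = """\
# /etc/hosts style file
127.0.0.1    localhost
::1          localhost ip6-localhost
192.0.2.10   intranet.example.test intranet   # an internal host
"""

SAMPLE_RESOLV_CONF = """\
# /etc/resolv.conf as a DHCP client might write it
search example.test corp.example.test
nameserver 192.0.2.53
nameserver 2001:db8::53
options timeout:2 attempts:3
"""


def parse_hosts(text):
    """Map each hostname (lower-cased) to the list of addresses listed for it."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue   # malformed address: resolvers skip such lines too
        for name in fields[1:]:
            table.setdefault(name.lower(), []).append(addr)
    return table


def parse_resolv_conf(text):
    """Extract nameservers, search list and options from resolv.conf text."""
    conf = {"nameservers": [], "search": [], "options": {}}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key == "nameserver" and args:
            try:
                conf["nameservers"].append(str(ipaddress.ip_address(args[0])))
            except ValueError:
                pass   # ignore an unparsable server address
        elif key in ("search", "domain"):
            conf["search"] = [d.lower().rstrip(".") for d in args]
        elif key == "options":
            for opt in args:
                name, _, value = opt.partition(":")
                conf["options"][name] = value if value else True
    return conf


def resolve_plan(name, hosts, conf):
    """Return ("hosts", addresses) if the name is answered locally, otherwise
    ("dns", nameservers) naming the servers that would be queried next.
    Single-label names are also tried with each search suffix appended."""
    name = name.lower().rstrip(".")
    candidates = [name]
    if "." not in name:
        candidates += [f"{name}.{suffix}" for suffix in conf["search"]]
    for candidate in candidates:
        if candidate in hosts:
            return ("hosts", hosts[candidate])
    return ("dns", conf["nameservers"])


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    conf = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    for query in ("localhost", "INTRANET", "wikipedia.org"):
        print(query, "->", resolve_plan(query, hosts, conf))
```

Note that nothing here stops an application from ignoring both files and talking to a resolver of its own choosing, which is the point the thread makes next.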
But applications may use this configuration, or they may instead query directly whatever DNS servers they prefer.

Because it is each application (not the operating system) that queries DNS.

Stay with me on this, because it will be important later.
These DNS servers may be "recursive resolvers", in which case they will query other servers, if needed, until they learn the IP address our application is asking for cloudflare.com/learning/dns/d…
There are many public recursive resolvers that anyone can use. For example, Cloudflare's is 1.1.1.1, and Google's is 8.8.8.8 en.wikipedia.org/wiki/Public_re…
DNS, as it was born, didn't care about our queries being eavesdropped or tampered with, or about DNS servers being spoofed, etc. This became a major problem, because it was already happening during the 1990s compsec101.antibozo.net/papers/dnssec/…
New protocols and new additions to DNS have been deployed over time to overcome these problems. The most notable of them is the DNS Security Extensions (DNSSEC) icann.org/resources/page… It provides cryptographic keys to ensure the authenticity of the information produced by DNS
One of the key scenarios is an application querying a recursive resolver, since it is a common case, and also because it is in the "last mile", which means it affects how we users connect to the infrastructure. And here is where DNS over HTTPS (DoH) kicks in en.wikipedia.org/wiki/DNS_over_…
In "plain DNS", the connection from applications to DNS servers uses plain text (unencrypted UDP or TCP packets), and does not authenticate the identity of the server. Those two issues are addressed by DoH
Plain DNS uses port 53 by default. Some networks may block this port, preventing me from using any DNS servers except the ones they provide, which may be DNS servers I don't trust. DoH also deals with this issue.
DNS over HTTPS uses HTTPS connections instead of plain UDP or TCP connections. That means an encrypted connection to the DNS server, with proof of its identity, through a port that is usually not filtered en.wikipedia.org/wiki/DNS_over_…
There is a nice cartoon collection, by @linclark, explaining the whole scenario, the threats, and how they are addressed by DoH hacks.mozilla.org/2018/05/a-cart…
DoH is specified in RFC 8484, "DNS Queries over HTTPS (DoH)" tools.ietf.org/html/rfc8484
Some of the groundwork for DoH was laid by Google, which has provided a JSON API over HTTPS for its public DNS service (in part) since 2016, including DNSSEC records (remember, trustworthy data to validate the results of the query) developers.google.com/speed/public-d…
In fact, Google provides two different DoH APIs:

- dns.google/dns-query – RFC 8484 (GET and POST)

- dns.google/resolve? – JSON API (GET)

Details in developers.google.com/speed/public-d…
You can even try DoH yourself, getting a JSON document as the result, directly in your browser. Clicking this URL will cause your browser to issue an HTTPS GET request returning the IP address of wikipedia.org

dns.google/resolve?name=w…
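As an added example (not from the thread, nor from Google's or Mozilla's code), the following Python builds the kind of request that link triggers, for both RFC 8484 forms mentioned above (GET with a base64url-encoded wire query, and POST with an application/dns-message body), and parses both the wire-format and the JSON answers. The sample response and the 198.51.100.7 address are constructed; the dns.google endpoints are the ones named in the thread. It goes a little beyond the thread by also handling name compression in responses, which any DNS parser has to get right.

```python
import base64
import ipaddress
import json
import struct
import urllib.request

QTYPE = {"A": 1, "AAAA": 28}

def encode_name(name):
    """Encode a domain name as RFC 1035 labels: <len><label>...<0>."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return bytes(out + b"\x00")

def build_query(name, qtype="A"):
    """Wire-format query with RD=1 and ID 0 (RFC 8484: the ID SHOULD be 0 so
    identical queries give identical, cacheable HTTP requests)."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)  # class IN

def doh_get_url(base_url, query):
    """RFC 8484 GET form: ?dns=<base64url of the query, '=' padding removed>."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{base_url}?dns={encoded}"

def decode_doh_get_url(url):
    """What a DoH server does with the GET form: recover the wire query."""
    encoded = url.split("?dns=", 1)[1].split("&", 1)[0]
    return base64.urlsafe_b64decode(encoded + "=" * (-len(encoded) % 4))

def doh_post_request(url, query):
    """RFC 8484 POST form; body and response are application/dns-message."""
    return urllib.request.Request(url, data=query, method="POST", headers={
        "Content-Type": "application/dns-message", "Accept": "application/dns-message"})

def read_name(data, offset):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:            # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = offset + 2             # the in-line name ends at the pointer
            hops += 1
            if hops > 32:                    # refuse pointer loops in hostile input
                raise ValueError("compression pointer loop")
            offset = ((length & 0x3F) << 8) | data[offset + 1]
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)

def parse_response(data):
    """Parse the header, skip the question section, decode A/AAAA answers."""
    msg_id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit not set: not a response")
    offset = 12
    for _ in range(qd):
        _, offset = read_name(data, offset)
        offset += 4                          # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, offset = read_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        rdata = data[offset + 10:offset + 10 + rdlen]
        offset += 10 + rdlen
        if rtype == 1 and rdlen == 4:
            value = str(ipaddress.IPv4Address(rdata))
        elif rtype == 28 and rdlen == 16:
            value = str(ipaddress.IPv6Address(rdata))
        else:
            value = rdata.hex()
        answers.append((name, rtype, ttl, value))
    return {"id": msg_id, "rcode": flags & 0x0F, "answers": answers}

def parse_json_api(text):
    """Answers from the JSON API shape: {"Status":..., "Answer":[{name,type,TTL,data}]}."""
    return [(a["name"].rstrip("."), a["type"], a["TTL"], a["data"])
            for a in json.loads(text).get("Answer", [])]

# Constructed samples (documentation address 198.51.100.7, not a real answer).
# The wire response names the answer with a compression pointer (0xC00C).
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
                   + encode_name("wikipedia.org") + struct.pack("!HH", 1, 1)
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([198, 51, 100, 7]))
SAMPLE_JSON = '{"Status":0,"Answer":[{"name":"wikipedia.org.","type":1,"TTL":300,"data":"198.51.100.7"}]}'

if __name__ == "__main__":
    q = build_query("wikipedia.org")
    print(doh_get_url("https://dns.google/dns-query", q))   # what the GET form looks like
    print(parse_response(SAMPLE_RESPONSE), parse_json_api(SAMPLE_JSON))
    # Live query (needs network): urllib.request.urlopen(doh_post_request("https://dns.google/dns-query", q)).read()
```

The wire form is what browsers actually use; the JSON form is convenient for experiments like the link above. Both travel inside a normal TLS connection on port 443, which is why a network that only blocks port 53 does not stop them.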
Now, remember that applications usually query DNS directly. This means that they can use DoH if they want, with no control by the operating system. This is what Firefox and Chrome can do intego.com/mac-security-b…
So, DoH gives us some goodies with respect to how some of our most sensitive data (the list of hosts we visit) travels the Internet. That data is no longer exposed on the path from our device to the server, and we are sure that the server is our trusted server.
However, even though DoH addresses important problems, it also adds problems of its own. That's why there is criticism about its roll-out by browsers en.wikipedia.org/wiki/DNS_over_…
The main problems of DoH are: interference with techniques to filter servers (such as parental controls or corporate network policing), and privacy issues with the data we send to the DNS server theregister.co.uk/2019/09/09/moz…
The main problem of DoH with parental controls, and in general with the filtering of websites, is that such filtering is almost indistinguishable from censorship. But censorship resistance is one of the key advantages of DoH: only the server you use can censor DNS, and you can use the server you want
Firefox is dealing with this issue by improving the detection of managed networks (where some domain names cannot be resolved), and letting users decide blog.mozilla.org/futurereleases…
The problem with the privacy of the data we send to the DoH DNS server is simple: we send perfectly secured data to a server that can read it all, and potentially store it and share it with others.
DoH providers are dealing with this by defining privacy commitments, such as Cloudflare's commitment for Firefox developers.cloudflare.com/1.1.1.1/commit…
Bonus track: if you have read this thread up to here, you deserve some goodies ;-) Please, follow on...
There are websites that allow you to query the DNS. For example:
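Mozilla's mechanism for this detection is a canary domain, use-application-dns.net: a network whose resolver answers NXDOMAIN (or returns no addresses) for that name is asking browsers to keep using the system resolver. The following is an added, simplified illustration of such a check (my own Python, not Firefox's code); the stub resolvers and the handling of transient errors are my own choices, not Mozilla's.

```python
# Simplified model of a canary-domain check (added illustration, not Firefox's code).
CANARY = "use-application-dns.net"   # the canary name Mozilla documents


class NXDomain(Exception):
    """The name does not exist (DNS RCODE 3): a deliberate answer."""


class ResolverError(Exception):
    """Transient failure: timeout, SERVFAIL, network down."""


def choose_resolver(resolve, current="doh", canary=CANARY):
    """Pick "doh" or "system" from one canary lookup.

    resolve(name) returns a list of addresses or raises NXDomain / ResolverError.
    NXDOMAIN or an empty answer is the operator's opt-out signal, so honour it.
    A transient error proves nothing about the operator's intent, so keep the
    previous choice instead of silently dropping to the unencrypted path.
    """
    try:
        addresses = resolve(canary)
    except NXDomain:
        return "system"
    except ResolverError:
        return current
    return "doh" if addresses else "system"


# Constructed stub resolvers standing in for three kinds of network.
def open_network(name):
    return ["192.0.2.1"]            # canary resolves: no opt-out requested

def managed_network(name):
    raise NXDomain(name)            # operator filters the canary on purpose

def flaky_network(name):
    raise ResolverError("timeout")  # no answer at all: intent unknown


if __name__ == "__main__":
    for label, stub in (("open", open_network), ("managed", managed_network),
                        ("flaky", flaky_network)):
        print(label, "->", choose_resolver(stub))
```

The distinction between "the name was deliberately made not to exist" and "the lookup failed" is the part worth getting right: treating every failure as an opt-out would let any unreliable network switch a user back to plain DNS.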

- to get DNS information about wikipedia.org: dnsquery.org/dnsquery/wikip…

- to get only the IP address: dnsquery.org/dnsquery/wikip…

Many other queries: dnsquery.org
There are other proposals, alternative to DNS over HTTPS, such as DNS over TLS en.wikipedia.org/wiki/DNS_over_… provided by several public servers
If you want to learn more about attacks on the DNS, and why securing it is rather important:

- securitytrails.com/blog/most-popu…

- cloudflare.com/learning/dns/d…

- krebsonsecurity.com/2019/02/a-deep…
DoH will likely run on top of HTTP/3 and/or QUIC at some time in the future. If you want to learn a bit about them, check this other thread:
And this is the end, my friend (of this thread):

- How to configure DoH in Firefox: support.mozilla.org/en-US/kb/firef…

- How to enable DoH in Chrome: zdnet.com/article/how-to…

- Check if your browser is using Cloudflare's DoH: https://1.1.1.1/help
Thread author: Jesus M Gonzalez-Barahona