The end of plain DNS?
The Domain Name System is one of the venerable Internet protocols, like IP or TCP. For performance reasons, DNS usually runs on top of UDP: a client sends its query in a single datagram and the server replies with a single datagram. Both the query and the response are sent in plain text, which raises obvious security and privacy concerns; many of them are documented in RFC7626. In a recent Usenix Security paper, B. Liu et al. revealed that 259 of the 3,047 ASes in which they could perform measurements used some form of DNS interception. The IETF has explored several solutions to protect the information exchanged between DNS clients and resolvers. RFC7858 specifies DNS over TLS, and RFC8310 defines usage profiles for DNS over TLS and DNS over DTLS. Some public resolvers already support these extensions, and Android P supports DNS over TLS as well. Note that these mechanisms only protect the hop between the client and its resolver: the resolver still sees every query in clear text. Geoff Huston published an interesting blog post that compares the different techniques for securing DNS.
Over the last few months, the discussion on securing the exchanges between clients and resolvers has moved to DNS over HTTPS (DoH). The specification is now stable, and several interesting posts on experiments with DoH implementations have been published recently:
- Mozilla has started to experiment with DoH in Firefox nightly builds and reports the results of these measurements in a blog post.
- Lin Clark wrote a really nice tutorial on DoH.
- Daniel Stenberg explained the Firefox implementation of DoH in a blog post.
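To make the two points above concrete, here is an added example (not code from the original post or from any of the implementations it mentions): it builds the single plaintext query message that a stub resolver would put in a UDP datagram, shows what an on-path observer can read from it, and then encodes the very same bytes the way the DoH specification (RFC 8484 in its final form) carries them in a GET request. The resolver path `/dns-query`, the fixed transaction ID 0 and the fabricated answer pointing at the documentation address 192.0.2.1 are assumptions made for this example.

```python
import base64
import struct

QTYPE_A = 1
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a domain name as length-prefixed labels (RFC 1035 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"invalid label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0) -> bytes:
    """One DNS query in wire format: exactly the payload of a plaintext UDP datagram.

    txid defaults to 0 (assumption for this example) because RFC 8484 recommends a
    fixed ID so that identical DoH requests are cacheable.
    """
    flags = 0x0100  # QR=0 (query), RD=1 (recursion desired)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def doh_get_path(query: bytes, path: str = "/dns-query") -> str:
    """Encode a wire-format query as the `dns` parameter of a DoH GET (RFC 8484 4.1).

    The message is base64url-encoded with the '=' padding removed. `/dns-query` is the
    path used in the RFC's examples; a real resolver's URI template may differ.
    """
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{path}?dns={b64}"


def parse_name(msg: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            return ".".join(labels) + ".", offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            tail, _ = parse_name(msg, pointer)
            labels.append(tail.rstrip("."))
            return ".".join(labels) + ".", offset + 2
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def question_name(msg: bytes) -> str:
    """What anyone on the UDP path reads from the datagram: the queried name."""
    return parse_name(msg, 12)[0]


def parse_response(msg: bytes):
    """Return (txid, rcode, [(name, ttl, ipv4), ...]) for the A records in a response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qd):                 # skip the echoed question section
        _, offset = parse_name(msg, offset)
        offset += 4                     # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, offset = parse_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return txid, rcode, answers


def constructed_response(query: bytes) -> bytes:
    """A fabricated answer to `query` (constructed for this example, not a real capture).

    The bytes are the same whether they arrive in a UDP datagram or as the body of a
    DoH response with Content-Type application/dns-message.
    """
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180  # QR=1, RD=1, RA=1, RCODE=0
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    answer = (b"\xC0\x0C"               # pointer to the question name at offset 12
              + struct.pack("!HHIH", QTYPE_A, CLASS_IN, 300, 4)
              + bytes([192, 0, 2, 1]))  # 192.0.2.1 is a documentation address
    return header + query[12:] + answer
```

Calling `doh_get_path(build_query("www.example.com"))` yields the same `dns=` value as the GET example in RFC 8484, which is a convenient check that the wire encoding is right; `question_name` on the same bytes shows why a 33-byte UDP datagram is enough for the interception measured by Liu et al., since the name sits unencrypted at a fixed offset.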