Cloudflare has just launched a new public Domain Name System (DNS) resolver with support for DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH), two new standards that aim to protect users’ queries from man-in-the-middle interference. The DNS service is aimed at consumers, but it highlights the network traffic visibility problems that enterprises will face as more core protocols add encryption capabilities.
It’s well-known that DNS is a leaky protocol that can tell a lot about a computer’s network activity, even when accessing encrypted websites. ISPs, Wi-Fi hotspots and even governments can use the data in privacy-invading ways that range from ad targeting to surveillance and censorship.
Attackers who compromise internet gateway devices such as routers can hijack DNS requests and redirect users to rogue websites that serve malware or attempt to steal private information. Coupled with HTTPS stripping, DNS hijacking can be a very powerful technique that has been used in large-scale attacks in the past.
It’s therefore understandable that the internet community is keen on solving these problems by adding privacy and security features to what is essentially a core protocol for the internet infrastructure. DoT, which was standardized in 2016, and DoH, which is still being developed, are the two most popular solutions.
DoH, in particular, is showing a lot of promise because it allows any application to make its own secure DNS queries independent of the OS or local DNS servers. It can also make use of other modern technologies such as QUIC and HTTP/2 Server Push, and allows applications to receive DNS responses that were digitally signed by the authoritative name servers of the queried domains even if the computer doesn’t have DNSSEC enabled.
Google already provides a DoH API for its public DNS service and Mozilla is preparing to test the new protocol in the nightly versions of Firefox. Now Cloudflare is hoping to expand its adoption through its new 1.1.1.1 DNS service.
“We think DNS-over-HTTPS is particularly promising—fast, easier to parse and encrypted,” Cloudflare CEO Matthew Prince said in a blog post about the new service, which launched April 1. “To date, Google was the only scale provider supporting DNS-over-HTTPS. For obvious reasons, however, non-Chrome browsers and non-Android operating systems have been reluctant to build a service that sends data to a competitor. We’re hoping that with an independent DNS-over-HTTPS service now available, we’ll see more experiments from browsers, operating systems, routers, and apps to support the protocol.”
Cloudflare’s public DNS service uses the 1.1.1.1 and 1.0.0.1 IP addresses that were donated by APNIC, the regional internet registry for the Asia-Pacific region. It also works over IPv6 using the 2606:4700:4700::1111 and 2606:4700:4700::1001 addresses.
According to independent tests, Cloudflare’s new service is faster than both Google’s Public DNS and Cisco’s Umbrella (OpenDNS). It’s available as a traditional non-encrypted DNS resolver that anyone can add to their network configuration, but it also has DoT and DoH endpoints.
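To make concrete what a DoH client actually sends, here is an added example (not Cloudflare's or the article's code) that builds a standard DNS wire-format query, wraps it in an HTTPS POST with the application/dns-message content type defined by the DoH draft (later RFC 8484), and decodes the answer section of the reply. The endpoint URL is an assumption taken from the resolver's public documentation; the response bytes used when running offline are constructed here, not captured from the service.

```python
"""DNS-over-HTTPS wire-format helpers (added example, not Cloudflare's code).

The DNS message inside a DoH exchange is byte-for-byte the same format that
travels over UDP port 53; only the transport (HTTPS POST/GET) changes.
"""
import ipaddress
import struct
import urllib.request

# Assumed endpoint; confirm against the resolver's documentation.
DOH_URL = "https://cloudflare-dns.com/dns-query"
DNS_MESSAGE = "application/dns-message"
TYPE_A, TYPE_AAAA = 1, 28


def encode_name(name: str) -> bytes:
    """Encode a hostname as length-prefixed labels ending in a zero byte (RFC 1035)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("idna")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = TYPE_A, txid: int = 0) -> bytes:
    """Build a recursion-desired query. DoH recommends ID 0 so replies are cacheable."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN


def read_name(msg: bytes, off: int) -> tuple:
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels, jumped, end = [], False, off
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if ln == 0:
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + ln].decode("idna"))
        off += ln
    return ".".join(labels), end


def parse_response(msg: bytes) -> dict:
    """Parse header, question and answer sections of a DNS response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        qname, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((qname, qtype))
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rdlen == 4:
            value = ".".join(str(b) for b in rdata)
        elif rtype == TYPE_AAAA and rdlen == 16:
            value = ipaddress.IPv6Address(rdata).compressed
        else:
            value = rdata.hex()
        answers.append({"name": name, "type": rtype, "ttl": ttl, "data": value})
    return {"id": txid, "rcode": flags & 0xF, "truncated": bool(flags & 0x0200),
            "questions": questions, "answers": answers}


def doh_post(query: bytes, url: str = DOH_URL, timeout: float = 5.0) -> bytes:
    """Send the wire-format query over HTTPS and return the raw DNS response."""
    req = urllib.request.Request(url, data=query, method="POST",
                                 headers={"Content-Type": DNS_MESSAGE, "Accept": DNS_MESSAGE})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        ctype = resp.headers.get("Content-Type", "").split(";")[0].strip()
        if ctype != DNS_MESSAGE:
            raise ValueError(f"unexpected content type {ctype!r}")
        return resp.read()


if __name__ == "__main__":  # live lookup; needs network access
    print(parse_response(doh_post(build_query("example.com", TYPE_A))))
```

The same `build_query`/`parse_response` pair works for a GET-style DoH request (base64url-encoded message in the `dns` query parameter) and for plain UDP port 53, which is the point the article makes: an application can carry ordinary DNS inside HTTPS without touching the operating system's resolver settings.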
While increased DNS privacy is great news for consumers, it might pose some visibility problems for companies that monitor such traffic on their networks to troubleshoot problems, detect threats and enforce web access policies.
DNS has been used as a stealthy command-and-control channel for malware in the past, including for leaking information. If malicious applications start using DoH, their DNS traffic will simply look like HTTPS traffic, which will also become difficult to monitor with the increasing adoption of TLS 1.3.
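The two monitoring problems raised here, covert channels inside ordinary DNS and DNS that has disappeared into HTTPS, can be approached with simple heuristics over the logs most networks already collect. The following added example (defender-side code written for this article, not from Cloudflare or any product) scores DNS query logs for tunnel-like name patterns and flags TLS connections that look like DoH or DoT. The log lines are constructed for the example; the DoH hostnames and the resolver addresses are real public values, but the lists themselves are an assumption that has to be maintained from vendor documentation, and the "registered domain" helper is a deliberate approximation that a real deployment would replace with the Public Suffix List.

```python
"""Heuristic detection of DNS covert channels and encrypted-DNS use.

Added example over constructed log data; thresholds are starting points,
not tuned values.
"""
import math
from collections import defaultdict

# Assumed lists: public DoH endpoints and resolver addresses (keep current).
KNOWN_DOH_HOSTS = {"cloudflare-dns.com", "mozilla.cloudflare-dns.com", "dns.google"}
KNOWN_RESOLVER_IPS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4"}

# Constructed DNS log: timestamp client qname qtype
DNS_LOG = """\
1522540801 10.0.0.5 www.example.com A
1522540802 10.0.0.5 mail.example.com A
1522540803 10.0.0.5 cdn.example.com A
1522540804 10.0.0.7 3q2d5fvk4j7s2n9x8lm0.tunnel.example.net TXT
1522540805 10.0.0.7 9kfd8w3jsld02kd9sjd8.tunnel.example.net TXT
1522540806 10.0.0.7 k3l2m9n8b7v6c5x4z3a2.tunnel.example.net TXT
"""

# Constructed TLS log: timestamp client dst_ip dst_port sni
TLS_LOG = """\
1522540810 10.0.0.5 203.0.113.10 443 www.example.com
1522540811 10.0.0.9 1.1.1.1 443 cloudflare-dns.com
1522540812 10.0.0.9 1.0.0.1 853 -
1522540813 10.0.0.5 203.0.113.20 443 shop.example.org
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payloads score higher than dictionary words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Approximation: last two labels. Use the Public Suffix List in production."""
    parts = qname.rstrip(".").split(".")
    return ".".join(parts[-2:])


def analyze_dns(lines, min_names=3, min_label_len=16, min_entropy=3.5):
    """Flag (client, domain) pairs whose leftmost labels look like encoded data."""
    stats = defaultdict(lambda: {"names": set(), "lens": [], "ents": [], "txt": 0, "total": 0})
    for line in lines:
        if not line.strip():
            continue
        _ts, client, qname, qtype = line.split()
        st = stats[(client, registered_domain(qname))]
        first = qname.split(".")[0]
        st["total"] += 1
        st["names"].add(qname)
        st["lens"].append(len(first))
        st["ents"].append(shannon_entropy(first))
        if qtype in ("TXT", "NULL"):  # record types commonly abused for bulk data
            st["txt"] += 1
    findings = []
    for (client, domain), st in stats.items():
        if len(st["names"]) < min_names:
            continue  # too few distinct names to judge
        avg_len = sum(st["lens"]) / len(st["lens"])
        avg_ent = sum(st["ents"]) / len(st["ents"])
        if avg_len >= min_label_len and avg_ent >= min_entropy:
            findings.append({"client": client, "domain": domain,
                             "unique_names": len(st["names"]),
                             "avg_label_len": round(avg_len, 1),
                             "avg_entropy": round(avg_ent, 2),
                             "txt_ratio": st["txt"] / st["total"]})
    return findings


def find_encrypted_dns(lines):
    """Flag TLS sessions that are probably DoH (by SNI or resolver IP) or DoT (port 853)."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        _ts, client, dst, port, sni = line.split()
        port = int(port)
        if sni in KNOWN_DOH_HOSTS:
            hits.append((client, dst, port, f"SNI {sni} is a public DoH endpoint"))
        elif dst in KNOWN_RESOLVER_IPS and port == 443:
            hits.append((client, dst, port, "HTTPS to a public resolver address"))
        elif port == 853:
            hits.append((client, dst, port, "DNS-over-TLS port"))
    return hits


def dns_findings():
    return analyze_dns(DNS_LOG.splitlines())


def encrypted_dns_hits():
    return find_encrypted_dns(TLS_LOG.splitlines())


if __name__ == "__main__":
    for f in dns_findings():
        print("possible DNS tunnel:", f)
    for h in encrypted_dns_hits():
        print("encrypted DNS:", h)
```

The SNI and destination-address checks stop working once a client uses a DoH server the list does not know about or once the client hello itself is encrypted, which is why the article's point about visibility is a policy question (which resolvers the enterprise permits and enforces at the egress) as much as a detection one.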
The latest version of the TLS protocol, which was recently standardized, uses only ephemeral Diffie-Hellman key exchange (typically elliptic-curve) instead of static RSA keys, so a passive inspection device that holds a copy of the server's private key can no longer decrypt the session. This will make network-level TLS traffic inspection much more difficult, and many companies rely on this technique to detect malware or prevent data leaks.