  • vbertola

1 post since 28.10.2018

A response by Open-Xchange

[sorry it's in English]

Dear Jürgen,

Open-Xchange is a major free software company in the email and DNS space - DNS is one of our daily focuses. This is why, when we read your article on DNS-over-HTTPS, we were a bit surprised: we do not know how you gathered your facts, but you seem to have an incomplete view of the issues at play (as pointed out by many even in the comments).

You seem very concerned that the DNS connection is not encrypted while HTTP(S) is. While we agree that encrypting DNS connections doesn't harm and could provide an extra bit of security and privacy, the two protocols act at very different layers and on very different topologies. HTTP is a "long range" protocol that traverses the entire Internet to bring you content; the connection goes through lots of "foreign" networks that could track you or attack your communication. DNS, on the other hand, is usually a local protocol: the communication only goes from your computer to a server supplied by your ISP in the immediate proximity of your Internet access point, and only goes through a few routers controlled by your ISP. It only gives you a short piece of information which, thanks to DNSSEC, is secure and cannot be altered even on an unencrypted channel between the resolver and the authoritative. So, as long as you use your "local" name server supplied by your ISP, it is unclear what the strong benefit of encrypting this connection would be, though this could be different if you wanted to use a remote server supplied by an OTT on the other side of the globe.

On the other hand, DNS-over-HTTPS creates so many problems that it is hard to know where to start. It breaks all the network security measures that your ISP has put in place: many ISPs use the DNS to block requests for malware-infected websites, botnet command and control centres and the like, and to detect infected computers on their own networks. This is particularly troublesome in the emerging IoT space, where devices are "stupid" and cannot run antiviruses etc. The DNS is used by administrators as a tool to shape and secure networks in many ways, for example with the so-called "split horizon" configurations, and with "passive DNS" instruments. The DNS is used by content delivery networks to give you access to a copy of the content located on the server topologically nearest to you, something that cannot be done so easily if you are using a far-away over-the-top name server, especially if run by a competing CDN. The DNS is also used to provide parental control to families, and to implement national laws that, depending on each country's customs and values, prevent access to hate speech, child pornography, counterfeit medicines, and much more; and we note that if the resolution is moved to a company in a different country, like Cloudflare in the U.S., those kinds of filters will not go away, but it will simply be another country's government that sets the rules on what Germans and Europeans can see on the Internet.

Finally, the biggest problem of all: turning DNS into an application-layer service, in which every application decides which DNS server to use, and in fact centralizing it into very few hands. If all the browsers did what Mozilla has announced, i.e. redirecting by default all the DNS queries to their own server, most of the DNS resolutions of the planet would be done only by those four browser makers (Mozilla, Google, Apple and Microsoft), all from a single country, that cover over 90% of the market. These companies would gather an immense amount of data on the browsing histories of all Internet users, economically very valuable, and - also given the current stress on data-based business models - it is hard to think that these data will not be monetized in any way. This seems to us a huge privacy risk, much bigger than any gain in privacy obtained by encrypting the connection.

You seem to minimize this problem, even saying that Mozilla just "advises" to use Cloudflare (no they don't: they show you a popup message saying more or less "We like privacy and we'd like to provide you secure DNS thanks to Cloudflare, are you ok?", and of course everyone says ok). But this is a huge change in the Internet's architecture, and it could lead to many bad consequences: it could lead to fragmentation, as each browser implements a separate namespace, and it would deprive the user of control over who runs their DNS resolutions: now you can set it once and for all in your operating system, but in this future scenario you would have to change each application's default, one by one.

Finally, please let me say that having to hear this repeated bashing of the DNS community and of European ISPs by the Web industry of the U.S. West Coast, the one that gave us surveillance capitalism, walled gardens and real-time online auctions of user information for advertising, is offensive and ridiculous.

We hope to have provided you with an explanation of the negative sides of this idea, which in our opinion greatly outweigh the positive sides, which could also be obtained through other means anyway (e.g. using TLS to encrypt DNS connections) without the need for the browser to hijack the user's DNS queries. We would be happy to discuss this with you and answer any further questions you may have.

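The post above argues that an ISP's recursive resolver is a vantage point for blocking known-bad names and spotting infected clients, and that this is lost when applications send their queries to a remote DoH server instead. The following is an added illustration of that resolver-side check, written for this page and not taken from the post or from Open-Xchange: a small Python filter that reads resolver query logs, matches each queried name against a blocklist the way a response-policy zone would (an entry covers the name and everything beneath it, case-insensitively), and groups the hits by client address. The log format, the blocklist entries and the client addresses are all constructed for the demo.

```python
"""Resolver-log filter: flag queries for blocklisted names and group them by client.

Added example, not part of the original post. The log line format, the blocklist
entries and the client addresses are constructed for this demonstration.
"""
import re
from collections import defaultdict

# Constructed blocklist, in the spirit of a DNS response-policy zone: each entry
# covers the name itself and every label beneath it.
BLOCKLIST = {
    "c2.example-bad.test",
    "malware-dl.example.test",
}

# Constructed resolver query log (simplified BIND-style "query:" lines).
SAMPLE_LOG = """\
2018-10-28T09:01:02 client 192.0.2.10#51234: query: www.example.org IN A
2018-10-28T09:01:05 client 192.0.2.10#51240: query: beacon.c2.example-bad.test IN A
2018-10-28T09:02:11 client 192.0.2.23#40001: query: malware-dl.example.test IN A
2018-10-28T09:02:15 client 192.0.2.23#40002: query: mail.example.org IN MX
2018-10-28T09:03:40 client 192.0.2.10#51301: query: C2.Example-Bad.TEST. IN AAAA
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<client>[0-9a-fA-F:.]+)#\d+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)$"
)


def normalize(name: str) -> str:
    """DNS names are case-insensitive; drop the trailing root dot and lower-case."""
    return name.rstrip(".").lower()


def blocked_by(qname: str, blocklist=BLOCKLIST):
    """Return the blocklist entry covering qname (exact match or a parent), else None."""
    labels = normalize(qname).split(".")
    # Walk from the full name up towards the root so a blocked zone catches its subdomains.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def parse_line(line: str):
    """Parse one log line into a dict, or None if it does not match the expected format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def scan_log(text: str, blocklist=BLOCKLIST):
    """Return {client: [(normalized_qname, matched_entry), ...]} for every blocked query."""
    hits = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not query records
        entry = blocked_by(rec["qname"], blocklist)
        if entry:
            hits[rec["client"]].append((normalize(rec["qname"]), entry))
    return dict(hits)


if __name__ == "__main__":
    # Clients that queried blocklisted names, i.e. candidates for follow-up.
    for client, queries in scan_log(SAMPLE_LOG).items():
        print(client)
        for qname, entry in queries:
            print(f"  {qname}  (matched {entry})")
```

Run stand-alone, the script reports the two constructed clients and the blocked names each one asked for. The point of the design is that the match happens on the resolver, which sees every client's queries; a browser that ships its queries to a remote DoH endpoint never reaches this code path, which is exactly the loss of visibility the post describes.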