Domain Name Services Over Encrypted Technologies Raise Concerns
Technologies for making domain name system transactions confidential are gaining traction but could pose problems for ICANN, said panelists Tuesday at its meeting in Marrakech, Morocco, and in interviews. DNS over Hypertext Transfer Protocol Secure (DNS over HTTPS, or DoH) and DNS over Transport Layer Security (DNS over TLS, or DoT) are throwing up complex issues, they said. ICANN's primary interest is to ensure the continuance of the single, unified namespace, Chief Technology Officer David Conrad said in an interview Monday.
In the traditional DNS, when a user seeks an internet address, applications on a browser speak to a local operating system to find out where the destination name is on the internet, VeriSign Chief Security Officer Danny McPherson said at the meeting. The request is forwarded to a "recursive resolver" such as an ISP or the cloud, and that nameserver then goes to the authoritative name structure (a top-level domain in the root), which sends the answer to the browser. That process is publicly visible.
DoH uses the HTTPS protocol for DNS queries and responses, McPherson said. All traffic is encrypted between the application and the recursive resolver, bypassing operating systems, with applications directly querying the relevant ISP or cloud provider. DoT is akin to the original DNS model in which communications take place between a browser and look-up server operated by an ISP, except DoT transactions are encrypted, Conrad said.
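As an added illustration of the three transports described above (not code from the article or from any of the speakers), the following Python builds one DNS query in wire format and shows how the same bytes are carried by classic DNS, by DoT (RFC 7858: the DNS-over-TCP two-byte length prefix, sent inside TLS to port 853) and by DoH (RFC 8484: a GET with a base64url ?dns= parameter or a POST with application/dns-message). The resolver URL and the sample response are constructed for the example; nothing is sent on the network.

```python
import base64
import struct
from typing import Optional

# Constructed example, not the article's code. The resolver URL below is a
# placeholder, and SAMPLE_RESPONSE is hand-built with a documentation
# address (192.0.2.1, RFC 5737); no packets are sent.
DOH_RESOLVER = "https://doh.example/dns-query"   # assumed, not a real service
TYPE_A = 1
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as length-prefixed DNS labels (RFC 1035 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS labels must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = TYPE_A, txid: int = 0) -> bytes:
    """One-question query with RD set. RFC 8484 recommends ID 0 for DoH so
    identical queries produce identical URLs and can be cached by HTTP."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def dot_frame(msg: bytes) -> bytes:
    """DoT reuses DNS-over-TCP framing: 2-byte big-endian length, then the
    message. Only the framed bytes differ from classic UDP; the transport is
    a TLS session to port 853, so the port still reveals DNS traffic."""
    return struct.pack("!H", len(msg)) + msg


def doh_get_url(resolver: str, msg: bytes) -> str:
    """DoH GET: base64url-encode the wire-format query, strip '=' padding,
    place it in the dns= parameter. The request looks like any HTTPS GET."""
    b64 = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return f"{resolver}?dns={b64}"


def doh_post(msg: bytes) -> tuple:
    """DoH POST: the raw wire-format query is the body."""
    headers = {"Content-Type": "application/dns-message",
               "Accept": "application/dns-message"}
    return headers, msg


def decode_name(msg: bytes, off: int) -> tuple:
    """Decode labels at off, following RFC 1035 4.1.4 compression pointers.
    Returns (name, offset just past the name as it appears in the message)."""
    labels, end, jumped, hops = [], 0, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_response(msg: bytes) -> dict:
    """Parse header, skip the question section, return the answer RRs.
    The same parser serves all three transports once framing is removed."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4                                       # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "rcode": flags & 0xF, "answers": answers}


# Constructed response to build_query("example.com"): QR|RD|RA, one answer
# whose owner name is a pointer (0xC00C) back to the question name.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", TYPE_A, CLASS_IN)
    + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 3600, 4)
    + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    q = build_query("example.com")
    print("UDP/53 payload:", q.hex())
    print("DoT frame    :", dot_frame(q).hex())
    print("DoH GET      :", doh_get_url(DOH_RESOLVER, q))
    print("parsed       :", parse_response(SAMPLE_RESPONSE))
```

The point the panel's description leaves implicit is visible in the bytes: the DNS message is identical in all three cases, so what changes for an operator is only what surrounds it. A DoT session is still distinguishable by its destination port, while a DoH request is an ordinary HTTPS request to port 443 and can only be separated from other web traffic by the resolver's hostname or by inspecting the decrypted stream.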
Standards for deploying DoH and DoT are in development, said Peter Koch, policy advisor to country code top level domain registry DENIC (Germany). Potential deployment concerns include the lack of a standard way for an application to figure out which resolvers support DoH and can, therefore, be used; and whether web browsers enabled for DoH will override an operating system's configured resolvers, possibly interfering with how some network managers deploy DNS security, he said. Network managers might be unable to block DoH traffic without decrypting all HTTPS traffic, which could run into regulatory problems in some jurisdictions. Many governments mandate the blocking of certain sites, much of which is handled through the DNS, Conrad said. Trusted resolvers probably won't abide by those requests.
There's a question of whether DNS name resolution could become concentrated as users are channeled to resolution services of a particular provider, said Koch. Other development questions: How to select DoH resolvers, how to hold them accountable and who determines what policies are acceptable, he said.
ICANN is concerned trusted resolvers could consolidate the resolver market, potentially allowing them to play around with and fragment the DNS namespace, said Conrad. This is an issue for TLD registries, he said. Various browsers have been working with DoH but are handling it differently. ICANN's goal is to ensure a unified namespace remains, but the organization's interest hasn't yet been defined because stakeholders are yet to say what they think the answer should be, he said: ICANN is "in watching mode."
ICANN's mission could be affected if public identifiers are no longer public, said Blacknight Solutions CEO Michele Neylon. Users, most not "hard-core geeks," will struggle to figure out how to choose which nameserver to use for the privacy and security they want, he said. People are concerned, which is why DoT/DoH is under discussion. The DNS is too public, but the path to fixing the issues opens up new problems, Neylon said.
After the DoH protocol was adopted in October, some browser companies saw an opportunity to gain more control over their users' traffic, the Council of European National Top-Level Domain Registries (CENTR) said in a June 17 paper. They can choose in which jurisdiction they will send the billions of queries per day from users around the world. Browser vendors could boost their control over the quality of the browsing experience, protect users better and choose who resolves the address questions.
DoH will let users choose a more secure browsing experience or a more uncensored one, said CENTR. It could affect domain name registries on a policy level. TLD registries can now enforce policies that govern how resolvers must behave when querying their zone. If, after DoH is implemented, some resolvers serve 95 percent of internet users, that could affect how TLD registries enforce their policies, CENTR wrote.
Promoting a fundamental architectural change away from the distributed network architecture of the current ISP model "gives edge providers that control web browsers and mobile operating systems the ability to see all of the traffic and behavior of individual users -- not to mention all the lookups for sites of their competitors or potential competitors," blogged American Enterprise Institute Visiting Fellow Shane Tews. This will "enrich large platform companies" already in the business of collecting and monetizing data about user behavior, she said Tuesday.