Learn why ISPs and Countries hate DNS over HTTPS and what all the fuss is all about!
Episode #10-13 released on November 3, 2019
Before I begin to talk about DNS over HTTPS and why ISPs hate it, I need to talk about how the Internet actually works. Most of you might not be aware of the importance of DNS, also known as Domain Name Servers. They are so important to the proper functioning of the entire Internet, that without DNS, domain names like Google.com would not work. If every DNS server online failed at the same time, you would only be able to access web-sites that your computer, or other device, had previously connected to and still retained server details for.
The reason why DNS is so important is because it is the phone book for the entire Internet. When you try to connect to a web-site for the first time, your computer makes a DNS request. To over simply the process because it is not something people can easily read, it returns and IP address and other related information such as location at the IP address. If you used a DNS lookup tool for a given IP address like TQAWeekly.com, you'd be returned the IP address and other relative information. The web-site's Host A value is where you will be brought when accessing the web-site via a browser going over HTTP or HTTPS.
There is a real security issue with DNS as we use it today that has existed since the inception of DNS and this is related to a MITM (Man in the middle) issue. The pathway from you to a given web-site may actually be free from interference, the issue is that you can be subjected to issues you wouldn't encounter normally through DNS Hijacking and DNS Poisoning. These are not theoretical issues, there are malicious groups and Internet Service Providers that actively exploit the man in the middle vulnerability of conventional DNS queries.
Some of the possible issues which lead to a modification of the end user experience include the addition of code to the query that can cause cross site scripting issues that can potentially be used to infect a user's computer, blocking of web-sites, display of advertisements that benefit the ISP or malicious group, redirection to malicious web-sites masquerading as legitimate ones, etc.
It is therefore evident that we need to secure the last major security vulnerability. However, there is another reason why ISPs, and even other groups, do not want a secured DNS query, and it has to do with information. Information about your behavior online is very valuable to companies. It is possible to determine a lot about an individual just by being able to see where they travel on the Internet, and it is possible to link multiple online data collection profiles to a single person with scary precision.
If we consider the already high prices for Internet access, especially since the majority of that is profit, it seems only fair that we take back something from the ISPs, our privacy, which shouldn't be for sale to advertising and research companies. And, the only way is to avoid using their DNS servers and avoid using unsecured DNS servers.
Yes, you may be using a service by Cloudflare, Google, etc. but your DNS query can be intercepted and modified by anyone, including your own ISP who won't ask permission, and worse, is fighting to continue to have the ability to edit those queries dynamically.
What does this mean for you?
The only way you can access a web-site is to have access to DNS or know the IP address, and in some cases, know the folder related to the web-site. You aren't likely to know the IP address, and that can change, too. This means, we are currently living in a world where you can be using your ISP's DNS server, have your accessed blocked to a web-site. You can change your DNS server, and still remain blocked because your ISP has decided to overwrite the reply from the new DNS server with information from their own. This, also, means that a rogue employee from any ISP can quietly hijack the DNS server of their employer and send you to fraudulent version of a web-site you are interested in visiting. Why is that dangerous? It is dangerous because you won't be able to protect yourself from those kinds of phishing attempts and worse, you can be exposed to malicious code and viruses in the process. That is ignoring the very obvious identity theft and fraud issues that you should be concerned with by now.
Why is DoH (DNS over HTTPS) an important step in the right direction?
DNS over HTTPS is not perfect, and there are other secure variants, but it addresses a very important set of criteria to be better than conventional DNS.
DNS over HTTPS is more secure and less vulnerable to DNS hijacking and poisoning, provided the DNS servers are secured properly. It is immune to modification by any server that routes the related packets. How? DNS over HTTPS encrypts the packets related to the DNS query. This means that it is impossible to read or modify the information on the fly. This makes it a lot safer and resistant to man in the middle attacks, especially those by your ISP, who would now become unable to block web-sites, modify them, expose you to potential cross site scripting attempts, etc. It would suddenly become impossible to serve advertisements instead of the actual web-site.
How does DNS of HTTPS work?
When you query a new web-site, your browser or software sends a request to the DNS server, it checks its own DNS lookup table, verifies the information is accurate for web-sites that support DNSSEC, then sends all the information back to your browser or application along a secured HTTPS tunnel. This means every packet is encrypted and any modification will corrupt the packet and it will be thus be ignored. In that case your browser or application will make a new request if the packet returned is corrupted.
Do you know what else you get as a result of using DNS over HTTPS?
You get your privacy back, especially if you are using a VPN. At least, your ISP becomes unable to see what you are trying to access on the Internet. The only way your ISP would be able to continue to track what you access, even behind a VPN, is if you continued to use their DNS service. If you use a DoH certified DNS instead, the packets would be encrypted and wouldn't pass through your ISP anymore.
Just be warned, the only thing a VPN really does, is to move the privacy issues to a different location, away from your ISP. Access web-sites, whenever possible, over HTTPS to mitigate a whole other list of issues that we will get into next time on TQA Weekly.
Now, I want you to spread the word on DoH and understand the misinformation of your ISPs, understand they are lying to you, benefiting from you and robbing your privacy from you, without a care in the world, WITHOUT YOUR EXPLICIT CONSENT. In any other context, that would be a crime. Think about that for a moment.
Host : Steve Smith | Music : | Editor : Steve Smith | Producer : Zed Axis Dot Net