Why Every Privacy Activist Should Embrace* DNS-over-HTTPS

*even if it means initially using Google or Cloudflare for DNS for a while

A friend posted to a maillist:

The amount of dns fuckery in the UK already is high enough that neverssl.com is now the top suggestion on my chrome browser homepage, as I have to load it every time I get on a train to get their middle-boxes out of my way. Is DoH going to make this even more cumbersome?

It’s a fair question, but taking a step back, and having seen a lot of slightly fearmongering posts about DNS-over-HTTPS (DoH) of late, I responded thusly:

The fact that a local-network “terms-and-conditions” gateway requires a DNS hijack in order to operate is evil; bootstrapping a basic function (gaining connectivity) by breaching a trust model (a fake DNS mapping) should never have been invented. It’s a hack. It’s a kludge. It’s wrong.

But I can’t get on board with my peers who believe that it’s a good idea to throw vitriol at DoH just because it might complicate “legacy” crap like the above, or that disintermediating DNS is somehow bad for security controls.

I believe the converse; this is a “risk” we’ve always faced, that people would stop using “name resolution” and start doing stuff like:

  • hardcoding IP addresses
  • hardcoding Onion addresses
  • using transports like VPNs (with hardcoded IP addresses) to create a private IP namespace with private name resolution, invisible to filters

Using DNS as a single (or: one of several?) point of control for choking down who-can-talk-to-whom has always been a bad idea; I can totally see why people on this maillist are looking at DoH and seeing it as “ARGH! CENTRALISATION!”, but I have a completely different take on it:

I see DoH as part-of, and pursuant-to, restoration of the “End-To-End Principle”.

If you are having a genuine private conversation with someone over [some messenger system] then it is the participants who define what is exchanged, without opportunity for some third party to intervene with the content.

So when you interact with a website, why is it suddenly a good thing for a random third party MIDDLEMAN (eg: anyone in your DNS name-resolution food-chain) to be able to tamper with your name resolution? Yes, it means choosing to use {Google, Cloudflare} — who are the “800lb gorillas” in this space — for a while, but handled properly and temperately with consumer choice and without identifiers[1] there is a much reduced opportunity for the “fuckery” which you fear.

Yes, DoH may be a hassle if you personally rely upon your own local tampering with DNS in order to provide endpoint user-experience controls that your browser/apps otherwise lack; but to some extent those challenges are failings[2] in your endpoints. Anyone who makes arguments like “WhatsApp should ‘Give The User More Control’ over the content they send and receive over that end-to-end-encrypted messenger” should understand this perspective.

So I see:

  • personal, local DNS tampering as a crutch to provide control over inadequately controllable apps; and I aver that we should ditch the “crutch” by fixing the apps
  • upstream DNS tampering as man-in-the-middlery, and censorship.

…and thus I welcome DoH.

Further: if we take the concept of “a browser with unfilterable communication and embedded name resolution which [means of name resolution, as well as transport] is unblockable and does not rely upon third parties who might be coerced” to its logical conclusion, we simply reinvent Tor Onion Networking, of which I am deeply in favour.

Disintermediated communication; it’s what speech used to be.

[1] both things that we should collectively lobby for.
[2] things that we should collectively lobby to address.