Openness has been a defining feature of the Internet since its start, and much of its traffic still passes unencrypted.
Most requests for HTML pages and their associated content are sent in plain text, and the responses come back the same way,
even though HTTPS has been around since 1994.
But sometimes there is a need for security and/or privacy. While encryption of Internet traffic is now prevalent in online banking and shopping,
the privacy side of many Internet protocols has received far less attention.
In particular, when looking up a website's IP address by hostname, the DNS query is almost always sent in clear text, which lets every computer and ISP along the path determine which website you are visiting, even if you use HTTPS once the connection is established.
The idea of also encrypting DNS queries is not entirely new; the first attempts date from the early 2000s in the form of DNSCrypt, DNS over TLS (DoT) and others. Mozilla,
Google and a few other large Internet companies are now pushing a new method of encrypting DNS queries: DNS over HTTPS (DoH).
DoH not only encrypts the DNS query but also sends it to a "normal" web server using the standard HTTP protocol, so that it looks like any other HTTPS traffic. This is a double-edged sword. While it protects the DNS query itself, just like DNSCrypt or DoT, it also prevents the security staff of large organizations from monitoring for DNS spoofing, and it transfers responsibility for a critical network function from the operating system to the application.
It also doesn't hide the IP address of the website you are looking up; after all, that is the address you connect to next. In addition, compared with DoT,
DoH centralizes your browsing information with a few companies. Right now those are Cloudflare,
which says your data will be deleted within 24 hours, and Google, which seems determined to retain and monetize every detail of everything you do. DNS and privacy are important topics, so let's dive into the details here.
Trusted Names and Servers
The concept of a domain name system dates back to the ARPANET era, when a single text file on each ARPANET node, called HOSTS.TXT, contained the mapping of system names within ARPANET to their numeric addresses. If you maintained this file yourself, it was easy to make sure it was correct.
As the network grew, it became impractical to keep the centralized and local copies of this file in sync. The first DNS name server (Berkeley Internet Name Domain Server, or BIND) was written in 1984 by a group of UC Berkeley students, based on RFC 882 and RFC 883.
The DNS standard was revised several times until 1, resulting in RFC 1034 and RFC 1035, which have remained largely unchanged since then. The essential structure of DNS is a tree, with its nodes and leaves divided into zones.
The DNS root zone is the top-level zone, made up of thirteen root server clusters that form the authoritative DNS root servers.
Each newly configured DNS server (at an ISP or a company, for example) obtains its DNS records from at least one of these root servers. Each further DNS zone adds a domain to the naming system.
Each country manages its own domains, while special domains (such as .org and .com) that are not linked to a specific country are managed by a separate entity. Resolving a domain name with DNS means starting with the top-level domain (such as .com), then the name (such as 'google'), and finally any subdomains.
This may require a trip through several DNS zones if the requested data has not yet been cached.
It is important to make sure that the DNS server we are talking to is trustworthy. This need became clear in the 1990s and resulted in the first DNS Security Extensions (DNSSEC) standard (RFC 2353), later revised in RFC 4033 (Domain Name System Security Extensions).
Map of the Internet in 2006. (Opte Project, CC BY 2.5)
DNSSEC works by signing DNS records with public-key cryptography. This way, the authenticity of a DNS record can be verified using the public keys of the DNS root zone, the trusted third party in this scenario.
Domain owners generate their own keys, which are signed by the zone operator and added to DNS.
While DNSSEC lets a resolver be relatively certain that the responses it receives are genuine, DNSSEC must be enabled on the operating system; otherwise DNS responses are not actually validated.
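The chain of trust described above, as an added worked example (not code from the page or from any DNS software): each zone publishes a key, the parent publishes and signs a DS record (a hash of the child's key), the leaf signs its own records, and a validating resolver walks that chain from the root trust anchor down. A "DNSSEC-aware" but non-validating stub is shown beside it to make the last point of the paragraph concrete. The keys are textbook RSA over small fixed Mersenne primes so that the block runs offline with only the standard library; real DNSSEC uses full-size RSA or ECDSA keys. The zone names, key material, the rogue key and the address 192.0.2.10 are all constructed for the example.

```python
import hashlib

# Added example (not code from the page or from any DNS software): a miniature
# DNSSEC chain of trust. Keys are textbook RSA over small fixed Mersenne primes
# so that the block runs offline with only the standard library; real DNSSEC
# uses full-size RSA/ECDSA keys (RFC 4033-4035). Zone names, key material and
# the A record are constructed for the example.

E = 65537
CHAIN = [".", "com", "example.com"]          # zone cuts from the root down to the leaf

def make_key(p: int, q: int) -> dict:
    """Toy RSA key pair; (p-1)(q-1) is coprime to E for every prime pair used here."""
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": E, "d": pow(E, -1, phi)}

def pub(key: dict) -> dict:
    return {"n": key["n"], "e": key["e"]}

KEYS = {
    ".": make_key(2**61 - 1, 2**89 - 1),           # root zone key: the trust anchor
    "com": make_key(2**31 - 1, 2**107 - 1),
    "example.com": make_key(2**19 - 1, 2**127 - 1),
}
RECORDS = {"www.example.com": "192.0.2.10"}         # constructed A record at the leaf

def digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key: dict, data: bytes) -> int:
    return pow(digest(data, key["n"]), key["d"], key["n"])

def verify(pubkey: dict, data: bytes, sig: int) -> bool:
    return pow(sig, pubkey["e"], pubkey["n"]) == digest(data, pubkey["n"])

def ds_of(pubkey: dict) -> str:
    """DS record: a hash of the child's DNSKEY, published and signed by the parent."""
    return hashlib.sha256(f"{pubkey['n']}|{pubkey['e']}".encode()).hexdigest()

def canon(zone: str, rr: str) -> bytes:
    """Canonical bytes covered by an RRSIG (simplified: zone name plus record text)."""
    return f"{zone}|{rr}".encode()

def publish() -> dict:
    """Build what each zone publishes: its DNSKEY, DS records for its children
    (signed with the parent's key) and, at the leaf, the signed A record."""
    zones = {z: {"DNSKEY": pub(KEYS[z]), "DS": {}, "RRSIG": {}} for z in CHAIN}
    for parent, child in zip(CHAIN, CHAIN[1:]):
        ds = ds_of(pub(KEYS[child]))
        zones[parent]["DS"][child] = ds
        zones[parent]["RRSIG"][f"DS {child}"] = sign(KEYS[parent], canon(parent, f"DS {child} {ds}"))
    leaf = CHAIN[-1]
    zones[leaf]["A"] = dict(RECORDS)
    for owner, addr in RECORDS.items():
        zones[leaf]["RRSIG"][f"A {owner}"] = sign(KEYS[leaf], canon(leaf, f"A {owner} {addr}"))
    return zones

def validate(zones: dict, owner: str, trust_anchor: dict) -> tuple:
    """A validating resolver: start from the root key it already trusts, check
    each DS signature and each DS-to-DNSKEY match down the chain, then the
    RRSIG on the final answer. Returns (True, address) or (False, reason)."""
    if zones["."]["DNSKEY"] != trust_anchor:
        return False, "root DNSKEY does not match the configured trust anchor"
    key = trust_anchor
    for parent, child in zip(CHAIN, CHAIN[1:]):
        ds = zones[parent]["DS"][child]
        if not verify(key, canon(parent, f"DS {child} {ds}"), zones[parent]["RRSIG"][f"DS {child}"]):
            return False, f"bad signature on DS for {child} in zone {parent}"
        child_key = zones[child]["DNSKEY"]
        if ds_of(child_key) != ds:
            return False, f"DNSKEY of {child} does not match the DS its parent signed"
        key = child_key
    leaf = CHAIN[-1]
    addr = zones[leaf]["A"][owner]
    if not verify(key, canon(leaf, f"A {owner} {addr}"), zones[leaf]["RRSIG"][f"A {owner}"]):
        return False, f"bad RRSIG on {owner}"
    return True, addr

def aware_only(zones: dict, owner: str) -> str:
    """A 'DNSSEC-aware' but non-validating stub: it passes on whatever it was told."""
    return zones[CHAIN[-1]]["A"][owner]

def forged_chain() -> dict:
    """What a validator sees in a spoofing attempt: the leaf's DNSKEY is swapped
    for a key its parent never signed, and the A record is re-signed with it."""
    zones = publish()
    rogue = make_key(2**13 - 1, 2**17 - 1)          # constructed rogue key
    zones["example.com"]["DNSKEY"] = pub(rogue)
    zones["example.com"]["A"]["www.example.com"] = "198.51.100.66"
    zones["example.com"]["RRSIG"]["A www.example.com"] = sign(
        rogue, canon("example.com", "A www.example.com 198.51.100.66"))
    return zones

if __name__ == "__main__":
    print(validate(publish(), "www.example.com", pub(KEYS["."])))
    print(validate(forged_chain(), "www.example.com", pub(KEYS["."])))
    print(aware_only(forged_chain(), "www.example.com"))
```

The non-validating stub returns the forged address without complaint, while the validator rejects it at the DS check because the parent zone never signed a DS for the rogue key; this is the difference between a resolver that is merely DNSSEC-aware and one that validates.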
DoH, by contrast, has the questionable advantage that its DNS queries cannot be distinguished from other traffic at all, which means that network operators (at both the private and the enterprise level) lose the ability to secure their networks, as noted by Paul Vixie, one of the architects of DNS.
The second big difference is that while DoT simply sends DNS queries over a TLS connection, DoH is essentially DNS over HTTP over TLS.
This adds its own application/dns-message MIME type and a lot of extra complexity: every DNS query and response has to pass through an HTTPS stack. That is a nightmare for embedded applications, and it is also incompatible with almost all existing security hardware. DoT has the further advantage of already being deployed and in use.
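To make the difference concrete, here is an added example (not code from the page or from any DoH or DoT implementation) that builds one DNS query in wire format and frames it the DoT way (a two-byte length prefix inside TLS) and the DoH way (an HTTP request carrying the application/dns-message media type inside TLS). The resolver host dns.example and the path /dns-query are placeholders and nothing is sent on the network; the base64url string the GET form produces for www.example.com with ID 0 is the same one RFC 8484 uses in its own example.

```python
import base64
import struct

# Added example (not code from the page or from any DoH/DoT implementation):
# the same DNS message framed for plain DNS, DoT and DoH. The resolver host
# dns.example and the path /dns-query are placeholders; nothing is sent.

def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS wire-format labels (RFC 1035): each label is
    length-prefixed, and the sequence ends with a zero-length label."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS labels must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """A standard query: 12-byte header plus one question (type A, class IN).
    RFC 8484 recommends ID 0 for DoH so that HTTP caches can match queries."""
    flags = 0x0100  # RD=1 (recursion desired), all other flags clear
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def question_name(msg: bytes) -> str:
    """Read the question name back out of a wire-format message: this is what
    any on-path observer sees when the message travels as plain-text DNS."""
    pos, labels = 12, []
    while msg[pos] != 0:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels)

def frame_dot(query: bytes) -> bytes:
    """DoT (RFC 7858): the unchanged DNS message with a 2-byte length prefix,
    carried inside a TLS session to port 853."""
    return struct.pack("!H", len(query)) + query

def frame_doh_post(query: bytes, host: str = "dns.example") -> bytes:
    """DoH POST (RFC 8484): the DNS message becomes the body of an HTTP
    request with the application/dns-message media type, inside TLS on 443."""
    head = (
        "POST /dns-query HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Accept: application/dns-message\r\n"
        "Content-Type: application/dns-message\r\n"
        f"Content-Length: {len(query)}\r\n\r\n"
    )
    return head.encode("ascii") + query

def frame_doh_get(query: bytes, host: str = "dns.example") -> bytes:
    """DoH GET: the DNS message is base64url-encoded without padding and
    passed in the 'dns' query parameter."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return (f"GET /dns-query?dns={b64} HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            "Accept: application/dns-message\r\n\r\n").encode("ascii")

def doh_body(request: bytes) -> bytes:
    """What a DoH server (or a TLS-terminating proxy) must do before it can
    even look at the DNS message: parse the HTTP framing to find the body."""
    head, _, body = request.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:
        key, _, value = line.partition(b":")
        if key.strip().lower() == b"content-length":
            return body[:int(value.strip())]
    return b""

if __name__ == "__main__":
    q = build_query("www.example.com")
    print(question_name(q), len(q), "bytes")
    print("DoT :", frame_dot(q).hex())
    print("DoH :", frame_doh_get(q).decode())
```

The DoT frame is the DNS message plus two bytes, so existing DNS software and security appliances that already understand the wire format only need TLS in front of it; the DoH forms wrap the same 33 bytes in HTTP headers, base64url encoding or both, which is the extra stack the paragraph refers to.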
DoT has been supported for longer than DoH, by many parties including Cloudflare, Google, some domestic ISPs, and standard DNS server software such as BIND. Since Android Pie (version 9, for those keeping count), DNS over TLS is used by default if the selected DNS resolver supports it.
Why switch to DoH just when DoT is finally gaining ground? Applications like Firefox bypass the system's DoT-based DNS and instead do their own DNS resolution through DoH, creating a very opaque security situation. Shifting DNS resolution into each application looks like a big step backwards.
Do you know which DNS resolution method each application on your system is using? If the DNS traffic is mixed in with other traffic on TCP port 443, how would you know? Not surprisingly,
Mozilla completely omits any mention of DNSSEC (although RFC 8484 calls it "critical"), offering instead something called a "Trusted Recursive Resolver" (TRR), which basically seems to mean
"use a reliable DNS resolver", where "reliable" stands for "Cloudflare" in Mozilla's case. Unrelated to DoH, Mozilla also mentions a standard called QNAME Minimisation (RFC 7816), which aims to cut the amount of non-essential information that a DNS resolver sends to DNS servers,
as the Mozilla blog post explains.
As I said, this standard is unrelated to DoH and would work just as well without DNS encryption. Like DNSSEC, it is an evolution of the DNS standard that improves its security and privacy aspects. As experts have repeatedly pointed out,
DNS encryption does not prevent tracking. Any subsequent requests to the IP address that was just resolved in secret are still perfectly visible and act as a beacon.
Everyone along the path will know that you are visiting facebook.com or that risky website. No amount of DNS and Internet traffic encryption will hide this information, which is essential for the functioning of a network like the Internet.
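As an added worked example (not code from the page or from any resolver) for the two points made above, here is a toy iterative resolver that walks the DNS tree from the root down, once the classic way and once with QNAME minimisation (RFC 7816). The trace it returns shows what each zone's servers learn: classically every server on the way sees the full name, while with minimisation the root only sees the query for "com" and the .com servers only see "example.com". The zone tree, the server names tld.example and ns.example.com, and the addresses are constructed; nothing is sent on the network, and the IP address at the end of the walk is of course still what the client connects to next.

```python
# Added example (not code from the page or from any resolver): a toy iterative
# resolver that walks the DNS tree from the root down, once the way a classic
# resolver does and once with QNAME minimisation (RFC 7816). The zone tree,
# server names and addresses are constructed; nothing is sent on the network.

ZONES = {                      # zone name -> owner name -> records it holds
    ".": {"com": {"NS": "tld.example"}},                       # root delegates com
    "com": {"example.com": {"NS": "ns.example.com"}},          # com delegates example.com
    "example.com": {
        "example.com": {"NS": "ns.example.com", "A": "192.0.2.1"},
        "www.example.com": {"A": "192.0.2.10"},
    },
}

def _is_below(name: str, zone: str) -> bool:
    """True if name is zone itself or lies under it ('.' is the root)."""
    return zone == "." or name == zone or name.endswith("." + zone)

def _delegation(zone: str, name: str):
    """Return the child zone that zone delegates name to, or None if zone is authoritative."""
    for owner, rr in ZONES[zone].items():
        if "NS" in rr and owner != zone and _is_below(name, owner):
            return owner
    return None

def _minimised_qname(full: str, zone: str) -> str:
    """Under RFC 7816 a resolver asks a zone only for the next label below it,
    not for the whole name, until it reaches the zone that holds the answer."""
    labels = full.split(".")
    depth = 0 if zone == "." else len(zone.split("."))
    if depth + 1 >= len(labels):
        return full
    return ".".join(labels[-(depth + 1):])

def resolve(name: str, qtype: str = "A", minimise: bool = False):
    """Walk the tree from the root. Returns (trace, answer) where trace lists
    (zone asked, qname sent, qtype sent) for every query the resolver made."""
    trace, zone = [], "."
    while True:
        if minimise:
            qname = _minimised_qname(name, zone)
            sent_type = qtype if qname == name else "NS"   # RFC 7816 asks NS for the prefixes
        else:
            qname, sent_type = name, qtype
        trace.append((zone, qname, sent_type))
        child = _delegation(zone, qname)
        if child is not None:
            zone = child           # referral: go one zone further down
            continue
        return trace, ZONES[zone].get(qname, {}).get(sent_type)

def exposure(name: str, minimise: bool) -> dict:
    """Which query name each zone's servers saw: the privacy difference RFC 7816 makes."""
    trace, _ = resolve(name, minimise=minimise)
    return {zone: qname for zone, qname, _ in trace}

if __name__ == "__main__":
    for m in (False, True):
        t, a = resolve("www.example.com", minimise=m)
        print("minimised" if m else "classic  ", a, t)
```

Note what the minimised walk does not change: the final query still goes to the authoritative server for example.com, and the address it returns is then contacted in the clear, so an observer of the client's traffic learns the destination either way. Minimisation only limits what the root and TLD operators see.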
Is the Internet of the Future a Single Point of Failure?
Basically, Mozilla's answer to the IP-tracking problem is that it is not a problem, because so much of the web now sits in the cloud
(Cloudflare, Azure, AWS, and so on).
A single IP address therefore tells you less and less. You just have to trust a cloud service that you did not choose with your traffic. This year,
on June 24, there was massive downtime when a misconfiguration at Verizon made Cloudflare, Amazon, Linode, and many others unavailable for much of the day.
For the second year in a row, Cloudflare went down for about half an hour in total, taking with it the many websites that rely on its services.
Coincidentally, Microsoft's cloud-hosted Office 365 also experienced an outage lasting several hours the same day, leaving many users stranded and unable to use the service. Obviously,
this "Internet centralization is good" message has some issues that need to be addressed.
There is no mention of Virtual Private Networks (VPNs), which solve the problems of encrypting data and DNS queries,
hiding your IP address and much more, simply by moving the point at which your PC or other Internet-connected device enters the Internet.
In authoritarian regimes, VPNs have been used extensively for decades to evade Internet censorship and, along with specialized forms like the Tor network, are a staple of online freedom. If a big business like Cloudflare can be trusted with a system like DoH,
then it should be just as easy to find a reputable VPN provider that doesn't store or sell your data.