The economics of surveillance capitalism and a world of paranoid apps will transform the domain name system (DNS), says Geoff Huston, chief scientist at APNIC Labs, part of the Asia Pacific Network Information Centre.
Knowing the domain names of the websites you visit, or servers that apps access on your behalf, is valuable intelligence. DNS traffic is especially valuable because it reflects what users are doing in real time.
“The names you asked for, and when you ask for them, say an awful lot about you,” Huston said in his presentation to the APNIC 52 conference on Wednesday.
“The network betrays you. You’re leaving big, filthy, muddy footprints on the carpet, mate. We can see where you’re going. And that’s the problem,” he said.
“Real-time data, right here, right now. Not last week, not last month. This second. You couldn’t get more valuable.”
Others with more noble motives are monitoring DNS traffic too, looking for the telltale signs of malicious activity, such as the rapidly-changing domain names used by botnets.
And as Edward Snowden revealed in 2013, the members of the Five Eyes signals intelligence agencies are also keen on sucking up all that DNS traffic.
“All kinds of folk actually spread DNS information all over the place,” Huston said.
“The problem is, it doesn’t matter what your motives are, good or bad. Sniffing is sniffing. An invasion of privacy is invasion of privacy, irrespective of the colour of the hat you’re wearing. And this is not good.”
Grafting privacy onto decades-old protocols
The core DNS protocols date back to the 1980s, and they’re based on a domain name structure that was developed in the 1970s. Everything happens out in the open, unencrypted.
“How can we stop folk crowding around the digital exhaust pipe sniffing these fumes?” asks Huston.
There are methods for preventing third parties from snooping on your DNS traffic, but they haven’t seen wide adoption.
One way to make DNS surveillance more difficult is to use a public open DNS server, such as Google’s 8.8.8.8, Cloudflare’s 1.1.1.1, OpenDNS, or Quad9 rather than your local ISP’s servers — because ISPs have been known to sell their DNS logs to advertisers.
That can be combined with using an encrypted DNS connection, such as DNS over TLS, DNS over HTTPS (DoH), or DNS over the more lightweight QUIC protocol.
If you do that, you’re doing a “tolerably good job” of hiding in the crowd, Huston said.
“But that first part of the bargain? I’ve got to trust Google. Yeah right. I’ve got to trust the very folk who are experts in assembling my profile.”
To put it another way: If we have to compromise our privacy to a third party, which third party represents the least risk to us, both now and in the future? It’s a difficult choice.
But wait. Maybe we don’t have to compromise our privacy at all.
Enter Oblivious DNS, a cryptographically private DNS name space
One innovative solution is Oblivious DNS, first written up as a draft engineering standard in 2018 and a formal paper [PDF] in 2019.
“The concept is delightfully simple,” Huston wrote in 2020, although some might argue with his use of the word “simple” once they read his explanation.
ODNS uses a chain of DNS servers interacting via a pipeline of encrypted transactions. The details will be fascinating for DNS aficionados, but the overall strategy is easy to explain.
The DNS server close to you knows who you are, so it can return the answer to you, but not what your query was because it’s encrypted.
The DNS server at the other end knows what DNS query it has to resolve, because you used that server’s public key to encrypt the transaction, but not who asked for it.
A similar approach called Oblivious DoH (ODoH), described in a draft standard in 2020, wraps the entire DNS transaction in an encrypted envelope.
The advantage of ODoH is that it doesn’t try to cram everything into the existing DNS packet format, meaning it can be slightly more elegant. The disadvantage is that it requires separate infrastructure from the existing DNS.
But why would anyone pay for all this?
Huston’s future of bloated, paranoid apps
“In terms of economics, the DNS is a wasteland,” Huston told APNIC 52.
“I don’t pay for queries, you don’t pay for queries. Who funds all this? Well, my ISP funds a lot of it. And it sort of comes out of what I pay them,” he said.
That means there’s no incentive for ISPs to improve DNS privacy.
“For ISP fees, the DNS becomes a part of Mr Cost, it’s not Mr Income, and so there’s a lot of resistance to making Mr Cost grow bigger because that’s the way you basically kill your business.”
The public servers are there, but who funds them? And how many users will change their DNS settings on their devices anyway?
“In some ways, improving the DNS is a labour of love. It’s not a labour for wealth and profit,” Huston said.
“Most folk just simply use their ISP’s resolver, because that’s the one you’re paying for, and that’s the one person who actually has an obligation to do this for you… So by and large, open DNS resolvers aren’t really going to take the DNS and run away over the hills.”
Huston thinks there’s one place where the privacy-protecting DNS protocols might take hold, though it won’t be for your benefit: inside the apps on your devices.
Facebook’s mobile app, for example, weighs in at more than 200 megabytes because it contains an entire operating system, including an entire network stack.
“Facebook is paranoid about a number of things. It’s paranoid about the platform snooping on it. It’s paranoid about other applications on the same platform snooping on the Facebook app,” Huston said.
“Facebook is incredibly valuable. It’s spent a lot of time and money understanding me, and assembling a profile of me that it can sell to advertisers. The last thing it wants to do is to give any of that information away to anyone else. It’s their data,” he said.
“Applications that divorce themselves from the DNS infrastructure as we know it is an inevitable and near-term future.”
Huston sees this progression as part of broader, historical waves of change that have “played out right now in front of our very eyes”.
The internet has gradually been transforming from network-centric services, to platform-centric services, to application-centric services.
“The DNS is being swept up with this, and almost every single part of the DNS changes as soon as the DNS becomes sucked into application space,” he said.
“Single coherent namespace? Nah, historical rubbish. Because the entire namespace then becomes application-centric, and different applications will have a different namespace to suit their needs.”