DNS Privacy Vs.
Authors: Mallory Knodel, Shivan Sahib
Label: This paper is a preliminary work in progress and open for discussion and comment on GitHub.
Abstract: This short paper attempts to catalogue and briefly treat the predominant emerging tensions with the public interest that are introduced by DNS privacy measures. Making DNS lookup more private for the user affects internet measurement, consolidates service provision, makes abuse mitigation harder and risks internet shutdown for some users. DNS data has aided researchers in measuring the network and the adoption of protocols and behaviours, as well as in security research and cybersecurity mitigation; DNS privacy may therefore curtail this work. The rollout of new protocols, including private DNS, often happens in a way that consolidates network traffic into a few early implementers, a negative trend for the internet in general in both the short and long term. DNS data can be leveraged to detect and mitigate abusive behaviour on networks, and some of the techniques for doing so may be impossible, or simply more difficult, with DNS privacy enhancements. Lastly, and perhaps most significantly, the provision of user-centric DNS privacy services has already been met with at-scale censorship, or internet shutdowns, in the form of blocking and filtering of these protocols. And yet it is in the public interest, and in the interest of the internet protocol standards community, to properly research these emerging tensions with data, informed as much as possible by the effects on end users. This paper points toward additional research in order to better mitigate the possible negative effects of DNS privacy on the public interest.
Privacy is a fundamental human right. It is also difficult to define but is nonetheless important for network engineers to understand and consider. RFC 6973 reflexively states, "privacy is the sum of what is contained in this document." (NOTE: https://trac.tools.ietf.org/html/rfc6973 )
Furthermore, RFC 8280 exposes the ways in which the impacts of protocol designs on human rights, such as the right to privacy and freedom of expression, might be better documented in order to understand how they are often traded off against one another:
In such cases, the different affected rights need to be balanced. To do this, it is crucial that the impacts on rights are clearly documented in order to mitigate potential harm. (NOTE: https://trac.tools.ietf.org/html/rfc8280 )
As an additional consideration, the right to privacy, as a human-centred framework, goes beyond user data on the network, commonly referred to as "personally identifiable information"; future work might consider how this wider frame for online privacy requires considerations for DNS privacy beyond the current discussions.
Indeed there is a rather established field of research on technology and privacy, a compendium of which is easily scanned from the PETs Symposium website. (NOTE: https://petsymposium.org/cfp21.php ) Within this larger field, this paper is concerned first with how internet protocols impact privacy, and we start with the emerging protocols supporting better user privacy by obscuring DNS lookup data.
Metadata is a hard problem in any private communications architecture. DNS privacy is essentially an attempt to solve one piece of the metadata problem for the internet. The recent gains for user privacy at the protocol level are many, including DNS-over-HTTPS (DoH) (NOTE: https://tools.ietf.org/html/rfc8484 ) and DNS-over-TLS (DoT) (NOTE: https://tools.ietf.org/html/rfc7858 ) as well as ongoing work on emerging protocols such as DNS-over-QUIC and Oblivious DoH that are already seeing deployment. (NOTE: Improving DNS Privacy with Oblivious DoH in 1.1.1.1, https://blog.cloudflare.com/oblivious-dns) (NOTE: AdGuard becomes the world's first public DNS-over-QUIC resolver! https://adguard.com/en/blog/dns-over-quic.html)
Indeed, work continues on protecting user privacy at the metadata level through implementer practices such as padding the size and timing of requests. (NOTE: RFC 8467, https://tools.ietf.org/html/rfc8467) For the purpose of documenting tensions with the public interest, this paper doesn't need to get into the specifics of these protocols and practices. Instead it sets out some general thoughts about four inherent tensions that arise when solving the one problem (NOTE: Shulman, H. (2014). Pretty Bad Privacy: Pitfalls of DNS Encryption. Proceedings of the 13th Workshop on Privacy in the Electronic Society, 191–200. https://doi.org/10.1145/2665943.2665959) of user privacy in the DNS. These tensions have negative impacts that concern the public interest in the areas of research, provider consolidation, security and censorship-at-scale.
Hiding the metadata generated by user DNS queries presents a problem for internet researchers who use DNS measurements to understand how the network operates, including measurements that serve users' own interests, such as detecting shutdowns and censorship. Making this data ubiquitously private might have a negative impact on the ability to perform these measurements, but it might also prove beneficial to experiments that need trusted DNS resolution.
Nearly every sector is concerned about the increasing consolidation of internet service provision, and those anxieties are fully brought to bear on the case of DNS privacy. Early implementers have leveraged their positions as powerful intermediaries to reach a vast user base, but at a cost that exacerbates inequalities in access and in the market. These effects may prove temporary as DNS privacy becomes ubiquitous, and there may also be strategic uses for network centralisation in the long term.
DNS privacy presents a problem for mitigating abusive behaviour and legitimate restrictions at the content layer. More research is needed to develop and understand new tactics, while at the same time perhaps existing abuse mitigation tools simply need to enable DNS privacy features in order to be compatible with the new landscape.
In DNS privacy, authoritarian censorship faces two foes: user privacy and the loss of censorship techniques. This leads the most dedicated regimes to shut down whole volumes of traffic based on protocol rather than on content or user data, casting a much wider net over populations in China, Russia and elsewhere. Neither public interest advocates nor DNS privacy engineers have yet planned their next move in this cat-and-mouse game.
It is the hope of this paper that we can begin to release these tensions by addressing them head-on. Future work might build upon the basic literature review and analysis by gathering end-user evidence of the problem, which in turn might present best practice considerations to implementers and the technical community.
Internet research through measurement is important to the public interest because knowledge of network performance and operation is critical for empowering users as consumers, (NOTE: Need citation for Measurement Lab about text as to why their project exists.) and also for monitoring behaviours that might impact human rights, such as freedom of expression.
In addition, in an unencrypted world, researchers can analyse data collected by internet providers and study whether those providers are living up to their privacy policies (NOTE: Lessons from Privacy Measurement, https://datatracker.ietf.org/meeting/105/materials/slides-105-ietf-sesse-lessons-from-privacy-measurement-arvind-narayanan-00.pdf). It can be argued that web privacy measurement studies have played an important role in highlighting privacy abuses on the internet (NOTE: OpenWPM, a web privacy measurement framework and PageGraph, an instrumented browser for more in-depth website behavior measurements).
However, there are two ways in which the right to privacy and internet research through measurement are at odds. The first is directly stated by Iain Learmonth: while "measurements can give insight into the functioning and usage of the Internet, they can come at the cost of user privacy." (NOTE: Learmonth, I. (2019). Guidelines for Performing Safe Measurement on the Internet (work in progress). IETF. https://tools.ietf.org/html/draft-learmonth-pearg-safe-internet-measurement-02) Furthermore, measurement plays a fundamentally democratic role in performance monitoring, yet there are known privacy concerns. (NOTE: https://tools.ietf.org/html/draft-ietf-tsvwg-transport-encrypt-18#section-2.2)
The second clash is essentially the converse, and an observation of what happens as user privacy is considered in protocol design: that internet measurement becomes more difficult when user data is more private.
For example, DoH makes it harder to carry out important research on DNS-based censorship that relies on methods for measuring DNS manipulation. (NOTE: Arce, P. P., Jones, B., Weaver, N., & Paxson, V. (2017). Global-Scale Measurement of DNS Manipulation. ;login:, 42(4), 8. https://censoredplanet.org/assets/login_w17_globalscale_dns.pdf ) However, the subjects' traffic in such a study presumably wouldn't be subjected to censorship if they were using DoH, which is a win overall.
Indeed, another positive for internet research is that DoH/DoT provision might actually be an improvement, given how OONI used DoH as a trusted, unimpeachable source against which to compare the DNS poisoning techniques used for censorship. (NOTE: https://ooni.org/post/2020-tls-blocking-india/)
There already exist some client-side measurement tools that simply incorporate DoH/DoT DNS resolution, such as NetBlocks' hackathon experiment, which preserves the measurement utility while keeping user DNS lookup data private. (NOTE: https://github.com/ntblk/dns-doh)
At the time of this writing, DoH/DoT aren't in wide use, but if they were someday to be ubiquitous this might pose a loss to the internet research community where measurements rely on DNS data. Overall that is a loss to the public interest, unless future research can better investigate how researchers are to measure the network now that DoH, DoT, ECH and other encrypted or private DNS mechanisms make that harder.
When DNS privacy enters the public debate often the major concern is around consolidation of internet service provision. (NOTE: Newman, L. H. (2019, October 9). A Controversial Plan to Encrypt More of the Internet. Wired. https://www.wired.com/story/dns-over-https-encrypted-web/.) Needless to say, it is not in the public interest for internet traffic to be consolidated on only a few network operators. (NOTE: Internet Society. (2019). Consolidation in the Internet Economy [Global Report]. Internet Society. https://future.internetsociety.org/2019/ at page 29.)
Many applications and services that run on the internet are increasingly consolidated. (NOTE: https://future.internetsociety.org/2019/consolidation-in-the-internet-economy/) This includes browsers, (NOTE: https://en.wikipedia.org/wiki/Usage_share_of_web_browsers#Summary_tables) which, aside from a device's operating system, are the software most users rely on to use the internet. This is an issue of special importance for DNS privacy measures because an overwhelming majority of internet users access content on the internet by first querying domain information through their browsers. Browser-based DNS privacy, e.g. DoH, leverages this universal behaviour, but it shifts protocol preferences into applications at the risk of reducing resolver traffic diversity. (NOTE: Consolidation in the DNS resolver market – how much, how fast, how dangerous? https://www.tandfonline.com/doi/full/10.1080/23738871.2020.1722191 )
The primary concerns with centralised DNS are data mining, law enforcement and intelligence agencies gaining access to information, conflicts in jurisdictional privacy laws, and the creation of single points of failure and single targets. "The move from an indirectly regulated market to an unregulated one is likely to reinforce the trends of continuous data collection and power concentration in the hands of a few companies." (NOTE: Radu, R., & Hausding, M. (2020). Consolidation in the DNS resolver market – how much, how fast, how dangerous? Journal of Cyber Policy, 5(1), 46–64. https://doi.org/10.1080/23738871.2020.1722191) Oblivious DNS and Adaptive DNS might be potential approaches that improve privacy while avoiding consolidation issues, but at the risk of performance. (NOTE: Arkko, J. (2020). The influence of internet architecture on centralised versus distributed internet services. Journal of Cyber Policy, 5(1), 30–45. https://doi.org/10.1080/23738871.2020.1740753) However, is this tension between privacy and resolver diversity fundamental to the technology itself?
For example, Oblivious DNS is designed for proxying DNS queries and entrenches a central role, potentially leveraging the "too big to block" tactic, whereas DoH/DoT with enough implementations becomes a non-issue for consolidation as the technology matures.
Civil society has wrestled with the tension between DNS privacy and decentralisation directly. Both reports by Open Rights Group (NOTE: Open Rights Group. (2019). DNS Security – Getting it Right. Open Rights Group. https://www.openrightsgroup.org/publications/dns-security-getting-it-right/) and the Electronic Frontier Foundation (NOTE: Hunter, M. (2019, September 12). Encrypted DNS Could Help Close the Biggest Privacy Gap on the Internet. Why Are Some Groups Fighting Against It? Electronic Frontier Foundation. https://www.eff.org/deeplinks/2019/09/encrypted-dns-could-help-close-biggest-privacy-ga-internet-why-are-some-groups) detail the ways in which implementation of DoH/DoT trade off the public interest in a decentralised internet as the cost of user privacy, and yet still come out in favour of the use of these DNS privacy tools. ORG recommends "developers creating applications and devices which rely on third-party encrypted DNS servers should avoid becoming complicit in the increasing centralisation of power among a handful of large cloud providers" and “developers and application providers should offer users a choice of provider if their product enables encrypted DNS by default."
Ideally, we would want the user to decide whom they trust for resolving DNS. But it is argued that users cannot meaningfully consent to any of this because most of them do not have the technical expertise to make an informed decision. This leads us to the importance of default settings and meaningful user agency in user agents like browsers and other applications. How do we empower users to change that default and help them make a meaningful decision that respects their own privacy threat model?
Governments and corporate competitors have all cited centralisation as a primary concern with DNS privacy measures. In a letter from CTIA, NCTA, and US Telecom to the US Congress, Google's use of DoH for Chrome and Android was criticised, citing concerns about consolidation of the internet. (NOTE: CTIA, NCTA, & US Telecom. (2019, September 19). Final DOH LETTER 9-19-19.pdf. https://www.ncta.com/sites/default/files/2019-09/Final%20DOH%20LETTER%209-19-19.pdf) Corporate ISP competitors discuss the potential for anti-competitive consolidation, especially through the bundling of services, and argue that using DoH as a default might deepen the digital divide because of performance differences between DoH and "regular DNS". (NOTE: Borgolte, K., Chattopadhyay, T., Feamster, N., Kshirsagar, M., Holland, J., Hounsel, A., & Schmitt, P. (2019). How DNS over HTTPS is Reshaping Privacy, Performance, and Policy in the Internet Ecosystem. SSRN Electronic Journal. https://doi.org/10.2139/ssrn.3427563) More work by researchers and civil society advocates for the public interest might consider the motives behind governments and competitor ISPs (NOTE: Discusses some backlash from ISPs against DoH in the US and UK and concludes that "we might reasonably infer that ISP opposition to encrypted DNS stems from their inability to monitor and change user queries (for example, in the case of parental controls) as well as the obstacles encrypted DNS poses to DNS data monetization plans." Gurbani, V., Hood, C., Nikolich, A., Schulzrinne, H., & State, R. (2020). When DNS Goes Dark: Understanding Privacy and Shaping Policy of an Evolving Protocol. SSRN Electronic Journal. https://doi.org/10.2139/ssrn.3749764) in making these assertions.
Yet perhaps there are roles for consolidators when centralisation provides useful functions. One such function is easily deploying privacy enhancements via software to as many end users as possible in all corners of the globe, such as DoH provision in major browsers and DoT provision in dominant operating systems. More research might make a case for one approach over another in the public interest.
Another case of tactical centralisation is creating services that are "too big to block", such as domain fronting. Domain fronting worked so well for user privacy. (NOTE: Fifield, D., Lan, C., Hynes, R., Wegmann, P., & Paxson, V. (2015). Blocking-resistant communication through domain fronting. Proceedings on Privacy Enhancing Technologies, 2015(2), 46–64. https://doi.org/10.1515/popets-2015-0009) Domain fronting worked so well for censorship circumvention. (NOTE: steph. (2018, May 4). Domain Fronting Is Critical to the Open Web. The Tor Project Blog. https://blog.torproject.org/domain-fronting-critical-open-web) In many ways domain fronting was a hidden gem of TLS 1.3 that seemed perfectly designed for dissidents, journalists and human rights advocates under repressive regimes. And yet between 2015 and 2018, against much protest, (NOTE: https://www.accessnow.org/google-ends-domain-fronting-a-crucial-way-for-tools-to-evade-censors/ ) (NOTE: http://www.documentcloud.org/documents/4609286-Wyden-Rubio-Letter-to-Amazon-Alphabet-Re-Domain.html ) (NOTE: https://signal.org/blog/looking-back-on-the-front/ ) the decision makers behind those central points of control stopped forwarding the requests that made domain fronting work so well for both privacy and censorship circumvention, perhaps making a case for the opposition's view that we shouldn't trust operators of centralised service provision.
Furthermore in some contexts the market may be served best by strategic centralisation e.g. Nadia Eghbal argues that GitHub being the one true way to host code is best for open source. Are there other examples from which DNS privacy might adapt centralisation strategically?
Handling abuse on the network is important for the health of the network and in the public interest. Privacy enhancing technologies can have the unintended consequence of making abuse mitigation harder. DNS privacy presents these issues, as per an ACM paper published earlier this year:
Under a full DoH/DoT and ESNI deployment, this visibility will be lost, and systems based on domain reputation and similar technologies will be severely impacted. While many malicious domains often hide themselves by sharing hosting addresses with other innocuous and unpopular websites, it will be challenging to detect and block them. A possible solution would be to rely solely on TLS proxying using custom provisioned certificates, in order to gain back the visibility lost by ESNI and DoH/DoT, which is already a common practice used by transparent SSL/TLS proxies. Although this will defeat any privacy benefits of these technologies, this may be an acceptable trade off for corporate networks and other similar environments. (NOTE: Hoang, N. P., Akhavan Niaki, A., Borisov, N., Gill, P., & Polychronakis, M. (2020). Assessing the Privacy Benefits of Domain Name Encryption. Proceedings of the 15th ACM Asia Conference on Computer and Communications Security, 290–304. https://doi.org/10.1145/3320269.3384728)
Losing the ability to mitigate abuse on a network is a loss in the public interest. This has knock-on effects at other layers as well: when dealing with moderation of abusive content, not just abusive network behaviour, DNS can no longer be used to block or filter that content.
Another consideration in this section on abuse is the ways in which an overly complicated and interdependent grouping of private DNS protocols might lead an operator or implementer to make mistakes. To that end we note that Google published best privacy practices for DoH, (NOTE: DNS-over-HTTPS (DoH) | Public DNS. (n.d.). Google Developers. https://developers.google.com/speed/public-dns/docs/doh ) in addition to a similar document from the IETF on the same. (NOTE: https://tools.ietf.org/html/rfc8932)
Similar to the concerns with internet research and measurement using DNS, tools that mitigate abusive behaviour and place legitimate limits even at the content layer may need to implement and serve DNS in a privacy-preserving way that is compatible with a user's choice to use DoH/DoT/etc. More work should be done to scope DNS-privacy-compatible abuse mitigation.
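As an added illustration (not part of this paper or of the cited work) of the visibility shift this section describes: a toy reputation blocklist applied first by a passive network middlebox, which sees query names on UDP/53 but only ciphertext for DoH, and then by a DoH-capable filtering resolver, which receives the very same RFC 1035 wire-format message as the HTTP POST body (RFC 8484, application/dns-message) and can apply the identical blocklist. Domain names, addresses and the ciphertext stand-in are constructed.

```python
import struct

# Constructed reputation blocklist (placeholder names, not real indicators).
BLOCKLIST = {"malware.example", "phish.example"}


def encode_qname(name: str) -> bytes:
    """Encode 'a.b.example' as DNS labels: <len>a<len>b<len>example<0>."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_qname(msg: bytes, offset: int = 12) -> str:
    """Decode the QNAME of the first question (questions are never compressed)."""
    labels = []
    while True:
        n = msg[offset]
        if n == 0:
            return ".".join(labels)
        labels.append(msg[offset + 1:offset + 1 + n].decode("ascii"))
        offset += 1 + n


def build_query(name: str, qid: int = 0x1234) -> bytes:
    """RFC 1035 header (id, flags RD=1, QDCOUNT=1) followed by one A/IN question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", 1, 1)


def rcode(msg: bytes) -> int:
    """Return the 4-bit RCODE from a DNS message header."""
    flags = struct.unpack("!H", msg[2:4])[0]
    return flags & 0x000F


def passive_middlebox(packets):
    """Network view: match QNAMEs visible in Do53 packets; DoH flows are opaque.

    `packets` is a list of (transport, payload); for 'doh' the payload stands in
    for a TLS record, so all the observer learns is the resolver address.
    """
    blocked, opaque = [], 0
    for transport, payload in packets:
        if transport == "do53":
            qname = decode_qname(payload)
            if qname in BLOCKLIST:
                blocked.append(qname)
        else:
            opaque += 1
    return blocked, opaque


def filtering_resolver(doh_body: bytes) -> bytes:
    """Resolver view: the POST body *is* the DNS query, so the same blocklist applies.

    Blocked names get NXDOMAIN (RCODE 3); others get a NOERROR header with the
    question echoed and no answer records (a toy, not a real resolver).
    """
    qid = struct.unpack("!H", doh_body[:2])[0]
    code = 3 if decode_qname(doh_body) in BLOCKLIST else 0
    flags = 0x8180 | code                  # QR=1, RD=1, RA=1 plus RCODE
    question = doh_body[12:]               # echo the question section
    return struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0) + question


if __name__ == "__main__":
    pkts = [
        ("do53", build_query("news.example")),
        ("do53", build_query("malware.example")),
        ("doh", b"<constructed opaque TLS record>"),
        ("doh", b"<constructed opaque TLS record>"),
    ]
    print(passive_middlebox(pkts))                              # (['malware.example'], 2)
    print(rcode(filtering_resolver(build_query("phish.example"))))  # 3
```

The middlebox can only act on the two plaintext lookups and counts the DoH flows as opaque, whereas the resolver refuses the blocked name regardless of the transport the client chose.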
For the purposes of this paper, internet shutdown can be defined as an intentional disruption of access to and usability of the internet at-scale for an entire region. Internet shutdowns violate the rights to free expression, access to information, and assembly. Internet shutdowns, either temporary or longer-term, can negatively impact the economy and other social and cultural life. (NOTE: https://www.accessnow.org/keepiton-faq/)
Shutdowns, or censorship at-scale, are very bad for the public interest and they relate to DNS privacy because regimes that would fully control information flows as well as their citizenry have blocked the use of DNS privacy.
The threat of ubiquitous DNS privacy raises the stakes significantly for users residing in regions under censorship regimes. Whereas before some content might be blocked or filtered for some users, now protocol-based shutdowns drastically affect vastly more people and more information. The Internet Society has released short statements condemning Russia's proposed encryption block (NOTE: Internet Society: Russia's Proposal Would Weaken the Internet, Make It Less Secure. (2020, September 23). Internet Society. https://www.internetsociety.org/news/statements/2020/internet-society-russias-proposal-would-weaken-the-internet-make-it-less-secure/) and China's TLS 1.3 ESNI extension block. (NOTE: Internet Society: Blocking TLS 1.3 in China Makes the Internet Less Secure. (2020, August 14). Internet Society. https://www.internetsociety.org/news/statements/2020/internet-society-blocking-tls-1-3-in-china-makes-the-internet-less-secure) They emphasise that the blockages will create a less global internet, where users have more or less security in their internet usage depending on where they live.
The trend is only expanding both in techniques (NOTE: Raman, R. S., Shenoy, P., Kohls, K., & Ensafi, R. (2020). Censored Planet: An Internet-wide, Longitudinal Censorship Observatory. 18. https://dl.acm.org/doi/pdf/10.1145/3372297.3417883 ) and geographically to nearby regions such as in Iran (NOTE: Basso, S. (2020, June 24). DNS over TLS blocked in Iran. OONI. https://ooni.org/post/2020-iran-dot) and even India. (NOTE: https://ooni.org/post/2020-tls-blocking-india ) While ESNI and DoH/DoT are current targets, the threat of Oblivious DNS triggering similar actions has been analysed. (NOTE: Schmitt, P., Edmundson, A., Mankin, A., & Feamster, N. (2019). Oblivious DNS: Practical Privacy for DNS Queries. Proceedings on Privacy Enhancing Technologies, 2019(2), 228–244. https://doi.org/10.2478/popets-2019-0028)
The question for researchers and civil society advocates alike is what happens when DNS is no longer the easiest way to censor content and spy on users: does taking those easy capabilities away mean that authoritarians will now resort to blanket shutdowns of privacy-respecting protocols, wholesale, whether or not end-users have even chosen to use them?
Should users be aware of what the DNS settings are for each app they use on their phone? DNS has traditionally been a concern of the operating system -- it was one of many opaque services required to allow a user to access the internet. Applications typically relied on the system for DNS lookups. Microsoft (NOTE: https://techcommunity.microsoft.com/t5/networking-blog/windows-insiders-can-now-test-dns-over-https/ba-p/1381282) and Apple (NOTE: https://developer.apple.com/videos/play/wwdc2020/10047/) recently announced that their operating systems will ship with encrypted DNS APIs. App developers on these platforms can now enable encrypted DNS for app-specific lookups even if the system resolver doesn’t use encrypted DNS or uses a different resolver. Browsers (Chrome, Firefox) offer users a way to change the DoH resolver being used. The question then arises -- how comfortable are users faced with this choice? As discussed in the Consolidation section, there is an issue of all the DNS traffic now going to the preconfigured DNS resolver in a browser. The counter-argument is that this setting is exposed to the user so they could change their resolver. But is this true user consent, if the user does not understand the role of DNS and the complicated threat model around it? (NOTE: https://getdnsapi.net/slides/9_Dickinson_NDSS_Usability_Challenges.pdf)
In the case of an internet shutdown that relies on DNS as the blocking mechanism, it is fairly easy to ask users to switch their DNS in the system settings -- it is a one-time action that is done in a centralised place. But if every app uses its own DNS settings, this act becomes very complicated. Major browsers currently expose the encrypted DNS resolver option to users -- what if other apps don't? The counter-argument is that most users never understood DNS anyway and won't be able to change the system DNS settings either. For savvy users, nothing changes (other than the difficulty of having to troubleshoot every app's DNS lookups).
We have established through a basic literature review and analysis that there are four main tensions faced by advocates for DNS privacy.
For measurement and abuse, it's harder to conduct internet research and mitigation, respectively, when metadata such as DNS is made more privacy preserving. But there are net gains when trusted, highly available and reliable DNS privacy provision becomes ubiquitous. More research is needed into measurement methodologies that embrace DNS privacy. Ubiquity also solves the problem of consolidation on its surface, although more research is needed to understand the more hidden and knock-on effects of early leadership by a small number of DNS privacy providers.
At minimum what is needed is a set of best practices for implementers. This will aid in a secondary and very important aim to grow a robust ecosystem of DNS privacy provision that balances these important concerns. There is a need for a document that is a bit more normative than those that already exist: an Internet draft sketching out recommendations for DNS operators and application developers giving clear guidance on set up options. (NOTE: See Section 5.1.3. Protocol recommendations for a concise summary of privacy threats/mitigations for DoT, DoH, DNSSEC. See Section 6 for recommendation for what operators' privacy statements should include and what this means in real time. Overeinder, B., Dickinson, S., Rijswijk-Deij, R. van, & Mankin, A. (2019). Recommendations for DNS Privacy Service Operators (work in progress). IETF. https://tools.ietf.org/html/draft-ietf-dprive-bcp-op-06)
DNS privacy everywhere seems to solve many of the problems faced by internet researchers in their measurements, by users who care about internet consolidation, and by network security tools. If it is everywhere, then in effect it should also create a too-big-to-block situation for at-scale censorship through network shutdowns.
The authors open a call for research that considers more deeply these four trade offs as well as asks if there are other tensions not considered.