“One of the things about working in internet technology is nothing lasts forever… [Students] come to me and they say, ‘I want to do something that has an impact 20, 50, or 100 years from now.’ I say well maybe you should compose music because none of this technology stuff is going to be around that long. It all gets replaced.”
-Paul Mockapetris, co-inventor of the domain name system (DNS)
As foresighted as he may have been, the DNS inventor Paul Mockapetris got one thing wrong in a retrospective interview about his contribution to internet history. Namely, some aspects of technology do have at least 20-year staying power. In this case, his own invention: the domain name system.
But DNS, just three years shy of its fortieth birthday, is on the cusp of a major reimagining, one that could enhance the privacy of business and private users alike for some time to come. According to some experts, it may even be worthy of the title
The Problem with DNS Today
While DNS has evolved significantly in the more than 35 years since it was originally conceived, its skeletal structure remains much the same. DNS is the internet’s protocol for translating the human-readable domain names in URLs into the IP addresses machines use.
The problem is that this system was never designed with privacy or security in mind. With DNS today, requests are made and resolved in plain text, providing intrusive amounts of information to whoever may be resolving or inspecting them. That is most likely an internet service provider (ISP), but it may be a government entity or some other party. In authoritarian countries, governments can use this information to prosecute individuals for visiting sites with outlawed content. In the United States, it is more likely to be monetized for its advertising value.
“The problem with DNS is it exposes what you’re doing,” says Webroot product manager and DNS expert Jonathan Barnett. “If I can log a user’s DNS requests, I can see when they work, when they don’t, how often they use Facebook, the Sonos Speakers and Google Nests on their network, all of that. From a privacy perspective, it shows what on the internet is associating with me and my network.”
This can be especially problematic in the case of home routers. Whereas business networks tend to be relatively secure—patched, up-to-date, and modern—“everyone’s home router tends to be set up by someone’s brother-in-law or an inexperienced ISP technician,” warns Barnett. In this case, malicious hackers can change DNS settings to redirect to their own
“If you bring a device onto this network and try to navigate to one of your favorite sites, you may never wind up where you intended,” says
In the age of COVID-19, this is becoming an even bigger problem for employers. With a larger workforce working from home than perhaps ever before, traditional defenses at the network perimeter no longer apply.
“To maintain resilience,” says Barnett, “companies need to extend protection beyond the business network perimeter. One of the best ways to do that is through DNS protection that ensures requests are resolved through a trusted resolver and not a potentially misconfigured home network.”
DoH: The Second Coming of DNS
In response to these concerns, DNS over HTTPS (DoH) offers a method for encrypting DNS requests. Designed by the Internet Engineering Task Force, it leverages the HTTPS standard to mask these requests from those who may seek to use the information improperly. The same encryption standards that banks, credit monitoring services, and other sites dealing in sensitive information display to prove their legitimacy are also used by DoH.
It does this by effectively ‘wrapping’ DNS requests in the HTTPS encryption protocol, which ensures both that the server you connect with is the server you intended to connect with and that no one can listen in on those requests, because all of the traffic is encrypted.
“It makes sure no one is messing with a user by changing the results of a request before it’s returned,” says Barnett.
In addition to improving privacy around device usage—remember that any internet-connected device needs to “phone home” occasionally, and each time it does so it initiates a DNS request—DoH also addresses several DNS-enabled attack methods. These include DNS spoofing, also called DNS hijacking, whereby cybercriminals redirect a DNS request to their own servers in order to spy on or alter communications. Once this traffic is encrypted, it essentially becomes worthless as a target.
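To make the two preceding paragraphs concrete, here is an added Python example (not Webroot’s or the IETF’s code) that builds one DNS question, shows what a passive observer reads from it on plain UDP port 53, wraps the identical bytes into the HTTPS GET form defined by RFC 8484, and parses the answer carried in the HTTPS response body. The resolver URL, query name and response bytes are constructed placeholders; nothing is sent over the network.

```python
import base64
import struct
# Added example (not Webroot's or the IETF's code). Every message below is
# constructed locally and the resolver URL is a placeholder; nothing is sent.
RESOLVER_URL = "https://doh.example/dns-query"

def build_query(name: str, txid: int = 0) -> bytes:
    """Minimal wire-format A query; RFC 8484 suggests ID 0 for cacheable requests."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def read_name(msg: bytes, pos: int) -> tuple[str, int]:
    """Decode a name at pos -> (name, offset after it); follows 0xC0 pointers."""
    labels = []
    while True:
        n = msg[pos]
        if n & 0xC0 == 0xC0:  # compression pointer into an earlier name
            ptr = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            return ".".join(labels + [read_name(msg, ptr)[0]]), pos + 2
        pos += 1
        if n == 0:
            return ".".join(labels), pos
        labels.append(msg[pos:pos + n].decode("ascii"))
        pos += n

def observer_view(udp_payload: bytes) -> str:
    return read_name(udp_payload, 12)[0]  # plain UDP/53: the QNAME is readable on the path

def doh_get_url(query: bytes, resolver_url: str = RESOLVER_URL) -> str:
    """DoH GET form: the same bytes, base64url without padding, inside HTTPS.
    (POST instead sends them raw with Content-Type: application/dns-message.)"""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={b64}"

def parse_a_records(response: bytes) -> list[str]:
    """IPv4 answers from an application/dns-message response body."""
    _, _, qdcount, ancount = struct.unpack("!HHHH", response[:8])
    pos, addrs = 12, []
    for _ in range(qdcount):  # skip the echoed question section
        pos = read_name(response, pos)[1] + 4
    for _ in range(ancount):
        _, pos = read_name(response, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", response[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in response[pos:pos + 4]))
        pos += rdlen
    return addrs
```

With DoH, an observer between the client and the resolver sees only a TLS session to the resolver’s address, while the resolver itself still sees the full question, which is why the choice of a trusted resolver matters.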
So, while the domain name system has served the internet and its users well for decades, the time may have come for a change.
“The creators of DNS, in their wildest dreams, imagined the system may be able to accommodate up to 50 million domains. We’re at 330 million now. It’s amazing what they achieved,” says Barnett. “But DNS needs to evolve. It’s been a great tool, but it wasn’t designed with privacy or security as a priority. DoH represents the logical evolution of DNS.”
Toward A DoH-Enabled Future
Several major tech players, like Mozilla with its Firefox browser, have already made the leap to using DoH as their preferred method of resolving requests. Many companies, however, would prefer to retain control of DNS and are concerned about applications making independent, rogue DNS requests. Losing this control can compromise security, as it limits the ability of a business to filter and process these
As application creators strive for better privacy for their users and businesses always look to improve security, a balance must be found. Webroot® DNS Protection has designed its agent to retain control of DNS requests by limiting whether applications can enable DoH on their own, while also running each request through Webroot’s threat intelligence platform, so that both privacy and security are improved.
Its next release, expected in the coming months, will be fully compatible with the new DoH protocol in service of the security and privacy of its users.