That centralization of DNS requests worries detractors. Unlike end-to-end encrypted messaging, in which only you and the person you’re talking to can read the messages on each of your devices, encrypted DNS doesn’t quite succeed at boxing everyone out. It cuts telecoms and governments out of the equation in one way, but introduces new tech giants and third parties in another.
“I would love it if there were 100 other encrypted DNS providers that customers could choose from,” says Cloudflare CEO Matthew Prince. “We think that would be great. I get that there being a limited set of choices doesn’t feel good. But there’s nothing proprietary about this. You can download open source software and run this today.”
The pro-privacy Electronic Frontier Foundation has acknowledged the concerns about consolidating DNS with so few resolvers, but recently suggested that the potential privacy benefits are worth the downside so long as more entities get into the space. Specifically, EFF called on internet service providers to start acting as encrypted DNS resolvers themselves. Ideally, this would involve getting ISPs to sign on to strict privacy protections like those Cloudflare has promised to adhere to as part of the process of adding support for DoH.
That may not happen anytime soon, though. And even if it did, you can see how it would be difficult in practice to get entities already making money off of mining DNS data to really change their ways. A consortium of telecommunications trade associations wrote a letter to Congress in September opposing encrypted DNS and calling Google anti-competitive for starting to support it in Chrome. This argument seems specious at best, given that Chrome will be able to use a number of resolvers, not just Google’s. The overall effort, though, reflects how invested ISPs are in protecting their access to DNS data, seemingly so they can mine it to fuel targeted advertising. ISPs do also use insight into DNS requests to offer services like content filtering for children. House of Representatives investigators are currently assessing the letter’s claims.
The ranks of DoH opponents aren’t filled only with self-interested corporations. Cybersecurity professionals argue that encrypting DNS requests will make it harder to spot intrusions and malware on their networks, without truly giving web users a more private experience. Meanwhile, encrypted DNS advocates say that these concerns are overblown, especially for large companies that can just set up their own encrypted DNS resolver to access local traffic as before—although those measures aren’t necessarily feasible for the majority of organizations.
“There are real operational and security implications of both DoH and DoT,” says Roland Dobbins, a principal engineer at Netscout Arbor. “Everyone needs to consider that things like identifying compromised devices and defending DNS infrastructure from DDoS attacks could become much more complex and costly.”
DDoS attacks on DNS servers can have very real consequences. For example, a massive 2016 assault on the DNS provider Dyn caused widespread connectivity outages on the East Coast of the United States and around the country.
Researchers have already spotted malware built to evade detection by connecting to command and control servers using encrypted DNS requests. And another major concern is that if hackers were to compromise a trusted DNS resolver, they would be able to pull off devastating DNS hijacking attacks that wouldn’t be detectable to the outside world. A similar issue already exists when hackers compromise the “certificate authorities” that underpin general HTTPS web encryption.
Firefox and Chrome are still in the experimental phases of testing encrypted DNS, so most of your connections likely won’t take advantage of it for now anyway, and there are still ways to opt out of using it at all. But as with the push to get websites to adopt HTTPS encryption, encrypted DNS will likely move forward now if Chrome and Firefox find that the change doesn’t have too much of an impact on speed or reliability for users.