DNS over HTTPS (DoH) is a new IETF standard that modifies DNS to encrypt its queries. The stated objective of the new standard is to improve the security and confidentiality of DNS queries and reduce latency.
Ever since we did our first study on the use of PKI in routing, we have realized that security technologies do not just make the internet more or less secure. They redistribute power relationships among actors. New gatekeepers might be established, some people lose access to information, while others gain it, and so on.
And so it is with DoH. Last month, IGP initiated a study of DoH, guided by the research question: How would the adoption of DoH affect the organization of the markets for public and managed DNS, browsers, ISPs, operating systems, and network security products and services? Which actors will it potentially strengthen or weaken?
We knew this was a controversial topic within the smallish Internet technical community, but were not quite prepared for it to blossom into a front-page-of-a-national-newspaper kind of debate. Yet there it is, in today’s Wall Street Journal: a report that the House Judiciary Committee has initiated an investigation of Google’s implementation of DoH. Note that this is not a Justice Department antitrust probe; it was initiated by a congressional committee that is known for being rather political. Any investigation of DoH should not be confined to Google, by the way. We also attended a presentation at the TPRC conference of a paper whose funding was not disclosed, which contained almost no policy-relevant data or content yet nevertheless managed to make DoH sound like a menace to society.
We are writing this blog to counsel patience and objectivity in the debate over DoH. It’s clear that DoH reconfigures the relationship among key stakeholders. It pits Internet service providers (ISPs) against the browser software manufacturers. The ISPs claim that they do not use the DNS query information that would be encrypted and rendered invisible to them by the use of DoH, but at the same time they are complaining bitterly about the appropriation of that information by the likes of Cloudflare, Google and Mozilla. DoH also infuriated Internet censors in the UK, as it threatens to bypass that country’s filtering methods. As we noted before, security technologies redistribute power relations among actors in the ecosystem. But we need to analyze these changes impartially, and based on real data, not by spreading FUD.
Various stakeholders have made projections about the technical, privacy, legal, regulatory and competitive impacts of DoH adoption. These claims, however, are not grounded in any systematic analysis of the standard’s impact on a complex business-technical ecosystem. While the people expressing concerns are usually technically informed, their concerns address issues of industrial organization and market structure without using the proper analytical tools and without any empirical data.
Our research project is designed to fill the gap between alarmist projections about the impact of the new standards and real-world data. It proposes to examine the competition between DoH and DoT, and how different adoption outcomes would affect the industrial organization of the Web/DNS ecosystem. The proposed research will help to identify various possible equilibrium outcomes and highlight the opportunities and challenges they might pose for Internet governance and industry. The research is not funded by any interested stakeholder. Wait for it.