Is DNS encryption harmful?

There was an article on RIPE Labs, "Is It Possible for Encryption to Harm Cybersecurity?", about DNS encryption. I could have written comments on it, but I told myself it is a good opportunity to exercise the new forum. So, the problems I see with this article (besides the obvious issue that this article reuses traditional and often debunked arguments against encryption):

  • The biggest problem is that it suggests that using the existing DNS resolvers, but with added encryption (“SPAU”), could be an alternative to an external resolver. I don’t see the point: encrypting the query/response to a resolver you don’t trust adds almost no security.
  • It claims that “Some options, including DoH, allow the software to make DNS queries directly” as if it were not a possibility from the beginning (any application can send queries to port 53).
  • Also, some technical errors like “[the DNS is] converting URLs into IP addresses” or “[the DNS] is the directory of the World Wide Web”.
3 Likes

I also wanted to comment on that blog, Stéphane, so thanks for raising this. The beginning of the blog proposes that the DNS data has been used by network operators to provide control, and restrict access to content. It seems that it implies network operators cannot do that with encrypted DNS, which is wrong. Various DoH providers (and now ISPs are trying to provide DoH too: https://corporate.comcast.com/stories/update-on-comcasts-encrypted-dns-plans) allow for parental control and other security features to be accessible.

Going beyond what is possible and what is not possible by DoH providers, I think the dominant narrative, that network operators used to control access to content and that was a good thing, is one-sided. A lot of such power was abused by States (regardless of being a democratic utopia or an autocratic dystopia). Also, parental control software is not necessarily a good mechanism to keep children safe. Children need privacy too, and snooping on them and censoring them puts them at risk instead of protecting them.

5 Likes