Is DNS encryption harmful?

There was an article on RIPE Labs Is It Possible for Encryption to Harm Cybersecurity? | RIPE Labs about DNS encryption. I could have written comments to it but I told myself it is a good opportunity to exercise the new forum. So, the problems I see with this article (besides the obvious issue that this article reuses traditional and often debunked arguments against encryption):

  • The biggest problem is that it suggests that using the existing DNS resolvers, but with added encryption (“SPAU”), could be an alternative to an external resolver. I don’t see the point: encrypting the query/response to a resolver you don’t trust adds almost no security.
  • It claims that “Some options, including DoH, allow the software to make DNS queries directly” as if it was not a possibility from the beginning (any application can send queries to port 53)
  • Also, some technical errors like “[the DNS is] converting URLs into IP addresses” or “[the DNS] is the directory of the World Wide Web”
2 Likes

I also wanted to comment on that blog, Stéphane so thanks for raising this. The beginning of the blog proposes that the DNS data has been used by network operators to provide control, and restrict access to content. It seems that it implies network operators cannot do that with encrypted DNS. Which is wrong. Various DoH providers (and now ISPs are trying to provide DoH too…- https://corporate.comcast.com/stories/update-on-comcasts-encrypted-dns-plans) allow for parental control and other security features to be accessible.

Going beyond what is possible and what is not possible by DoH providers, I think the dominant narrative that network operators used to control access to content and that was a good thing, is one sided. A lot of such power was abused by States (regardless of being a democratic utopia or an autocratic dystopia). Also parental control softwares are not necessarily good mechanism to keep the children safe. Children need privacy too and snooping on them and censoring them puts them at risk instead of protecting them.

4 Likes

Well, Encrypting DNS makes it much harder for snoopers to look into your DNS messages, or to corrupt them in transit. Just as the web moved from unencrypted HTTP to encrypted HTTPS, there are now upgrades to the DNS protocol that encrypt DNS itself. Encrypting the web has made it possible for private and secure communications and commerce to flourish. Encrypting DNS will further enhance user privacy.

Two standardized mechanisms exist to secure the DNS transport between you and the resolver, DNS over TLS (2016)] and DNS Queries over HTTPS (2018). Both are based on Transport Layer Security (TLS) which is also used to secure communication between you and a website using HTTPS. In TLS, the server (be it a web server or DNS resolver) authenticates itself to the client (your device) using a certificate. This ensures that no other party can impersonate the server (the resolver).

With DNS over TLS (DoT), the original DNS message is directly embedded into the secure TLS channel. From the outside, one can neither learn the name that was being queried nor modify it. Hope so you will be satisfied about DNS Encryption.