My two cents over: DNS over HTTP (DOH)
Updated: Jan 8
This post is an expression of my opinion on DNS over HTTP, DOH for short.
DOH is currently being pushed by Cloudflare and Mozilla.
- Managers: read the TL;DR and the management note, and don't hesitate to contact me!
- Geeks: read everything and challenge me through any of the various ways of contact.
- Americans can choose where they want to put their data and with that their privacy.
- Freedom warriors in places with limited Internet access due to governmental restrictions.
- Non-competent maintainers of DNS systems.
- Innovation on a very old protocol.
- Europeans aren't protected in any form or format by any privacy protection.
- It will be a pushed standard, given the backing from Cloudflare while also being held by Google (even if it's Alphabet; sorry, I didn't look up the shareholders, but it has been mentioned by others who are good in the DNS field).
- Competent maintainers of DNS systems.
- Your data goes to a cloud or a broker, a third party outside your network. Your ISP normally isn't the bad guy; that is a fictional "fact" you're fed by big evil trolls who will do far worse with your data. Please remember I've worked for ISPs for years, and they're generally not as bad as they've been made to look.
- CDNs will break, as DNS-based load-sharing will not function.
- Split-horizon DNS, used by many parties for VPN connectivity, will also no longer work, and as a result Active Directory, for example, will not work anymore.
So, a little bit more insight....
A DNS query to resolve www.something.local normally looks this up on your local resolver (either your ISP's or your own), and this will in the end return either an A or an AAAA record (possibly via a CNAME, but that isn't the point right now).
The DNS protocol has been using UDP port 53 for a very, very, very long time: 1983 was the year of birth of the Domain Name System (DNS for short) through RFC 882 and RFC 883, and it was written with just performance in mind. Wow, a protocol that's 3 years older than me!
Anyway, what does the market try to achieve by pushing DoH? Gathering more big data into the US, and this is obviously evil.
What can a provider do these days to start securing its local networks? Not only providers but also enterprises should:
- Secure the DNS recursor: it should allow TLS, also known as DNS over TLS (short: DoT), as Android natively supports secured DNS requests these days, and it's just a matter of time before Android offers the end-user a "Do you want Secure Internet?" checkbox, which would then force DOH because the local system lacks DoT and an Android phone can notice this. This checkbox will come sooner or later, so it's a good idea to improve security for your end-devices with this improvement now.
- If feasible for the environment, provide DOH. These setups are complex, but for some environments this is a better alternative than not having it. Remember there's no auto-detection mechanism for DOH, so by default you will need to provide this information to your users yourself.
- Be less dependent on the root-servers by hosting their zones locally; these don't change that much and are provided GPG-signed here.
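To make the wire-level difference between plain DNS, DoT and DoH concrete (the resolution through a CNAME to an A record described earlier, the length-prefix framing DoT adds, the base64url encoding a DoH GET uses, and why a DoH endpoint has to be handed to users rather than auto-detected), here is an added example in Python. It is not code from the original post and not from any resolver project. The names www.example.test and cdn.example.test, the address 192.0.2.10 and the endpoint https://doh.example.invalid/dns-query are constructed placeholders, and the response bytes are built inline rather than captured. It goes a little beyond the text by also handling AAAA records, RFC 1035 name-compression pointers (with a hop limit so a malformed response cannot loop the parser) and CNAME loops.

```python
import base64
import struct

TYPE_A, TYPE_CNAME, TYPE_AAAA, CLASS_IN = 1, 5, 28, 1

def encode_name(name: str) -> bytes:
    """Dotted name -> length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name: str, qtype: int = TYPE_A, txid: int = 0x1234) -> bytes:
    # Header: ID, flags (RD=1), QDCOUNT=1, then one question; identical for UDP, DoT and DoH
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)

def frame_for_dot(msg: bytes) -> bytes:
    # DoT (RFC 7858) reuses DNS-over-TCP framing: a 2-byte big-endian length prefix
    return struct.pack("!H", len(msg)) + msg

def doh_get_url(msg: bytes, template: str = "https://doh.example.invalid/dns-query") -> str:
    # RFC 8484 GET form: base64url without padding. The template URL is configured, never discovered.
    return f"{template}?dns=" + base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")

def doh_decode(url: str) -> bytes:
    b64 = url.split("?dns=", 1)[1]
    return base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))   # restore stripped padding

def decode_name(msg: bytes, off: int):
    """Decode a possibly compressed name at off; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer (RFC 1035 4.1.4)
            hops += 1
            if hops > 16:                               # defensive: refuse pointer loops
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2                           # caller resumes right after the pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", end if end is not None else off

def parse_response(msg: bytes) -> dict:
    """Parse the header, skip the question section, return answers as (name, type, ttl, value)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4                                        # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        value = rdata.hex()                             # default for record types not decoded here
        if rtype == TYPE_CNAME:
            value, _ = decode_name(msg, off)            # target may itself use pointers
        elif rtype == TYPE_A:
            value = ".".join(str(b) for b in rdata)
        elif rtype == TYPE_AAAA:
            value = ":".join(f"{rdata[i] << 8 | rdata[i + 1]:x}" for i in range(0, 16, 2))
        off += rdlen
        answers.append((name, rtype, ttl, value))
    return {"id": txid, "rcode": flags & 0xF, "answers": answers}

def follow_chain(qname: str, answers):
    """Walk CNAMEs from qname to an A/AAAA value; None if the chain ends or loops."""
    name, seen = qname, set()
    while name not in seen:
        seen.add(name)
        by_type = {rtype: v for rname, rtype, _, v in answers if rname == name}
        if TYPE_A in by_type or TYPE_AAAA in by_type:
            return by_type.get(TYPE_A, by_type.get(TYPE_AAAA))
        if TYPE_CNAME not in by_type:
            return None
        name = by_type[TYPE_CNAME]
    return None

def _rr(name, rtype, ttl, rdata):
    return encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata
# Constructed sample, not captured traffic: www.example.test CNAME cdn.example.test A 192.0.2.10
QUERY = build_query("www.example.test")
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)      # QR+RD+RA, 1 question, 2 answers
    + encode_name("www.example.test") + struct.pack("!HH", TYPE_A, CLASS_IN)
    + _rr("www.example.test", TYPE_CNAME, 300, encode_name("cdn.example.test"))
    + _rr("cdn.example.test", TYPE_A, 60, bytes([192, 0, 2, 10])))

if __name__ == "__main__":
    answers = parse_response(SAMPLE_RESPONSE)["answers"]
    print(frame_for_dot(QUERY).hex(), doh_get_url(QUERY), answers, follow_chain("www.example.test.", answers), sep="\n")
```

Running the file prints the same query as a DoT-framed record and as a DoH GET URL, then the parsed answers and the address the CNAME chain resolves to. The point for the hardening list above: the message bytes never change, only the transport around them does, and the DoH URL is an out-of-band configuration item; nothing in the protocol lets a client discover it, which is why you have to distribute it to your users yourself.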
Sorry for the rant; it's there, however, to provide more insight into why I find DoH, or hosted DoH, a bad alternative to DoT.
I'm not going to leave DNSCurve unmentioned either: it's a feasible security solution everybody ignored in 2009, solely because people don't like Daniel J. Bernstein. Daniel even has a good alternative for BIND, which is djbdns.
In this post I'm trying to refrain from suggesting target architectures or target software, as this is where I would like to challenge my audience; depending on the feedback on this post I might do a follow-up in which I'll create various target architectures.
Management note: Perhaps it's time for our systems, or internal systems, to serve a better purpose by offering more secure infrastructure and a greater user experience.
This does require expertise in the DNS field, and unluckily, with a protocol that is 37 years of age, we can't expect a fresh graduate to be active and passionate about DNS, even though it's the base of all our computer and infrastructure communications. We in management think about new stuff like Cloud and tend to forget about our own critical infrastructure, or the essence of the need for robustness and durability in something as simple, but also as complex, as DNS.
So, I'm super enthusiastic about DNS; however, a lot of bad architecture has been put into place over the years, from SMB enterprises to large enterprises and even SPs, and this wouldn't be noticed until now. The year is 2021 and it's time to act, or your BYOD will start with HIOL (Having Its Own Life).