DNS and your privacy: DNS over HTTPS, DNS over TLS or Query Name Minimisation?

Image: Jamie

DNS is known as the address book of the Internet: when you want to visit a website you know its hostname, such as www.networksinthenews.com. In reality the website is hosted on a web server that can be reached at a specific IP address. So how do you find that address? Simple, you ask a DNS server!

In recent years, the use of DNS has become more and more of a privacy headache. In the old days, most of our communication over the Internet was not encrypted. That made it relatively easy for hackers to eavesdrop. These days, more and more websites support HTTPS: encrypting the traffic makes it impossible (or at least much harder) to listen in. But before we can reach that website, we’ll need to know its IP address and for that we’ll first need to perform – indeed – an unencrypted DNS query.

DNS traffic is typically still unencrypted, and that’s where our troubles begin: for each website we visit, we send a request over the Internet asking DNS for the IP address of that hostname. This means that anyone monitoring our DNS traffic gets an easy listing of all the websites we’re visiting. In fact, it’s much easier for a hacker to just focus on our DNS traffic than to analyse every single bit of data we transmit. And it’s not just hackers we should worry about, but also our own Internet Service Providers keeping track of us. None of this was lost on governments trying to censor the Internet either: a simple way to block access to unwanted sites is to block the DNS requests for those hostnames.

So, the solution seems simple, right? Why don’t we just start encrypting our DNS traffic? In fact, two technologies have been developed that allow us to do so. Modern browsers are starting to support DNS over HTTPS (DoH), which sends DNS requests inside an encrypted HTTPS connection. The alternative is DNS over TLS (DoT), which sends DNS messages directly over a TLS connection, likewise encrypting our communication.

However, would this really improve our privacy? Right now, very few DNS resolvers support encryption. One you might use is the public resolver hosted by Google, but then it’s no longer your ISP keeping track of you but an Internet giant that already knows far too much about you… Also, while few people would complain if governments could no longer censor your Internet access, encrypted DNS also makes it harder for company firewalls to block access to malicious websites.

While the discussion about DNS over HTTPS or TLS continues to rage, there appears to be a simpler solution that addresses at least some of the privacy concerns: Query Name Minimisation.

If you’re familiar with how DNS works, you may be aware that looking up a hostname typically involves a bit of a chase. When looking up www.networksinthenews.com, for example, you’ll first need to contact one of a handful of root DNS servers somewhere in the world. They will direct you to a top-level domain server that knows more about the .com domain, and that server in turn will point you towards the DNS server at our hosting provider, which will finally tell you at what IP address this blog is hosted. During all these steps, the full name of the website you want to visit is transmitted all over the Internet.

How about we transmit only the information each server actually needs? The root server doesn’t need to know which specific website we’re looking for; it would be enough to enquire about the .com domain. Likewise, the TLD server doesn’t need to know whether we’re interested in www.networksinthenews.com or example.networksinthenews.com or any other subdomain. Just asking it about networksinthenews.com should be enough to be directed to the right place.
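As an added illustration (not code from the original post), here is a small Python model of that lookup chase with and without Query Name Minimisation. The zone data and server names are constructed for the example; the `log` returned by `resolve` shows exactly which name each server gets to see.

```python
# Constructed delegation tree: zone -> the server answering for it, the child
# zones it delegates, and (at the bottom) the records it holds.
ZONES = {
    ".": {"ns": "root-server.example", "delegates": {"com."}},
    "com.": {"ns": "tld-server.example", "delegates": {"networksinthenews.com."}},
    "networksinthenews.com.": {
        "ns": "host-ns.example",
        "answers": {
            "www.networksinthenews.com.": "192.0.2.10",      # constructed
            "example.networksinthenews.com.": "192.0.2.11",  # constructed
        },
    },
}


def labels(name):
    """'www.example.com.' -> ['www', 'example', 'com']; '.' -> []."""
    return [part for part in name.rstrip(".").split(".") if part]


def resolve(name, minimise):
    """Iteratively resolve `name` from the root.

    Returns (address, log); log is a list of (server, query name sent), i.e.
    what each server along the chain learns about the lookup.
    """
    zone, depth, log = ".", 1, []
    while True:
        info = ZONES[zone]
        # Minimised: send only the trailing labels this zone needs to refer us on.
        qname = ".".join(labels(name)[-depth:]) + "." if minimise else name
        log.append((info["ns"], qname))
        if qname == name and name in info.get("answers", {}):
            return info["answers"][name], log
        child = next((z for z in info.get("delegates", ())
                      if qname == z or qname.endswith("." + z)), None)
        if child is not None:            # referral: follow the delegation down
            zone, depth = child, len(labels(child)) + 1
        elif minimise and depth < len(labels(name)):
            depth += 1                   # no zone cut here: reveal one more label
        else:
            return None, log             # nobody knows this name


def what_each_server_sees(name):
    """Compare the query names exposed with full names vs. minimised queries."""
    return {"full": resolve(name, False)[1], "minimised": resolve(name, True)[1]}


if __name__ == "__main__":
    for mode, log in what_each_server_sees("www.networksinthenews.com.").items():
        print(mode, log)
```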

It’s interesting to see one of the core Internet protocols receiving such attention. If you have any predictions which alternative technology will win in the end, let us know in the comments below!
