Seldom has a new IETF protocol sparked so much controversy and discussion than the DNS privacy protocol DNS-over-HTTPS (DoH).
DoH (RFC 8484) and its older brother, DNS-over-TLS (DoT, RFC 7858), have been created in the IETF to counter surveillance and censorship via Domain Name System (DNS) queries from users.
Based on initial tests that Mozilla, working with Cloudflare, did with their Firefox browsers, privacy-sensitive users fear that browsing metadata is collected and aggregated at large DoT resolvers. On the other end, Internet Service Providers (ISPs) and administrators fear the loss of control over name resolution.
Read: Opinion: The DoH dilemma
One argument I’ve got from ISPs is that users don’t want encrypted DNS, and that browser vendors push out a technology that nobody, except them, wants. If this were the case, there wouldn’t be any DoT/DoH implementations out there, would there?
To find out, I started an informal survey of DoT and DoH implementations using public open source software repositories on GitLab and GitHub.
How widely is DoT and DoH being implemented?
In July 2019, I found 55 projects using DoT and/or DoH. For this survey, I’ve only counted genuine software implementations, not composition projects such as Docker containers wrapping other DNS software to provide DoT/DoH functions. See the full list.
From the 55 projects found, 41 were implementing DoH and 23 projects were implementations of the DoT protocol, giving us ten projects that implemented both protocols.
Figure 1 — Number of DoT and DoH projects found during the survey. (View image)
Next, I looked at the year the projects were started or when DoT and/or DoH were first implemented. In 2018, the year the DoH RFC was published, 31 new projects were created, up from seven in 2017. This year (2019) has seen 13 new projects until the end of July 2019.
Figure 2 — Year that DoT/DoH projects were implemented. (View image)
Figure 3 — Program languages used for DoT and DoH.
Are these projects healthy? Or just dumped into the ever growing project graveyard of public open source repositories?
To answer this question, I looked at the activity (new code, issues being resolved or new documentation in the wiki) of these projects. If there was some activity in the last six month, the project was marked as ‘healthy’. If not, the project was deemed unhealthy and/or dead.
It was promising that from the 55 projects, 44 are still healthy and actively maintained.
Figure 4 — Activity of DoT/DoH projects. Inactivity is classed if there has been no activity in the last six months. (View image)
It is clear that DoT and DoH are in use beside web browsers. Besides the projects found on Gitlab and Github, some outside projects implement DoT or DoH on the operating system level independent from applications. Examples are ‘systemd-resolved’ on Linux and ‘unwind’ on OpenBSD.
In comparison to other novel IETF protocols, the DNS privacy protocols have motivated developers to integrate these protocols into existing products (Unbound, Knot-DNS-Server, dnscrypt) or develop new tools around these protocols. Some projects bundle ad-blocking and other privacy measures in their software — users should be able to find everything they need among the different projects.
As the survey has shown, there are many DoT and/or DoH server software options to choose from. Still, it’s clear from the recent IETF meeting (see video below), that further discussions about the DoH implementation in browsers is still required to prevent browser vendors from hijacking DoH and creating new risks to privacy through massive aggregation of metadata. What’s needed are more independent and trustworthy DoT and DoH servers, not only in the Internet, but also locally in enterprise and ISP networks.
Carsten Strotmann is a trainer in the field of DNS/DHCP/IPv6/Linux/Unix security for Linuxhotel, Men & Mice, and Internet Systems Consortium (ISC).
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.