DoH or Don't - Carsten Strotmann
camp19 - Security - 8/21/2019
Seldom have DNS protocol changes sparked such fierce debate as happen in the case of DNS-over-HTTPs (Doh) and it's little cousin, DNS-over-TLS (DoT). While for many people it is a matter of black and white, the reality out there is various shades of grey ;)
This talk will discuss the technical and political aspects of these DNS privacy protocols, where they come from, who is implementing DoH/DoT (both in the browser space and otherwise) and why it is a [good|bad] idea to support these protocol implementations.
Since the Snowden revelations, the DPRIVE (DNS Privacy Exchange) working group inside the IETF has been working on ways to make DNS, the Domain Name System, leaking less privacy related information (aka metadata).
Two new protocols from this working group are DNS-over-TLS RFC 7858 (DoT) and DNS-over-HTTPS RFC 8484 (DoH). Both protocols secure DNS queries between client systems and DNS resolver using encryption and authentication. DoT runs on a dedicated port 853, while DoH piggybacks on HTTPS (port 443).
While DoT was initially mostly ignored by OS vendors, ISPs and users alike, DoH was adopted by browser vendors (Mozilla/Firefox and Google/Chrome) and created heated discussions among security and privacy experts. Even to the point that governments discussing way to outlaw DoH.