This February, with Venezuela rocked by economic collapse and a presidential succession crisis, an opposition party put out a call for volunteers. Juan Guaidó, a political leader with the Popular Will party, called on supporters to register at the site “Volunteers for Venezuela”. Guaidó announced that the call was successful, with over 100,000 supporters submitting their contact information to the site.
But according to researchers with Venezuela Inteligente, CrowdStrike, and Kaspersky Lab, bad actors used DNS response injection to route these visitors to a fake version of the site. The fake version of the site looked identical to the real one, but researchers believe that the information collected was sent to the attackers instead of to Guaidó’s party. On February 17th, the identities of the activists were leaked by a media outlet supporting Guaidó’s rival Nicolás Maduro, which the Atlantic Council’s Digital Forensics Research Lab believes had access to the database of phished information.
DNS is a part of the Internet infrastructure that serves as a directory to help Internet users find and connect to the servers for the domains they want to connect to, by letting the domain owners publish contact information about their services, and letting users query to receive that information. Ideally, the type of attack that took place in Venezuela should not be possible; we would hope that DNS would accurately tell users where the site they’re looking for is located, and not direct them to some other site.
Unfortunately, the DNS infrastructure was created in a more innocent era in which the Internet was often seen as comprised of trustworthy organizations and people. DNS remains highly vulnerable to monitoring, readily revealing what sites people are trying to visit (for purposes of advertising, commercial profiling, political profiling, network censorship, or espionage). It’s also vulnerable to spoofing, whether by an Internet service provider’s own resolver service (which could give deliberately false replies to users’ queries) or by someone who has compromised Internet routers (who could observe queries and then quickly inject false replies even before the genuine ones arrive), among other possibilities.
The lack of DNS encryption is a serious privacy concern for all Internet users. But in countries where residents are targeted by their government for extrajudicial killings, unencrypted DNS is a safety issue that must be fixed.
Fortunately, volunteers working through the Internet Engineering Task Force (IETF) have made tremendous progress towards encrypting DNS. Two protocols have emerged to encrypt DNS queries: DNS over TLS (DoT) and DNS over HTTPS (DoH). We think both protocols are progress over the unencrypted DNS query situation. DoT retrofits the classic DNS protocol with TLS encryption, while DoH wraps it inside web browsing so the DNS query and reply travel the Internet looking like—and protected like—a web browsing session, which should make it harder for ISPs to block DoH queries. In the Venezuela case, for example, if the attackers had the cooperation of Venezuelan ISPs, they might have tried to force users to use vulnerable resolver services within the country, even if the users wanted to use more neutral and trustworthy services elsewhere. DoH will make it harder for ISPs to abuse their position to force their users to use a DNS service that the ISPs operate or can monitor or interfere with.
Nevertheless, plans for the imminent implementation of DNS over HTTPS received a tremendous amount of criticism this year, with the Internet Services Providers’ Association (a UK-based trade group for Internet service providers) going so far as to call Mozilla a villain for the latter’s plans to implement DoH.
Internet service providers in the US also lobbied against DoH through trade groups, raising concerns with Congressional committees that Google’s Chrome browser would override the operating system’s configured resolver to use Google’s resolver instead. We agree that this would effect an alarming shift towards the centralization of DNS, but Google has never announced plans to implement DoH in the manner that the trade groups described. In Google’s plan, most users will continue using their ISP-provided resolver services, with a DoH upgrade when the ISP’s service offers it, which provides privacy benefits when the network connection is shared with others or monitored by a third party. Users who actively choose a different DNS service will also get better privacy.
Some DoH criticism focused on Mozilla’s plans to default users of its Firefox browser to Cloudflare’s public DNS services—often referred to as “22.214.171.124” after one of the IP addresses where Cloudflare makes its DNS resolver services available. Critics worried that this will inappropriately centralize some of the functionality of the DNS. We’ve encouraged Mozilla to make sure that users have an easy, straightforward choice of DNS services.
EFF worked with Congressional staff members in the House Energy and Commerce Committee to address some of the concerns around DoH. Alongside Consumer Reports and the National Consumers League, we wrote an open letter to Congress explaining the important role that DNS encryption will play in protecting privacy and freedom of expression. We also talked to Congressional Research Service researchers who have been looking into the controversy.
Despite the concerns raised by some ISPs, technology companies have made substantial progress towards implementing support for encrypted DNS protocols over the past year. Comcast is currently testing support for both DoH and DoT in production, and the company has made strong public commitments to protect the privacy of their customers’ DNS queries. Microsoft has announced plans to support DNS over HTTPS in Windows.
We applaud the work being done by these companies to protect the privacy of their users, and encourage anyone who operates a resolver to implement support for encrypted DNS.
This article is part of our Year in Review series. Read other articles about the fight for digital rights in 2019.
Like what you're reading? Support digital freedom defense today!