Oblivious DNS over HTTPS (ODoH): an attempt to improve DNS privacy

Can it make DNS better?

by: - Last updated on: December 14th, 2020

Key Takeaways

  • DNS is a decentralized naming system for all the different websites that exist on the internet.
  • Despite being a critical element in the web infrastructure, DNS has its own share of vulnerabilities.
  • DoH tries to fix the security issues of DNS by encrypting the communication. But while DoH adds to the security, it raises privacy concerns.
  • ODoH, which is an extension to DoH, aims to address the privacy concerns of DoH to make DNS secure and private.
  • For more such explainers, check our Explained hub.

Domain Name System or DNS is a decentralized naming system for all the different websites that exist on the internet. It is one of the essential building blocks of the internet and has been around for more than three decades. Over the course of this period, the system has been subject to critique, with valid arguments, over the implementation and the privacy concerns that it brings along. And as a result, there have been a few attempts to address these concerns.

Oblivious DNS over HTTPS (ODoH)

One such bid — and a very recent one — is the introduction of the DNS over HTTPS (DoH) protocol, which promises to secure the DNS communication by transmitting it in an encrypted manner. While DoH looks promising in theory and manages to fix one of the issues with DNS, it inadvertently brings another concern into the light. To fix this, we now have another new protocol, called Oblivious DNS over HTTPS (ODoH), which has been co-developed by Cloudflare, Apple, and Fastly. Oblivious DoH is basically an extension to the DoH protocol that decouples the DNS queries from the IP addresses (of the user) to prevent the DNS resolver from knowing the sites that a user visits — kind of [more on this later].

What ODoH is meant to do is separate the information about who is making the query and what the query is,” said Nick Sullivan, Cloudflare’s head of research, in a blog.

Oblivious DNS over HTTPS (or ODoH)

Before jumping right into what ODoH is, let’s first understand what DNS, and subsequently, DNS over HTTPS is, and the limitations that the two bring forth.

DNS (Domain Name System)

Domain Name System or DNS is a decentralized system of keeping records of all the websites on the internet. You can think of it as a repository (or telephone directory) for phone numbers that holds a listing of telephone subscribers and their corresponding telephone numbers.

DNS working
IMAGE: Total Uptime

In terms of the internet, DNS is a critical player in establishing a system that enables you to access a website just by entering its domain name, without requiring you to remember its associated IP (Internet Protocol) address. Due to which, you can input techpp.com in the address field to view this site without having to remember its IP address, which might look something like [not our IP]. You see, it is the IP address that is required to establish a connection between your device and the website you are trying to access. But since an IP address is not as easy to remember as a domain name, there is a need for a DNS resolver to resolve domain names into their associated IP addresses and return the requested web page.

Problem with DNS

Although DNS simplifies internet access, it does have a few shortcomings — the biggest of which is the lack of privacy (and security), which poses a risk to the user data and leaves it exposed to be viewed by the ISP or eavesdropped on by some bad guy on the internet. The reason this is possible is due to the fact that the DNS communication (DNS request/query and response) is unencrypted, meaning it happens in plain text, and can therefore be intercepted by anyone in the middle (between the user and the ISP).

DoH (DNS over HTTPS)

As mentioned initially, the DNS over HTTPS (DoH) protocol has been introduced to address this (security) DNS concern. Basically, what the protocol does is, instead of letting the DNS communication — between the DoH client and the DoH-based resolver — occur in plain text, it uses encryption to secure the communication. By doing so, it manages to secure users’ access to the internet and reduce the risks of man-in-the-middle attacks — to some degree.

DNS over HTTPS (DoH) working

Problem with DoH

While DoH addresses the problem of unencrypted communication over DNS, it raises a privacy concern — about putting the DNS service provider in full control of your network data. For, since the DNS provider acts as a middleman between you and the website you access, it holds a record of your IP address and the DNS messages. In a way, that raises two concerns. One, it leaves a single entity with access to your network data — allowing the resolver to link all your queries with your IP address, and second, because of the first concern, it leaves the communication prone to a single point of failure (attack).

ODoH protocol and its working

The latest protocol, ODoH, co-developed by Cloudflare, Apple, and Fastly, aims to solve the centralization problem with the DoH protocol. For this, Cloudflare suggests that the new system separates the IP addresses from DNS queries so that no single entity, except the user, can view both pieces of information at the same time.

ODoH tackles this problem by implementing two changes. It adds a layer of public-key encryption and a network proxy between the client (user) and the DoH server. By doing so, it claims to guarantee that it is only the user who has access to both the DNS messages and the IP addresses at a time.

ODoH working

In a nutshell, ODoH acts like an extension to the DoH protocol that aims to achieve the following:

i. prevent the DoH resolver from knowing which client requested which domain names by channeling the requests via proxy to remove clients’ addresses,

ii. prevent the proxy from knowing the contents of the queries and responses, and keep the resolver from knowing the addresses of the clients by encrypting the connection in layers.

Message flow with ODoH

To understand the message flow with ODoH, consider the figure above, wherein a proxy server sits between the client and the target. As you can see, when the client requests a query (say example.com), the same goes to the proxy server, which then forwards it to the target. The target receives this query, decrypts it, and generates a response by sending the request to the (recursive) resolver. On its way back, the target encrypts the response and forwards it to the proxy server, which then subsequently sends it back to the client. Finally, the client decrypts the response and ends up with a response against its requested query.

In this setting, the communication — between the client and proxy and the proxy and target — takes place over HTTPS, which adds to the communication’s security. Not just that, the entire DNS communication taking place over both HTTPS connections — client-proxy and proxy-target — is end-to-end encrypted so that the proxy does not have access to the contents of the message. However, that said, while both user privacy and security are taken care of in this approach, the guarantee that everything functions as suggested comes down to an ultimate condition — the proxy and the target server do not collude. And therefore, the company suggests that “as long as there is no collusion, an attacker succeeds only if both the proxy and target are compromised.”

As per a blog from Cloudflare, here’s what the encryption and proxying guarantee:

i. The target sees only the query and the proxy’s IP address.

ii. The proxy has no visibility into the DNS messages, with no ability to identify, read, or modify either the query being sent by the client or the answer being returned by the target.

iii. Only the intended target can read the content of the query and produce a response.

ODoH availability

Oblivious DNS over HTTPS (ODoH) is just a proposed protocol as of now and needs to be approved by the IETF (Internet Engineering Task Force) before it is adopted across the web. Even though Cloudflare suggests that, so far, it has got companies like PCCW, SURF, and Equinix as its proxy partners to help with the launch of the protocol and that it has added the ability to take ODoH requests on its DNS service, the truth of the matter is that, unless web browsers natively add support for the protocol, you can not use it. For, the protocol is still in the development phase and is being tested for performance across different proxies, latency levels, and targets. As a reason, it may not be a wise move to arbitrate the fate of ODoH right away.

Based on the information and data available, the protocol does appear to be promising for the future of DNS — granted, it manages to achieve the kind of privacy it promises without compromising on the performance. Since it is very evident by now that the DNS, responsible for playing a critical role in the functioning of the internet, still suffers from privacy and security issues. And despite the recent addition of the DoH protocol that promises to add to the security aspect of DNS, the adoption still seems far off due to the privacy concerns that it raises.

But, if ODoH manages to live up to its claims in terms of privacy and performance, its combination with DoH, while working in tandem, can address both the privacy and the security concerns of the DNS. And in turn, make it way more private and secure than what it is today.

Weekly Newsletter

Sign up for a specially curated Tech Newsletter.

By submitting your email, you agree to the Terms of Use and Privacy Policy.


Leave a Reply

Your email address will not be published. Required fields are marked *