A Brief History of Everything Wireless

How Invisible Waves Have Changed the World



Author's Blog

Another security hole is about to be blocked...

2019-10-10 [Petri]

...but not everyone is happy. Why?

DNS stands for Domain Name System. It is the invisible glue that is applied behind the scenes every time you refer to an address on the Internet by name. As the Internet does not work with names but uses numbers for addressing the servers, somebody has to convert these names into numbers in order to perform any interaction on the Internet. This is where the DNS steps in.

DNS resolution relies on name servers that are scattered around the web, starting from top level domains like .com and .net and then resolving downwards through the tree-like structure, until the given name is fully resolved.

The example in the adjoining picture shows the DNS resolution for this web site that you are accessing right now. The reference to "non-authoritative" simply means that the answer to the name resolution was found in the cache of the name server that was queried, which in this case was the DNS server at Google.

But this name resolution is easy to tamper with, in which case one layer of trust is lost, and the user might be redirected to another site that pretends to be the right one. To counteract this possibility, the additional verification measures built into Hypertext Transfer Protocol Secure (HTTPS) step in, as described in my book, but the end user is already one step closer to being tricked into doing something that she did not intend to do.

To patch this potential security hole in DNS, both Google and Mozilla, the makers of the web browsers Chrome and Firefox, are planning a move to DNS over HTTPS (DoH). This approach does not use the standard, unencrypted DNS resolution method; instead it sends the requests, encrypted via the standard HTTPS protocol, to DNS servers that are deemed to be secure.
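To make the two mechanisms described above concrete, here is an added example (not code from the blog or from any browser vendor) that builds the DNS query for this site in the same wire format that travels unencrypted over port 53, wraps it in a DoH request as RFC 8484 specifies (the query is placed base64url-encoded in the `dns` parameter of an HTTPS GET), and then parses a hand-built resolver answer, reading the AA flag that nslookup reports as "non-authoritative" when it is clear. The resolver URL is assumed for illustration only; the response is constructed inline, so nothing is sent over the network and the addresses are documentation ranges, not real lookups.

```python
import base64
import struct

# Added example, not the blog's code: DNS wire format (RFC 1035) and the DoH GET form (RFC 8484).
DOH_ENDPOINT = "https://dns.google/dns-query"  # assumed endpoint string; never contacted here


def encode_name(name: str) -> bytes:
    """Encode 'bhoew.com' as length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1) -> bytes:
    """Single-question query; ID 0 and RD=1, as RFC 8484 suggests for cache-friendly DoH."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_url(query: bytes, endpoint: str = DOH_ENDPOINT) -> str:
    """RFC 8484 GET form: base64url without '=' padding in the 'dns' query parameter."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={b64}"


def decode_name(msg: bytes, off: int):
    """Decode a name at offset off, following compression pointers; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # two-byte pointer into an earlier part of the message
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end


def parse_response(msg: bytes) -> dict:
    """Return the flags of interest and any A records in the answer section."""
    _ident, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question(s)
        _, off = decode_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, ".".join(str(b) for b in rdata), ttl))
    return {
        "authoritative": bool(flags & 0x0400),  # AA bit clear => nslookup says "non-authoritative"
        "rcode": flags & 0x000F,
        "answers": answers,
    }


def constructed_response(query: bytes, ip: str, ttl: int = 300) -> bytes:
    """Hand-built answer as a caching resolver would return it: QR=1, RD=1, RA=1, AA=0."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    question = query[12:]
    rr = struct.pack("!H", 0xC00C)  # compression pointer to the name at offset 12 (the question)
    rr += struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(x) for x in ip.split("."))
    return header + question + rr


if __name__ == "__main__":
    q = build_query("bhoew.com")
    print(doh_get_url(q))
    print(parse_response(constructed_response(q, "192.0.2.10")))  # 192.0.2.10 is a constructed address
```

The point of the example is that the bytes inside the DoH request are exactly the classic DNS message; what changes is the transport, so an on-path observer sees only a TLS connection to the resolver instead of the plaintext question and answer.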

Although this approach is sound and clearly kills the potential of spoofing DNS addresses, some ISPs are crying foul. With the traditional DNS path blocked, one major tool for tracking what users are doing on the Internet is rendered useless. If you control the DNS server that a client uses, you see every web site name that the client looks up. The ISPs also have full control over the name resolution process and can use redirection for whatever increasingly sinister purposes they deem useful for themselves. DoH removes this possibility.

In theory, this kind of tracking can have good side effects as well: for example, if the client starts accessing known malware sites, the ISP can detect these DNS calls and warn the user that the client device may have been infected with malware. Also, some public Wi-Fi installations use DNS redirection as the means to force the new user to visit the login page, making the initial hookup procedure easier.
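The benign side of resolver-level visibility described in the two paragraphs above is easy to show with a small monitor. The following added example (not code from the blog) scans resolver query-log lines for lookups of known-bad domains, matching a name when it equals or sits below a blocklisted domain. The log format, the client addresses and the blocklist are all constructed for this example: the domains are reserved example names, not real indicators, and a real resolver's log format will differ.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Added example, not the blog's code. Constructed blocklist using reserved example names only.
BLOCKLIST = {"malware.example", "c2.example.net"}

# Constructed, simplified log format: "<timestamp> <client-ip> query <name> <qtype>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>[\d.]+) query (?P<name>\S+) (?P<qtype>[A-Z]+)$")

# Constructed sample log; addresses are from the RFC 5737 documentation range.
SAMPLE_LOG = [
    "2019-10-10T12:00:01Z 198.51.100.7 query bhoew.com. A",
    "2019-10-10T12:00:02Z 198.51.100.7 query update.malware.example. A",
    "2019-10-10T12:00:03Z 198.51.100.9 query C2.example.net. AAAA",
    "2019-10-10T12:00:04Z 198.51.100.9 query example.net. A",
    "this line is deliberately malformed",
]


def domain_matches(name: str, blocklist: set) -> bool:
    """True if name equals, or is a subdomain of, any blocklisted domain (case-insensitive)."""
    labels = name.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def scan_log(lines: Iterable[str], blocklist: set = BLOCKLIST) -> List[Tuple[str, str]]:
    """Return (client, normalised name) for every query that hits the blocklist; skip unparsable lines."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        if domain_matches(m["name"], blocklist):
            hits.append((m["client"], m["name"].rstrip(".").lower()))
    return hits


def clients_to_warn(hits: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group hits per client, which is the list of devices the operator would warn."""
    warn: Dict[str, List[str]] = {}
    for client, name in hits:
        warn.setdefault(client, []).append(name)
    return warn


if __name__ == "__main__":
    for client, names in clients_to_warn(scan_log(SAMPLE_LOG)).items():
        print(f"{client}: possible infection, looked up {', '.join(names)}")
```

Note that `example.net` itself is not flagged even though `c2.example.net` is on the list: the match only walks upwards from the queried name. Once a client resolves through DoH to a different resolver, its queries never reach this log, which is exactly the loss of visibility the ISPs complain about and the gain in privacy the browser vendors are after.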

Having Google behind this move to DoH brings in the potential of Google now redirecting all DNS traffic to their own DNS servers, and thus becoming the control point of all name resolution. The claim is that they would also see what every user is doing. But by using Chrome, you already give the keys to your Internet kingdom to Google. They do not need this extra step: they own your networked life already. Game over.

Hence it is easy for Google to promise that the end user still has a choice of selecting the DNS servers she wants to use.

All in all, switching to DoH is a good thing. Despite the occasional restructuring that it forces on some of the public Wi-Fi sites, the basic approach is crystal clear: it will considerably improve the overall safety of the Internet.

Permalink: https://bhoew.com/blog/en/101


Behind every textual Internet address is a number


You can purchase A Brief History of Everything Wireless: How Invisible Waves Have Changed the World from Springer or from Amazon US, CA, UK, BR, DE, ES, FR, IT, AU, IN, JP. For a more complete list of verified on-line bookstores by country, please click here.





PRIVACY STATEMENT AND CONTACT INFORMATION: we don't collect anything about your visits to this website: we think that your online history belongs to you alone. However, our blog comment section is managed by Disqus. Please read their privacy statement via this link. To contact the author directly, please construct an email address from his first name and the name of this website. All product names, logos and brands are property of their respective owners and are used on this website for identification purposes only. © 2018 Petri Launiainen.