On Firefox moving DNS to a third party
DNS lookups occur for every website visited. The processor of DNS requests gets a complete picture of what a household or phone is doing on the internet. In addition, DNS can be used to block sites or to discover if devices are accessing malware or are part of a botnet.
(for the tl;dr, please skip right to the summary at the end)
Recently, we’ve seen Cloudflare (rumoured to be heading to IPO soon) get interested in improving your DNS privacy. Through a collaboration with Mozilla, Cloudflare is offering to move Firefox DNS lookups from the subscriber’s service provider straight onto its own systems. From a variety of blog posts it appears that Mozilla is aiming to make this the new default, although we also hear the decision has not yet been taken and that other organizations beyond Cloudflare may be involved. This new DNS service will be encrypted, using a protocol called DNS over HTTPS.
We are currently living in strange times where companies are willing to offer us services for “free” in return for access to our data. This data can then be used for profiling purposes (targeted advertising) or competitive analysis (market intelligence, for example what kinds of people visit what sites etc). In this way, if you are getting something for free, you frequently aren’t the customer, you are the product.
In addition, once our data flows through a third party, it is possible for that third party to influence what we see or how well things work: Gmail moving your school newsletter to the never opened ‘Promotional’ tab, Facebook suddenly no longer displaying your updates to users unless you pay up, Outlook.com deciding that most independent email providers should end up in the spam folder.
At Open-Xchange and PowerDNS, we think further centralization of the internet is a bad thing in and of itself, so we are not happy about the idea of moving DNS to a large, central, third party. Centralization means permissionless innovation becomes harder, when it was this very permissionless innovation that gave us the internet as we know it today.
We do of course applaud giving users a choice of encrypted DNS providers. Our worry is about the mulled plan to switch users over by default, or asking users to make an uninformed choice to switch to “better, more private DNS”, without making sure consumers know what is going on. Because that ‘OK, Got It’ button will frequently just get clicked.
Beyond our worries about centralization however there are concrete reasons to think twice before changing the DNS trust model & moving queries to a third party by default.
What will change?
When a user wants to visit ‘www.wikipedia.org’, the browser first looks up the IP address for this site. As it stands, by default, the service provider nameserver is consulted for this purpose. The setting for this is hidden in the Cable/DSL/FTTH-modem or phone. In the newly proposed world, the browser would ask Cloudflare for the IP address of ‘www.wikipedia.org’. Cloudflare says it takes your privacy more seriously than telecommunication service providers do because this DNS query will be encrypted, unlike regular DNS. They also promise not to sell your data or engage in user profiling.
Interestingly, this claim cannot be true in Europe.The EU GDPR and telecom regulations greatly limit what ISPs could do with the data. Selling it on is absolutely forbidden. Service providers would be risking 4% revenue fines because doing this secretly would be in stark violation of the GDPR, Europe’s privacy regulation.
In other countries, service providers do indeed study and use their user’s traffic patterns for marketing purposes.
So given this, under what circumstances would it be ok for Cloudflare (or any other third party) to take over our DNS by default?
Cloudflare is a Content Delivery Network (CDN). CDNs serve website content & videos from servers across the globe, so that content is closer to the end-user. As it stands, large scale CDNs like Akamai, Fastly, Google, Level3 and Cloudflare cooperate and coordinate intimately with service providers, to the point of co-locating caches within ISP networks to guarantee rapid delivery of content. When connecting to ‘www.whitehouse.gov’ for example, it is entirely possible to end up on an Akamai server hosted within your own service provider in the city you live in. Only two companies were then involved in delivering that page to you: your ISP and Akamai. Neither your request, nor the response ever left your own country.
In the proposed future where Cloudflare does our DNS, all queries go through their networks first before we reach content hosted by them, or their competitors. We can legitimately wonder if Cloudflare will diligently work to protect the interests of its competitors and deliver the best service it can.
Interestingly enough, as of today, at least for KPN (a national service provider in The Netherlands) and www.whitehouse.gov this is not true: the IP address we mostly get from the KPN servers is 20% closer in terms of latency, and is reached through Internet peering. The IP address we get via Cloudflare is slower and additionally reached through IP transit, which is more expensive for both KPN and Akamai. Cloudflare is therefore slowing down access to an Akamai hosted website, at higher cost for everyone involved. Cloudflare, incidentally, explains that this is because of privacy reasons.
Any new default DNS provider should commit to working with all its competitors to deliver service that is as good as would have been provided through the service providers’ DNS.
Any chokepoint of communications is susceptible to government blocking orders and legal procedures. In some countries the government shows up with a (long) list of what domains to block, in other countries this happens only after a series of long-winded lawsuits. In addition, child pornography researchers (& law enforcement organizations) frequently provide lists of domains they think should be blocked, and these often are.
Local service providers typically fight attempts to block popular content, since their subscribers don’t like it. Once an international DNS provider is the default for lookups, it can also expect government orders and other legal efforts aimed to get domain names blocked.
A new default DNS provider should document its policies on how it will deal with lawsuits and government orders commanding it to block traffic. At the very least, blocks should be constrained regionally. It should also document what content they would block out of their own accord.
Without going all “Snowden” on this subject, many governments grant themselves rights to intercept foreign communications with far less oversight than if they were intercepting national traffic. In other words, citizens of country X enjoy far less privacy protection in country Y. This is not a controversial statement and is explicitly written out in many countries’ interception laws and regulations. But the upshot is that for privacy, it pays to keep DNS within the country where you are a citizen.
In addition, most countries have legislated that communications service providers can and must break their own contracts, terms and conditions to comply with government interception orders. In other words, even though a company has committed in writing to not share your data with anyone, if the government shows up, they can be forced to do so anyhow.
It may well be that a third party DNS provider operates under a regime that has an interest in the DNS traffic that gets sent to it from all over the world.
New centralised DNS providers should document which governments have interception powers over them and be honest about their chances of standing up to such interception.
DNS is currently under control of your network provider – which could be your employer, your coffee shop or frequently, your (Internet) service provider. Enterprise environments often filter DNS for malware related traffic, blocking requests for known harmful domain names. They will also use query logs to spot infected devices. Increasingly, large scale service providers are also offering DNS based malware filtering, especially in the UK.
When moving DNS to a centralised provider, such local filtering no longer functions. Enterprise network administrators will also lose visibility into what traverses their network. From the standpoint of the individual employee this may be great but it is not what the network operator wanted.
Interestingly enough, DNS over HTTPS has specifically been designed to be hard to block, as the designers envisioned that network operators would attempt to use firewall rules to disable forms of DNS they could not monitor or control.
When asking users if they should move their DNS to a new provider, they should be reminded they may be losing protection that was previously provided to them by their service provider or employer network administrators.
Is your service provider actually spying on you?
If we want to assess the benefit of moving DNS to a third party by default, it is important to know if we are being spied upon in the first place. In some cases and in some countries, this is definitely true. In Russia and China, DNS is routinely intercepted and even changed. Also, some providers replace ‘this domain does not exist’ DNS answers by the IP address of a ‘search page’ with advertisements.
But in many places, local service providers are bound by stringent rules that forbid any spying or profiling, mostly countries that fall under the European GDPR or GDPR inspired legislation.
It has been argued that users are not sophisticated enough to reason about this subject and that the DNS move should happen by default, with an opt-out for those that care. Another idea that has been raised is a startup dialogue that proposes a more secure internet experience and a ‘Got it!’ button. This clearly does not go far enough in educating users about the change they will be authorizing.
Before moving DNS to a third party, users should be surveyed if they feel their current provider is spying on them or not, and if they think the new third party DNS provider would be an improvement. The outcome will likely be different per region. This survey could then lead to a well-designed, localized, opt-in procedure.
Having a choice of (encrypted) DNS providers is good. Mozilla is pondering moving DNS resolution to a third party by default, initially Cloudflare. Before doing so, any third party should commit to:
- Network neutrality: promise to work with competitors to ensure performance for other CDNs does not deteriorate compared to when the service provider DNS was used
- A policy on blocking: how will the provider deal with government blocking requests or lawsuits demanding that content will be blocked.
- Warning users the new DNS may not offer safety features they got from the network DNS provider
- Being clear about the legislations it operates under: which governments could force it into large scale interception?
Finally, Mozilla should survey its users to find out their attitudes towards moving DNS from their current service provider to Cloudflare. To do so, those users must first be well informed about what such a move would mean. Based on the survey results, an honest consent page can be generated that makes sure users know what they are agreeing to.
We want to thank Rudolf van der Berg and Remco van Mook for their comments & input for this post. These opinions are ours alone though.
Anyone considering Cloudflare’s claims about privacy should first consider Cloudflare’s entire history. The co-founder and CEO is not in a position to make any claims about privacy, based on his previous record.
Firefox is making all the wrong moves lately. Why would people continue to use the browser when it keeps betraying its own principles? If we didn’t care about privacy we would be using Chrome.
building on Paul’s suggestion, you could also setup a ‘pi-hole’ and do your own blocking of advertisers, known malware and botnets etc. Or something like OpenDNS
It’s really not that hard to get a $5 VPS and setup your own DNS over HTTPS server. 20 minutes max.
let users make their own choice.
If evety dns will go to cloudflare how will this work with enterprise split dns?
breaking split brain and dns oberlays would be the death for many development and test cases
How will the Cloudflare DNS service look up internal domain names in my corporate Active Directory DNS that is not reachable outside my network? And what about organizations that depend on split-horizon DNS (where internal users are supposed to get different results for some lookups than external users)?
This is my concern too, I have not been able to find the answer to this yet.
One of the arguments not yet given is “if the browser decides on its own which DNS server to query, troubleshooting connectivity issues becomes much worse”. Like, “I cannot access my outlook web access anymore” – is this because firefox is using a different DNS resolver that doesn’t know about internal DNS names?
Generally speaking, if system-level test tools like “ping” or “traceroute” use a different DNS resolution mechanism than some higher-level applications, the end result will be harder to troubleshoot and much annoyance will ensue.
Besides this, nice article, and a couple of new arguments I hadn’t seen yet 🙂