The Impact DNS-Over-HTTP (DoH) Will Have on Protecting Children Online

The IWF recently published a letter describing the impact DNS-over-HTTP (DoH) will have on protecting children from abuse on the internet.

The following information provides background to this issue and addresses the implications for those individuals responsible for digitally safeguarding young people.

The issue at a glance

DNS over HTTPS (DoH) is a protocol for performing Domain Name System (DNS) resolution via the HTTPS protocol. This method is used to increase user privacy and security by preventing manipulation of DNS data by man-in-the-middle attacks.

Where previously DoH was firmly in the domain of technical specialists, Mozilla are now supporting DoH in Firefox which means it’s now open to non-technical users. Simply put, DoH has the power to render useless many forms of Internet filtering software. Where well over 70% of internet traffic is now encrypted, there are only two places a network administrator or ISP can look to identify the sites someone is visiting. One of these is the DNS request, the other, the SNI header. DoH removes both of these opportunities.

The detail

DNS is the ‘internet phonebook’. It turns the domains that humans can read into IP addresses computers can read. For example, the IP address of www.google.com is resolved by DNS as 216.58.204.36. Since users almost always ask for a site by name, if the ISP can control the answers the DNS gives, then it can prevent any users from accessing a particular domain. Even if a different DNS server has been configured, DNS has no protection against being altered, so filtering can still occur. DoH encrypts this traffic, so it can’t be intercepted, observed or altered.

Server Name Indication (SNI) allows the server to safely host multiple TLS Certificates for multiple sites, all under a single IP address. SNI provides similar data to DNS traffic (the domain being visited), unencrypted in the header of a user’s internet traffic. Much like the name on an envelope – if two people live at the same address, it’s important to ensure each knows which letter is theirs, so their names appears on the envelope. DoH provides a way to encrypt the name on the envelope – so an ISP can only see the IP address. With many sites sharing one IP address, it’s then very hard to see what’s going on.

The conflict

At Smoothwall, we’re sympathetic to the drive to encrypt traffic, and make the internet a more secure environment. However, we are also driven by the desire to protect young people and ensure we don’t put all the power in one company’s hands.

DoH restricts the ability for schools to proactively monitor young people’s activity

Paul Vixie (Internet pioneer and author of the world’s most popular DNS server, BIND) says; “DoH treats all networks as public, and does so unilaterally, requiring either acquiescence (‘my network, your rules’) or escalation (full TLS interception). That’s not an ‘argument’ in any sense, it’s a war, and we don’t know yet what the butcher’s bill is going to be.”

It’s an interesting point. You get to apply ‘your rules’, as a student, to a school’s network. At Smoothwall we believe there are two choices: manage the network, or manage the device. If you have neither, you will struggle to maintain the degree of control required in a school IT environment. DoH makes it harder to systematically manage a network.  Paul advises that our choices are to allow users to do what they like on our networks, or “escalate” to full TLS interception (something we would often support in schools anyway, but which is hard to do on BYOD). There are ways to protect privacy without declaring war on the network.

DoH doesn’t exempt you from proactive monitoring – now your DNS provider knows your every move

DoH still needs a DNS server. It’s interesting to note that there are some large companies offering DoH servers, and they are companies, who in some cases, have a track record of being interested in where users browse. Moreso than with a hierarchical system like DNS is at the moment, it’s possible for these companies to track a detailed record of the sites you view. In many ways, this exchanges privacy “on net” for privacy to a large corporation.

What should schools do?

The best option to guard against safeguarding avoidance is to ensure your filter is blocking DoH requests, and/or performing network level TLS interception. If you have Smoothwall Filter On-premise you already have the tools to address DoH.

Managed devices may avoid this by using client-based filtering systems which rely on browser plugins. Smoothwall Filter – Cloud is an example of this. Some client-based systems which rely on on-device network interception will be as vulnerable to DoH related bypass as their network-level equivalents.

Smoothwall's commitment

Smoothwall customers can rely on us to address the latest methods of avoiding safeguarding controls, whilst providing users with the levels of privacy they require.

If you have any questions please contact your account manager or email us at support@smoothwall.com