Domain names exist so humans can remember the location of websites without needing to know specific Internet Protocol (IP) addresses. But domain names need to be translated into IP addresses for computers to communicate with each other. As described by a recent paper from the Council of European National Top-Level Domain Registries (CENTR), a device such as a laptop or mobile phone “will send the question ‘What is the IP address for www.example.com?’ to a resolver. Today, this resolver is typically provided for by the user’s Internet Service Provider (ISP). The domain name system (DNS) is a very stable and efficient protocol, but it has a few weaknesses that were not identified [when it was developed].”
The Internet Engineering Task Force (IETF) has standardized two protocols that encrypt DNS queries between a device and its resolver: DNS over TLS (DoT, RFC 7858) and DNS over HTTPS (DoH, RFC 8484). These were aimed at addressing perceived weaknesses of the DNS, namely that “questions to resolve a domain name are sent in clear text … [so] anyone who can monitor the traffic can see which domains users [are looking for]. Partly because of that transparency, there is a risk of these questions being intercepted, and of an incorrect answer being sent to the user. In some cases, this could lead to users being misguided to fraudulent websites.” Both protocols protect only the hop from the device to the resolver; the resolver itself still sees every query in the clear, which is why the choice of resolver matters.
The challenge is not the protocol or the encryption of the DNS itself, but the way key browsers and mobile operating systems appear set to deploy it: on a centralized basis, with the application sending queries to a resolver of the vendor’s choosing rather than the one the local network provides. Implemented that way, encrypted DNS would allow web browser and cloud service providers to create a different way to route web traffic, break many functions that rely on DNS today (such as parental controls, malware protection, and localized content delivery), and represent a dramatic disruption of the underlying architecture of the internet, which is highly distributed rather than centralized. Centralized encrypted DNS has the potential to create a whole new set of problems for network security and data privacy, since it would create new and significant single points of attack and failure, and any technical issue experienced by a few platforms would affect the Internet as a whole.
A recent Axios report comments that “a relatively simple fix – just a settings change” could help filter malicious traffic. But centralized encrypted DNS has the potential to interfere with or circumvent tools for malware detection, content control, monitoring and filtering, and potentially the efficiency of content delivery networks as well, since CDNs use the location of the querying resolver to steer users of services such as Netflix and Amazon Prime to nearby servers.
ISPs implement security protections in their networks to protect their users, as do the networks of governments, schools, libraries, and private enterprises. Many systems used in these networks rely on the DNS to implement network policies such as content filtering, malware detection, and other security services. These policies may block access to known-malicious domains, monitor for malware and intrusions, run virus scans, or, in some cases, prevent illegal content from being viewed. The CENTR paper notes that
At the moment the ISP sees the DNS traffic and can protect its own network from abuse. The most cited example is where ISPs block requests from malware sitting on their customers’ devices. By blocking these requests, ISPs make their network more secure, but also prevent attacks and abuse from spreading to other networks. With (the change known as DNS over HTTPS, or) DoH, ISPs no longer see this traffic and therefore cannot prevent this abuse any longer.
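To make the two points above concrete (the encrypted transports described earlier, and the resolver-side blocking CENTR describes), here is an added example that is not from the article, CENTR, or any vendor. It builds one DNS question in wire format, wraps it the way DoT (RFC 7858) and DoH (RFC 8484) carry it on the wire, and then runs it through a small resolver-side policy of the kind an ISP or enterprise resolver applies. The endpoint URL, the blocklist entry and the sinkhole address are constructed for illustration; the one real name is use-application-dns.net, the canary domain Mozilla documents for Firefox, which a network answers with NXDOMAIN to say “this network has its own DNS policy, do not enable DoH by default here.”

```python
import base64
import struct
from typing import Optional, Tuple

# Added example: DNS wire format, DoT/DoH framing, and resolver-side policy.
# Endpoint, blocklist and sinkhole values below are constructed, not real.

QTYPE_A = 1
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3


def encode_qname(name: str) -> bytes:
    """'www.example.com' -> b'\\x03www\\x07example\\x03com\\x00'."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_qname(msg: bytes, offset: int) -> Tuple[str, int]:
    """Read an uncompressed name at offset; return (name, offset after it)."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def build_query(name: str, txid: int = 0x1234, qtype: int = QTYPE_A) -> bytes:
    """Recursive query: 12-byte header (RD=1, QDCOUNT=1) + one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)


def parse_question(msg: bytes) -> Tuple[int, str, int]:
    """Return (txid, qname, qtype) of the first question in a DNS message."""
    txid, _flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    name, off = decode_qname(msg, 12)
    qtype = struct.unpack("!H", msg[off:off + 2])[0]
    return txid, name, qtype


def dot_frame(msg: bytes) -> bytes:
    """RFC 7858 s3.3: inside the TLS session each message gets a 2-byte length prefix."""
    return struct.pack("!H", len(msg)) + msg


def doh_get_url(msg: bytes, endpoint: str = "https://doh.example.net/dns-query") -> str:
    """RFC 8484 s4.1.1: GET ?dns= carries base64url(wire message), '=' padding removed.
    The endpoint is a placeholder, not a real resolver."""
    dns = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={dns}"


def doh_decode_param(dns_param: str) -> bytes:
    """Reverse of doh_get_url: restore padding, then base64url-decode."""
    return base64.urlsafe_b64decode(dns_param + "=" * (-len(dns_param) % 4))


# Resolver-side policy data (constructed). CANARY is the real Mozilla canary name.
MALWARE_BLOCKLIST = {"c2.malware-example.test"}
SINKHOLE_IP = "0.0.0.0"
CANARY = "use-application-dns.net"


def build_response(query: bytes, rcode: int, a_record: Optional[str] = None) -> bytes:
    """Echo the question; optionally append one A record (e.g. a sinkhole address)."""
    txid, name, qtype = parse_question(query)
    question = encode_qname(name) + struct.pack("!HH", qtype, 1)
    answer = b""
    if a_record is not None:
        rdata = bytes(int(o) for o in a_record.split("."))
        # 0xC00C is a compression pointer to the qname at offset 12
        answer = struct.pack("!HHHIH", 0xC00C, QTYPE_A, 1, 60, 4) + rdata
    flags = 0x8180 | rcode  # QR=1, RD=1, RA=1, low 4 bits = RCODE
    header = struct.pack("!HHHHHH", txid, flags, 1, 1 if answer else 0, 0, 0)
    return header + question + answer


def apply_policy(query: bytes) -> Tuple[str, bytes]:
    """What the network's resolver does with a query it actually receives."""
    _txid, name, _qtype = parse_question(query)
    if name in MALWARE_BLOCKLIST:
        return "sinkhole", build_response(query, RCODE_NOERROR, SINKHOLE_IP)
    if name == CANARY:
        return "canary-nxdomain", build_response(query, RCODE_NXDOMAIN)
    return "forward", b""  # would be recursed normally


def rcode_of(msg: bytes) -> int:
    """RCODE lives in the low 4 bits of the flags word (bytes 2..3)."""
    return struct.unpack("!H", msg[2:4])[0] & 0xF


if __name__ == "__main__":
    q = build_query("c2.malware-example.test")
    print("DoT frame:", dot_frame(q).hex())
    print("DoH URL:  ", doh_get_url(q))
    print("policy:   ", apply_policy(q)[0])
```

The policy function only ever runs on queries that reach this resolver. A browser that ships with DoH pointed at an external resolver sends `doh_get_url(q)` to that resolver instead, so the blocklist and the canary check above are never consulted, which is precisely the gap CENTR describes.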
Promoting this fundamental architectural change away from the distributed network architecture (the current ISP model) toward an alternative network design gives the edge providers that control web browsers and mobile operating systems the ability to see all of the traffic and behavior of individual users, not to mention every lookup for the sites of their competitors or potential competitors. This is because the new system would be pushed top-down by a small number of organizations that steer query traffic to their own servers, rather than through the network-to-network approach in use today.
This change that allows web browsers and mobile operating systems to circumvent the controls described above can also be viewed as part of a larger plan to track behavior, enhance advertising capabilities, and enrich large platform companies. It can also be used to avoid jurisdictional regulations, as noted by CENTR: “The level of control will change to whichever resolver is identified by the browsers to answer the queries. Since these resolvers are currently US-based, it will mean that US jurisdiction applies. One of these resolvers (Cloudflare) has already made public statements on how it intends to resist legislative or jurisdictional pressures” — that is, local laws and regulations on internet content.
Let’s be clear: these companies are already in the business of collecting and monetizing data about the behavior of their users, and they accumulate a vast amount of knowledge about users for their own benefit. Centralized encrypted DNS is a new model of internet business that goes beyond online advertising; it’s a play by companies looking to exploit user behavior for their own monetary gain, cloaked as an effort to improve security and privacy. Of course, the information in these transactions can also be shared with or sold to various unnamed third parties, for predictive analytics and other purposes.
Threats to internet infrastructure are a direct threat to the digital economy. The many companies that provide internet services know that protecting their networks from harmful interconnections is a priority and that they must have collaborative partners to be successful. Working hard to secure an end user’s internet experience is an important goal, but we should acknowledge when changing the current system creates conditions that enhance a specific provider’s or company’s bottom line under the illusion of security or privacy protection. And we should understand other ways to reach the same goal without these risks.
While encrypted DNS was designed with the best of intentions, its proposed implementation has moved toward an outcome that was not predicted by the engineers who developed the protocol; it seems likely to become a dangerous data funnel rather than a protector of traffic. Let’s encourage those who work across network boundaries to protect the internet as a whole to keep collaborating and trusting each other, and to maintain the distributed and decentralized internet on which the economy and users depend, instead of resurrecting the walled gardens that users broke through twenty years ago.
Cloudflare, while “not a hosting provider, is the source of all manner of services needed by websites. It provides a Content Delivery Network, an authoritative Domain Name System, as well as load balancing, routing, and DDoS protection and firewall services.”