Encrypted DNS: IETF at odds over ways to find DoH servers

A working group of the Internet Engineering Task Force (IETF) held at their recent virtual meeting different ways of dealing with DNS resolvers discussedthat can be reached via encrypted protocols. Because the use and availability of DNS over HTTPS (DoH) or DNS over TLS (DoT) result in very practical problems compared to the traditional DNS. The IETF now wants to tackle and solve these problems in a coordinated manner, but there is still no agreement on how to proceed.

Job market

  1. STRABAG BRVZ GMBH & CO.KG, Stuttgart, Cologne, Spittal (Austria)
  2. K├Âlner Verkehrs-Betriebe AG, Cologne

With classic DNS, which is processed unencrypted via port 53, end devices are assigned an IP address of a DNS resolver via DHCP, which is then used centrally by the entire operating system. Such a process is not yet standardized for protocols such as DoH. In addition, DoH can now also use applications in a simple and standardized way to use other DNS resolvers than the classic resolver defined in the system. This is possible with browsers, for example.

However, the current situation means that manufacturers have so far taken different paths in order to still be able to assign DoH resolvers. Mozilla uses a default DoH server in Firefox for the USA. Google, however, tries to upgrade an existing DNS resolver on DoH servers in Chrome, and maintains a corresponding list. Microsoft wants to do something similar for Windows. In addition, this juxtaposition of techniques in a so-called split DNS scenario can lead to practical problems that could previously only be solved manually.

Different suggestions

With a standard, however, the assignment and use could be standardized and the DNS assignment could then also be automated relatively easily. Various ideas have just been discussed in the working group. A suggestion looks like this its own protocol for finding the corresponding resolvers. A list of these could be kept and queried, similar to how this already works with classic DNS.

Another suggestion is for that to use the DNS records directly and store the resolver addresses there. So-called designated DNS resolvers should be used for this, which are only responsible for certain domains. A Google and Cloudflare team suggeststhat every website simply specifies its preferred server in an HTTP header, which should then be used by clients.

From companies that offer so-called middle boxes as security products and thus filter malware domains or other addresses, comes its own suggestion. This is based on a standard (Enrollment over Secure Transport) to roll out your own certificates or CAs to clients in the network. The technology is now to be expanded to assign encrypted DNS servers to clients in their own network.

The outcome is uncertain

There is currently still disagreement in the discussion among those involved about which of the problems of the new DNS technology should be given priority and which approach might be the right one. The working group initially wants to formulate requirements and possibly establish various standards for them.

Obviously, a possible upgrade path from the previous classic resolver to its encrypted counterpart, if it is available, has to be solved, as well as a direct assignment of a resolver in the network. That would also solve at least part of the problem with split DNS and middle boxes. However, it is not yet clear when this will happen.

Please activate Javascript.

Or use that Golem pure offer

and read

  • without advertisement
  • with javascript turned off
  • with RSS full text feed