2020/10/06 17:58:35

DNS over HTTPS (DNS-over-HTTPS, DoH)

DNS over HTTPS (DoH) is an experimental protocol for performing DNS resolution over the HTTPS protocol. Its purpose is to increase user privacy and security by preventing the interception and manipulation of DNS data through attacks such as "man-in-the-middle".

2020

RUIE: the ban on website encryption protocols proposed by Mintsifra will cut Russia off from the global Internet

The Russian Union of Industrialists and Entrepreneurs (RUIE) criticized Mintsifra's proposal to ban Internet protocols that encrypt DNS queries. According to business, this initiative is equivalent to disconnecting Russia from the global Internet. RUIE's conclusion became known on October 6, 2020.

According to Kommersant, citing RUIE's review of the bill, a ban on modern website encryption protocols would make the use of computers and smartphones illegal. The bill would also paralyze the operation of information systems and lead to budget costs, experts said. Without encryption, traffic from the banking sector (for example, card and transaction data) would be exposed to fraudsters, RUIE warned.

RUIE criticized the ban on website encryption protocols proposed by Mintsifra

The union is confident that if the law is adopted, cryptography will have to be upgraded or removed from all state information systems, which will cause budget costs. As a result, Russian Internet companies will lose the advantages that encryption protocols provide, and both their competitiveness and their export potential will decline.

The experts polled by the publication generally agree with RUIE's conclusions. DoH and DoT protocols will become the most popular in the long run, and their prohibition threatens difficulties for Russian companies, says Pavel Myasoyedov, partner and director of IQReserve. At the same time, these protocols are designed primarily to increase the security of Internet services, so restricting them will in fact play into the hands of malicious actors, agrees Denis Lipov, partner and head of the cyber risk management practice at Deloitte.

The Roskomsvoboda organization believes that "banning the use of modern protocols and encryption algorithms, which are used by an increasing number of web services and IT companies, is like banning secure locks on doors or opaque curtains on windows".[1]

Mintsifra decided to ban Internet protocols that prevent website blocking

In September 2020 it became known that Mintsifra had decided to ban the use in Russia of protocols that encrypt DNS queries, under threat of blocking websites.

This concerns TLS 1.3 with the ESNI extension (used to host several HTTPS websites on one IP address), DoH (DNS over HTTPS) and DoT (DNS over TLS). These protocols hide which site the user intends to visit, so the Internet provider cannot learn it and cannot prevent the user from reaching a prohibited resource.

Mintsifra proposed banning Internet protocols that conceal a website name

As stated by Mintsifra, the use of such algorithms and cryptographic techniques can reduce the effectiveness of existing filtering systems. This, in turn, will considerably complicate the identification of Internet resources containing information banned in the Russian Federation.

In this regard, the ministry proposes amendments to the law "On Information, Information Technologies and Information Protection". The draft prohibits the use in the country of encryption protocols that allow the name (identifier) of a web page or website to be concealed. Exceptions are the cases established by Russian legislation.

"All the advantages of new DNS query encryption protocols for users are obvious, but it must be understood that their wide adoption will also allow all existing filtering systems and the blocking of prohibited websites to be bypassed, including websites containing illegal content (extremist content, content violating copyright, child pornography)," said the head of Mintsifra, Maksut Shadayev.

The bill provides that if Roskomnadzor learns that a resource uses encryption protocols that allow a website name to be concealed, it will block that resource. Any encryption in the network hides data, and the less data is visible, the worse blocking works, explains Artem Gavrichenkov, technical director of Qrator Labs.[2]

Russian authorities will test blocking of traffic carried over the DNS over HTTPS and DNS over TLS protocols

On January 15, 2020 it became known that the Ministry of Telecom and Mass Communications had approved a schedule for conducting, in 2020, planned exercises on ensuring the stable, secure and complete functioning of the Internet and public communication networks on the territory of Russia. The document, signed by acting Minister of Communications Alexey Volin, is published on the ministry's website.

According to the ministry's order, the ability to block traffic protected using DNS over HTTPS (DoH) and DNS over TLS technology will be tested on March 20, 2020.

2019

Threats and prospects for the development of the DNS system

On November 26 the 14th Internet Governance Forum opened in Berlin. The event is held under the auspices of the United Nations; the German Ministry of Economics acted as host. More than 3 thousand participants registered for the forum.

Mikhail Anisimov, head of the external communications department of the Coordination Center for .RU/.RF domains, commented on the possible consequences of using DoH (DNS over HTTPS). According to him, it is especially important to participate not only in developing standards but also in drawing up recommendations on implementing the technology. For all the opportunities the technology offers for ensuring user privacy, DoH strongly changes the established information security ecosystem. It complicates the blocking of illegal content, often breaks many corporate security policies, and concentrates a large share of processed queries in the hands of large corporations. One can thus speak of "corporate" segments of the Internet that theoretically might not even intersect with each other: the Internet of Google, the Internet of Cloudflare, and others.

Implementation in Windows 10

In November 2019 Microsoft announced the implementation of the DNS over HTTPS (DNS-over-HTTPS, DoH) encryption protocol in the Windows 10 operating system.

In practice, using the technology means the ability to bypass any DNS-based blocking of prohibited websites, since all DNS queries will be transmitted in encrypted form, and blocking by IP address will be overcome by changing the IP address of the blocked resource.

Microsoft is implementing a service in Windows 10 that allows all Roskomnadzor blocking to be bypassed

In the long run, encryption under the DNS-over-HTTPS protocol may also render inoperative Deep Packet Inspection (DPI), the deep traffic inspection and management technique adopted by Roskomnadzor, since filtering packets of encrypted HTTPS traffic from a set of IP addresses will lose its meaning.

Developers from the Windows Core Networking team Tommy Jensen, Ivan Pashov and Gabriel Montenegro warned that it is hard to implement DoH support without breaking administrator settings on Windows devices.

"However, we should treat privacy as a human right. We need to have end-to-end cybersecurity built into technology. There is a view that DNS encryption can only be done in a centralized way. That is true only if the adoption of DNS encryption is not universal. To preserve the decentralization of DNS, both client operating systems (for example, Windows) and Internet service providers should implement DNS encryption," they said.

The company also emphasizes that, as of November 2019, DoH in Windows 10 has the status of a priority task, since it will help both private customers and companies, which will be able to use the existing HTTPS infrastructure for faster DNS encryption.

A widely adopted DoH standard guarantees that it will not need to be centralized, and this should make the whole Internet ecosystem healthier, Microsoft is sure.[3]

Enabling the DNS-over-HTTPS protocol in the Google Chrome 78 browser

On September 13, 2019 it became known that developers of the Chromium project at Google announced plans for an experimental rollout of the DNS over HTTPS (DNS-over-HTTPS, DoH) encryption protocol in build 78 of the Chrome browser, whose stable release is expected on October 22, 2019.

Enabling the DNS-over-HTTPS protocol in the Firefox browser

On September 11, 2019 it became known that developers from Mozilla Corporation announced the successful testing of the experimental DNS over HTTPS (DNS-over-HTTPS, DoH) encryption protocol. It delivers domain (DNS) information over the cryptographically protected HTTPS protocol.

How DNS-over-HTTPS works

To block websites, providers or regulators need to know the domain name (URL) obtained through the DNS query and the IP address of the blocked resource. If the DNS query is hidden by encryption, for example using the DNS-over-HTTPS protocol, the provider will not be able to block a specific resource, because the URL is hidden from it.

Comparison of the DNS and DNS-over-HTTPS systems

If the blocked resource provides one IP address for an open DNS query and another for a DNS query encrypted under the DNS-over-HTTPS protocol, blocking also becomes powerless. Modern CDN providers act as technical partners for implementing such a capability.
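To make the comparison concrete, here is an added example (not code from the original page) that builds the same DNS query twice: once as the plain wire-format message a provider can read on UDP port 53, queried name included, and once packed into an RFC 8484 DoH GET request, where only the TLS connection to the resolver is observable. It also parses the wire-format response a DoH resolver returns; the endpoint https://dns.example/dns-query and the response bytes are constructed for the example.

```python
import base64
import struct
# Added example, not from the page; dns.example is a hypothetical RFC 8484 resolver.
DOH_ENDPOINT = "https://dns.example/dns-query"

def encode_name(name: str) -> bytes:
    """Host name in DNS wire format: length-prefixed labels plus a zero terminator."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name: str, qtype: int = 1) -> bytes:
    """RFC 1035 query (ID 0 as RFC 8484 suggests, RD set, one IN question): in clear on UDP/53."""
    return struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)

def build_doh_url(name: str) -> str:
    """RFC 8484 GET form: the wire-format query, base64url without padding, in 'dns'."""
    q = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode()
    return f"{DOH_ENDPOINT}?dns={q}"

def decode_dns_param(url: str) -> bytes:
    """Resolver side: restore base64 padding and recover the wire-format query."""
    param = url.split("?dns=", 1)[1]
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))

def skip_name(msg: bytes, off: int) -> int:
    """Offset just past a wire-format name; a 0xC0 byte starts a 2-byte compression pointer."""
    while msg[off] & 0xC0 != 0xC0 and msg[off] != 0:
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)

def parse_a_records(msg: bytes) -> list:
    """IPv4 addresses in the answer section of a DNS response (a DoH reply body)."""
    qd, an = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4               # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:                # A record
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs

# Constructed response: one A record 192.0.2.1 (TTL 300); owner name is a pointer (0xC00C) to the question.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0) + encode_name("example.com")
                   + struct.pack("!HH", 1, 1) + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
                   + bytes([192, 0, 2, 1]))
```

Sending the URL from build_doh_url over HTTPS with the header Accept: application/dns-message is all a DoH client does; the reply body is parsed by parse_a_records exactly as a classic UDP response would be.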

Technically, an unencrypted URL can also be intercepted via the SNI (Server Name Indication) field of a request, a special extension of the TLS protocol that makes it possible to report the host name during the "handshake" that opens a cryptographically protected SSL session.

Diagram of how the TLS 1.3 protocol works with Encrypted SNI enabled

For these purposes, a standard for encrypted transfer of the host name, Encrypted SNI (ESNI), has been developed, in which the client system obtains the server's public key from DNS and encrypts all data before the TLS session begins. As of September 2019, a number of CDN providers experimenting with DNS-over-HTTPS implementation also support Encrypted SNI technology.[4]
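The SNI leak described above, as an added example that is not part of the original page: a minimal TLS ClientHello record is constructed with and without a plaintext server_name extension, and a parser reads back what an on-path observer (a provider's filter) can see. The no-SNI case stands in for a connection that has moved the name into an encrypted extension (ESNI/ECH), which a filter reading the ClientHello cannot recover; the record bytes are constructed, not captured from a real connection.

```python
import struct
from typing import Optional

def build_client_hello(server_name: Optional[str]) -> bytes:
    """Constructed minimal TLS ClientHello record. With a name it carries a plaintext
    server_name extension; with None it carries no SNI extension at all, standing in
    for a connection that sent the name only inside an encrypted extension (ESNI/ECH)."""
    exts = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    body = (
        b"\x03\x03" + b"\x11" * 32             # legacy_version, random (constructed bytes)
        + b"\x00"                              # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"   # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                          # compression_methods: null only
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes) -> Optional[str]:
    """Host name readable from the ClientHello on the wire, or None when no plaintext
    server_name extension is present (the ESNI/ECH case) or this is not a ClientHello."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None                            # not a handshake record / not ClientHello
    off = 9 + 2 + 32                           # past record+handshake headers, version, random
    off += 1 + record[off]                     # session_id
    off += 2 + struct.unpack("!H", record[off:off + 2])[0]   # cipher_suites
    off += 1 + record[off]                     # compression_methods
    if off + 2 > len(record):
        return None                            # no extensions block at all
    ext_end = off + 2 + struct.unpack("!H", record[off:off + 2])[0]
    off += 2
    while off + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", record[off:off + 4])
        off += 4
        if etype == 0x0000:                    # server_name: list length, name_type, name length, name
            name_len = struct.unpack("!H", record[off + 3:off + 5])[0]
            return record[off + 5:off + 5 + name_len].decode("ascii")
        off += elen
    return None
```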

See also

Notes