Re: [hrpc] "Paul Vixie and Peter Lowe on Why DoH is Politically Motivated"

Jacob Appelbaum <jacob@appelbaum.net> Mon, 15 November 2021 16:00 UTC

In-Reply-To: <9AB66003-9285-4418-9BC4-9A415F033F26@pch.net>
References: <YZJPwEUqvCvCUVRz@sources.org> <9AB66003-9285-4418-9BC4-9A415F033F26@pch.net>
From: Jacob Appelbaum <jacob@appelbaum.net>
Date: Mon, 15 Nov 2021 17:00:44 +0100
Message-ID: <CAFggDF34M0EhPO8a4WyG7mxFpADfuDOJS+9aTMkF5wk3WfumeQ@mail.gmail.com>
To: Bill Woodcock <woody@pch.net>
Cc: Stephane Bortzmeyer <bortzmeyer@nic.fr>, hrpc@irtf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/hrpc/UVnYz5-YRy7OPXLPsKZXu059urs>
Subject: Re: [hrpc] "Paul Vixie and Peter Lowe on Why DoH is Politically Motivated"

Hello Bill,

On 11/15/21, Bill Woodcock <woody@pch.net> wrote:
>
>
>> On Nov 15, 2021, at 1:17 PM, Stephane Bortzmeyer <bortzmeyer@nic.fr>
>> wrote:
>>
>> It's funny (no, actually, it's sad) that some people, in 2021, still
>> use "political" as an insult and criticize a protocol as being
>> "political" (especially in the fields of security and privacy where
>> things are even more political than the average network protocol).
>
> Well, I agree that the word “political” is not a useful one in this
> context.

Indeed. What seems especially not useful here is that the default
situation isn't critically examined as a political choice; only the
reactionary designs to that default choice are called political? Huh,
okay. This is to say nothing of the fact that it is uncontroversial
to claim to be performing DNS intelligence at all. Huh, strange...

> But in reading what they said, I don’t find much else to disagree with…

Does this mean you don't disagree with people doing "intelligence" on
the DNS as is claimed in the discussion? I have always found this a
perplexing aspect of the DNS - it is vulnerable to network
surveillance and even censorship by (only slightly obfuscated) design.

> DoH
> is a black mark on the reputation of the IETF, and its adoption as a
> standard was a sad day for privacy.

I find this position perplexing - was it a sad day for privacy when
the IETF (a.k.a. the kingmakers of the DNS standards) did not pursue
query/response privacy on the wire as a first class goal? Or when it
refused to adopt TLS or another secure protocol that provides query
and response privacy as the DNS server-to-server protocol for all
communications? I realize that such a radical change would interfere
with some countries' desire to be able to perform DNS surveillance and
censorship.

As the DNS is secured, the censorship infrastructure will improve,
they claim. These improvements will be tied to the technological and
economic capabilities of the adversary attacking users, of course.
This observation of theirs seems true, but does that mean that we
should thus leave the DNS vulnerable to interception, analysis, and
often tampering? No, it doesn't follow. DNSSEC solves part of this
problem but not all of it. The surveillance and censorship
infrastructure will improve in almost every case regardless of the DNS
privacy offerings.

Isn't it completely obvious that until and unless the DNS (eg:
starting with the root servers) offers meaningful security, someone or
some company will add it somewhere else? The notion of
meaningful security includes authenticity, integrity, and *especially*
confidentiality (aka privacy) of queries and responses. This notion of
confidentiality that isn't even end-to-end (like DNSCurve, also
mentioned by the two gentlemen). In either case, strict
confidentiality is a property that even DNSSEC failed to deliver.

If all (especially authoritative) DNS servers, including the root
servers, offered encrypted, authenticated communications channels, few
would need a centralized DoH or DoT service to achieve query
confidentiality. A major driving force from my perspective behind DoH
and DoT is that people don't trust their local network not to extract
information from the DNS (as Paul Vixie observed in this discussion).
Another major driving force is related to censorship desires of users
and network administrators. I think the DNS makes a lot of compromises
to accommodate censorship and surveillance requests and there
certainly isn't as much transparency as might be desired by users of
the DNS. It doesn't seem that people here are objecting to the
censorship or surveillance practices of certain providers as much as
other issues, for example, who does it now vs who did it previously.

Users and network administrators often use DoH or DoT because of ease
of use, well-populated caches, censorship features (eg: blocking
specific kinds of names on specific kinds of networks), and other
features that appeal to network administrators as well as business
administrators. It seems almost inevitable that someone would offer a
secure way to connect to the DNS, and with it, they will bring in
centralization, and other kinds of controls. One way to fight against
the centralization is clearly to ensure that the centralized service
doesn't offer something that is so appealing that it becomes
worthwhile - for example a TLS endpoint.

From my perspective there also appear to be significant conflicts of
interest. Consider that some companies and some people who run
important DNS infrastructure also run surveillance operations (eg:
passive DNS surveillance) against the network traffic reaching that
service while also not offering a secure way to reach that very same
server. It is the lack of a secure connection that enables passive
(and active!) surveillance of DNS queries/responses near the DNS
servers as well as at every point along the network path. We're not
even discussing the ability to make an anonymous query which is yet
another problematic issue that remains unaddressed by the DNS
generally. This is especially frustrating since there has been next to
no deployed work on how we might solve actual anonymous querying at
scale. So even with encryption we're not really speaking of anonymity.
Several types of DNS surveillance will still learn information about
the querying party by source IP and this can be correlated with logs
that are also often kept by operators of the DNS.

My sense is that those doing DNS surveillance don't want to give up
any power at all, and DoH/DoT essentially ends the conversation in a
fairly rude way. The DoH/DoT provider is able to see the source of the
query, and the query itself, as well as any responses. Meanwhile,
upstream the DNS just sees a collection of huge proxies which deprives
them of client IP addresses, client queries, and of course, the
related responses. So the DNS surveillance at the root becomes less
effective, and the surveillance abilities move to the DoH/DoT
provider/network. Huh, how might we fix that?

Why in 2021 do we still lack a standard, secure way to reach every
root server as well as any other DNS server?

Surveillance and censorship, of course!

More specifically, it looks like surveillance capitalism[0], and it
appears that there are at least two major factions arguing over who
shall see and thus own the data. The people who
design/deploy/run/monitor the DNS, and the people who run large
caching servers with TLS endpoints as well as other features. I think
application developers generally want this to be a solved problem, so
they're simply using the solutions that solve their problems. What
alternatives exist for them other than saying no, no query privacy for
you? Not many.

Perhaps the interests of decentralization vs centralization will
finally break this tug of war. Ideally the root servers will finally
offer a secure way to reach them, obviating the need for TLS-based
privacy enhancements provided by DoH/DoT, especially those that are
run as large centralized services. Yes, those ports will be censored
by some parties (eg: entire countries), and this will be something
that can be seen by everyone. It's uncomfortable to bring this dirty
laundry out into the open, I realize.

It goes without saying that if there was a way to have end-to-end
encrypted queries/responses (eg: as DNSCurve did years ago) it would
largely ensure that those centralized services would be unable to
extract almost anything of value. That's a major part, but not the
only part, of why they exist - they're not running those services for
altruistic reasons. Adopting an end-to-end encrypted design has
caching downsides, so I don't expect people to push for it anytime
soon. Caching is clearly another large motivation behind centralized
services as latency improvements provide an advantage over other
distributed/decentralized systems like using the DNS directly at
times.

If we look at what Zuboff says with her surveillance capitalist
critique [0] then we might be well served to consider DoH/DoT as a
market response to performance, control, as well as the obvious
privacy concerns. What will the response of the IETF or DNS operators
be to this shift in the market? Maybe it might include giving up
passive DNS surveillance as it is performed today? Might it include
finally designing, and deploying meaningful query/response privacy in
the DNS system at every point?

I hope so but it seems doubtful to me. After all, the various
conflicts of interest are still highly relevant to the possible
solution space. The benefits of performing the surveillance by various
operators seem to outweigh the value of even the infrastructure
itself to those same operators. DoH/DoT appears to be changing that
value proposition in a way that clearly makes the "old guard" (no
ageism implied here) of the DNS uncomfortable. Through Zuboff's
surveillance capitalism analysis lens, we might be correct to say that
we are watching two (and sometimes more) extractive surveillance
capitalist camps complain about fairness of who does the
surveillance. It really is something to watch from a distance.

Perhaps there is another choice... What if we... did away with DNS
"intelligence" and actually secured the DNS with regard to
confidentiality of user queries/responses as well as server-to-server
confidentiality? What if we agreed to purposefully blind all these
network sniffing and injecting adversaries? Answering "no thanks" is
of course a valid option, and it's why there are people who use
DoH/DoT, or similar systems like DNSCrypt, and even DNSCurve. This is
to say nothing of secure decentralized solutions like Namecoin. My
guess is that these alternative options will not beat out the DNS any
time soon but eventually "secure" centralized systems will likely
become a serious existential threat to the DNS. Frustratingly, DNSSEC
does not really help us here as it even invites untrusted third
parties to be involved in relaying data.

Kind regards,
Jacob

[0] https://news.harvard.edu/gazette/story/2019/03/harvard-professor-says-surveillance-capitalism-is-undermining-democracy/
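The post argues two concrete points: a classic DNS query carries its question in cleartext, so any on-path observer (and a passive-DNS collector near the server) reads it together with the client address, while DoH/DoT only moves that visibility to the resolver operator, who decodes the identical wire-format message inside the TLS session. The script below is an added illustration of that vantage-point model and is not code from the post or from any of the projects named in it. It encodes an RFC 1035 query, parses the question name the way a sniffer would, wraps the same bytes in the RFC 8484 GET form (base64url, padding stripped, in the `dns` parameter), and returns what each observer learns. The hostnames, the client address and the simplified "observer" functions are constructed assumptions; the model deliberately ignores side channels such as packet sizes and timing, which a real on-path observer of DoH/DoT still sees.

```python
"""Who learns the DNS question at each vantage point: plain UDP DNS vs DoH.

Added example for the discussion above, not part of the mailing-list post.
All names, addresses and the resolver hostname are constructed.
"""
import base64
import struct

TYPE_A = 1
CLASS_IN = 1


def build_dns_query(qname: str, txid: int = 0x1234, qtype: int = TYPE_A) -> bytes:
    """Encode a minimal DNS query in RFC 1035 wire format:
    12-byte header (RD bit set, one question) followed by the question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    question = labels + b"\x00" + struct.pack("!HH", qtype, CLASS_IN)
    return header + question


def parse_qname(msg: bytes) -> str:
    """Decode the first question name from a DNS message. This is exactly
    what a passive on-path sniffer reads out of an unencrypted UDP payload.
    Compression pointers do not occur in a freshly built question section."""
    pos = 12  # skip the fixed header
    labels = []
    while True:
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def doh_get_url(resolver_host: str, msg: bytes) -> str:
    """RFC 8484 GET form: the same wire-format message, base64url-encoded
    with padding removed, carried in the `dns` parameter. The URL itself is
    only ever sent inside the TLS session to the resolver."""
    b64 = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return f"https://{resolver_host}/dns-query?dns={b64}"


def doh_provider_view(url: str) -> str:
    """What the DoH operator (the TLS endpoint) learns: it restores the
    padding, decodes the parameter and sees the full question, exactly as a
    plain resolver would."""
    b64 = url.split("dns=", 1)[1]
    b64 += "=" * (-len(b64) % 4)
    return parse_qname(base64.urlsafe_b64decode(b64))


def observer_plain_dns(client_ip: str, udp_payload: bytes) -> dict:
    """Simplified on-path observer of classic DNS (constructed model):
    it learns the source address and the question."""
    return {"client_ip": client_ip, "qname": parse_qname(udp_payload)}


def observer_doh(client_ip: str, resolver_host: str) -> dict:
    """Simplified on-path observer of DoH (constructed model): it learns only
    the TLS metadata, i.e. which client talks to which resolver (the SNI),
    not the question inside. That question is now visible to the DoH
    provider instead (see doh_provider_view)."""
    return {"client_ip": client_ip, "sni": resolver_host, "qname": None}


if __name__ == "__main__":
    query = build_dns_query("www.example.test")
    print("on-path, plain DNS :", observer_plain_dns("192.0.2.10", query))
    url = doh_get_url("doh.example.test", query)
    print("on-path, DoH       :", observer_doh("192.0.2.10", "doh.example.test"))
    print("DoH provider sees  :", doh_provider_view(url))
```

The encoder reproduces the `dns=` value given as the example in RFC 8484 when fed a query for `www.example.com` with transaction ID 0, which is a convenient check that the wire format and the unpadded base64url are right. Adding DNSSEC to this picture would append signature records to the answer but leave `parse_qname` working unchanged on the question, which is the confidentiality gap the post describes.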