DNS over HTTPS – What is it, and why should you care? – WS 06 2019

From EuroDIG Wiki
Jump to navigation Jump to search

Consolidated programme 2019 overview

Title: DNS over HTTPS: what is it, and why should you care?

Proposals assigned to this session: ID 123, 175 – list of all proposals as pdf

You are invited to become a member of the session Org Team! By joining an Org Team you agree to that your name and affiliation will be published at the respective wiki page of the session for transparency reasons. Please subscribe to the session mailing list and answer the email that will be send to you requesting your confirmation of subscription.

Session teaser

DNS-over-HTTPS is a new protocol that could fundamentally change the way DNS works today, providing less or more privacy depending on how it is used, disrupting many network security measures, shifting jurisdiction and Internet content control away from Europe, and fostering further centralization of the Internet into the hands of the big global platforms. It affects almost any stakeholder – users, governments, civil society, ISPs, network administrators... Come and participate in an open discussion on what could be done about it.

Session description

As part of its efforts to encrypt all communications, the IETF has recently released two protocols to encrypt the flow of DNS queries between user devices and their "name servers" (resolvers): DNS-over-TLS and DNS-over-HTTPS. The latter has spurred quite some controversy, as the deployment model chosen by the first major browser to embrace it, Mozilla's Firefox, would radically change the way consumer DNS services work today, giving to browser makers significant control over the choice of the resolver, and promoting the use of centralized global resolvers in place of the local ones traditionally supplied by Internet access providers.

The set of DNS queries performed by a user allows an observer to track almost any connection to any Internet service; it thus constitutes sensitive personal information. Encrypting the communication provides users with increased privacy, preventing ISPs from tracking or mangling their DNS queries, but centralizing all user queries on a few resolvers run by the big Internet operators, many of which have "surveillance capitalism" as their business model, can create an even bigger privacy and control problem.

Moreover, ISPs monitor and alter DNS queries for network security reasons, blocking access to malware and phishing websites, detecting infections and stopping botnets from working and propagating; corporate networks build their security over DNS-based mechanisms such as local names and "split horizon" configurations; all of this would stop working with DNS-over-HTTPS.

In terms of performance, global resolvers run by the big players could offer quicker responses, especially in countries where the local infrastructure is poor; the current public resolver usage patterns show this, with high penetration rates concentrated in Africa and the Middle East. However, local resolvers, in conjunction with content delivery networks, can tailor their replies to direct local users to the fastest source of the content, while global resolvers cannot do this without knowing the originating IP subnet in detail, again creating a privacy issue.

But DNS-over-HTTPS also affects human rights and national sovereignty; if browsers lead their users towards a resolver located in a foreign country, the user's country loses jurisdiction on DNS queries, while the resolver's country gains it. If the user's country censors the Internet heavily, switching to another jurisdiction will defeat censorship and increase the user's freedom of access and expression; however, the resolver's country will now be able to apply its own censorship to foreign citizens as well. The few private global resolver operators will also acquire the possibility to prevent access to content and to determine the policies for the DNS namespace.

Moreover, there are cases in which countries use DNS regulation to protect other people's rights, by barring access to content such as hate speech, totalitarian propaganda, illegal gambling; and there are cases in which Internet users voluntarily request their ISP to block access to content, such as with parental controls for families. All these mechanisms will stop working if remote resolvers connected via DNS-over-HTTPS are adopted by browsers as the new standard, while the use of DNS-over-TLS connections to the ISP's resolver would not create the same problems.

This discussion is particularly relevant to Europe, in view of the lack of European browsers and Internet platforms, of the less effective privacy regulations that American services are subject to, of the abundance of DNS-based content control mechanisms, and of the widespread concerns about the ongoing process of centralization of the Internet, of which this case is yet another instance.

The session will explain these and other issues, document the various views and provide a venue for discussion and collective brainstorming on possible solutions from a European viewpoint.

Format

The session will start with an introductory presentation to ensure that all participants are on a level field. The presentation (15 minutes) will cover:

  • Basic technicalities of encrypted DNS protocols for a non-technical audience
  • History and current deployment plans
  • Description of the policy issues that derive from the adoption of these protocols (DoH especially)

After the presentation, we will have a few “key participants” expose the views of specific stakeholder groups and make some proposals (15 minutes). Then we will brainstorm openly among participants, with a facilitator that tries to extract commonalities, starting with a “diverging” phase in which people can add more proposals to the discussion (15 minutes), working in breakout groups if necessary, and then a “converging” phase in which we try to ascertain support for the various proposals (40 minutes).

At the end, the facilitator will recap the results and ensure that everyone is happy with them (5 minutes).

Further reading

Until .

Links to relevant websites, declarations, books, documents. Please note we cannot offer web space, so only links to external resources are possible. Example for an external link: Website of EuroDIG

People

Until .

Please provide name and institution for all people you list here.

Focal Point

  • Vittorio Bertola

Organising Team (Org Team) List them here as they sign up.

  • Chivintar Amenty, YouthDIG 2019
  • Wolfgang Kleinwächter
  • Peter Koch
  • Collin Kurre, ARTICLE 19

Key Participants

Key Participants are experts willing to provide their knowledge during a session – not necessarily on stage. Key Participants should contribute to the session planning process and keep statements short and punchy during the session. They will be selected and assigned by the Org Team, ensuring a stakeholder balanced dialogue also considering gender and geographical balance. Please provide short CV’s of the Key Participants involved in your session at the Wiki or link to another source.

Moderator

The moderator is the facilitator of the session at the event. Moderators are responsible for including the audience and encouraging a lively interaction among all session attendants. Please make sure the moderator takes a neutral role and can balance between all speakers. Please provide short CV of the moderator of your session at the Wiki or link to another source.

Remote Moderator

Trained remote moderators will be assigned on the spot by the EuroDIG secretariat to each session.

Reporter

Reporters will be assigned by the EuroDIG secretariat in cooperation with the Geneva Internet Platform. The Reporter takes notes during the session and formulates 3 (max. 5) bullet points at the end of each session that:

  • are summarised on a slide and presented to the audience at the end of each session
  • relate to the particular session and to European Internet governance policy
  • are forward looking and propose goals and activities that can be initiated after EuroDIG (recommendations)
  • are in (rough) consensus with the audience

Current discussion, conference calls, schedules and minutes

See the discussion tab on the upper left side of this page. Please use this page to publish:

  • dates for virtual meetings or coordination calls
  • short summary of calls or email exchange

Please be as open and transparent as possible in order to allow others to get involved and contact you. Use the wiki not only as the place to publish results but also to summarize the discussion process.

Messages

A short summary of the session will be provided by the Reporter.

Video record

Will be provided here after the event.

Transcript

Will be provided here after the event.