The Impact of DNS Encryption on the Internet Ecosystem and its Users – WS 03 2020
11 June 2020 | 11:30-13:00 | Studio The Hague | | |
Consolidated programme 2020 overview / Day 1
Proposals: #58, #132, #143 (#161)
DNS over HTTPS (DoH) is a technical standard for enhancing the privacy and security of end users by preventing man-in-the-middle attacks and eavesdropping on DNS traffic. Browser vendors have proposed different implementation models of DoH but essentially some of these might lead to the centralization of internet infrastructure. The session will look into what are the effects of centralized and encrypted DNS name resolutions on cybersecurity as well as the effects of browser centric control of core infrastructure functions on policy making and Internet architecture.
The session will dive into different models of implementation of DoH, as suggested by the browser community, looking into their effects on end-user “security”. The DoH was amongst other things, designed to prevent man-in-the-middle attacks, in addition to enhancing end-users' privacy by encrypting the DNS traffic. Yet its broader effects on cybersecurity, beyond privacy, have not been addressed in the discussions so far. Some of the specific security questions this session will look into are following (but not excluded to): What are the potential effects of encrypted DNS on monitoring phishing attacks and/or malware distribution/spoofing etc? What is the role (if any) of DNS resolver operators (both with and without DoH) in mitigating the internet infrastructure security threats?
Additionally, the different implementation models of DoH (as proposed by the browser community) entail a potential risk of centralisation of internet infrastructure. Concentration of DNS resolution requests in several “focal points” may lead to significant change in the internet landscape and it raises the question about “Who is responsible for quality service of internet access for end-users?”. It may also lead to revision of the existing collaboration patterns between Internet Service Providers, Content Delivery Network operators and Browser vendors. Who will be responsible for “it just works” effect for end-users? What are the effects on the market balance in providing cybersecurity services if any? Which new business cases can arise from the shift in power balance?
Until 11 May 2020.
Please try out new interactive formats. EuroDIG is about dialogue not about statements, presentations and speeches. Workshops should not be organised as a small plenary.
Links to relevant websites, declarations, books, documents. Please note we cannot offer web space, so only links to external resources are possible. Example for an external link: Website of EuroDIG
Until 27 April 2020.
Please provide name and institution for all people you list here.
- Mikhail Anisimov
- Peter Koch
Organising Team (Org Team) List them here as they sign up.
- Vittorio Bertola
- Eva Ignatuschtschenko
- Andrew Campling
- Thomas Grob
- Kris Shrishak
- Ondrej Filip, CZ.NIC
- Nicolai Leymann, Deutche Telecom
- Vittorio Bertola, Head of Policy & Innovation, Open-Xchange
- Andrew Campling (session moderator)
- Mikhail Anisimov (online moderator)
Trained remote moderators will be assigned on the spot by the EuroDIG secretariat to each session.
- Ilona Stadnik, Geneva Internet Platform
Current discussion, conference calls, schedules and minutes
See the discussion tab on the upper left side of this page. Please use this page to publish:
- dates for virtual meetings or coordination calls
- short summary of calls or email exchange
Please be as open and transparent as possible in order to allow others to get involved and contact you. Use the wiki not only as the place to publish results but also to summarize the discussion process.
- The encryption of DNS queries (DoH, DoT) has different effects on end-users, ISPs, operating systems, browsers, and applications.
- Though DoH can result in stronger privacy and security for an end-user, it can also bring additional problems, such as limited choice of DNS resolvers, as well as specific browser or OS configurations and their upgrades. For ISPs it creates even more problems – the balance of power between browser and operator communities is broken, bringing forth high risks of market and network centralisation.
- We have to work on deployment models that will address these problems, keeping in mind the education of end-users about DNS operations and increasing the level of trust in ISPs and DNS resolvers.
- We also need to think about legal aspects of relationships between end-users and DoH/DoT providers.
Find an independent report of the session from the Geneva Internet Platform Digital Watch Observatory at https://dig.watch/resources/impact-dns-encryption-internet-ecosystem-and-its-users.
Provided by: Caption First, Inc., P.O. Box 3066, Monument, CO 80132, Phone: +001-719-481-9835, www.captionfirst.com
This text, document, or file is based on live transcription. Communication Access Realtime Translation (CART), captioning, and/or live transcription are provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings. This text, document, or file is not to be distributed or used in any way that may violate copyright law.
>> SANDRA HOFERICHTER: So Nadia, I see the next session in your studio is about encryption and I see already around 60 participants joined your studio already. I guess these are the ones that will be speaking on this workshop. I wish you a fruitful session and we will come back after your session, to the big stage in your studio here.
>> NADIA TJAHJA: Wonderful. We look forward to having you back.
>> SANDRA HOFERICHTER: See you later, Nadia.
>> NADIA TJAHJA: Thank you so much.
>> SANDRA HOFERICHTER: I would like to connect with our next studio, which is Berlin and in Berlin, we have Elizabeth. Hi, Elizabeth. Nice to see you!
>> ELIZABETH SCHAUERMANN: Hi, Sandra. Good morning.
>> SANDRA HOFERICHTER: I see weather in Berlin is perfect!
>> ELIZABETH SCHAUERMANN: At least on our background it is.
>> SANDRA HOFERICHTER: Wonderful. Elizabeth, did you follow so far the EuroDIG a little bit or –
>> ELIZABETH SCHAUERMANN: Yeah, I could tune in today for the opening before we did our setup here and it’s really good to see that everything went well so far.
>> SANDRA HOFERICHTER: And I also see first people are already connecting your session, including the moderator Vladimir Radunovic. He’s a very experienced person with remote moderating and with him as the studio moderator or the session moderator, you will be on the safe side. Hi, Vladimir, I see you already. Perfect!
So then I wish you a fruitful day, and one thing that we should mention, our studio in Berlin, here we are going to do a great experiment, because this is going to be the networking area. We said already networking in virtual meeting is a difficult thing. Nevertheless, we try. And Nadia will be the networking host in the lunch break, and she will have prepared some questions on Mentimeter. But in case it doesn’t really work out, we take the liberty to play some music in your studio as well.
Of course, I hope that you will be able to offer some great networking opportunities for our participants. Good luck, Nadia.
>> NADIA TJAHJA: Thank you, Sandra. See you later.
>> SANDRA HOFERICHTER: Elizabeth, by the way, not Nadia, I’m sorry.
>> That’s lot of names in a short amount of time.
>> SANDRA HOFERICHTER: Okay. Thank you.
And then let’s take the bridge further to our studio in Triesta. Markko, you are sitting in front of the Miramare Castle.
>> We rented a boat and we are sitting in in front. And I hope you will be able to see it next year and we are just behind the castle. And the picture that you can see is really what you get when you go to Triesta and when you participate in the EuroDIG next year in the ICTP facilities.
Know that this ICTP, but it is just around the corner. Markko, the session in your studio will deal about innovative use of blockchain empowerment.
Nadia thank you also again for all the effort that you put into the session, and I wish you and Markko and the entire team in studio in Triesta all the good luck. And with this I think we are ready to go, and I hand over to all three studios and you at 1:00.
Over to you.
>> NADIA TJAHJA: Thank you very much, Sandra.
So good morning from studio the Hague. My name is Nadia Tjahja, I’m joined by our remote moderator, Auke Pals.
>> AUKE PALS: I’m monitoring the forum as many of you are also using that for discussion.
>> NADIA TJAHJA: So as we get started I want to go over the code of conduct. It’s your contribution, your thoughts and ideas and questions that make these so inspiring. I hope you will choose to actively participate in these virtual situations. Now that you have joined the studio, you will be able to see your name in the participants list and make sure you have your full name displayed. You can set this up by clicking on your name and choose the option rename. When you entered the room, you were muted. This is to prevent feedback which could disturb the session. Please raise your hand if you have a question and unmute you.
When you are unmuted, please switch on your video. Please let us know who you are by stating your name and affiliation. Without further ado I would like to introduce the moderator, “The Impact of DNS Encryption On the Internet Ecosystem and Its Users.”
Andrew Campling, you have the floor.
>> ANDREW CAMPLING: Good morning, everyone, and thank you to the first workshop of EuroDIG. As Nadia said, my name is Andrew Campling, I will be moderating the discussion today, supported by Mikhail Anisimov who will be acting as the online moderator. I will be joined by Ondrej Filip, Nick Leymann, and Vittorio Bertola and Ilona Stanic, who will be the recorder, just to give you some background to who is involved.
The topic we are discussing today is encrypted DNS, specifically DNS over HTTPS or DoH as it’s often called. And to give us context, I will briefly remind you of the session teaser because I’m conscious that maybe not everyone will have a chance to read the EuroDIG wiki before joining the session.
So DoH is a technical standard, a fairly recently introduced technical standard designed to enhance the privacy and the security of end users by preventing so‑called man in the middle attacks and eavesdropping on DNS traffic. And browser vendors and others have proposed different implementation models for DoH but essentially some of those may lead to the centralization of infrastructure, and our session today, we will look into the effects of centralized and encrypted DNS, name resolution on cybersecurity, as well as some of the effects of browser‑center control of infrastructure functions on policy making and the architecture of the Internet.
We will endeavor, as far as we are able to focus more on the policy aspects rather than the pure technical aspects, although they are closely interlinked today.
The structure of the session is we will have short opening comments from each of our key participants, and then we’ll move into the most important part, which is the discussion, which will involve as many people as possible from the various channels, including the Zoom room and the other channels, as was explained earlier.
We will aim to draw the conversation to a close by around or just after 12:50, in order to allow the reporter from the Geneva Internet Platform for our session to share some of the session messages and gain agreement to those messages from the participants and the audience through rough consensus, because I’m sure we won’t 100% agree. So that’s the plan for the session today.
So what I would like to do without further ado, is to introduce our key participants.
So firstly, I will ask Ondrej Filip, the CEO of the main registry to share with us his opening thoughts. So if we could unmute Ondrej, please.
>> ONDREJ FILIP: Hello, everybody. Can you hear me well?
>> ANDREW CAMPLING: Yes, we can.
>> ONDREJ FILIP: Thank you very much. I prepared a couple of slides, but to be honest, I’m not sure if I can show them now. So I will start with our slides and maybe I will be able to manage it later. Let me start with a very brief introduction of the technology. I know it was said at the beginning that this panel should be focused on policy, but I think the technology explanation is very important.
In every – in a normal run of DNS, there are several actors in the game that the traffic initiates or passes through, that’s your browser, for example, some of your application, then we have an operating system, that has stop revolver, and then usually we have some revolver in your network, in your home network or corporate, which is very often just a router that routes the traffic to some revolver that really does the resolution, that does the reclusive resolution and then we have the alternate service.
We can officer the five players in this game which is quite a lot and all of the traffic is unencrypted. There’s a technology called DNSSEC this is nothing to do with the DoH, and so that’s a separate issue. DNSSEC helps to ensure the transmission.
We have a new technology and that’s DoH, and this has the ability to bypass, basically, some of noes actors in the game. The ability of this technology allows that the browser, the application, has its own revolver and this revolver is basically located outside the network, and outside the control of the corporate network, the whole network in case, for example, if you have the parental control home.
So that’s a significant change. The traffic is encrypted. So that sounds really good. On the other hand, the choice of revolvers currently is pretty limited. Basically every application has some default. The application that enforces it which is not much these days but application that enforces the DoH has some default revolver which might be changed. That’s of course and option but the default setups are usually the most common. People don’t usually change those settings and that’s a significant problem.
So basically DoH is not just distinguishable from the normal HTTPS traffic. So that’s another issue. Because that means that nobody who is – oh, thank you very much for the slides.
So I was describing the situation in slide number two. If you can see the – show the picture, please. Thank you very much.
So here’s an example of how the traffic knows. You can see the blue arrows means the unencrypted traffic and the red or orange or what color is that, is encrypted traffic. As you can see one scenario – there are multiple scenarios. Please notice that DNS is very powerful protocols and many scenarios can be used.
But in very typical scenario, the application system revolver and the enterprise is usually bypassed and that causes several issues if you can please go to the next slide.
DoH is not distinguishable from the normal HTTPS protocol. That means that operator of the firewall of the corporate, you know – the edge of the corporate network has no clue what kind of traffic is, there and usually in DNS, there are often some principles that either prevent a user from using – from entering several sites, usually because of some maybe some security reasons. Also DNS in this point is very often used for parental controls. So user that uses DoH is just bypassing those controls.
There is also some security issues related with that. For example, in many corporates, you have split DNS, which means if you have a DNS inside the network, you can enter several sites and there’s some internal DNS still, while you could go from outside that DNS was hidden, but, of course if you can bypass the – the corporate firewall, then the query for internal sites go to the external reserver and it’s probably not resolved. But the external revolver has some knowledge about the internal network that also includes the reverse DNS look up. So that’s another issue that you can provide some information about internal network which is not, of course, intended.
Another aspect is related to some, let’s say, legal issues. In many countries, including mine, for example, there are some restrictions for several web. Those are websites that have games, online casinos and stuff like that. And, of course, it’s very easy and very handy to, again, enforce this policy in DNS. So the law says that ISPs should block these sites and there’s a list of those sites and those sites are just names. The only way you can start the user is to enforce this in DNS. Of course, with DoH, if I’m using revolver from a company outside my country, this is not possible.
So there’s also a small issue with the local legislation. Next slide, please.
And then, we have several operational issues which is something maybe my colleague from ISP will comment much farther, if you have the different DNS provider and Internet service provider and there’s some issue with connectivity, it’s not easy to troubleshoot who is actually responsible for that.
Also the same applies on the single machine. The application has a different revolver and so troubleshooting tools that were kind of invented or that are used for troubleshooting those problems are now not working because they are using different things.
And a big and huge discussion that I hope we will have today is the issue of shift of power, of the centralization of DNS queries. Currently in the traditional model, we have a lot of DNS revolver and every Internet service provider, every enterprise has its own revolver. So it’s very fractioned across the system with a lot of players. Nobody has a significant power there, but with DoH, especially if we are talking about DoH in browsers as a major application, we all use daily, this might be an issue.
If all the browsers will use, let’s say, two or three DoH providers, now we will concentrate most of the DoH to a few companies, which might be a problem for stability and robustness of the Internet. Of course, such a company is a perfect target. It has some privacy issues. Again, I hope we will have some further discussions, but very briefly, currently, you know, if you are connected to the Internet, your ISP, of course, has a lot of information about your behavior. The provider, can you know – knows what size are you looking at, and what services are you using.
And DNS is one part of that information, but for the ISP, its not the key one. So you provide the DNS information. So there’s another provider that has information about you and the sites you access. So you extend the group of companies that has some information – private information about you.
And also the shift of powers – the shift of power means one more thing, currently we have a – in the classic model, the kind of power, the way DNS works is mostly based on the decision of authoritative site of the DNS resolution. That means that I can, for example, issue a new domain and can make some change in domains and there’s a whole ecosystem behind ICANN and domain providers like us, for example.
If we will concentrate all the queries just to a few companies, a few private companies, then, of course, one day, they will realize that they have 90% of the DNS, and in their position they could say that some domains could be removed from the DNS. We could have the power of the ecosystem from the traditional model to those companies who can respond to most of the queries.
That’s my very technical introduction and I think I’m happy to pass to the other speakers.
>> ANDREW CAMPLING: Many thanks, Ondrej. I can see that you have already started to stimulate some discussion on chat, which we will get back to momentarily. So many thanks for the comments and explanations. Our second key participant is Nic Leymann. Nick is with Deutsche Telekom and is currently trying – trialing DoH orb DoH revolver in the DT network. So Nick, over to you.
>> NICOLAI LEYMANN: Thank you. Can you hear me? Thanks. And also thanks to Ondrej. So let’s see what is left from my statement, because I think he covered already a lot of the challenges and issues we see.
So thanks for that.
First of all, for all of you in general, of course, DoT and DoH, they are providing additional security for the end users but it depends on the setup and the same audio. If you are looking on the typical home network, the router is connected to our network and using our own DNS servers. The communication in general is secure. So there’s – if there is a middle man, the whole network of the end user and so on, I think, encrypting DNS is probably not the biggest problem the user has in this case because the tech can also see everything else.
It’s different, of course, if you are talking about older environments like hotspots and things like that. So their encryption definitely helps, because there might be people or trackers looking on traffic or things like that. On the other hand, what we also see, at the moment, there’s no clear indication if we are talking about browsers whether DoH is really used or not. So you can switch it on, but you get no feedback at all from the browser during your session. All the DNS requests are really encrypted or not?
So the user may think that it’s encrypted but there’s no encryption because, for instance, the DoH server is blocked or there was a portal page, things like that.
What we also see in the classical models within the providers or ISPs, that most of the DNS traffic goes to their own platform. So, for instance, in DT case, we have in general around 95% of the DNS traffic going to our own platform. There’s a very small fraction of DNS traffic going to external DNS servers, as you can see next page, I think. Yes. As you can see on the statistics here, it’s for one central location. And also most of the user, I guess, 95% or 97%, they have no clue what DNS is. They have never seen it. And on the other hand, their overall user experience heavily depends on DNS. So it’s really critical for user experience performance of the Internet, including performance DNS server, also gives pro performance for the end user.
We also have a bunch of features to optimize the network and we distribute users to the closest CDN location, things like that. We have load sharing for certain applications implemented, for instance, not every user ends up on the same server, but that it distributes them over the servers and, of course, all of those kind of features are necessary to run a network. And that only works if the DNS is owned by us and the user is using our DNS.
In the user is using an external DNS, then we lose those features. I think it’s okay for the number of users which are actively changing their DNS so they can if they want, no problem with that. But say an automatic move to an external platform, that’s really a challenge. Can you go to the next slide, please?
So I think the discussion is not whether it’s really encryption is good or encryption is bad. I think the general agreement is that encryption is good, but the question is, how is it used and what is basically the result of moving certain things into a browser, for instance, and losing control? Because the main challenge is that we, for instance, lose all of those kind of features, they are just not existing any more because an external DNS does not provide that kind of features.
Also, looking on the users, they might have run assumptions on security and data privacy. So they just click on encrypt DNS but they do not know whether it’s encrypted or not. They do not know which servers the traffic is basically hitting in most of the cases.
On the other hand, we have extremely high standards at least in Europe and in Germany in terms of data privacy. So for the user it might be very better just to keep the existing Internet server instead of moving to an external platform, and no one knows where the servers are. And things like auto upgrades, like if a browser didn’t auto upgrade. It may be somewhere in the operating system and most of the users do not know, as mentioned earlier with DNS. So I think in most of the cases they are kind of lost there.
And also the operational aspects are critical. So what happens, for instance, if the user switches on DNS and there’s a problem? Debugging is kind of easy if it’s our own DNS platform, but if the user uses five different browsers and different setting, say, in a home router, it’s extremely difficult to troubleshoot if something goes wrong.
And as mentioned, that’s also a thing which from my point of view is missing, the whole discussion. So first of all, how to educate the user and also to give the user feedback, like – I mean, if you click or if you browse the Internet today, you can see whether the access to the web page is encrypted or not. So it’s clearly signaled inside the browser.
If you for instance, set the security DNS in the browser, you get no feedback at all. With you have no clue whether the traffic is really encrypted or not. And that even might change during your session, depending on certain settings or capabilities of network in between. So I think it’s kind of still one way to go to have sales solution which really fulfills also the requirements in terms of discovery and so on, which is still lacking from the overall solution, and also I would expect again very long discussions about moves and changes in terms of centralization to certain over‑the‑top DNS providers and so on.
So that’s from my side.
>> ANDREW CAMPLING: Excellent. Thank you, Nic. That’s a helpful set of thoughts.
What I would like to do is move on to our final of our three key participants. So I would like to introduce Vittorio Bertola. Vittorio is head of policy and innovation for Open‑Xchange, and Vittorio will give his insights before we move to broaden the discussion. Vittorio over to you.
>> VITTORIO BERTOLA: Hello. Well, good morning and thank you. I think my role here is to recap a little of the policy consequences of DNS and GPS. There are at least pour points that I would like to raise, and maybe put at the center of the discussion.
So the first one is that especially the DoH, it creates changing counter points. So, I mean, also in the balance of power between the platforms, the browser makers and the ISP. Original DNS was an ISP thing. It was basically run by – mostly by the ISPs and now the browser basically becoming the controller of where the DNS queries go.
And so they become the gatekeepers of who can provide the DNS services. And so there is a potential for centralization. So it is a concern here of many, in the browser market, it’s very centralized much more than the DNS operations market is. There could be, in some deployment models the way of self‑preservation, where they decide who can provide most of the answers of the DNS queries and exploit the question to entering the markets and help by the markets like the DNS resolution.
And so in the end, there is a competition issue. The third issue is a potential for fragmentation. I mean, no one – no one DNS operator was big enough to basically create some main space, policy in a way. Everyone is using the ICANN rules – mostly everyone – because that’s the only common way to talk with each other.
In the case where browsers have a big market share, they could be enough to start fragmenting the main space. I think these are kind of things that could have a global impact.
And the fourth point is that it affects the balance between the individual and collective rights, especially when DoH affects the effectiveness of the filters based on DNS and sometimes for security issues by ISP such as malware and parental controls. Of course, DoH was explicitly designed as a technology to stop this from working and so they have this type of filtering, especially one made by governments in the name of freedom of expression which is good to an extent, but then in other parts of the world, such as Europe, there is a difference between the freedom of expression, for example, to are human rights. And so the same for law enforcement, the relationship between law enforcement and privacy. And so this is an open issue.
Of course, these issues depend the deployment models. Different browsers have different deployment models Mozilla was the first one to go full force into DoH, and, of course, this created all the issues that we know. Even if now they basically stopped the deployment to the US, and so apparently they have no plans at this point in time. They made no announcement on bringing the DoH by default to Europe.
Then there’s the Apple model, it’s, I would say, quote/unquote, because it is not an official proposal by Apple, but some Apple engineers, it’s unclear whether it’s a plan of Apple or individual thoughts but they removed them, and basically have the browser contact directly. And so they would have Facebook domains and Google domains and this creates even one more issue because the user is losing control where the data goes. It’s the destinations which decides which is always useful to the domains which is opposite of the model which the user has control of the data.
The final model is adopted by Google and Microsoft and is the least problematic in terms of policy terms because they don’t change the operator they upgrade the connection from unencrypted to encrypted. Still this doesn’t address the fundamental issue that the browser is still the gatekeeper. So the browser is still in charge of making the decisions of who gets the DNS queries and so that’s a real deep changer in the position of DNS servers. So I think in European terms, we have a question for ourselves and for the community, which is where we need to address the issue by policy level. No one wants to regulate the technology which is ever changing but there are at least a couple of principles which are involved in this discussion.
One is the discussion on self‑preservation by platform. So DNS should be supported by your browsers and they should not be disadvantaged by the browser picking certain operators and not others. There should be special attention to smaller operators, and open source. And it can be hosted by individuals.
It would be a problem if browsers could discriminate, for example, to those embargoed in the US. The other point to the regulation is the filtering issue. I mean, there’s a lot of different views of people – some people think that filtering is always bad.
Some people think it’s always good. The problem is that most European countries are doing it. There should be some attention to the fact that at least it’s not in uniform ways and proper guarantees raised of the blocking and against the procedures for redress, when there are mistakes and also there is no circumvention and there’s not this kind of unfair competition so that ISPs are the first to block certain websites in their country but the global platforms can be avoided. And this skews also the competition and directs the choice of the user.
And also it would be very important to have a chance for opening implementations and tolls. So if there were a standard to do this, put in terms of policy and technical terms at least even smaller operators would do this better and it would be possible to have free tools and interoperability and these are the two policy issues related to DNS that might enter into the discussion with the digital service sectors. Thank you.
>> ANDREW CAMPLING: Thank you, Vittorio for those thoughts and broaden the debate somewhat.
Now we will open up for questions. Let’s explain. Those of you on Zoom, you can raise your hand to ask a question or if you want to have the question read out, you can – if you prefix it with a Q so it’s clear you want it read out on the chat and it’s not just a comment for other people in the chat, you can do that.
And I think that our remote moderator is also monitoring some of the channels as well. So we have the ability to pull in questions from elsewhere.
And I note from those explanations, from Ondrej, Nic and Vittorio, I guess one of the challenges is going to be how you explain concepts like DoH to a typical user without confusing them with all the technology. That’s going to be up with of the challenges with the change in the internet going forward.
But let’s see if there are questions that we have logged so far. So I don’t know if Mikhail, I know you have picked up a questions from the chat, if you want to come in with those.
>> MIKHAIL ANISIMOV: Yes, sure. Hello, this is Mikhail, I’m the remote moderator. We have several questions in the chat and actually, I have one that wants to add a comment. So Nadia, could you please help me to switch on the video and audio for Adeel Sadiq?
Adeel, you can unmute yourself.
>> NADIA TJAHJA: The remodorrator has unmuted Adeel. You have the floor.
>> So I’m actually a student in the UK. I understand that DNS is something that we being an end user does not control. So what can I do being an Internet user to protect myself against all that DNS and privacy issues? Like is there a client maybe that I can install that can provide me services like the DO S. or DoT or anything that I can do that if I don’t trust my ISPs or any other organizations? Thanks.
>> ANDREW CAMPLING: Thank you, Adeel, I don’t know if one of our key participants want to come in with a thought on that, in terms of tools that you may wish to comment on.
>> NICOLAI LEYMANN: This is Nic. There are a couple of clients, Firefox, is supporting DoH. So it doesn’t work automatically, at least in Europe. There’s some ideas to make it auto upgrade but you don’t have control over what is going to happen with your data. So I think it was mentioned an important topic is really the user education and also to make sure if you are, for instance, a trust relationship to one of your service providers that you keep that kind of relationship, even if you change, for instance the protocol to DoH or DoT.
>> ANDREW CAMPLING: Hopefully that gives you some ideas in terms of options. But it sounds like you need to become more involved to make those settings work for you. Mikhail, do we have other questions from the Zoom chat?
>> MIKHAIL ANISIMOV: Yes, sure, we have a few questions more. So the question in the chat is, as the global adoption of DNS encryption, whether DoH or a combination there of, can we drop the DNSSEC then? I would also like – I would add if you want to address this question because it’s somewhat specific or you want to address to all of the speakers.
So I think this question is for everyone.
>> ANDREW CAMPLING: Okay. Does anyone want to comment on that?
>> VITTORIO BERTOLA: Well, yeah. I have a comment. Let’s say the theoretical answer is no. I mean DNSSEC is doing something else. It’s about the integrity of the response, the fact that it was not modified. I mean, let’s say we are starting from the root and the authoritative services remaining and getting all the way to the client. But the practical answer is a bit different. In the end, they trust this irrelevant revolver to the DNSSEC. If you trust them to tell you the answer is correct or not. It doesn’t matter whether it’s the user DNSSEC whether the answer is correct or not or whether it uses any other policy or system.
So that point in time, once you – and I mean this is also the thought of some of the DoH proponents. Once you are connecting and authenticated way to the DNS or GPS server or revolver, then you have to trust whatever it says and so it doesn’t make a lot of difference whether DNSSEC is used or not. Since you are not going to check it personally anyway. And this makes things even better, because if you rely on filtering services or amending services, they are done by the revolver and it makes them work which is not the case with DNSSEC.
>> ONDREJ FILIP: If I may join in. DNSSEC does something else. Even if you trust the revolver, there’s certain path that is the no encrypted and then it must be ensured by a different method. Still, DNSSEC is a technology that is in use there, and it’s pretty important to be there, because in the revolver, there might somebody false data that the reserver fetches an might have some consequences which is not possible with the DNSSEC. So that’s a different technology for – to focus on a different thing, and we shouldn’t drop it anyway.
>> ANDREW CAMPLING: Yep. Thanks, Ondrej.
And I think I have seen –
>> MIKHAIL ANISIMOV: We have some more question. Andrew, do you want to comment anything or do you want to go further for another question?
>> ANDREW CAMPLING: The latest stats, the DNSSEC is actually increasing over the last few months. So certainly the introduction of DoH has not slowed the DNSSEC recently.
>> MIKHAIL ANISIMOV: Agreed. We are moving on. We have the next question, it’s also addressed to all the speakers. Does the emergence of DoH create a two‑tiered Internet? Legacy devices can only use DNSSEC and new devices use DoH. And would this necessarily disadvantage the more vulnerable in society at legacy costs?
Remember, this question is for everyone. If anyone from our speakers want to comment, feel free to do so.
>> ANDREW CAMPLING: I think Nic wants to come in there.
>> NICOLAI LEYMANN: Yes, I can say at least a few words. I think it’s – I mean, it’s all about software. So I would say, of course, it’s – I think it’s not so much about new devices and old devices because you can always do a software update. I mean if you are talking for instance, about existing routers and so on, I would say it’s not so much about DoH, its month are about DoT and it’s up to the service provider, ISP or router whether he wants to support it or not.
I think it’s on the – if you are talking about clients, in terms of browsers and other apps, there are basically two models. Every application programmer implements it in the application itself, which is probably a very long way to go or you use something like proxies in between so that you have basically a piece of software sitting on your end device and that kind of piece of software is doing DoH to the server or DoT to the server and it’s not encrypted. I wouldn’t say it’s really about legacy or not legacy, but it’s more a matter of time. You see more and more browsers supporting DoH for the operating systems supporting DoH, yeah.
>> ANDREW CAMPLING: Thanks, Nic. I think Ondrej wants to come in as well.
>> ONDREJ FILIP: No one is dropping the traditional DNS protocol. And, you know, it’s been with us since, I think ’80s, I think ’83 or something like that. So a long time. It would be very impractical to drop this protocol and also the answers you do with the traditional DNS or DoH in theory should be the same. There shouldn’t be a difference. There’s tiny issues like was mentioned by Nic, for example, for optimization to some servers and things like that. But you should receive the same answer. The protocol should be with us and will be with us for a long time. The number of devices that go through the use of the traditional DNS protocol is enormous and it’s not easy to change everything.
So that’s not really a huge change. It might be just the change in there that some of the application is using one DNS provider and another application – another – and both are, you know, sending bits of your private data to some of the providers. So that’s a change, but I don’t think devices will be different.
>> ANDREW CAMPLING: Okay. Thanks, Ondrej.
Mikhail, do we have another question?
>> MIKHAIL ANISIMOV: Yes, actually, we have a lot of questions and I can see that people are really, really interested in.
The next question and it’s a combination of question and comment is also for everyone. I understand the fear of centralization or further market concentration. What do the panelists think of have European ISPs, like Deutsche Telekom offer DoH, and we could offer it as a public service. If we have such European alternatives we could offer DNS services on the legal protection under of the GDPR and in line with or European legal requirements.
This is also to everyone. It’s quite complicated question.
>> NICOLAI LEYMANN: So maybe I start since it mentions DT.
Yeah, I think it’s a good question. Let’s start differently. In the past, DNS was part of the infrastructure of every ISP. So it was meant for the end users of that ISP, and also, I mean, we are looking into implementing or supporting DoT and DoH, but to focus our own customers basically as in the past. I think, of course, you could offer like European DoH service or certain ISPs could do that, but it’s a completely different model, in terms of – well, talking to users which are not, for instance, on your own network and stuff like that. So it would move you to a position like offering over‑the‑top DNS to almost everyone. So it’s a completely different product and setup.
And I think that’s in challenge. Because, well be to be honest, it costs money, it’s complex, how do you do the rollout and so on. It’s very different from the scenarios that we have today, especially on ISP. Because ISP focuses on own infrastructure, service for their own customers and SLA related and so on and that might be very different if you move to a model where everyone from everywhere can basically access your own DoH service.
>> ANDREW CAMPLING: Yeah, thanks, Nic. Ondrej, did you want to comment on that?
>> NICOLAI LEYMANN: Yes, I hope I stated it in my initial speech, but I will try to repeat it again. I think it’s really – the best way to how to use DNS is to use DNS which is provided by your ISP. If you do the no trust your ISP, then you have a problem, because, you know, if you are using a network with an ISP, that ISP has control over parts of your data anyway. It can – it can wiretap your communication. It can see which sites you are accessing and stuff like that. So the best way how to protect your data is not to increase the number of subjects that has some knowledge of your data. So that’s why I would really suggest you use DNS provided by your ISP. And also it means this DNS, if there’s some relationship to the CDNs is in the optimal relationship with CDNs and since all the clients of the ISP are behind the revolver:
So that’s for me probably the best way from the privacy point of view, however, the user is free to use any DNS he or she wants. That’s okay. On my company is providing open DNS revolver which supports the DoH, and some people use it for several reasons, but I don’t think it makes sense to make some, you know, combined European effort for – for DoH service – DNS service.
It doesn’t make sense to me that – anyway, every ISP needs to solve this issue and I think they are doing their best what they can do, and, you know, this wouldn’t probably – nothing special. Although there are some companies that are using DoH and DNS as a filtering service. So that’s for competition. You join this DoH service and they provide you some additional services, like, for example, special filtering or whatever, some protection based on DNS, which is a possibility.
That’s it for market but doing something on European level doesn’t seem logical to me.
>> ANDREW CAMPLING: Thanks, Ondrej. Vittorio, you had a comment?
>> VITTORIO BERTOLA: The answer is yes, they should offer the DoH. In my initial intervention, I mentioned my concerns but there’s a lot of positive to moving to servers. A good ISP should be moving to this after initial testing. And I don’t know if it makes sense to just have one centralized European public revolver. But the point is if you dislike centralization, the more encrypted DNS service you have, the better. So we just need to make sure that once you deploy these, I mean the wealth of new DNS revolvers which are encrypted connections and then it’s possible to use them easily in browsers in any client applications.
>> NICOLAI LEYMANN: I think one more comment, if it’s to the European DoH server, I think it will be very different from the server that the ISPs are running. We have our own features in our DNS servers and they would be available at DoT and DoH as a protocol, but those futures are not necessarily implemented in a European DNS infrastructure. I wouldn’t expect that an off network user from Iceland or wherever wants to have our load sharing for voice. It would be a different implementation.
>> AUKE PALS: I have received also a question and the question. Is. Can we have a system where we do not have a revolver which can monitor which addresses are resolved but rather a blockchain‑like solution where having the nodes to prevent others from seeing which addresses you are visiting?
>> ANDREW CAMPLING: Interesting questioning, Ondrej? Oh, Vittorio.
>> VITTORIO BERTOLA: Yes, my comment is that that’s welcomed. Then if it’s the same name space or a different name space. But the point is that then you would have to trust the blockchains. I mean, the people that run the blockchain which in theory is everyone, but currently is a smaller number. In the end, if you want to get online services unless you are able to yourself, you will always need to trust someone. The point is rather to make sure that you as a user have a choice.
So, for example, I would also advise if you are really concerned with DNS privacy that you could run your DNS revolver yourself in your home network. And it also gets – I mean it brings you the added value of filtering advertising which are broken if you cannot choose your own revolver but indeed it could be a solution if you are very keen on preserving your privacy costs.
>> ANDREW CAMPLING: Thanks, Vittorio. Ondrej.
>> ONDREJ FILIP: Yes, I wanted to add, DNS is just part of this privacy game. While maybe there may be technology, probably not easy that would do a DNS resolution for you, but if you really have those concerns, you don’t trust your ISP, then you should use different techniques like, for example, VPN or stuff like that, you know, just – just, you know, using somehow encrypted DNS does not solve the whole issue. It’s a lot of information that you can hide if you will properly encrypt DNS and also if you would like to use some changing technology for resolution and stuff like that, but that’s not who it is. You can focus on other stuff and especially if you don’t trust your localized regulation in your country, which I don’t think is a European problem but in many countries it’s a bigger problem, but VPN is a better solution than going to pure DNS.
>> ANDREW CAMPLING: Thank you. I noted on the Zoom chat that Tommy Jenson from Microsoft asked a question and obviously we focused so far the discussion on browser implementations of DoH. Some of you may know that Windows 10 is currently testing DoH support as well within the operating system. So if we could unmute Tommy, it would be good to get to Tommy’s input.
>> Hey, can you hear me?
>> AUKE PALS: Tommy is unmuted now.
>> Thank you. The question I posed in the chat is regarding the concern over GDPR requirements for DNS providers.
There was mention of an ITF proposal for adaptive DNS wherein DNS inquiries will be routed to DoH servers designated by the web property owners. I have joined Tommy Pally from Apple on that draft, and my question for this audience is what is the nature of the GDPR challenge there. The queries will be going to a DoH server owned by the same web property owner that will receive the customer’s data via the page load that’s – that results from the DNS query. And so theory, it should be the same parties that had the data before that have the data after that implementation, and so I would believe that the same obligations would exist already. If that’s not the case, though, I would want to understand what the concerns are related to GDPR.
>> ANDREW CAMPLING: Does anyone want to comment on GDPR? Vittorio?
>> VITTORIO BERTOLA: Well, I was the one making the remarks. I think the question is open, actually. We need to ask a good privacy lawyer. It’s not that easy. It could be or not be like you say. Depending, for example, where the revolver provided by the destination really only offers the service for the same destination or if there are third parties involved. If there’s a third party for the DNS revolver, it could be different because it’s a third party or if it gets the queries for the other domain, but the third parties used inside the web and all services, and then there’s a privacy leak in that case because it’s data that this entity would not get.
So, I mean, unfortunately as always with GDPR the answer is: It depends and you need a lawyer.
I think at least it’s an assessment that needs to be done sometime during the discussion.
>> ANDREW CAMPLING: Yes. Anyone else want to come in on that? No?
Well, there’s a start to that, I think, Tommy, hopefully, but as Vittorio said, as with all things GDPR, ask a lawyer is probably the best, safest answer.
>> Certainly. I guess my – my overarching point was to determine whether this was a complete blocker or whether it’s just unknown territory that needs explored and it seems like more the latter.
>> VITTORIO BERTOLA: If I may, I agree. In general, the use the third party DNS services has never been fully understood under the privacy laws. No one realized there was a privacy issue until the discussion started and you realized that there’s a lot of personal information going on in the DNS inquiries.
In theory, it’s the same issue if you enter a separate revolver. Even if you enter it to your own configuration, then at a certain point in time, you should receive a privacy information and all of your rights and provide consent and informed explicit way. So, I mean, yeah, I think is open for discussion with privacy.
>> ANDREW CAMPLING: I know some of the regulators in Europe do provide views when asked on such matters. So, for example, in the UK, the information office in the past has given views on DNS‑related matters. So there are third parties beyond just lawyers that can give input on those things.
>> Thank you both.
>> ANDREW CAMPLING: Thanks, Tommy.
Do we have more questions?
>> MIKHAIL ANISIMOV: Yes. Yes.
>> ANDREW CAMPLING: I see just on the chat to – you can raise your hand as well and ask a question if – if you wish. So thank you to remind us of that.
Sorry, Mikhail, I think you were coming in there.
>> MIKHAIL ANISIMOV: Yeah, yeah. Sure. So we have a few more questions in the chat, but you are also welcome to raise your hand.
Sorry it seems I had some connection issues. The next question is could we have a DNS replacement that does not allow or trap users, DNS and DoH it monitors websites. I believe this question was pretty much covered with the previous discussion about the blockchain, but if any of our panelists want to add something, not about the blockchain but maybe for any other replacement for DNS, you are also welcome.
Or we can move on.
So does anyone want to comment on this?
It’s futuristic questions, how do we imagine the Internet without DNS?
>> VITTORIO BERTOLA: Unless you completely change your existence, I don’t think it’s possible. But in the end it’s possible. If you rely on someone providing your services that party will always have access to your data.
>> MIKHAIL ANISIMOV: Agreed.
If you don’t trust DNS, you have to trust another company who will provide you another service, whatever it is.
So moving on, the question from Patrick Terpe, given that most DoH providers do not have contractual relationships with their end users, what redress do their end users have for they are performance?
It means incorrectly leading to off network traffic and thereby decreasing streaming and CDN performance. It’s actually a very good question, because I have another one quite similar. It was really long comment but I will try to make it.
The question was the – currently the end users have contractual relations with their ISPs and in case of low performance, they can call to the ISP and say, hey, my Internet is not working! What should they do if they use, for example, Google DoH servers and they have a problem? How can they work with it?
This question is also for all three panelists.
>> NICOLAI LEYMANN: Okay. I mean, first of all, as ISP guarantees, we only give our own servers. If the user uses an external server. The first are contact is cloud share. But if the user does not know whether he’s using an external DNS provider, it’s extremely difficult to do the debugging because, of course the first point of contact is always the ISP. So my expectation is that we will see users calling us as an ISP, but the problem is many where else and that’s extremely difficult to solve. Because we usually don’t know for instance where in between in the chain to the revolver is the problem.
So it will probably cause a lot more debugging and challenges for solving problems, if there are problems. If there are no problems, everything is fine, but – yeah. For instance, if the revolver providers are under attack or things like that.
>> ANDREW CAMPLING: Thanks, Nic. Does anyone else want to come in on that one?
I see that Carsten has raised his hand. So Carsten, do you want to come in with a question?
>> Yes, it’s rather a follow‑up question to my initial question, whether DoH and DoT is essentially the same, like the DNSSEC or serves the same purpose of DNSSEC. There was a little bit of a Jean Paul question to get the ball rolling and to make it clear for, in particular, not so technical audience here that both things, protocols so to say essentially serve a different purpose and they are essentially often vulnerable to each other.
As a follow‑up question, I just wonder in particular, do the panelists know and we had that on the chat as well, any type of CPE vendors, customer premises equipment like particular routers, who are about to deploy either DoH or DoT or both of it, as well as DNSSEC checking so that in particular residential users wouldn’t have to deploy any kind of, like addition gear at their places to get the features of DoH, DoT and DNSSEC apt their home. It might be worthwhile as well to have this discussed by the panelists as well. Is.
>> ANDREW CAMPLING: Thank you, Carsten. I know there are certainly some shipping DoT I’m not sure about DoH. Nic.
>> NICOLAI LEYMANN: There are some routers supporting DoT, and like ABN is supporting it. Also the Turris router is supporting DoT and my expectation is that it is a software change in the DNS revolver of the router. So as soon as the software, the basic software will support you, you will see more and more routers at least supporting DoT. So my view, it’s a matter of time. It is a new protocol. It takes time to implement.
Also we are looking into whether it makes sense or not to implement DoT and how long will it take and questions like that?
I would expect, for instance, in general, that if you look on the router market, the more recent models will probably support within the next year’s DoT. The older ones maybe not because they are just too old. So no one is basically providing use of software or software upgrades.
>> ONDREJ FILIP: If I can comment too.
>> ANDREW CAMPLING: Sure.
>> ONDREJ FILIP: I’m in a very nice position because we are authors of note revolver which is currently used as cloud share as one of the platforms for DoH. And so that’s a server we developed and we are developing CPEs like routers which was mentioned by Nic. And so that router supports DoT DoH, both, and it has been supporting it for a couple of months maybe more than a year. So this is open source router based on OpenWrt, and so this implementation of DoH can be reported to OpenWrt and I’m sure the other vendors will follow soon, because this change is not very technology complicated, of course. We have HTTPS, and we know DNS and combining those two is not super easy but it’s not rocket science. I’m sure other vendors will follow too.
>> ANDREW CAMPLING: Yeah.
Thank you, Ondrej. So certainly is there and more is coming I think is the message, Carsten.
I’m conscious of touching a couple of issues. There’s been some mention of things like centralization. It will be interesting to get people’s views on whether you think DoH will lead to greater centralization on balance, and if so, does it matter anyway?
So do you have a view on that? Well we get more centralization from DoH and should users care about that?
>> ONDREJ FILIP: Yes, I commented on that at the beginning. We will see more centralization, because browser is up with of the most popular application and browser windows are pushing DoH logically because that’s the protocol they know the best. The pushing US, there is a lot of centralization in the traffic there. And so we will see more and more of that, and as I said at the beginning, I’m not very happy from that, because that’s a fundamental shift of power. That’s a fundamental shift of entering the stability of the Internet, and I would rather have more fractioned DNS ecosystem where they have their own responsibility than a concentration of responsibility and power to a few private companies like, for example, Apple, Google and so on. I’m not super happy but this is what is being developed and I expect more and more in this field.
>> ANDREW CAMPLING: Thank you, Ondrej.
>> VITTORIO BERTOLA: If I may add. I also already said that I was worried about this but I would also stress that what we are seeing in DNS is a part of the broader, which is in the web or the web technology Internet.
So for the last 20 years, I mean, the things have been going – all the applications have been turning to web applications, running inside browsers on the server side or increasingly on the client side.
And so this is a trend that possibly cannot be stopped but it is – I mean for people that are on the Internet, in the ’90s or even before, it is a problem, because the original way was that people would be able to deploy new technologies and there’s a wealth of different protocols and applications that you could choose from. But apparently now the browser is becoming the controlling entity for everything that happens on the Internet, and that’s of course a potential danger, even if the browser people are the best people, with the best intensions, it’s still a potential problem.
>> ANDREW CAMPLING: Yep. Thanks, Vittorio.
Mikhail, I think you maybe had another question to ask from the chat?
>> MIKHAIL ANISIMOV: Yes, yes, I have another question. It’s actually a very practical question. How expensive is it for an ISP to deploy a DoH service? But I would like to bring a broader perspective to that. We know that every new technology can affect the price of service and the users because the operator has to think about the turning up of investments. Do we have the same picture with DoH and other DNS encryption technologies?
>> NICOLAI LEYMANN: Yes, when it comes to costs. If I look on the software, it’s basically a new software supporting DoT and DoH as a protocol. I wouldn’t say there’s almost no cost. There’s a bit more performance necessary because it’s encrypted and so on, but also that, let’s say, overhead is very large. So we are talking about 5 to 10% more, say, compute power on the server side and if you run a decent DNS platform, 10% more performance is really not a problem.
It might be a bit different if, for instance, not, say, the whole gateway itself connects and a single session in the DNS server with 50 browsers sitting inside the same home but that needs to be proven whether that’s really an impact or not. So my guess or my experience is that basically the whole update itself is not very cost intensive.
Because just a new protocol is just a new software.
>> ANDREW CAMPLING: Yeah, thanks, Nic. Ondrej, were you trying to come in there?
>> ONDREJ FILIP: I think everything was said. I cannot comment on the deployment on service provider level, but, you know. So times deploying on the end user level, it’s just downloading the DNS revolver, like, for example on DNS and running it – for home use, it’s easy, of course, at ISP level, even to ensure some service level so it’s a different thing. But it’s really nothing huge. So I don’t think it’s technology is a huge problem.
>> ANDREW CAMPLING: Thank you. I see Carsten has raised his hand. So if we could unmute Carsten so he can ask a question.
>> I guess I’m unmuted already. Thank you. Yeah, just a follow‑up question to my follow‑up question. In terms of – we have touched the fact, like, to what extent DoT, DoH, and DNSSEC equipment will be rolled out or has been rolled out already, and Ondrej, you made a point that it might be helpful not to involve too many parties like trusting your DSL provider might actually still be a good thing. So I just wonder whether you guys would have any kind of knowledge, to what extent access providers at least across Europe, are about to deploy their own DoH services or DoT services or both of them, actually, just so that, like, DoH or DoT ready he equipment could find its counterpart on the other side of the line. Are there any plans on what the plans? Are maybe Nicolai or others could comment on that and have other access providers at least from Europe.
>> NICOLAI LEYMANN: Yes, I can comment open that. We are looking at DoH and DoT on our server platform, especially with DoH, the main challenge is the communication to the end user because you have to make your end user aware that there is DoH available and you have to get your end user to reconfigure the client to use the DoH server as well. And then the question is why should I do that? So I think the communication is really a big problem. It’s not so much about having the platform itself for DoT, I would say it’s easier because if you implement in the home gateway, you can at least do some type of silent upgrade from the home gateway to use encrypted DNS by DoT to the server, but as I mentioned in the initial statement, the question in the typical scenario that you trust your access provider anyway, and the ISP running the DNS platform, what is the real benefit of upgrading that kind of connection to DoT?
>> ANDREW CAMPLING: Yeah. I know also that some other European ISPs at least doing trials in various countries. Ondrej, do you have a comment?
>> ONDREJ FILIP: I think a comment to Nicolai. I think you said it very well. Having encrypted DNS is still better for the integrity and the security, because then if you are just using normal unencrypted DoDP, there’s some security issues this. If you trust your ISP, I would suggest to convert to DoT specifically. I think it is a very good technology that really helps the security of DNS. DoH is a different thing.
>> NICOLAI LEYMANN: Yes, I see DoT as a network pass to support DNS on typical deployments and I see DoH a bit differently. Yeah.
>> ANDREW CAMPLING: Yeah. Okay.
I can see that Andre Melancia has raised his hand.
>> Hello, my name is Andre. I have one or two questions or comments anyway. So both DoH and DoT are okay in terms of encryption, et cetera so you can guarantee your ISPs are not going to track you, however, they will be able to follow all of your remaining communications. So if you convert your DNS names to IP addresses, any follow‑up connections that you do, your ISP will still be able to track them.
So there was really no privacy compared with your local ISP. If you considered the providers that might be able to provide the DoH and DoT service, this can be a lot. So I’m assuming things like China might actually have the government provide that service, something like that.
You might also have global providers like Google or cloud slayer to provide that service but then the question is if an end user thinks, okay, let’s use this one because someone said that this is safer, how does the user choose? What about privacy? So how does the user guarantee that if they see advertised that Google has the DoH or DoT provider, is that really safe for them? So the end user itself will probably do a technique, let’s subscribe to Gmail or something else because it’s trendy and everyone else is doing that, but in reality it doesn’t do much for privacy for them. Without knowing how the technology works and most end users will never know how the technology works. This is actually not going to be that much effective.
Okay. Thank you.
>> ANDREW CAMPLING: Thanks, Andre. Does anyone want to come in on those comments? Ondrej?
>> ONDREJ FILIP: Well, it was said very well. I just agree with the comments. It’s okay.
>> ANDREW CAMPLING: Okay. Thank you.
Point well made, I think, or points well made, Andre.
I see the chat is quite busy with some points coming up. I don’t know if there are any questions so much as the conversation, which is absolutely fine.
>> AUKE PALS: At the moment, and also the other channels there are no further channels. The last point made in the chat was from Nigel Hickson and he says good point, but cannot think likes of Google would contract with.
>> ANDREW CAMPLING: Yes, thank you.
Yeah, so I’m conscious of the time. So if people do have any last questions before we go to our reporter, you will need to raise them shortly.
In the meantime, I will ask our panelists, do you see any other impacts ever DNS encryption having on the Internet ecosystem? Any other unexpected impacts as a consequence of encryption? Vittorio, it looks like you are wanting to come in.
>> VITTORIO BERTOLA: No. I think that perhaps there are at higher abstraction level, this discussion is brought up again, the question of whether – I mean, the roles of the ISPs and the Internet access providers and the platforms and I think that – I mean, we are in the middle of a trend in which services are increasingly moving from the ISPs to the platforms and, again, that’s a general trend that – I mean, there’s a reason for that. Maybe the ISPs should think of what they did in the last 20 years. I mean, if there are people that still insist in saying that they connected to an ISP but they want to be affected by it and they distrust it, it must be impact in the past how the ISP used its customers.
At the same time, I think they are – there are very few very big companies taking over everything. I mean the last point I wanted to make is that it’s really important in this regard to preserve the original idea of the Internet, that they could connect and discover services locally. So, I mean, we haven’t mentioned the efforts that are going on to create actually these discovery mechanisms. I mean, like they exist for the current DNS so that you can connect and know that there’s a local revolver that can give you the DNS resolution service. And then depending on your own policies, you may want to trust it and use it and maybe you have your own trusted revolver somewhere else and you want to connect to it. That’s open.
At least you should be able if you want to continue to use the router to discover it and that’s very important for adoption because most people – I mean, most users in the end are not particularly interested in the discussion. They want to continue using the Internet. They buy Internet service from the company and they expect that the company provides everything that is necessary for the Internet to work which includes the DNS service and they want to go ahead and use it.
It’s very important that as an industry we provide a way for – I mean, the Internet access to at least continue often and being able to, you know, make this work automatically so they connect with the network, which in the end is the most important thing, I would say.
>> ANDREW CAMPLING: Okay. Thank you, Vittorio.
Again, I’m just watching the time. So I don’t know if Ondrej or Nic, based on what you heard, you had any comments you wanted to come in more generally, just to build on either what you heard or, indeed, what Vittorio has just covered?
>> AUKE PALS: I see comments for Andre.
>> Yes, just technical details. So if you have DoT or DoH, there was much slowness in getting DNS resolved which could be bad from the beginning. So if you have normal DNS inquiries, you should have a very fast packet to the cloud – not to the cloud but to the provider, which is very local. And so that’s going to be very fast. If you do have packets that you sent or provide maybe somewhere in your continent, not necessarily in your country, that will go to your provider, for sure and then to someone else and then to someone else, until it arrives at the destination. Also because you have to encrypt everything on traffic, and especially if you are using the CPIP. Like, that’s three‑way handshake plus something else and if you add encryption, that will be much slower. I think ten times slow to get the DNS inquiry.
And in some applications, I won’t say all, but some applications this will be definitely a draw back because that will require fast DNS resolution.
>> ANDREW CAMPLING: Yes, I think Andre, I have seen some benchmarking which on some early implementations, there certainly is an overhead but to be fair, some of the later implements of DoH, I think they have been heavily streamlined and there’s little difference in performance between DoH and DNS over support 53 in the more traditional way.
So let me just go background our three key participants to see if they have any final observations they want to make before we go to our reporter for her summation. So I will do them in the order that they came on initially. So Ondrej, do you have any thoughts to come back with?
>> ONDREJ FILIP: Yes. Maybe just it’s worth to mention that DoH does not solve all the issues. It does not help to protect your privacy, probably not at all. It maybe even increase the number of subjects that can see some of your data. So that’s one problem I have with this technology.
I think it doesn’t, you know, protect you from your local ISP. So if you don’t trust your local ISP, then you have problems that cannot be solved by DoH, DoT. There are definitely different technologies for that. So, again, DoH is an interesting technology and we have to be careful using it widely. There are issues that it may trigger. Its just a technology, of course. But we have to be very careful how massively we deploy it. And what I’m concerned is the concentration of DNS resolution to a small set of companies and the Internet and I don’t think such a concentration in any industry is a good thing. And I would suggest keeping DNS local as much as possible.
>> ANDREW CAMPLING: Okay. Thank you, Ondrej. Some good thoughts there. Nic?
>> NICOLAI LEYMANN: No additional comments from my side. Think I said everything I want to say and also Ondrej gave a very good summary.
>> ANDREW CAMPLING: Thank you. Vittorio?
>> VITTORIO BERTOLA: Well, I finish with an appeal to people. I mean, actually, different – we have different types of people should do different things. If there are ISPs in this room that are not involved yet and not trying DoH, please do. Please think of how you can evolve your DNS services and make then encrypted. It’s important for your customers and important for the continuation of your market offer, let’s say.
And, of course, you can contact Ondrej who are coordinated, and they would be happy to help you. And the other thing is for the European community in general. I mean, I was really surprised when I learned of the DoH by discovering that apparently in the initial discussion at the ITF, the European perspective was completely absent. It seemed when discussing this, there was a US perspective of freedom of expression and people who might be in China and countries that would respond. But no one seemed to understand the impact this would have on European services so no parental control or other things that are common in Europe or maybe not in other parts of the world. Perhaps this happened because the European community were not very present in the discussion of the ITF. I will encourage people to be more active in the idea for people from Europe and also we have another work shop this afternoon, workshop number five which will discuss this issue, relationship between the community and the nontechnical stakeholders and this is also an invitation for you to join us this afternoon.
>> ANDREW CAMPLING: Excellent, thank you, Vittorio.
What I would like to do now is ask the reporter from the Geneva Internet platform for our session to come on to the session to share the session messages that she’s captured and we can then have a discussion about those and gain agreement to them. So if I can ask Ilona, to brought open to the session, please.
>> REPORTER: The sound is good? Very good. I’m representing the Geneva Internet Platform, and we provide key messages for the whole EuroDIG event. And also you will be able to comment on the messages that I provide now after the forum is end – after the forum ends.
So since it is – since we need to have a rough consensus of each message, I’m just asking you to keep your objections with you. If there is something that is not acceptable, just tell me and I will remove the message from the list. The first message is – also, a small remark is that this session is quite technical and I was trying to translate all this stuff into the human‑friendly policy language.
Okay. So the first message that encryption of DNS inquiries, DoH, DoT has different effects on end users and ISPs and the rating systems and the browsers and other implications.
DoH can improve the end user and the configurations and their upgrades. For ISPs it creates more problems. The balance of power between browsers and various communities is broken, high risks of mark and network centralization.
The next slide, please.
We have to work on the deployment models, that will address those problems, keeping in mind education of end users about DNS separations and increasing the level of trust and the DNS revolvers. Also we need to think about legal aspects of relationships between end users and DNS providers.
Now, I pass the mic to the moderator.
>> ANDREW CAMPLING: Thank you, Ilona.
And from a personal, I say congratulations in trying to translate that into human. That’s a remarkable job in my humble opinion. But I can – I can see on the chat some supportive messages on your summary abilities from Thomas Grob and Jim Pendergast coming in.
I guess we need to see if there are people think that there’s anything fundamentally wrong with that summation or if Ilona has, indeed, captured the spirit of the discussion.
So does anyone want to come in to indicate otherwise?
>> REPORTER: I see just plus one and plus and plus one.
Is it really critical that you talk about the DoH providers. That is a question for the tech people.
>> ANDREW CAMPLING: Can you rephrase that?
>> REPORTER: So I see the comment in the Zoom that the last message – sorry. The last message, the legal aspects of relationships between end users and DNS providers or DoH providers? Which should be more correct?
>> MIKHAIL ANISIMOV: DoH providers would be more direct because DNS providers is all existing ISPs also because they are operate the revolvers and we are talking about the specific DoH providers who concentrate the DNS queries. So it’s better to have the DoH.
>> REPORTER: Okay. I changed it in the presentation, if the presenter can upgrade it, you will see.
>> ANDREW CAMPLING: Okay. Well, as has been said in the chat, it could equally apply to DNS more broadly, but Mikhail is right the session was specifically focused on DoH. So it applied to either.
>> REPORTER: Okay. So now we are done with this.
>> ANDREW CAMPLING: Brilliant. Thank you very much, Ilona for that impressive, succinct encapsulation of the points that we covered. I’m impressed.
So just to wrap up then, thank you, everyone, for your participation. Thank you for joining our workshop and for your continuing flow of comments and questions throughout, which is extremely helpful and productive.
Thank you, in particular, to Ondrej, Nic and Vittorio for sort of jumping into the hot seat and giving their views and taking some of the questions. That’s much appreciated. And thank you to the studio team and hosts as well for all of your efforts in making this work smoothly.
And I think we’re all looking forward to some excellent sessions this afternoon and I should shamelessly advertise workshop 5 which Vittorio also mentioned, which will look at how these standards are developed in the first place, which will maybe pick up on some of the points arising in the chat around maybe the lack of a European perspective in DoH and develop that discussion further in workshop 5 this afternoon.
With that thank you very much, and enjoy the rest of EuroDIG.
>> NADIA TJAHJA: Thank you very much, Mikhail and Andrew. We appreciate the engagement happening. Just a quick remark from the remote moderator.
>> AUKE PALS: Yes thank you to reporter, the moderator and all other key participants. I’m also happy to see so much interaction in this session, in the chat, and on other platforms and I really hope to see you back soon? Studio the Hague.
>> NADIA TJAHJA: Next what will happen is the big stages and for this we will go to EuroDIG headquarters. EuroDIG headquarters, are you there?
>> SANDRA HOFERICHTER: Nadia, can you hear me?
>> NADIA TJAHJA: Yes, we can hear you.
>> SANDRA HOFERICHTER: I watched your session from a distance. I think that was a very well prepared and very successful session. Thank you very much for hosting it. Awe hear us?
>> AUKE PALS: We can definitely hear you.
>> SANDRA HOFERICHTER: Okay. Perfectly. I think Nadia and Auke, you have enjoyed a well break for lunch today. And please be back right on time for the next session. Enjoy your lunch break.
>> NADIA TJAHJA: Thank you very much, everyone, and have a great time and we hope to see you back here. Bye.
>> SANDRA HOFERICHTER: See you later.
>> AUKE PALS: Bye‑bye.
>> SANDRA HOFERICHTER: But everyone who wants to remain in studio the Hague is welcome to do so. Please don’t log out, because the studio and the headquarter will take over now. And here we will continue with a new format that we call big stage presentations.
Big stage presentations is for projects, books or intervention that usually you would not find a place in the session. So therefore, we invented this new format. But if you are not interested in more content, you can also move hater open to the room Berlin. We said in Berlin, we open up a networking space. The studio hosts Elizabeth will be prepared to do some networking questions with you, but basically the idea is to get an equivalent to a networking space and a corridor that you would have in a normal conference. Go there if you would like to connect with others and make the best out of that space. It’s your space.
And in studio 3, we will play some music. This music is coming from an app and this app is from Jean Michel Jar that generated constantly with using artificial intelligence methodologies, music. So you can understand it in a way that he has some tones and sounds and he puts them together in a totally random way and the good thing is it’s free of rights, albeit you have to pay for the app, but that’s okay. You can use it when you have a conference because you won’t get in trouble with any authorities that claim the rights on certain music.
So with that, I suggest we are going to start with the first big stage.