Security engineers are proposing an experimental protocol that promises greater privacy in how DNS, the internet’s equivalent of a telephone directory, operates.
Oblivious DNS-over-HTTPS (ODoH) describes a protocol that allows clients to hide their IP addresses from DNS resolvers through proxies relaying encrypted DNS-over-HTTPS (DoH) messages.
The arrangement means that no single server knows both a client’s IP address and the content of its DNS queries and answers, a significant privacy benefit.
The experimental protocol has been developed outside the Internet Engineering Task Force (IETF) but with the involvement of engineers at Apple, Cloudflare, and Fastly.
A detailed technical outline of the experimental protocol, which its developers hope will attract wide-scale experimentation and interoperability, was published last week.
In response to a question from The Daily Swig on use cases for the technology, one of the authors of the ODoH technical paper highlighted current deployments with Apple’s iCloud Private Relay and Cloudflare.
According to Cloudflare, the ODoH protocol enhances privacy for users while aiming to “improve the overall adoption of encrypted DNS protocols” but without compromising performance and user experience on the internet.
How does Oblivious DNS-over-HTTPS work?
Oblivious DNS-over-HTTPS works by adding a layer of public-key encryption and a network proxy between clients and DNS-over-HTTPS servers.
The Oblivious HTTP Application Intermediation (OHAI) IETF working group, where the technology is being developed as a standard, offers an overview of how engineers would like to further develop and refine Oblivious DNS-over-HTTPS.
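The hop chain described above, as an added illustration that is not code from the ODoH specification, from Cloudflare, or from any implementation named in the article: a simplified Go model in which X25519 plus AES-GCM stands in for the public-key encryption layer (the real protocol uses HPKE), with the client and proxy addresses as constructed placeholders. It shows the property the article states: the proxy sees the client's IP but only ciphertext, while the target resolver decrypts the query but sees only the proxy's address.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
)

// Envelope is all the proxy relays: the client's ephemeral public key plus the sealed query.
type Envelope struct{ EphPub, Nonce, Ciphertext []byte }
// aeadFor turns an X25519 shared secret into an AES-256-GCM key (stand-in for HPKE's KDF).
func aeadFor(secret []byte) cipher.AEAD {
	key := sha256.Sum256(secret)
	block, _ := aes.NewCipher(key[:])
	gcm, _ := cipher.NewGCM(block)
	return gcm
}
// Seal (client side) encrypts the query to the target's public key under a fresh ephemeral key.
func Seal(targetPub *ecdh.PublicKey, query string) (Envelope, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { return Envelope{}, err }
	secret, err := eph.ECDH(targetPub)
	if err != nil { return Envelope{}, err }
	gcm := aeadFor(secret)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return Envelope{eph.PublicKey().Bytes(), nonce, gcm.Seal(nil, nonce, []byte(query), nil)}, nil
}
// Open (target side) recovers the query; a tampered envelope or wrong key fails authentication.
func Open(targetPriv *ecdh.PrivateKey, env Envelope) (string, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(env.EphPub)
	if err != nil { return "", err }
	secret, err := targetPriv.ECDH(ephPub)
	if err != nil { return "", err }
	pt, err := aeadFor(secret).Open(nil, env.Nonce, env.Ciphertext, nil)
	return string(pt), err
}
// Resolve runs client -> proxy -> target and reports what each hop could see as {address, query}:
// the proxy only the client IP and opaque bytes, the target only the proxy's address and the query.
func Resolve(targetPriv *ecdh.PrivateKey, clientIP, query string) (proxySaw, targetSaw [2]string, err error) {
	env, err := Seal(targetPriv.PublicKey(), query)
	if err != nil { return }
	proxySaw = [2]string{clientIP, "<ciphertext>"} // constructed marker: proxy never gets plaintext
	q, err := Open(targetPriv, env)
	targetSaw = [2]string{"proxy-ip", q} // constructed placeholder for the proxy's address
	return
}
```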
Cricket Liu, chief DNS architect at Infoblox, recognized the privacy benefit ODoH offers to consumers while cautioning that the technology could frustrate the operation of security controls found in many enterprise environments.
Liu told The Daily Swig: “I think the basic idea behind Oblivious DNS makes sense from a consumer privacy standpoint: You launder the query and the source IP address through a series of proxies, the first of which sees the querier’s IP address and the second of which sees the query itself.
“From the perspective of an enterprise, however, it poses the same challenges that DoH does and possibly more, since the use of an external Oblivious DNS proxy would leave IT organizations blind to what employees are doing.”
The protocol’s source code is publicly available, so anyone can try out ODoH or run their own ODoH service.
Source: https://portswigger.net/daily-swig/oblivious-dns-over-https-offers-privacy-enhancements-to-secure-lookup-protocol