Since November 22 SURFnet’s DNS services have become a little safer and more privacy-friendly. On that day, we enabled DNS-over-TLS on all three DNS resolvers that SURFnet operates for its constituency (https://www.surf.nl/en/services-and-products/surfdomeinen/dns-resolvers/index.html).
DNS and privacy
The original DNS protocol, which has its roots in the 1980s, is one of the core protocols of the Internet. Every time you visit a website, for example, your computer sends a DNS request to translate the human-readable domain name (e.g. www.surf.nl) into a machine-readable IP address (e.g. 2001:610:188:410:145:100:190:243).
There are no provisions for confidentiality in the original DNS protocol. This means that anyone who is able to intercept your DNS requests can see which domain names you are looking up. The domain names you request reveal a lot about your web surfing behaviour, and consequently about you as a person. For example, say you are looking for love and use a dating app; people who intercept your DNS traffic would be able to tell because of your lookups of “tinder.com”.
What is DNS-over-TLS?
DNS-over-TLS is a new standard for transmitting DNS traffic, published by the Internet Engineering Task Force in 2015. In this new standard, traffic between the client (for example your laptop computer) and so-called DNS resolvers (the servers that perform lookups of domain names on the Internet on your behalf) is encrypted. To achieve this, the new standard relies on the Transport Layer Security (TLS) protocol, which is the same protocol that is used to protect your web traffic when you visit a website that uses HTTPS.
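As an added illustration (not SURFnet's code, nor code from any software mentioned on this page), the following minimal Python stub sends one query over DNS-over-TLS: it builds the DNS message, adds the 2-byte length prefix that DNS over TCP and over TLS both use, and lets Python's default TLS context verify the resolver's certificate. The resolver name and address given to dot_lookup are placeholders supplied by the caller, and the reply built by sample_reply is constructed for the example rather than captured from a real resolver.

```python
import socket
import ssl
import struct

def build_query(name, txid, qtype=28):
    # 12-byte header (flags 0x0100 = recursion desired), one question, class IN; qtype 28 = AAAA
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def skip_name(msg, off):
    # A name is a label sequence ending in a 0 byte; 0xC0.. is a 2-byte compression pointer
    while msg[off] != 0 and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)

def parse_aaaa(resp, txid):
    # Reject replies that do not match our txid or carry an RCODE, then collect AAAA rdata
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid or flags & 0xF:
        raise ValueError("bad reply: txid mismatch or RCODE %d" % (flags & 0xF))
    off, addrs = 12, []
    for _ in range(qd):
        off = skip_name(resp, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an):
        off = skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 28 and rdlen == 16:  # AAAA record: 16-byte IPv6 address
            addrs.append(socket.inet_ntop(socket.AF_INET6, resp[off:off + 16]))
        off += rdlen
    return addrs

def dot_lookup(resolver_name, resolver_ip, qname, txid=0x1234):
    # The default context verifies the resolver's certificate chain and hostname,
    # so an on-path party cannot silently stand in for the resolver
    ctx = ssl.create_default_context()
    query = build_query(qname, txid)
    with socket.create_connection((resolver_ip, 853), timeout=5) as raw:  # DoT port (RFC 7858)
        with ctx.wrap_socket(raw, server_hostname=resolver_name) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)  # 2-byte length prefix
            reader = tls.makefile("rb")
            (length,) = struct.unpack("!H", reader.read(2))
            return parse_aaaa(reader.read(length), txid)

def sample_reply(txid=0x1234):
    # Constructed reply (not captured traffic): one AAAA answer, its name a pointer to offset 12
    q = build_query("www.surf.nl", txid)[12:]
    rdata = socket.inet_pton(socket.AF_INET6, "2001:610:188:410:145:100:190:243")
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + q + b"\xc0\x0c" + struct.pack("!HHIH", 28, 1, 300, 16) + rdata
```

Running parse_aaaa(sample_reply(), 0x1234) offline returns the address from the example above; dot_lookup performs the same exchange against a live resolver.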
Which software supports DNS-over-TLS?
At the moment, very little mainstream software supports DNS-over-TLS. This is likely to change in the near future, however. The Android Open Source Project, which maintains the software for the Android mobile operating system used on phones and tablets, has added support for DNS-over-TLS. This support is set up such that Android will attempt to use DNS-over-TLS by default with the DNS resolver that is configured for the network over which it is communicating. It is highly likely that the DNS-over-TLS feature will become part of the next version of the Android operating system. To prepare for this, SURFnet has already enabled DNS-over-TLS on its infrastructure.
And what if I already want to try DNS-over-TLS?
Experimental software called “Stubby”, which supports DNS-over-TLS, is already freely available to install on your computer. You can read more about this on the website of the DNS Privacy project (https://dnsprivacy.org/wiki/), an initiative that also receives support from SURFnet.
Can DNS privacy be improved even further?
Although DNS-over-TLS can greatly increase privacy protection for Internet users, it does not solve all privacy issues in the DNS. The DNS resolver itself, for example, remains a privacy hotspot. Operators of DNS resolvers can still see which domain names users request through the DNS software running on the DNS resolver. Fortunately, privacy legislation regulates what operators — such as SURFnet — can and cannot do in this respect. For example, operators cannot inspect DNS traffic unless there are specific operational reasons to do so.
All of this does not mean, however, that we cannot improve on the status quo. There are, after all, also legitimate reasons for network operators to inspect DNS requests, for example to detect botnet infections and other malicious activity. Therefore, SURFnet is currently collaborating with Quarantainenet (https://quarantainenet.nl) and NLnet Labs (https://www.nlnetlabs.nl) to develop a more privacy-friendly means of inspecting DNS requests. By making clever use of so-called privacy-enhancing technologies, we are implementing software that will allow us to check whether a domain name has been requested (for example because it is associated with malicious content), but without being able to identify the individual user who sent this request. This means that we protect the privacy of individual users, while at the same time enhancing the security of the network by being able to detect whether malicious activity is taking place on it.
We will be trialling this technology over the course of 2018, so stay tuned for more information.